Tag: Cybersecurity

Alienvault USM Anywhere Updates

We just received very good updates from the Alienvault channel team (or AT&T Cybersecurity team as they call themselves now). I think to quickly summarise our excitement into two short phrases:

a) Google Cloud Support – Heck Yeah.

b) Custom Plugin Development – Heck Yeah!

Of course, there were tons of other updates as well, such as scheduled reports, unified UI, more AlienApps support, Cloudflare integration (which is very interesting, as we can identify actions to it, effectively making Alienvault function more like an active prevention system, as opposed to its traditional detective role), new search capability incorporating wildcard searches and advanced asset importing through CSVs as opposed to rudely scanning our clients network.

But the two main courses were the Google Native support and custom plugin.

Google Native support has been a pain point for years. We do have customers moving into GCP or already into GCP where we have been constantly battling to match their expectations for Alienvault to perform as seamlessly as it does on AWS – but it can’t. We had to rely on EDR (endpoint detection and response) for instance, where the agent grabs logs a’la HIDS and sends it over to the server directly. Of course, areas where a native sensor would function, such as creating an internal VPC filter mechanism, or doing vulnerability scanning without having too much inter VPC traffic – these were not able to be done with the EDR so it was very much a bandaid. We knew that our patched up GCP solution wasn’t functioning as well as its handsomer and more dashing brother, AWS. In other words, it kinda sucked.

GCP custom applications also presented its own set of issues – custom apps were difficult to integrate – even with Stackdriver, or us logging to BigQuery, presented a lot of issues to send these logs to Alienvault. When we could configure to send to BigQuery, we couldn’t filter properly, causing our 1TB per month customer quota to be annihilated within days. Now, getting PUB/SUB to work with Alienvault requires APIs to be written, and on top of that to have Alienvault write the custom plugins – all these add to pro services costs, and more importantly, resource and time cost to the project.

So what happens now? In the next General Acceptance/Availability of USM-A, GCP will be supported. The information is sparse so more updates will be forthcoming. But the GCP sensor will be able to:

a) Perform threat detection (like all other sensors), asset discovery, provide Alarms, events, widgets, correlation etc. Basically, it will be native to GCP, doing what it is doing for AWS, Azure and on-prem Hyper and VMWare.

b) Detect VPC flow logs

c) Monitor cloud services through Stackdriver

The last bit is very important. Stackdriver, in essence, is GCP’s answer to Cloudwatch and Cloudtrail of AWS. It monitors and manages services, containers, applications and infrastructure for the cloud. If you have a Cloud services or developing cloud applications, you should be able to support Stackdriver logging. In GCP Compute, the logging agent is used to stream logs from VM Instances. It can even provide the traditional network flow logs (or VPC flow logs), which MSPs can use to monitor network health etc. In other words, this ugly GCP little brother solution is going to get buffed. We’re going to look a lot better now.

The roadmap is bright: Automatic response action against a cloud service when a security event occurs – putting Alienvault into more of a proactive than detective stance it takes traditionally. This is similar to what the Cloudflare integration is achieving. More and more GCP services will be added to be supported. There is also a topic on “User Entity Behaviour Analytics” – which is basically matching behaviour to normal baselines and telling us that Bob is having coffee at 10 am instead of his usual 8 am, which meant he was running late to work, which meant he got stuck in traffic, which meant he left the house late, which meant he woke up late, which meant he slept late last night, which meant he went out for a drink with someone and got smashed, which could possibly mean he is having an affair with a stripper named Daisy. Maybe.

So, pretty exciting times, Aliens!

The other one on the plate wasn’t on the normal discussion agenda but was brought up by us on the international call – we just bombarded the screen with around 10 – 15 queries and at least 4 made it to the table. One of them was: when the hell are we going to get to do our own plugins?

No offence to Alienvault, who currently for USM-A are doing our client’s custom plugins – but 3 – 4 weeks isn’t really going to cut it. Furthermore, sometimes we are not even getting what we want from the custom plugins. We don’t blame Alienvault. The application is ours (as in our client’s). We are the ones who know the events, the priorities. We know what we want to see. We just can’t develop the plugins like what we do now for our USM Appliance clients.

Imagine the win-win situation here. We write plugins for clients (assuming its similar to Appliance), within 2 – 3 days we are done. Testing, another 1 – 2 days. Instead of setting the project timeline back 3 – 4 weeks we are 1 week in. That’s a HUGE impact for compliance clients who are often chasing a deadline. 3 weeks squashed to 1? Hell, Yeah! The win is also for Alienvault. They don’t have to deal with nagging customers or smart-ass channel partners like us banging them for not updating us on our new application plugin. Imagine the parties engineers can now attend to instead of writing regex for a company operating in Elbonia. Imagine the time they now can save and spend socialising with the rest of the world, or having the chance to meet people like Daisy.

It’s a whole new world, really.

So, Alienvault, please, get those updates to us as soon as you can and the world will be a better place for it.

If you need any information on Alienvault, or general help on your SIEM or PCI-DSS compliance, drop us an email on alienvault@pkfmalaysia.com and we will attend to it immediately!

PPWG (Protection Profile Working Group) Workshop at the Lexis

On the 10th – 11th October 2013, we had a meeting of all the Protection Profile Working Groups (PPWG) in Lexis Hotel, Port Dickson.

The PPWG is an initiative under Thrust 3: Cyber Security technology framework of the National Cyber security policy (NCSP), which in turn is to address cyber risks pertaining to Malaysia’s Critical National Information Infrastructure (CNII). 4 PPWGs were established

1. Data Protection

2. Network Devices

3. Application

4. Smart Card and related devices

The idea behind this was to set up standards and frameworks for developers to adhere to, to ensure information security is embedded in the system, instead of tacked on. We are, in all aspirations, like the National Institute of Standards and Technology (NIST) in the US.

PKF Avant Edge was formerly invited at the beginning of this year to be part of the PPWG3 group, comprising representatives from MIMOS, Cybersecurity, IRIS, Bank Negara and a few other private companies. In our first meeting, there were several representatives from the industries aside from the ones named above; but by the time this workshop rolled in, and after several iterations of all day meetings to discuss on the standards and protection profile for banking applications; we were the only ones left.

The idea behind PKFAE’s participation and our continuous support for the PPWG is not so much for profit, than for our philosophy. We don’t get anything out of it. The meetings are all day, 9 – 5 in Technology Park, in MIMOS’ HQ, and PKFAE’s representative is the managing director himself, not any other member of the company. So time cost’s perspective, it doesn’t really make too much sense for us to be part of it. But our philosophy has always been to balance profitability and responsibility. These are reasons why we give free workshops on Personal data protection act and project management; why we give free talks and industry contribution to universities; why we spend time engaging the government and educational societies in bringing information security awareness: we don’t get paid at all, and yet we do it. The underlying idea is to contribute back to the industry in which you are part of. If not in charity or donations, then in time and value. It does sound utopian, but we started the company with these basic tenets, so why not just continue on?

As such, aside from the government agencies, we are one of the few, if not the only consulting firm that is participating in our PPWG. It takes a lot of hard work and sacrifice, as well as doing something without any fees. We are not looking for any reward, but simply as something we need to be part of, as the basic form of our existence.

Once in a while, it’s still nice to get away from it all to Port Dickson, of course.

Good View from my room

Session ongoing from one of the PPWG

© 2021 PKF AvantEdge

Up ↑