W H I T E PA P E R

Detecting Ransomware with Unified

Security
Alienvault USM helps you reduce the risk of extortion

Detecting Ransomware with AlienVault USM TM

AlienVault USM
Recent years has seen a marked increase in
encrypting ransomware. Ransomware usually
propagates as a trojan via email with an attachment
or directing users to a malicious website for a drive-
by malware download. Historically ransomware SIEM ASSET
has primarily targeted Windows operating systems DISCOVERY
but Mac OS X variants have also begun to emerge.
Typically, once the malicious file executes it
connects to a Command and Control (C&C) server
AlienVault Labs
where the malware begins to encrypt specific Threat Intelligence
file types on a system as well as shared drives.
The ransomware demands payment to provide a
password to unlock the encrypted files, or else
it will continue to encrypt files until the system is BEHAVIORAL VULNERABILITY
unusable. MONITORING ASSESSMENT

Outbound communication from an infected system

is often difficult to detect due to ransomware
employing techniques such as domain generation
algorithms. The algorithm enables the ransomware INTRUSION
administrator to create thousands of random DETECTION
domains every day. The same algorithm running on
each infected system generates that same list of random domains, and each compromised system tries to connect
to each of those domains until it finds the Command and Control (C&C) servers. This approach prevents the use of a
blacklist to block the connection to a static IP address or domain.

How AlienVault USM Detects Ransomware

The USM platform uses several built-in technologies working in unison to detect advanced threats like ransomware.
A unified approach is the most effective way to detect advanced threats because of its ability to collect log files
from a wide range of data sources and correlate them. Event correlation is a technique for taking a large number of
seemingly unrelated events across disparate systems and pinpointing the few events that are truly important in that
mass of information. AlienVault USM correlation rules identify, isolate, and investigate indicators of exposure (IOEs)
and indicators of compromise (IOCs) relating to ransomware.
 W H I T E PA P E R

The USM platform has all of the essential security controls built-in, with its capabilities continually enhanced by
AlienVault Labs Threat Intelligence. You can also incorporate log data from virtually any third party security tools via
the extensive plugin library, which allows you to preserve the value of previous investments.

The AlienVault USM platform uses a variety of technologies to gather information on a range of threat vectors to
provide the who, what, where, when and how of these attacks including:

Network Intrusion Detection (IDS) analyzes the network traffic to detect signatures of known attacks and patterns
that indicate malicious activity. Using field-proven IDS technologies, USM identifies attacks, malware, policy
violations and port scans by performing signature, anomaly and protocol analysis.

Host Intrusion Detection (HIDS) and File Integrity Monitoring (FIM) analyze system behavior and configuration
status to identify suspicious activity and potential exposure. This includes the ability to identify the registry change
required to initiate the ransomwares encryption engine.

Correlation Directives The AlienVault Labs Threat Research Team regularly adds ransomware-specific correlation
directives that identify a range of behaviors that are indicative of a ransomware infection, including:
Downloading the ransomware file

Systems attempting to connect with a C&C server and post data

Multiple failed connections from a system attempting to connect to a domain (or multiple domains) within a
narrow time window

AlienVault Labs Threat Intelligence

Cyber criminals and attackers are constantly evolving their methods, making for a constantly evolving threat
landscape. Organizations dont have the time or resources to continuously monitor the threat environment. Instead,
they turn to AlienVault Labs to help detect the latest threats. The AlienVault Labs threat research team spends
countless hours mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities and
exploits they uncover across the entire threat landscape.

The AlienVault Labs team uses this diverse source of information to deliver regular threat intelligence updates to the
USM platform. USMs integrated threat intelligence from AlienVault Labs eliminates the need for IT teams to spend
precious time conducting their own research on emerging threats, or on alarms triggered by their security tools. The
AlienVault Labs team regularly delivers threat intelligence as a coordinated set of updates to the USM platform, which
accelerates and simplifies threat detection, prioritization, and response:

Correlation directives translates raw events into actionable remediation tasks

Network and host IDS signatures detects the latest threats in your environment
Asset discovery signatures identifies the latest OSs, applications and device types
Vulnerability assessment signatures finds the latest vulnerabilities on all your systems
Reporting modules provides new ways of viewing data about your environment and / or meeting compliance
requirements

Dynamic incident response templates delivers customized guidance on how to respond to each alert
Newly supported data source plug-ins expands your monitoring footprint

2016 AlienVault. All rights reserved. AlienVault and the AlienVault logo are trademarks or registered trademarks of AlienVault. 2
All other names and trademarks are for identification purposes and are the property of their respective owners.
 W H I T E PA P E R

The AlienVault Labs team also utilizes the power of the

Open AlienVault Threat Exchange (0TX). OTX is the
worlds first truly open threat intelligence community
that enables collaborative defense with open access,
collaborative research. There are over 1 million
threat indicators submitted by the community to OTX
every day, from over 26,000 participants in over 140
countries.

OTX is also integrated with the AlienVault USM

platform, giving you additional insight into malicious
activity targeting your network. The integration with
OTX enables the powerful USM correlation engine to
quickly identify attackers, their tools, their infrastructure
who have previously attacked other members of OTX
or engaged in other malicious activity. Using the threat
intelligence in combination with behavioral correlation
rules provides an accurate way to quickly identify
known threats and known malicious actors.

You also have the ability to export indicators of

compromise (IoCs) from OTX to almost any security
product. OTX enables everyone in the OTX community
to actively collaborate, strengthening their own USM prioritizes alerts, from highest (System Compromise) to lowest
(Environmental Awareness) telling your IT team what are the most
defenses while helping others do the same.
important threats facing your network right now

Unified Security Management (USM)

The AlienVault USM platform provides a fast and cost-effective way for organizations with limited security staff and
budget to address compliance and threat management needs. With all of the essential security controls built-in, the
USM platform puts complete security visibility within fast and easy reach of smaller security teams who need to do
more with less.

USM combines the following essential security capabilities, including SIEM, for single-pane-of-glass security visibility
and management:

Asset Discovery and Asset Inventory

Active Network Scanning

Passive Network Scanning

Asset Inventory

Software Inventory

Vulnerability Assessment
Continuous Vulnerability Monitoring

Authenticated / Unauthenticated Active Scanning

2016 AlienVault. All rights reserved. AlienVault and the AlienVault logo are trademarks or registered trademarks of AlienVault. 3
All other names and trademarks are for identification purposes and are the property of their respective owners.
 W H I T E PA P E R

Intrusion Detection
Network IDS

Host IDS

File Integrity Monitoring

Behavioral Monitoring
Netflow Analysis

Service Availability Monitoring

SIEM
Log Collection

OTX Threat Data

SIEM Event Correlation

Incident Response

Traditional security point-products require extensive configuration and tuning during deployment, and monitoring
after deployment. The lack of integration with other tools means that even with a centralized management console
like SIEM, IT teams have to dedicate a significant amount of staff time to managing each security control, and even
more time trying to consolidate and correlate all of the alerts being generated by those tools.

By providing built-in essential security capabilities and integrating threat intelligence from AlienVault Labs, the USM
platform significantly reduces complexity and deployment time so that you can go from installation to first insight in
about an hour.

AlienVault USM Architecture

AlienVault USM is composed of three core components, each of which is available as a physical appliance or virtual
appliance for maximum deployment flexibility.

1. AlienVault Sensor: Sensors perform four of the five essential capabilities of AlienVault: Asset Discovery,
Vulnerability Assessment, Threat Detection, and Behavioral Monitoring. Sensor Processes perform initial
processing (normalization) on that raw data, then transmit normalized events to the AlienVault Server for correlation
and reporting.

2. AlienVault Server: The AlienVault Server provides a unified security management and configuration capability for
all monitored assets. The Server receives normalized data from one or more Sensors, correlates and prioritizes
the security events occurring across all assets, then displays these as alarms and security events in a variety of
summary and detailed reports and dashboard views.

3. AlienVault Logger: The AlienVault Logger provides the Server with the ability to archive log files for purposes of
forensic analysis and to fulfill compliance requirements for log archival and management.

2016 AlienVault. All rights reserved. AlienVault and the AlienVault logo are trademarks or registered trademarks of AlienVault. 4
All other names and trademarks are for identification purposes and are the property of their respective owners.
 W H I T E PA P E R

AlienVault Labs

USM Sensor

Threat
Intelligence

USM Server USM Logger

AlienVault USM helps you contain threats and investigate incidents

The AlienVault Difference

The AlienVault approach delivers a unique solution to the challenge that under-resourced IT teams face when trying
to secure their networks. We start with the USM platform, which is a built-in stack of integrated, essential security
technologies. We add to it our experienced team of security experts, whose sole job is to analyze changes in the
threat landscape. They then create the threat intelligence updates that are delivered regularly as a coordinated set
of enhanced detection capabilities, advanced correlation rules and reports, that help our customers detect, prioritize,
and respond to the most critical issues in their networks, such as ransomware.

About AlienVault
AlienVault has simplified the way organizations detect and respond to
todays ever evolving threat landscape. Our unique and award-winning
approach, trusted by thousands of customers, combines the essential security
controls of our all-in-one platform, AlienVault Unified Security Management,
with the power of AlienVaults Open Threat Exchange, the worlds largest
crowdsourced threat intelligence community, making effective and affordable
threat detection attainable for resource-constrained IT teams. AlienVault is a
privately held company headquartered in Silicon Valley and backed by Trident
Capital, Kleiner Perkins Caufield & Byers, Institutional Venture Partners, GGV
Capital, Intel Capital, Jackson Square Ventures, Adara Venture Partners,
Top Tier Capital and Correlation Ventures. For more information visit www.
AlienVault.com or follow us on Twitter (@AlienVault).