Alert Logic SD WAN & SASE Cybersecurity Solutions

Alert Logic SASE Solutions: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about Alert Logic and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.com 

(Please use the UK email for ROW - Rest of the World - questions or enquiries)

Netify Review

Alert Logic specializes in Managed Detection and Response (MDR) security solutions. They have spent many years developing a strong Security Operations Center (SOC) with security experts to support clients on an individual basis, whilst using machine-learning technology to deliver bespoke security solutions. The MDR service is offered in three different tiers (see, Managed Detection and Response) each of which is managed and leverages constant support from the Alert Logic SOC. 

The solution also features granular cloud security, offering products designed specifically for cloud providers such as AWS, Azure and Google Cloud (see, How does Alert Logic deliver cloud security?). Each offering comes as-a-service, with MDR built in for AWS, a detailed security stack for Azure and security-as-a-service for Google Cloud. 

Netify recommends Alert Logic to clients who require a feature-rich MDR solution designed for cloud environments. It may be beneficial to clients with a small IT team, as the Alert Logic solution offers constant support from security experts, reducing the time that the client’s workforce will need to spend analyzing security threats. However, caution may be taken for clients looking for network-based or SASE security solutions, as Alert Logic do not currently offer either of these service and remain largely focused on cloud-based and MDR security solutions.

About Alert Logic

Alert Logic was founded in 2002, and its corporate headquarters is located in Houston, Texas, United States. The company offers the industry’s first SaaS-enabled MDR solution and was named a Leader in the New MarketScape by IDC. They have offices in North America, the UK and Latin America. As of March 2022, Alert Logic was acquired in a merger agreement with Fortra (formerly HelpSystems) and is now part of Fortra’s cybersecurity portfolio.

What are Alert Logic's Solutions?

• Threat Management Solution: Combines vulnerability management, IDS, endpoint protection, log management and WAF, for on-premises, hybrid and cloud environments. Offers real-time alerting with constant monitoring from security experts and is compliant with security mandates
• Network Intrusion and Detection System (IDS): IDS can be deployed across cloud, hybrid and on-premises environments, and has the ability to identify brute force attacks, ransomware, lateral movement, command and control exploits and privilege escalation. It is able to detect threats to containers running on Azure, AWS, as well as on-premises deployed AWS Elastic Container Service (ECS), Docker, Kubernetes, CoreOS and AWS Elastic Beanstalk. Deployed agents can encrypt and transmit client’s egress, ingress and lateral network traffic to the Alert Logic backend for processing, whilst comparing network traffic with 17,000 IDS signatures in order to detect malicious activity, with constant monitoring from Global SOCs.
• Cybersecurity Monitoring: Offers constant network security monitoring, to detect suspicious activity, maintain security compliance and mitigate security threats. This offers a single view into system health and security, with support from security experts for remediation. Comprehensive security compliance programs are also available, ensuring clients will meet the requirements for HIPAA, GDPR, SOC 2 and PCI-DSS.
• Vulnerability Scanning and Assessment: Helps clients to track movement such as additions and deletions within their environment, identify compromising gaps in their network and service layers and offers remediation and mitigation guidance to help clients to know what steps to take to reduce risk. A vulnerability assessment process is managed for clients on a regular basis to help clients to stay ahead of security threats across hosted environments, on-premises installations, container infrastructures and public clouds. Further, misconfigurations can be identified and fixed using API-driven technology, with no-touch automation via AWS APIs such as GuardDuty and CloudTrail, and REST API integration with clients DevOps toolchain. The service comes in all three MDR service offerings: Alert Logic Essentials, Alert Logic Professional and Alert Logic Enterprise.
• Web Application Firewall (WAF): WAF offered as-a-service monitors web application traffic to build a policy that will block malicious web traffic by whitelisting valid requests and data. This uses machine-learning, blacklisting, whitelisting and signature based blocking by building a model of client’s applications in order to recognize suspicious activity. This meets the requirements for PCI DSS 6.6. The service includes: constant support from SOCs; managed deployment; zero-day emerging threat detection; rule and behavior-based detection; ongoing management and tuning; fully featured WAF as a service; auto-scaling and high availability setup; cloud deployment capability; and application delivery controls.
• Log Management: Automatically collects and aggregates event log files from servers, cloud, security, application, container and network assets, to provide visibility across a client’s environments. The solution is available in both Alert Logic Professional and Alert Logic Enterprise MDR offerings (see, Managed Detection and Response). This minimizes storage requirements, adheres to compliance mandates, collects the correct data and allows for activities to be traced back in order to deeper understand and investigate what occurred during an event. The service offers automated deployment, simple integration, and the ability to track user activity and collect and aggregate data. Clients can identify and research events from AWS - CloudTrail S3, IAM, EC2, AWS-deployed containers, Office 365 - for user activity, admin changes, Sharepoint, and Active Directory services as well as Azure - monitor, storage accounts, AppServices and Azure-deployed containers.
  
• Extended Endpoint Protection: A managed endpoint security solution designed to monitor and isolate threats to endpoint security as early as possible for macOS and Windows. Leverages machine-learning to identify ransomware and malicious techniques in real-time, whilst isolating compromised devices. This provides clients with deep visibility and can cover endpoint devices whether they are online or offline.
• Data Center Security: An on-premises security solution to protect data centers, infrastructure and applications. This includes IDS, vulnerability scanning and assessment, threat management, cybersecurity monitoring, WAF and log management.
  
• MDR for SaaS Vendors: Offers a cloud-based software-as-a-service monitoring solution, leveraging constant support from security experts. The service is designed to protect customer data stored by SaaS vendors, whilst also protecting SaaS vendor applications themselves. This includes threat detection, visibility, IDS with security monitoring and threat analysis, Threat Risk Index and WAF for applications. 

AWS Security Products: 

• AWS Cloudformation: Allows Alert Logic’s asset discovery and detection technologies to work providing sample cloud formation scripts for customers to adapt to their workflow. 
• AWS Control Tower: Combines MDR services into AWS Control Tower managed accounts. This allows users to deploy and configure Alert Logic MDR using an existing AWS Control Tower setup, which reduces the number of steps that are required for deployment and ensuring consistency across accounts. 
• GitHub: Alert Logic’s public GitHub that includes configuration of AWS services, deployment of Alert Logic sensors and deployment of the company’s container agent directly into client’s container environment. 
• AWS Security Services and Tools: AWS security services such as AWS IAM Access Analyzer, Amazon Inspector and AWS Config send findings to Alert Logic, where they are reported as exposures and remediations within the Alert Logic console. This allows clients to view account configuration issues, AWS authentication, config rule violations, vulnerabilities and exposures that are identified by the service through a single pane of glass. 
• AWS EC2: A lightweight traffic agent designed to detect attack methods for security threats that may be lurking in log data and network traffic. This includes exploits in web application frameworks, application stack components, containers and OWASP Top 10. 
• AWS Container Services: A network intrusion detection solution with log management, designed for containers, leveraging support for AWS, on-premises and hybrid environments. Threats can be detected and visualized in real-time in any container and for any workload, such as Docker or AWS Fargate. The solution is constantly monitored by security experts. 
• AWS Identity and Access Management: Detects and alerts to any potential security threat, with user Behavior Anomaly Detection (UBAD). Leverages machine learning which helps to understand normal user behavior and identify any changes in user behaviors, such as location and times of access to company systems. AWS CloudTrail data allows Alert Logic to detect and raise incidents for anomalous user behavior which has the potential to impact critical assets in client’s AWS environment. 
• Amazon GaurdDuty: Alert Logic helps users to respond to data from Amazon GaurdDuty, and helps to discover and analyze AWS configurations, finding exposures and simple actions to prevent future security issues. 
• AWS Security Hub: Alert Logic integrates with AWS Security Hub to offer visibility into a client’s security state. It presents as a dashboard located within the AWS console where findings from AWS and Alert Logic can be viewed. 
• AWS Network Firewall: Offers users enhanced visibility and threat detection coverage. 
• Amazon Workspaces: Endpoint protection designed to stop attacks that attempt to compromise Windows endpoints. Breaches are recognized by multi-vector attack monitoring and isolation, stopping them before damage can occur. 
• AWS Center for Internet Security (CIS) Benchmarks: A set of guidelines to help customers secure AWS cloud environments, with guidance for implementation and assessment. CIS AWS Foundations Benchmark support Level 1 and Level 2 are checked by Alert Logic Configuration, providing a clear report available from the user interface. 
• AWS CloudTrail: Designed to keep records of user, role and AWS services actions, logging them as events. API activity data is treated as any other data source that is captured and managed, integrating with AWS CloudTrail in order to collect API activity data from within an AWS account, combining it with log data from other applications and systems. 
• AWS User Behavior Anomaly Detection: Alert Logic can be used with AWS Cloud Trail data to identify and alert to incidents for anomalous user behavior, which may pose a security threat to business-critical assets in the AWS environment. 
• AWS Outposts: AWS Outposts allows users to run AWS services locally, until they are ready to migrate applications. Also provides increased visibility across the network. 

Azure Security Products: 

• Azure Security Monitoring: A suite of managed security services, delivered on a single platform. This includes: Intrusion Detection System (IDS), which identifies security threats which may be present in network traffic such as exploits in containers, web application frameworks, application stack components and methods which are listed in the OWASP Top 10, Log Management, which is needed to reach compliance requirements and helps to locate suspicious behavior from sources such as Azure-deployed containers, Azure Monitor and Azure Storage Accounts (Blobs or Tables), Vulnerability Management, which includes security configuration management and helps to identify vulnerabilities and analyze a client’s security posture in all layers of an application stack, Network-Level Container Security intrusion detection designed for Azure-deployed Kubernetes, Security Compliance Controls for SOX COBIT, HIPAA HITECH, SOC 2, GDPR, PCI DSS Compliance and PCI ASV attestation reporting; Integration with Azure Event Hubs with machine-learning analytics, the solution also leverages GIAC-certified security analysts for incident analysis and real-time notifications of critical attacks. 
• Azure User Behavior Anomaly Detection (UBAD): UBAD designed specifically for Azure environments to detect and report suspicious activity. Using machine-learning, a baseline of user behavior is determined, which helps to identify any changes in the way these users are accessing client systems, based on factors such as location and time of access. Leverages Azure Security Logs to detect and raise incidents for obscure user behavior. 
• Azure Event Hubs: Allows clients to identify unauthorized activity and investigate and analyze incidents without the need for a security expert. 
• Actionable Threat Detection and Response: Collects, aggregates and analyzes security data in order to identify attacks. Notable threats are verified and clients will be sent remediation recommendations.  

Google Cloud Platform Security Products: 

• Managed WAF: A cloud-based WAF that leverages security experts, who help to identify and validate web traffic before transporting it to web servers. 

What is the Alert Logic Managed Detection and Response (MDR) solution?

Alert Logic’s main focus is on MDR solutions. The system retains a log of aggregated data from over 1,000 customers that is leveraged by the Alert Logic Security Operations Center (SOC), in order to better identify potential security threats. The SOC features MDR Concierge, which is a single point of contact who works closely with clients and a designated Security Expert who will further analyze security threats and offer tailored response plans. This offers clients real-time reporting, information on vulnerabilities, potential security risks, compliance status and remediation activities. The service covers all areas, including network, system, cloud, applications and endpoint, with full SaaS scalability and threat analytics. 

The MDR service is offered in three different tiers: MDR Essentials, MDR Professional and MDR  Enterprise:

• MDR Essentials: Implementation Support, 24/7 Platform Support, Vulnerability Insight Support and PCI Dispute and PCI DSS and ASV Program Support, Hybrid Asset Discovery, Internal and External Vulnerability Scanning, Cloud Configuration Checks/CIS Benchmarks, Endpoint Detection, PCI Scanning, Real-Time Reporting and Dashboards
  
• MDR Professional: Contains all of the above, as well as MDR Concierge, 24/7 Threat Management, 15-Minute Escalation SLA, Emerging Threat Response, On-Demand Tuning and Sensor Optimization and Expert Log Review, File Integrity Monitoring, Network Monitoring, Log Data Monitoring, Log Collection and Search with 12 Month Retention, Web Log Analytics, Cloud Security Service Integration, Cloud Change Monitoring and User Behavior Monitoring. 
• MDR Enterprise: The most featured offering, contains all of the previous two, and Designated Security Expert, Continuous Threat Hunting, Pro-Active Tuning and Sensor Optimization, Extended Security Investigations, Weekly Security Review and Annual On-Site. 

How does Alert Logic deliver cloud security?

Alert Logic offer MDR services that are specifically designed to be implemented with the following cloud vendors:

• AWS: Alert Logic have been an AWS Partner since 2011, and currently offer clients a fully managed security suit designed to be delivered as-a-service for AWS as well as on-premises and hybrid infrastructures. Alert Logic has achieved Level 1 Managed Security Service Provider Competency, meaning they are able to offer 24/7 managed cloud security.  Their main focus is MDR services which run within AWS, integrating new AWS services and features into the Alert Logic MDR services. This can protect AWS workloads, by working with API-driven automation and DevOPS templates and defending cloud applications and infrastructure. The solution also offers container security solutions for AWS ECS, EKS and Fargate, with easy to deploy software agents and cloud-based analytics for most AWS services and has the capability to detect threats with behavioral machine-learning for systems, users and applications. The service also includes: vulnerability assessment, asset visibility, web application security and threat detection and response, with incident analysis and threat intelligence, advanced event correlation, managed intrusion detection, configuration management and log management and review. The service is compliant with a number of controls including HIPAA, SOC 2, SOX, HITECH, GDPR, AWS CIS Benchmark and PCI DSS Compliance. (See, Alert Logic products and services: AWS Security Products for more information). 
• Azure: Alert Logic provide a purpose-built security solution designed to protect Azure deployments against cyber attacks. The stack features constant security monitoring, to protect workloads and applications in real-time. It is cloud-native, with security visibility and adheres to a wide range of security compliance controls. Microsoft will provide security for the cloud, such as instance isolation, physical security and the protection of foundation services, whilst Alert Logic helps clients by providing security for data and applications stored within the Azure cloud, such as IDS, advanced event correlation, log management, and web application firewall (WAF). Further, Alert Logic design security applications specifically for deployment with Azure - their RESTful API and micro services architecture integrate with advanced logic to better understand Azure API outputs, such as Azure Storage Accounts - IIS logs and Azure SQL from App Services workloads, and Azure Monitor, which integrate with client’s CI / CD dynamic production environment and pipeline (See, Alert Logic products and services: Azure Security Products for more information). 
• Google Cloud Platform (GCP): Alert Logic offer security as a service solutions designed for GCP.  This includes managed IDS, WAF, and log management, with support from security experts in Alert Logic’s Global Security Operations Center (SOC) (See, Alert Logic products and services: Google Cloud Platform Security Products for more information). 
• Hybrid Cloud Security: Supported by Alert Logic’s MDR platform, the hybrid cloud security offers clients global threat activity visibility, constant monitoring and a dedicated global security research team. This includes threat management, cybersecurity monitoring, WAF, IDS, vulnerability scanning and assessment, cloud vendor security integrators, log management, extended endpoint protection, AWS user behavior anomaly detection and AWS Outposts (See, What are Alert Logic's Solutions?). 

How does Alert Logic support remote users?

Alert Logic support remote users by offering Endpoint Detection and Extended Endpoint Protection. These solutions secure home-workers networks with protection against file-less and file-based cyber attacks. Extending Alert Logic’s MDR service across teleworker devices reduces the overall area of the corporate attack surface and therefore opportunities for attackers to exploit. 

What is the Alert Logic managed, co-managed and DIY services solution?

Alert Logic MDR Essentials, MDR Professional and MDR Enterprise are all provided as a direct managed solution for incident response. These solutions offer support from cloud security experts at Alert Logic’s SOC to ensure the necessary skill and expertise for operation. For a breakdown of the features and service elements please see, Managed Detection and Response (MDR) or alternatively view the table below: 

What Reporting and Management is available via the Alert Logic Portal?

Alert Logic offer two different portals to help secure the attack surface. Please see below for more details:

• DevNet Software Development Portal: Provides tools and resources such as programing language integrations, library of use cases and a command-line toolkit. These features help companies to develop and embed their own integrations and automation to ensure the MDR platform can be extended at scale. The portal also provides scripting tools for automation and command execution as well as the provision of IT health data that can be extracted to other systems, ideal for companies wishing to operate using their preferred platforms and tools. 
• MDR Essentials Portal: This portal enables IT teams to identify and assess attacks on their network through clear incident reports. When an incident occurs the portal provides an insight into the asset involved and its topology within the network and recommendations into short term actions to be taken when an incident is confirmed. Proactive configuration checks help to identify known exposures as well as details of root-causes which allow IT teams to coordinate a strategic response through exposure management making the environment more secure through reduced exposure levels. 

What is the Alert Logic SLA?

The Alert Logic Availability Service Level is 99.5% with service credits available for failure to meet this SLA. See the table below for more details: 

Alert Logic provides an Escalation Time Requirement target of within 15 minutes. If this target is not met, service credits will be given. See the table below for more details: