We have an audacious goal on the USM Central Product team. We believe that we can create the most phenomenal security platform for MSPs and MSSPs on the market with the combination of USM Central, USM Anywhere, and USM Appliance. As we move into Q3, we wanted to take some time to stop and reflect a bit on our journey. We thought it’d be helpful to provide some perspective on the problems we believe USM Central should solve for our customers, recap what we’ve built so far, and preview what’s ahead of us as we storm ahead into the back half of the year.
When prioritizing our efforts for USM Central, we always try to ask ourselves two questions. The first is, “How can we help our MSSP / MSP partners to be more efficient?” For instance, are they taking some redundant action multiple times across several deployments? What data are they looking for in the “child deployments” that would be helpful to view in USM Central? The second is, “How are USM Central users ‘patching’ our functionality?” By talking to our partners every week, we try to understand what other systems or tools they are using in conjunction with our products and find ways that we could either 1) address that need in product or 2) integrate with the existing workflow. While USM Anywhere continues to push the envelope on core security capabilities, we believe we can create “SOCs with superpowers” with USM Central by showing up every day and trying to answer those two questions. Below, you’ll find a short summary of our recent efforts and what we’re excited about moving forward.
Alarm Status and Label Synchronization
Labels are a simple yet powerful method to track the status of alarms in the various stages of the investigation cycle, classify alarm data for analysis/reporting, or even show “proof of work” to your end customers. Before USM Central, any edit to a label in the child instance would not be reflected in the Federation Server, requiring an analyst to make the label or alarm updates in multiple places. Today, any changes made to an alarm from connected USM Anywhere deployments are automatically synced to USM Central, and USM Central users can standardize labels across all of their USM Anywhere deployments. We're hoping this will dramatically streamline alarm workflows. Check out the details of this feature in the documentation here.
Orchestration Rule Management
Often, when our MSSP partners create an orchestration rule in USM Anywhere for one client, they recognize that it would be useful to deploy that same rule to another client. Additionally, when onboarding a new client, we’ve found that it’s helpful to do a comparative audit with another more mature deployment to make sure you've covered all of your bases, from filtering to alarm rules. With the most recent release of USM Central, all of the rules for your connected USM Anywhere deployments are now synced to USM Central. USM Central users can filter their view to show only rules from selected deployments, or copy a rule and quickly apply it to another customer.
Do you use a ticketing system to generate tickets for alarms generated within your AlienVault deployment(s)? Maybe you customize reports or dashboards by using data from AlienVault and other products for use internally or in client presentations?
You can now generate an API key in product for the USM Central API. The REST interface will allow you to search for alarms for all of your connected USM Anywhere or USM Appliance instances. For this first release, we've only exposed an Alarms endpoint, but we're looking forward to adding additional capabilities in the coming months. Check out our documentation here or head to the Profile view within your USM Central instance to test it out today!
In an upcoming release, you’ll have the ability to manage labels for connected USM Appliance deployments, too. Next, we’re going to look at adding additional API endpoints for vulnerabilities and configuration issues (only applicable for USM Anywhere to start). After that, we’ll circle back and expand on our role-based access control feature set. As a manager, you’ll have the ability to assign your analysts to specific deployments in your USM Central installation. For example, Analyst A could be assigned to deployments 1 - 3 while Analyst B is assigned to deployments 4 - 6. Each analyst’s view and permissions would be limited to their assigned deployments. We’re hoping this makes it easier to manage USM Central installations with a large number of child deployments.
Late this year, we’ll begin to bridge the gap towards allowing you to initiate incident investigation and response workflows directly from USM Central. We’ll start with managing vulnerability scans and go deeper from there based on your feedback.
Thanks for tuning in. You can give me a shout anytime you want by hitting the “mail” icon and messaging me within your USM Central instance. We’d love to hear any feedback or learn about your business!
Senior Product Manager, USM Central & USM Appliance