USM Anywhere Data Security

As a security-first organization, LevelBlue makes your data protection and privacy a top priority. USM Anywhere architecture and processes are designed to protect your data in transit and at rest.

Data Collection

All data sent from the USM Anywhere Sensor deployed in your on-premises or cloud environment to the USM Anywhere service in the LevelBlue Secure Cloud is encrypted and transferred over a secure TLS 1.2 connection. Each sensor generates a certificate to communicate with the USM Anywhere service. This means that all communication is uniquely encrypted between each sensor and USM Anywhere.

All forensic data (raw logs) is backed up on an hourly basis. The data collected in USM Anywhere is secured using AES-256 encryption for both hot (online) storage and cold (offline) storage.

Data Access

Your data in USM Anywhere is treated as highly confidential, and only a select few LevelBlue staff members have access. This group of employees uses multi-factor authentication (MFA) to access the LevelBlue Secure Cloud. Strict internal controls and automation enable support for the service while minimizing administrative access.

LevelBlue also has a formal information security program that implements various security controls aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Key controls include: Inventory of Devices, Inventory of Software, Secure Configurations, Vulnerability Assessment, and Controlled Use of Administrative Privileges. Additionally, LevelBlue conducts security self-assessments on a regular basis.

Cold Storage Data Integrity

USM Anywhere offers secure long-term log retention, known as cold storage. By default, USM Anywhere stores all data associated with a customer’s subdomain in cold storage for the life of the active USM Anywhere subscription at no additional charge, while LevelBlue TDR for Gov customer data are kept for three years or longer (if requested).

Important: The retention period set on the license (30-days standard or 90-days standard) only applies to regular events. The retention policy for system events is 30 days and for user activities is 180 days, while the user activities related to investigations never expire.

USM Anywhere uses a write once, read many (WORM) approach in log storage to prevent log data from being modified or otherwise tampered with. You can download your raw logs at any time. If you do not renew your subscription, LevelBlue will keep the raw logs for 14 days after your subscription expires, giving you a grace period to restart your service. Within the 14 days, no data is collected until your license is reactivated. Therefore, data is lost between license expiration and reactivation. After 14 days, your data will be destroyed.

End-of-Contract Shut Down

If your subscription expires and you decide not to renew, your USM Anywhere instance will be decommissioned 14 days after the expiration. All data, including asset information, orchestration rules, user credentials, events and vulnerabilities (hot storage), and raw logs (cold storage), will be destroyed.

Business Continuity Plan

To ensure business continuity, USM Anywhere executes a backup procedure 2 times a day, encrypts the data, and stores it for 15 days. The Recovery Point Objective (RPO) is up to 12 hours and the Recovery Time Objective (RTO) is approximately an hour, depending on the size of the data being restored.

Password Policy

USM Anywhere stores and encrypts user credentials using the latest industry standards for securing passwords.

Keep in mind these points when you are logging in:

  • The login credentials that you set will apply to any USM Anywhere™ and USM Central™ you have access to.
  • USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
  • The password must contain numerical digits (0-9).
  • The password must contain uppercase letters (A-Z).
  • The password must contain lowercase letters (a-z).
  • The password must contain special characters, such as hyphen (-) and underscore (_).

Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in. A new password must be different from the previous four passwords.

After 45 days of inactivity, your user account will be locked. Manager users can unlock inactive accounts.

A user account is locked for 30 minutes after 5 consecutive failed login attempts (GovCloud users are locked out after 3 consecutive failed login attempts).