The USM Anywhere Sensor provides operational visibility into the security of your Amazon Web Services (AWS) environment. Based on the collected log information, USM Anywhere analyzes the data generated by your AWS environment and provides real-time alerting to identify malicious activity. When the sensor is deployed into your AWS environment, it provides ultimate control over the installation and the data contained within it, and also prevents any external access to your environment.

All USM Anywhere Sensors allow for authenticated scans of assets An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. by leveraging stored credentials that you define in USM Anywhere. This enables USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services. Unlike the other USM Anywhere Sensors, the Amazon Web Services (AWS) Sensor queries AWS directly to discover assets using an AWS API.

Log Collection and Scans

The AWS Sensor collects AWS logs and system logs, and generates asset scans and vulnerability assessments Vulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities., consisting of the following:

• AWS CloudTrail logs
• AWS Elastic Load Balancing (ELB) logs
• Amazon Simple Storage Service (S3) access logs
• Amazon CloudWatch log collection
• Amazon S3 log collection
• Operational logs for critical software packages deployed, such as HTTP servers and database servers
• Asset scans on your virtual machines (VMs) to inventory installed software packages, running processes, and services
• Periodic vulnerability assessments

Log Analysis

USM Anywhere analyzes these logs in these stages:

Stage 1: Collects logs from systems and software running in your environment

Stage 2: Configures log line processing and generates events

• Includes IP addresses and timestamps culled from extracted log-line data
• Adds other data to the event, such as security context and environmental information

Stage 3: Analyzes events and stores them

Deployment Overview

LevelBlue distributes the AWS Sensor as a CloudFormation CloudFormation templates define specific AWS resources (for example, Amazon EC2 instances and IAM permissions) that enable AWS to automate the provisioning and configuration of the service ("stack"). Template in a virtual private cloud (VPC).

The deployment process for an initial USM Anywhere Sensor in your AWS environment consists of these primary tasks:

1. Review requirements for an AWS Sensor deployment.
2. Deploy the USM Anywhere Sensor within your AWS environment.
3. Register the sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor.
4. Complete your AWS Sensor configuration, including initial asset discovery.