USM Anywhere™

AWS Sensor Deployment

The USM Anywhere Sensor provides operational visibility into the security of your Amazon Web Services (AWS) environment. Based on the collected log information, USM Anywhere analyzes the data generated by your AWS environment and provides real-time alerting to identify malicious activity. The sensor is deployed into your AWS environment, giving you full control over the installation and the data it contains while avoiding any external access to your environment.

All USM Anywhere Sensors allow for authenticated scans of assets (an asset is an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) by leveraging stored credentials that you define in USM Anywhere. This allows USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services. Unlike the other USM Anywhere Sensors, the AWS Sensor queries AWS directly to discover assets using an AWS API.

Log Collection and Scans

The AWS Sensor collects AWS logs and system logs, and generates asset scans and vulnerability assessments (vulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities), consisting of the following:

  • CloudTrail Logs
  • Elastic Load Balancing Logs
  • S3 Access Logs
  • CloudWatch Log Collection
  • S3 Log Collection
  • Operational logs for critical software packages deployed, such as HTTP servers and database servers
  • Asset scans on your VMs to inventory installed software packages, running processes, and services
  • Periodic vulnerability assessments

Log Analysis

USM Anywhere analyzes these logs in these stages:

  1. Collects logs from systems and software running in your environment
  2. Configures log line processing and generates events

    • Includes IP addresses and timestamps culled from extracted log line data
    • Adds other data to the event, such as security context and environmental information
  3. Analyzes events and stores them

USM Anywhere collects log data, processes the data, and produces normalized events
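The three stages above (collect, process log lines into events with IP addresses and timestamps, then enrich with context) are easiest to see with code. The following is an added example, not USM Anywhere's own code: it normalizes one CloudTrail record and one S3 server access log line into events with a common shape. The sample inputs, the `environment` label, the `INTERNAL_NETS` list and every field name in the normalized event are assumptions made for the example.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs (not real log data): one CloudTrail record and one
# S3 server access log line, laid out in the formats AWS documents for them.
CLOUDTRAIL_RECORD = json.dumps({
    "eventVersion": "1.05",
    "eventTime": "2019-02-06T00:00:38Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "awsRegion": "us-west-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "example-user"},
    "recipientAccountId": "123456789012",
})

S3_ACCESS_LINE = (
    'ownerid000 example-bucket [06/Feb/2019:00:00:38 +0000] 10.0.1.25 '
    'requesterid000 3E57427F3EXAMPLE REST.GET.OBJECT secrets/db.conf '
    '"GET /example-bucket/secrets/db.conf HTTP/1.1" 200 - 113 113 7 6 "-" "curl/7.64" -'
)

# Leading fields of an S3 server access log line: bucket owner, bucket,
# [time], remote IP, requester, request ID, operation, key, "request-URI", status.
S3_ACCESS_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+)'
)

# Assumed environmental context: RFC 1918 ranges count as "internal" sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True for RFC 1918 addresses, False for other IPs, None for non-IP
    values (CloudTrail puts service principals such as "s3.amazonaws.com" here)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in net for net in INTERNAL_NETS)


def add_context(event, environment):
    """Stage 2, second bullet: attach security context and environmental information."""
    event["source_is_internal"] = is_internal(event["source_ip"])
    event["environment"] = environment
    return event


def normalize_cloudtrail(raw_json, environment="prod-aws"):
    """Stage 2, first bullet, for a CloudTrail record: pull out the timestamp
    and source IP, then enrich."""
    rec = json.loads(raw_json)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    identity = rec.get("userIdentity", {})
    event = {
        "source_type": "cloudtrail",
        "timestamp": ts.isoformat(),
        "source_ip": rec["sourceIPAddress"],
        "event_name": rec["eventName"],
        "actor": identity.get("userName") or identity.get("type"),
        "account_id": rec.get("recipientAccountId"),
        "region": rec.get("awsRegion"),
    }
    return add_context(event, environment)


def normalize_s3_access(line, environment="prod-aws"):
    """Same stage for an S3 server access log line; the bracketed local-time
    stamp is converted to UTC so both event types share one timestamp format."""
    m = S3_ACCESS_RE.match(line)
    if m is None:
        raise ValueError("not an S3 server access log line")
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    event = {
        "source_type": "s3-access",
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
        "source_ip": m["ip"],
        "event_name": m["operation"],
        "actor": m["requester"],
        "bucket": m["bucket"],
        "object_key": m["key"],
        "http_status": int(m["status"]),
    }
    return add_context(event, environment)


if __name__ == "__main__":
    for event in (normalize_cloudtrail(CLOUDTRAIL_RECORD), normalize_s3_access(S3_ACCESS_LINE)):
        print(json.dumps(event, indent=2))
```

Because both normalizers emit the same `timestamp`, `source_ip`, `event_name` and `actor` keys, events from different AWS log sources can be sorted and correlated together in the analysis stage; the `source_is_internal` flag is the kind of environmental context that lets a later rule treat an API call from outside your address space differently from one inside it.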

Deployment Overview

AT&T Cybersecurity distributes the AWS Sensor as a CloudFormation template in two different forms. (CloudFormation templates define specific AWS resources, for example Amazon EC2 instances and IAM permissions, that enable AWS to automate the provisioning and configuration of the service, called a "stack".) The one that you use depends on the type of AWS environment where you want to deploy it (a Virtual Private Cloud or EC2-Classic).

The deployment process for an initial USM Anywhere Sensor in your AWS environment consists of these primary tasks:

  1. Review requirements for an AWS Sensor deployment
  2. Deploy the USM Anywhere Sensor within your AWS environment
  3. Register the sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor
  4. Complete your AWS Sensor configuration, including initial asset discovery
