USM Anywhere™

Workflow of the USM Anywhere Event Process

After USM Anywhere is installed in your environment, eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. start flowing through the system, so you can start gaining visibility into the type of events that are occurring, what natural or non-threatening activity is taking place, and what activity can be a possible attack. USM Anywhere also begins collecting other informan tion about your network and various network devices such as firewallsVirtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them., routers and switches, servers, and applicationsA software program that performs some collection of tasks on a computer or some other programmable device.. In addition, it is discovering and determining possible vulnerabilities and threats to your environment.

The following illustration details a high level view of events and other information from your network environment as it is collected or generated by the USM Anywhere SensorsSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. and AgentsThe world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. This repository provides a continuous view of real time malicious activity., and then delivered to the USM Anywhere for processing and storage.

Data flow of raw packets to events and alarms

USM Anywhere Sensor combines assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. discovery, vulnerability assessmentVulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities., threat detection, and behavioral monitoringProcess of collecting all device status and event information and processing normalized events for evidence of vulnerabilities, possible attacks, and other malicious activity. to provide full situational awareness. USM Anywhere Sensor is the front-line security module of the USM Anywhere platform and provides detailed visibility into your environment, vulnerabilities, attack targets and vectors, and services.

USM Anywhere Sensor receives data and other activity or status information from devices and normalizes the information into a standardized event format. USM Anywhere Sensor then sends the normalized event to USM Anywhere, which tries to match every event with an asset or a user, enrich the event with environmental data where possible, and saves it.

Note: To protect the health of your system, USM Anywhere monitors the rate of events being sent to your sensor. If that rate, measured in events per second (EPS), threatens to impact your sensor's capacity your EPS will be throttled. Throttling allows your system to take more time to process events coming in, without risking event loss. USM Anywhere will generate an event when EPS throttling is engaged. See Protecting Your Sensor's Performance with EPS Throttling for more details about when EPS is engaged and how it works.

USM Anywhere provides a unified management interface through the web UI that combines security automation, and AT&T Alien Labs™ Open Threat Exchange® (OTX™The world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. This repository provides a continuous view of real time malicious activity.) and threat intelligenceEvidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging hazard to assets that can be used to inform decisions regarding the subject's response to that hazard. from the AT&T Alien Labs™ Security Research Team to correlate data, spot anomalies, reduce risk, and improve operational efficiency.

CorrelationCorrelation identifies potential security threats by identifying relationships between multiple types of events occurring in two or more assets. can be done logically, where events can be compared to patterns and multiple conditions can be connected by using logical operators such as OR and AND. After events are processed and correlated, USM Anywhere performs risk analyses and triggers an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. if the risk of the event is high enough.