Workflow of the USM Anywhere Event Process

After USM Anywhere is installed in your environment, events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall. start flowing through the system, so you can start gaining visibility into the type of events that are occurring, what natural or non-threatening activity is taking place, and what activity can be a possible attack. USM Anywhere also begins collecting other informan tion about your network and various network devices such as firewalls Virtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them., routers and switches, servers, and applications A software program that performs some collection of tasks on a computer or some other programmable device.. In addition, it is discovering and determining possible vulnerabilities and threats to your environment.

The following illustration details a high level view of events and other information from your network environment as it is collected or generated by the USM Anywhere Sensors Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. and Agents The world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. This repository provides a continuous view of real time malicious activity., and then delivered to the USM Anywhere for processing and storage.

Data flow of raw packets to events and alarms

USM Anywhere Sensor combines asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. discovery, vulnerability assessment Vulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities., threat detection, and behavioral monitoring Process of collecting all device status and event information and processing normalized events for evidence of vulnerabilities, possible attacks, and other malicious activity. to provide full situational awareness. USM Anywhere Sensor is the front-line security module of the USM Anywhere platform and provides detailed visibility into your environment, vulnerabilities, attack targets and vectors, and services.

USM Anywhere Sensor receives data and other activity or status information from devices and normalizes the information into a standardized event format. USM Anywhere Sensor then sends the normalized event to USM Anywhere, which tries to match every event with an asset or a user, enrich the event with environmental data where possible, and saves it.

Note: To protect the health of your system, USM Anywhere monitors the rate of events being sent to your sensor. If that rate, measured in events per second (EPS), threatens to impact your sensor's capacity your EPS will be throttled. Throttling allows your system to take more time to process events coming in, without risking event loss. USM Anywhere will generate an event when EPS throttling is engaged.

See Protecting Your Sensor's Performance with EPS Throttling for more details about when EPS is engaged and how it works, and Understanding Your Data Consumption Status to learn more about sensor capacity and USM Anywhere tier limits.

USM Anywhere provides a unified management interface through the web UI that combines security automation, and LevelBlue Labs™ Open Threat Exchange® (OTX™ The world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. This repository provides a continuous view of real time malicious activity.) and threat intelligence Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging hazard to assets that can be used to inform decisions regarding the subject's response to that hazard. from the LevelBlue Labs™ Security Research Team to correlate data, spot anomalies, reduce risk, and improve operational efficiency.

Correlation Correlation identifies potential security threats by identifying relationships between multiple types of events occurring in two or more assets. can be done logically, where events can be compared to patterns and multiple conditions can be connected by using logical operators such as OR and AND. After events are processed and correlated, USM Anywhere performs risk analyses and triggers an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. if the risk of the event is high enough.