When working with USM Anywhere and using the USM Anywhere web UI to perform network security operations, it is important to understand a few basic USM network security concepts. First, a key principle of the USM system is that it monitors assets (an asset is an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers). Assets are all devices in an enterprise that have some value to the enterprise and, generally, that it is possible to monitor or gather information about, such as their status, health or availability, configuration, activity, or events (any traffic or data exchange detected by LevelBlue products through a sensor or through external devices such as a firewall). The value comprises either the cost of the device itself, or the value of the data that is stored on the device or travels through the device.
- An asset is defined as a unique IP address
- Assets are organized into networks based on IP addressing
- Networks are organized into locations, based on their geographical location
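The asset > network > location model in the list above, as an added Python illustration that is not USM Anywhere code: an inventory is built from unique IP addresses, each address is placed in the most specific defined network that contains it, and each network belongs to a location. The network names, CIDR ranges, location names and IP addresses are constructed sample data, and an address that matches no defined network is reported under a constructed "Unassigned" location rather than silently dropped.

```python
"""Organize assets into networks and locations by IP addressing.

Added illustration of the asset > network > location model; not
USM Anywhere code. All names and addresses below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample network definitions: name -> (CIDR, location)
NETWORKS = {
    "hq-servers": ("10.10.0.0/24", "Headquarters"),
    "hq-users": ("10.10.1.0/24", "Headquarters"),
    "branch-lan": ("192.168.50.0/24", "Branch Office"),
}


def locate_asset(ip, networks=NETWORKS):
    """Return (network_name, location) for the most specific defined
    network containing `ip`, or None when no network matches."""
    addr = ipaddress.ip_address(ip)
    best = None  # (name, location, prefixlen)
    for name, (cidr, location) in networks.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[2]):
            best = (name, location, net.prefixlen)
    return None if best is None else (best[0], best[1])


def build_inventory(asset_ips, networks=NETWORKS):
    """Group unique asset IPs by location and then by network.

    Returns {location: {network_name: [ip, ...]}}.  An asset is a unique
    IP address, so repeated addresses collapse to one entry.  Addresses
    outside every defined network land under the constructed
    "Unassigned" location and "unknown" network so they stay visible.
    """
    inventory = defaultdict(lambda: defaultdict(list))
    seen = set()
    for ip in asset_ips:
        ip = str(ipaddress.ip_address(ip))  # canonical text form
        if ip in seen:
            continue
        seen.add(ip)
        found = locate_asset(ip, networks)
        network, location = found if found else ("unknown", "Unassigned")
        inventory[location][network].append(ip)
    return {loc: dict(nets) for loc, nets in inventory.items()}


if __name__ == "__main__":
    # Constructed asset list, including a duplicate and an unplaced host
    sample = ["10.10.0.5", "10.10.0.5", "10.10.1.20", "192.168.50.7", "203.0.113.9"]
    for location, nets in build_inventory(sample).items():
        print(location)
        for net, ips in nets.items():
            print(f"  {net}: {', '.join(ips)}")
```

The most-specific-match rule matters when networks nest (for example a /24 carved out of a larger /16); without it an asset could be assigned to a broader network and therefore the wrong location.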
Typically, at least one USM Anywhere Sensor is used to monitor one geographically self-contained location. (Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data; this data is normalized and then securely forwarded to USM Anywhere for analysis and correlation.) If several locations are used by an enterprise, each location is monitored with at least one USM Anywhere Sensor, which sends information to USM Anywhere about assets that are in the same location. BlueApps are used in the USM Anywhere Sensor to extract and normalize data from different data sources into standard-format events. USM Anywhere provides a wide assortment of integrations that can be used to collect events for most commonly encountered data sources.
USM Anywhere includes correlation rules for identifying important events or patterns of events within large volumes of data. (A correlation rule correlates incoming events based on relationships previously defined in the correlation directive, associating multiple events, of the same or different event types, from the same data source.) Alarms (notifications of an event or sequence of events that require attention or investigation) are generated by an explicit call within the rules, either orchestration or correlation rules. Correlation rules detect threats and are continuously provided by the LevelBlue Labs™ Security Research Team. Information about specific threats is obtained from sources such as the LevelBlue Labs™ Threat Intelligence Subscription (which provides subscribers with the ability to detect the latest threats with continually updated correlation rules, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, collection and integrations, and report templates) and LevelBlue Labs™ Open Threat Exchange® (OTX™). For example, OTX provides indicators of compromise (artifacts observed with some degree of confidence to be an indication of a threat or intrusion) and notifications (communication of an important event, typically through an email message or other desktop display; in USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms) of malicious hosts, which can link assets by their vulnerabilities to specific threats and provide notification about events that involve known or suspect malicious hosts. USM Anywhere can also perform scans that identify assets' vulnerabilities to specific and identified threats.
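The pipeline described in the two paragraphs above (sensor-side normalization of raw log data into standard-format events, then a correlation rule that associates several events from the same data source and raises an alarm by an explicit call) as an added Python illustration. This is not USM Anywhere or BlueApp code: the log lines are constructed, the event field names (`data_source`, `event_type`, `source_ip`, `user`, `timestamp`) are an assumed schema, and the rule itself (three or more authentication failures from one source followed by a success within five minutes) is a constructed example of a correlation directive, with both the threshold and the window as parameters.

```python
"""Normalize raw log lines into events, then correlate them into an alarm.

Added illustration, not USM Anywhere code. The log lines, the event
schema and the rule thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from one data source ("sshd")
RAW_LOGS = [
    "2024-05-01T10:00:01 sshd: Failed password for admin from 198.51.100.7",
    "2024-05-01T10:00:04 sshd: Failed password for admin from 198.51.100.7",
    "2024-05-01T10:00:09 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T10:00:15 sshd: Accepted password for admin from 198.51.100.7",
    "2024-05-01T10:02:00 sshd: Failed password for bob from 192.0.2.10",
    "2024-05-01T10:02:30 sshd: Accepted password for bob from 192.0.2.10",
    "2024-05-01T10:03:00 kernel: unrelated message the parser does not know",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+): (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+)$"
)


def normalize(line):
    """Extraction/normalization step (the BlueApp role): one raw line
    becomes one standard-format event dict. Unknown lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": datetime.fromisoformat(m["ts"]),
        "data_source": m["source"],
        "event_type": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
        "user": m["user"],
        "source_ip": m["src_ip"],
    }


def correlate_failures_then_success(events, failures=3, window=timedelta(minutes=5)):
    """Constructed correlation rule: at least `failures` auth_failure
    events from one source IP, followed by an auth_success from the same
    source within `window`, raise an alarm. Events are associated by
    (data source, source IP), i.e. same data source, mixed event types."""
    alarms = []
    recent = defaultdict(list)  # (data_source, source_ip) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = (ev["data_source"], ev["source_ip"])
        # Forget failures that have aged out of the correlation window
        recent[key] = [t for t in recent[key] if ev["timestamp"] - t <= window]
        if ev["event_type"] == "auth_failure":
            recent[key].append(ev["timestamp"])
        elif ev["event_type"] == "auth_success" and len(recent[key]) >= failures:
            # Explicit alarm call inside the rule body
            alarms.append({
                "rule": "auth_failures_then_success",
                "data_source": ev["data_source"],
                "source_ip": ev["source_ip"],
                "user": ev["user"],
                "failed_attempts": len(recent[key]),
                "timestamp": ev["timestamp"],
            })
            recent[key] = []  # reset so one burst raises one alarm
    return alarms


def run(raw_lines=RAW_LOGS):
    """Full path: normalize every line, drop unparsable ones, correlate."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return correlate_failures_then_success(events)


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

Two design points carry over to real rules: the window is enforced before the event is processed, so a stale failure cannot contribute to an alarm, and the per-key state is cleared once an alarm fires, so a single burst produces one alarm rather than one per subsequent success.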
See Rules Management for more information.