Introduction to USM Appliance

Applies to Product: USM Appliance™ LevelBlue OSSIM®

This guide provides information for users of the LevelBlueUSM Appliance system, that are responsible for monitoring network security, and identifying and addressing security threats in their environment. The guide also describes operations provided by the USM Appliance web UI, which is used to perform most USM Appliance network security tasks after initial USM Appliance system deployment.

Topics covered in this guide include

  • Introduction — this section, which includes
    • Prerequisites and Requirements — target audience, recommended skills and background, and supported browsers for using the USM Appliance web user interface to perform network security operations.
    • USM Appliance Network Security Concepts and Terminology — description of key terms such as assets, threats, and vulnerabilities, and how USM Appliance calculates risk for specific assets.
    • About USM Appliance Components — high-level description of key USM Appliance components: USM Appliance Server, USM Appliance Sensor, and USM Appliance Logger.
    • About USM Appliance Network Security Capabilities — description of essential USM Appliance security capabilities including asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring and security information and event management (SIEM).
    • The USM Appliance Web User Interface — description of key elements and navigation of the USM Appliance web user interface (UI) used to access and perform USM Appliance network security monitoring and analysis operations.
  • Getting Started with USM Appliance — details typical security operations performed after initial USM Appliance installation and configuration, including security operation best practices and workflow, verifying USM Appliance operations, and establishing baseline network behavior.
  • USM Appliance Security Monitoring and Analysis — provides an overview of USM Appliance web UI main menu and submenu options and operations used for display, monitoring, and analysis of network security activities and events.
  • Incident Response — provides information on basic elements of incident response, effectively responding to threats ranging from single events or incidents to larger scale attacks involving multi-stage attacks.
  • Asset Management — describes operations to manage assets, asset groups, and asset-based security controls. Covers topics such as asset creation and discovery, vulnerability scans, HIDS deployment, and asset monitoring and analysis.
  • Alarm Management — provides information about alarms generated from events and OTX pulses, viewing and reviewing alarm information and field details, and assigning alarms for remediation with tickets.
  • Event Management — provides information on viewing, filtering, sorting, and analyzing events, alarms, and OTX field details.
  • Network Data Management — describes methods of capturing packet information from network traffic, and NetFlow data providing information about communication between network devices, to supplement information provided by system events and alarms.
  • Raw Log Management — provides information on searching and reviewing raw log information, configuring digital signing and verifying the integrity of raw logs, and exporting raw logs.
  • Ticket Management — details opening, searching, and editing of remediation tickets created using USM Appliance's own ticket management system.
  • Policy Management — provides information on creating and managing policies, defining policy conditions, consequences, and actions.
  • Event Correlation — describes how USM Appliance correlation works and provides information on creating and editing correlation directives or rules.
  • Vulnerability Assessment — Provides information on performing vulnerability scans, viewing and understanding scan results, and generating reports based on vulnerability scans.
  • Open Threat Exchange® and USM Appliance (OTX) — describes the open threat data platform allowing security researchers, and the OTX community at large, to share information about the latest threats and evidence of exploit or malicious acts that threaten network security.
  • USM Appliance Reports — provides information on report categories, creating and customizing reports, and generating reports based on vulnerability scan results.
  • User Administration in USM Appliance — describes USM Appliance user authentication and role-based authorization, configuration of authorization for specific assets, and monitoring user activity.
  • Using USM Appliance for PCI Compliance — provides information on USM Appliance capabilities to validate and document compliance with specific PCI DSS regulations.