About USM Appliance Network Security Capabilities

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance is designed primarily to help mid-size organizations effectively defend themselves against today’s advanced threats. The USM Appliance platform provides five essential security capabilities in a single console, giving you everything you need to manage both compliance and threats.

USM Network Security Capabilities

Here is a brief description of the essential functions that USM Appliance provides:

  • Asset discovery is an essential security capability of USM Appliance. USM Appliance discovers assets in your environment, detects changes in assets, and discovers rogue assets in the network.
  • Asset discovery uses passive tools, such as passive operating system fingerprinting and passive service discovery. Asset discovery also utilizes active scanning, which can be scheduled to be performed periodically or can be performed manually.
  • Vulnerability assessment, which can be done in unauthenticated or authenticated modes, identifies vulnerabilities or compliance by comparing the installed software on assets with a database of known vulnerabilities. With authenticated scanning, and using an administrative user account, USM Appliance can scan the assets more effectively. Vulnerability scans can also be scheduled to be performed periodically or performed manually.
  • Intrusion detection monitors network traffic for malicious activity, monitors system log messages, and monitors user activity. Intrusion detection for USM Appliance consists of host-based intrusion detection (HIDS) and network-based intrusion detection (NIDS) components.

HIDS can be used to spot problems on host endpoints, and can include file integrity monitoring, rootkit and registry checks. NIDS passive sniffing interfaces can analyze network payload data to monitor for potentially malicious activity.

  • Behavioral monitoring provides visibility into traffic patterns and network flows (NetFlow data), which are used to detect anomalies that might indicate security policy violations. Data used for behavioral monitoring and analysis is collected from network devices, flows based on mirrored traffic, and asset availability monitoring.
  • SIEM security intelligence combines and correlates collected logs and other data to find malicious patterns in network traffic and within host activity.

USM Appliance draws intelligence from different sources including LevelBlue Lab Threat Intelligence. OTX Correlation rules, created by LevelBlue Labs™, are used to identify patterns associated with malicious activity. OTX threat data provides IP reputation information for OTX pulses and the Indicators of Compromise An artifact observed with some degree of confidence to be an indication of a threat or intrusion. (IoCs) they include. OTX pulse information also identifies specific threats and how to address them.

Most USM Appliance security operation features and functionality are accessible from the USM Appliance web user interface (web UI). Additional information on each of the USM Appliance key features is provided in following sections.