USM Appliance Network Security Concepts and Terminology

Applies to Product: USM Appliance™ LevelBlue OSSIM®

When working with USM Appliance and using the USM Appliance web UI to perform network security operations, it is important to understand a few basic USM Appliance network security concepts.


First, a key tenet of the USM Appliance system is that it monitors assets. Assets are all devices in an enterprise that have some value to the enterprise and, generally, that it is possible to monitor or gather information about, such as their status, health or availability, configuration, activity, and events. The value comprises either the cost of the device itself, or the value of the data that is stored on the device or travels through the device.

  • An asset is defined as a unique IP address.
  • Assets are organized into networks based on IP addressing.
  • Networks are organized into locations or regions, based on their geographical location.

Typically, at least one USM Appliance Sensor is used to monitor one geographically self-contained location. If several locations are used by an enterprise, each location is monitored with at least one USM Appliance Sensor, which sends information to the USM Appliance Server about assets that are in the same location. Plugins are used in the USM Appliance Sensor to extract and normalize data from different data sources into standard-format events. USM Appliance provides a wide assortment of plugins that can be used to collect events for most commonly encountered data sources. You can enable up to 10 plugins per asset and up to 100 plugins per USM Appliance Sensor.


Another important concept to understand is risk. In most organizations, priorities for network security operations are determined primarily by risk, that is, factors such as the value of assets, the potential damage that particular threats pose to assets and the vulnerabilities those assets have to threats, and the likelihood that actual attacks will be carried out. In USM Appliance, risk values are calculated for each raw event received from the USM Appliance sensor as well as for additional security events generated as a result of correlation or cross-correlation of multiple events. USM Appliance generates an alarm for any event that has a calculated risk value greater than or equal to 1.

The formula that USM Appliance uses to calculate risk for individual events is the following:

Calculated Risk Value = (Asset Value * Event Priority * Event Reliability) / 25

In this formula, Asset Value is the value (0 to 5) that your organization assigns to a specific asset that is connected to an event. Event Priority is a priority ranking (0 to 5) that is based on the event type, such as authentication failure, web attack, or denial of service, which indicates the urgency with which an event should be investigated. (LevelBlue provides an event taxonomy to classify various events by category and subcategory. See USM Appliance Event Taxonomy). Event Reliability is a reliability ranking (0 to 10) that specifies the likelihood that an event is a real attack or a false positive event.


Finally, threats and vulnerabilities are what correlate the occurrence of certain events with risk and generate alarms when the risk values of events exceed a specific threshold value (greater than or equal to 1). Information about specific threats is obtained from sources such as those reported by LevelBlue Labs™ and the LevelBlue Labs™ Open Threat Exchange® (OTX™). For example, OTX provides indicators of compromise and notifications of malicious hosts, which can link assets by their vulnerabilities to specific threats and notification about events that involve known or suspect malicious hosts. (See the AlienVault OTX User Guide for more information on using OTX.) USM Appliance can also perform scans which identify assets’ vulnerabilities to specific, identified threats.