About the USM Appliance Solution for MSSP

The LevelBlue Unified Security Management® (USM) platform is the only security platform that combines out-of-the-box capabilities for asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and security information and event management (SIEM) as well as integrated threat intelligence. LevelBlue USM Appliance provides a reliable, highly flexible, scalable deployment model that helps you, as a managed service provider, quickly deploy it to monitor your customer environments. The USM Appliance platform enables you to quickly detect, prioritize, and respond to threats in your customers’ networks. For more details, see About USM Appliance.

Product Offering

Managed Service Providers, Cloud Providers, and Managed Hosting Providers in every region of the world are expanding their service catalogs, earning industry-leading margins, and ensuring uptime and availability of their customers’ business-critical applications by partnering with LevelBlue. MSSPs/MSPs choose the USM Appliance platform to deliver highly effective unified security management for the smallest to largest of environments because it offers:

  • Centralized ViewUSM Appliance enables you to use a single console to see all of your customers’ networks. You can provide your subscribers with local views of their data and security, and compliance reports labeled with your brand.
  • Product Breadth — The scope of LevelBlue's software provides you many service-offering options, including vulnerability assessment, intrusion detection, security information and event management (SIEM), and other capabilities.
  • Market Differentiation — One of the primary differentiators of USM Appliance is the LevelBlue Labs™ Threat Intelligence Subscription. The LevelBlue Labs™ Security Research Team regularly delivers threat intelligence that keeps the USM Appliance platform current with the latest changes in the threat landscape. (To find out what's included in each update, see The Threat Intelligence Updates.) In addition, USM Appliance has built-in integration with Open Threat Exchange® (OTX™). OTX is the world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. To learn about the integration between OTX and USM Appliance, see Using OTX in USM Appliance.

USM Appliance for MSSP Architecture

There are three components in the USM Appliance architecture, and each is available as a physical device or a virtual appliance. See About USM Appliance System Architecture and Components for more information.

We recommend that you employ a USM-as-a-Service deployment in your Security Operations Center (SOC) to best utilize the USM Appliance platform’s ability to perform security services for your clients.

Important: All deployment scenarios described in this guide require the installation and configuration of an LevelBlue Federation Server and an MSSP license agreement.

USM Appliance as a Customer-Hosted Service with Centralized View

Deploying LevelBlue USM Appliance as a managed service simply involves installing a USM Appliance All-In-One on the customer premises. Installing an All-in-One device simplifies deployment, because you only need to install one device instead of separate server, sensor, and logger devices, and leverages all of the USM Appliance components. With an All-in-One deployment, you can forward alarms and events to a USM Appliance installation on your premises. Your USM Appliance Server can accept events and alarms from multiple All-in-Ones deployed at your customers' premises. This configuration is also referred to as Federation.

USM Appliance as a customer-hosted service

USM Appliance as a Customer-Hosted Service

Note: Starting from USM Appliance version 5.4.3, you can also connect USM Appliance to USM Central™, a cloud-based service hosted by LevelBlue. For further details, see the USM Central Operations Guide, and more specifically, how to connect USM Appliance to USM Central.

About the Federation Server

LevelBlue USM Appliance utilizes a Federation Server that connects to every customer's USM Appliance deployments and collects alarms into one alarm panel. For more detail on the benefits of the Federation Server and how it works, please see Section 4 of the MSSP Resource Kit available on the LevelBlue Partner Portal.

The traditional MSSP deployment sends all security events up to a central SIEM server for log management, correlation, alerting, and reporting. The central SIEM must be able to keep up with the growing number of log events from all of their customers concurrently. This creates great demand on the central SIEM, requiring constant resource upgrades to keep up. In addition, any downtime affects all customers.

The Federation Server concept moves this overhead away from the SOC. Each customer has an independent USM Appliance installation that collects, correlates, and stores security events. All events with elevated risk level (determined by correlation at customer level) are sent up to the Federation Server in your SOC, where your analysts can triage the incoming customer alerts. Analysts can click-through to the customer environment at any time to do forensics or filter out false positives.

Federation offers several advantages over a traditional multi-tenant setup:

  • Move the cost of scaling to the customer deployment
  • Ability to scale each client independently based on their size and needs
  • Scales to many customers as the Federation Server only receives alerts, not each security event, minimizing your own hosting requirements
  • Requires minimal equipment for the MSSP to deploy in customer environments
  • Segregates data — Data/Logs remain on the customer’s system under their control

Information Synced Between Servers

The following information is synced between the Federation Server and customers' USM Appliance, so that the Federation Server can get the full context behind an alarm:

  • Assets
  • Correlation Contexts
  • Servers
  • Sensors
  • Networks
  • Locations
  • Plugins