The AlienVault Unified Security Management® (USM) platform is the only security platform that combines out-of-the-box capabilities for asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and security information and event management (SIEM) as well as integrated threat intelligence. AlienVault USM Appliance provides a reliable, highly flexible, scalable deployment model that helps you, as a managed service provider, quickly deploy it to monitor your customer environments. The USM Appliance platform enables you to quickly detect, prioritize, and respond to threats in your customers’ networks. For more details, see About USM Appliance.
Managed Service Providers, Cloud Providers, and Managed Hosting Providers in every region of the world are expanding their service catalogs, earning industry-leading margins, and ensuring uptime and availability of their customers’ business-critical applications by partnering with AlienVault. MSSPs/MSPs choose the USM Appliance platform to deliver highly effective unified security management for the smallest to largest of environments because it offers:
- Centralized View — USM Appliance enables you to use a single console to see all of your customers’ networks. You can provide your subscribers with local views of their data and security, and compliance reports labeled with your brand.
- Product Breadth — The scope of AlienVault's software provides you many service-offering options, including vulnerability assessment, intrusion detection, security information and event management (SIEM), and other capabilities.
- Market Differentiation — One of the primary differentiators of USM Appliance is the AT&T Alien Labs™ Threat Intelligence Subscription. The AT&T Alien Labs™ Security Research Team regularly delivers threat intelligence that keeps the USM Appliance platform current with the latest changes in the threat landscape. (To find out what's included in each update, see The Threat Intelligence Updates.) In addition, USM Appliance has built-in integration with Open Threat Exchange® (OTX™). OTX is the world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. To learn about the integration between OTX and USM Appliance, see Using OTX in USM Appliance.
USM Appliance for MSSP Architecture
There are three components in the USM Appliance architecture, and each is available as a physical device or a virtual appliance. See About USM Appliance System Architecture and Components for more information.
We recommend that you employ a USM-as-a-Service deployment in your Security Operations Center (SOC) to best utilize the USM Appliance platform’s ability to perform security services for your clients.
Important: All deployment scenarios described in this guide require the installation and configuration of an AlienVault Federation Server and an MSSP license agreement.
USM Appliance as a Customer-Hosted Service with Centralized View
Deploying AlienVault USM Appliance as a managed service simply involves installing a USM Appliance All-In-One on the customer premises. Installing an All-in-One device simplifies deployment, because you only need to install one device instead of separate server, sensor, and logger devices, and leverages all of the USM Appliance components. With an All-in-One deployment, you can forward alarms and events to a USM Appliance installation on your premises. Your USM Appliance Server can accept events and alarms from multiple All-in-Ones deployed at your customers' premises. This configuration is also referred to as Federation.
About the Federation Server
AlienVault USM Appliance utilizes a Federation Server that connects to every customer's USM Appliance deployments and collects alarms into one alarm panel. For more detail on the benefits of the Federation Server and how it works, please see Section 4 of the MSSP Resource Kit available on the AlienVault Partner Portal.
The traditional MSSP deployment sends all security events up to a central SIEM server for log management, correlation, alerting, and reporting. The central SIEM must be able to keep up with the growing number of log events from all of their customers concurrently. This creates great demand on the central SIEM, requiring constant resource upgrades to keep up. In addition, any downtime affects all customers.
The Federation Server concept moves this overhead away from the SOC. Each customer has an independent USM Appliance installation that collects, correlates, and stores security events. All events with elevated risk level (determined by correlation at customer level) are sent up to the Federation Server in your SOC, where your analysts can triage the incoming customer alerts. Analysts can click-through to the customer environment at any time to do forensics or filter out false positives.
Federation offers several advantages over a traditional multi-tenant setup:
- Move the cost of scaling to the customer deployment
- Ability to scale each client independently based on their size and needs
- Scales to many customers as the Federation Server only receives alerts, not each security event, minimizing your own hosting requirements
- Requires minimal equipment for the MSSP to deploy in customer environments
- Segregates data — Data/Logs remain on the customer’s system under their control
Information Synced Between Servers
The following information is synced between the Federation Server and customers' USM Appliance, so that the Federation Server can get the full context behind an alarm:
- Correlation Contexts