About USM Appliance System Architecture and Components

Applies to Product: USM Appliance™ LevelBlue OSSIM®

As a unified security platform, USM Appliance combines several critical security technologies in one integrated platform. USM Appliance can be deployed as a single appliance or distributed across multiple servers (either virtual or hardware) to provide additional scalability and availability. The following figure presents a high-level overview of the LevelBlue USM Appliance system architecture.

Illustration of USM Architecture

The three components of the USM Appliance architecture that work together to monitor and provide security in your environment are:

  • USM Appliance Sensor(s) — Deployed throughout the network to collect and normalize information from any devices in your network environment that you want to manage with USM Appliance. A wide range of plugins are available to process raw logs and data from various types of devices such as firewalls, routers, and host servers.
  • USM Appliance Server — Aggregates and correlates information that the USM Appliance Sensors gather. (This is USM Appliance’s SIEM capability.) Provides single pane-of-glass management, reporting, and administration through a web-based user interface.
  • USM Appliance Logger — Securely archives raw event log data for forensic research and compliance mandates. (This archive of raw event data is also referred to as cold storage.)

Basic USM Appliance Workflow

USM Appliance follows a consistent workflow: it collects raw data from network devices, parses and normalizes that data into a stream of events, and then stores, filters, and correlates those events to identify threats and vulnerabilities.

1. USM Appliance Sensors passively collect logs and mirrored traffic, and actively probe assets in the network, to obtain information about the current network activity in your environment.

2. The USM Appliance Sensor parses the raw data from different sources and transforms it into a stream of events, each having a common set of data fields. It then sends the events to the USM Appliance Server.

3. The USM Appliance Server correlates the events and assesses their risk.

4. The USM Appliance Server sends the events to the USM Appliance Logger, which signs them digitally and stores them for forensic analysis, archival, and regulatory compliance.
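The four steps above, as an added illustration that is not USM Appliance's own code: constructed syslog lines are normalized by two hypothetical regex plugins into one common field set, a simplified risk score is derived from how many sources report the same address, and each event is signed so the archive can be checked for tampering. The HMAC-SHA256 signature, the field names and the plugin regexes are all assumptions; the product's real event schema and signing mechanism are not described on this page.

```python
import hashlib
import hmac
import json
import re

# Constructed sample lines standing in for raw data a Sensor collects (not real device output)
RAW_LOGS = [
    "Jan 10 12:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 10 12:00:02 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Jan 10 12:00:03 web01 sshd[1234]: Accepted publickey for deploy from 192.0.2.50 port 51001 ssh2",
]

# Hypothetical plugin table: one regex per log source, each yielding named groups from the common schema
PLUGINS = {
    "iptables": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<event>\w+) "
        r"IN=\S* SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) PROTO=\w+ DPT=(?P<dst_port>\d+)"),
    "sshd": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<event>Failed|Accepted) "
        r"\w+ for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
}
# Assumed common field set; fields a plugin does not supply are left as None
COMMON_FIELDS = ("ts", "host", "plugin", "event", "src_ip", "src_port", "dst_ip", "dst_port", "user")

def normalize(lines):
    """Sensor step: run each raw line through the first plugin that matches, emit a uniform event."""
    events = []
    for line in lines:
        for name, rx in PLUGINS.items():
            m = rx.match(line)
            if m:
                fields = m.groupdict()
                fields["plugin"] = name
                events.append({k: fields.get(k) for k in COMMON_FIELDS})
                break
    return events

def assess_risk(events):
    """Server step (simplified): score a source IP by how many distinct plugins reported it."""
    sources = {}
    for e in events:
        sources.setdefault(e["src_ip"], set()).add(e["plugin"])
    return {ip: len(plugins) for ip, plugins in sources.items()}

def sign_event(event, key):
    """Logger step: canonical JSON + HMAC-SHA256 over the event (stand-in for the product's signing)."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_event(event, signature, key):
    """Forensic check: constant-time comparison, so a modified archived record fails verification."""
    return hmac.compare_digest(sign_event(event, key), signature)
```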

For a more in-depth description of event collection and processing, see Log Collection and Normalization in USM Appliance. Also refer to the Policy Management and Event Correlation topics.

USM Appliance Deployment Options

LevelBlue USM Appliance can be deployed in one of two basic configurations:

  • Simple Deployment Model — All USM Appliance components (Sensor, Server, and Logger) are combined in a USM Appliance All-in-One appliance. This configuration is most often used in smaller environments, as well as for demonstrations and proof-of-concept deployments.
  • Multi-tier, Distributed Deployment Model — This model deploys each LevelBlue USM Appliance component (Sensor, Server, and Logger) as an individual virtual or hardware appliance to create a distributed system topology.

The distributed deployment model also comes in two versions, USM Appliance Standard and USM Appliance Enterprise, that increase scalability and performance by provisioning dedicated systems for each USM Appliance component. See USM Appliance Deployment Examples for more details on USM Appliance deployment models and examples.

AlienVault OSSIM Limitations: LevelBlue OSSIM doesn't include the USM Appliance Logger.