About USM Appliance

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Businesses today are exposed to an ever-increasing number of threats:

  • Network-based threats — Aimed at networks and network infrastructure.
  • Host-based threats — Aimed at individual hosts.
  • External threats — Coming from external attackers.
  • Internal threats — Coming from internal attackers.

Although the goal of security solutions is to detect and prevent such threats, no network can be completely protected from all of them. For this reason, USM Appliance focuses on mitigating risk, identifying vulnerabilities, detecting threats, and prioritizing response to the threats and vulnerabilities that matter most. Measures for mitigating risk, identifying vulnerabilities, and detecting threats include the following:

  • Identifying patterns of events that indicate a possible threat or vulnerability.

  • Determining the risk of potentially harmful attacks or compromise.

  • Implementing controls to address reported vulnerabilities.

  • Taking action to respond to identified attacks.

  • Performing ongoing monitoring and reporting of network and host-based activities.

The Role of Risk Assessment

To properly secure your infrastructure, first conduct a risk assessment of your assets. Risk assessment helps you determine the relative importance of the assets within your network, the vulnerabilities of those assets in relation to specific exploitation threats, and the likelihood of security events taking place against those assets. After completing these analyses, you can design security policies in response to the relative asset values and exploitation risks that various threats and vulnerabilities pose.

Strong security policies focus on how best to protect your most vital and at-risk assets. For example, if a network resource is critical and the likelihood of an attack against it is high, focus your efforts on creating security policies that monitor for such attacks, and develop response plans to them.

How USM Appliance Helps with Risk Assessment and Mitigation

USM Appliance provides you with the ability to identify your critical assets and to set policies to alert you when those assets have vulnerabilities or are subjected to attacks. USM Appliance will generate alarms based upon the risk associated with any given security event captured in USM Appliance.

The importance given to any given security event depends on three factors:

  • The value of the asset associated with the event
  • The threat represented by the event
  • The probability that the event represents a real threat

These factors are the building blocks for the traditional definition of risk: a measure of the potential impact of a threat on your assets and the probability a threat will be carried out.

Each event generated in USM Appliance is evaluated in relation to its associated risk; in other words, in proportion to the value of the assets at risk, the threat represented by the event, and the probability the threat is real. Accordingly, USM Appliance provides you the capability to identify all high-risk events, some of which will result in alarms, and allows you to properly prioritize your response.
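The following is an added example, not USM Appliance code, of how the three factors above combine into a single risk score that can be used to rank events and decide which ones become alarms. This page states no formula, so the weighting used here is an assumption: asset value 0-5, event priority (threat) 0-5, event reliability (probability the threat is real) 0-10, risk = asset_value * priority * reliability / 25 truncated to an integer 0-10, and an alarm whenever risk is 1 or more. The sample events are constructed.

```python
"""Added example (not USM Appliance code): scoring events by asset value,
threat and probability, then ranking them for response.

Assumptions, since this page states no formula: asset value 0-5, event
priority (threat) 0-5, event reliability (probability the threat is real)
0-10, risk = asset_value * priority * reliability / 25 truncated to an
integer 0-10, and an alarm when risk >= 1.  Sample events are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

ALARM_THRESHOLD = 1  # assumed: a risk of 1 or more raises an alarm


@dataclass(frozen=True)
class Event:
    name: str
    asset_value: int  # importance of the affected asset, 0-5
    priority: int     # how harmful the event type is, 0-5
    reliability: int  # confidence that the event is a real attack, 0-10


def _check_range(value: int, lo: int, hi: int, label: str) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{label}={value} is outside {lo}..{hi}")


def risk(asset_value: int, priority: int, reliability: int) -> int:
    """Risk on a 0-10 scale; any factor of 0 zeroes the whole score."""
    _check_range(asset_value, 0, 5, "asset_value")
    _check_range(priority, 0, 5, "priority")
    _check_range(reliability, 0, 10, "reliability")
    return (asset_value * priority * reliability) // 25


def raises_alarm(ev: Event) -> bool:
    return risk(ev.asset_value, ev.priority, ev.reliability) >= ALARM_THRESHOLD


def prioritize(events: List[Event]) -> List[Tuple[int, Event]]:
    """(risk, event) pairs, highest risk first; ties keep input order."""
    scored = [(risk(e.asset_value, e.priority, e.reliability), e) for e in events]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample events: the same attack against assets of different value,
# a noisy low-priority event, and a low-confidence signature on a critical host.
SAMPLE_EVENTS = [
    Event("SSH brute force against bastion host", asset_value=5, priority=4, reliability=8),
    Event("SSH brute force against lab VM", asset_value=1, priority=4, reliability=8),
    Event("Port scan from internal workstation", asset_value=3, priority=2, reliability=3),
    Event("Low-confidence signature on database server", asset_value=5, priority=5, reliability=1),
]

if __name__ == "__main__":
    for score, ev in prioritize(SAMPLE_EVENTS):
        flag = "ALARM" if score >= ALARM_THRESHOLD else "event"
        print(f"risk={score:2d} {flag:5s} {ev.name}")
```

The point of the ranking is that the same brute-force signature scores 6 against the bastion host but only 1 against the lab VM, and a low-confidence hit on the database server still clears the alarm threshold because of the asset's value, while the internal port scan drops to 0. Tuning any one factor (asset value in the inventory, priority or reliability on the signature) changes which events surface first.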

How USM Appliance Helps Detect Threats and Prioritize Responses

The following illustration highlights the capabilities and related tools that USM Appliance provides to help you perform security management tasks in your own environment.

AlienVault USM Security Management Capabilities

Asset Discovery — Combines core discovery and inventory technologies to give you visibility into the devices that are on your network. Features include:

  • Active and Passive Network Scanning
  • Asset Inventory
  • Service Inventory

Asset discovery and inventory are the first essential steps to knowing what systems and devices are on your network; you cannot assign a value to, scan, or monitor an asset you do not know exists.

Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space.

Vulnerability Assessment — Identifies assets and devices with unpatched software, insecure configurations, and other vulnerabilities on your network. Features include:

  • Continuous Vulnerability Monitoring
  • Authenticated / Unauthenticated Active Scanning
  • Remediation Verification

The integrated internal vulnerability scanning keeps you abreast of vulnerabilities on your network, so you can prioritize patch deployment and remediation. Continuous correlation of your dynamic asset inventory with our vulnerability database provides you with up-to-date information on the vulnerabilities in your network, in-between your scheduled scans.

Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space.

Intrusion Detection — Coordinates incident response and threat management across your network with built-in security monitoring technologies, emerging threat intelligence from LevelBlue Labs™, and seamless closed-loop workflow for rapid remediation. Features include:

  • Network-based IDS (NIDS)
  • Host-based IDS (HIDS)
  • File Integrity Monitoring (FIM)

Built-in file integrity monitoring in host-based agents installed on servers alerts you to unauthorized modification of system files, configuration files or content. Monitoring of network access using host- and network-based detection systems identifies who tried to access those systems, files, and content.
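The following added example, which is not USM Appliance's own agent code, shows the core of what a file integrity monitor does: take a baseline of cryptographic digests and permission bits for the files it watches, then compare a later snapshot to report what was modified, added, or removed. The directory tree, its contents, and the simulated tampering are constructed inside a temporary directory so the example runs offline.

```python
"""Added example (not USM Appliance agent code): a minimal file-integrity
check of the kind host-based agents perform.

Builds a baseline of SHA-256 digests and permission bits for every regular
file under a root, then diffs a later snapshot against it.  The sample tree
and the simulated tampering are constructed in a temporary directory.
"""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex, mode bits)


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Baseline:
    """Digest and mode for each regular file under root (symlinks skipped)."""
    baseline: Baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        baseline[p.relative_to(root).as_posix()] = (_digest(p), mode)
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Changes grouped as modified / added / removed, each a sorted list."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Build a small tree, baseline it, simulate an intrusion, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-constructed-placeholder")
        baseline = snapshot(root)

        # Simulated attacker actions (constructed): weaken a config, remove a
        # binary, and drop a cron job for persistence.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s} {files}")
```

Two practical caveats are built in: the baseline records permission bits as well as content, so a chmod to make a file setuid is reported even when the bytes are unchanged, and symlinks are skipped so an attacker cannot redirect a watched path at an attacker-controlled file without the original file showing up as removed. A real agent also has to protect the baseline itself, which is why the comparison belongs on the management server rather than on the monitored host.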

Behavioral Monitoring — Identifies anomalies and other patterns that signal new, unknown threats in your network, as well as suspicious behavior and policy violations by authorized users and devices. Features include:

  • NetFlow Analysis
  • Service Availability Monitoring
  • Network Protocol Analysis / Packet Capture

Integrated behavioral monitoring gathers data to help you understand “normal” system and network activity, which simplifies incident response when investigating a suspicious operational issue or potential security incident. Full packet capture enables complete protocol analysis of network traffic, providing a comprehensive replay of the event that occurred during a potential breach.

Security Information and Event Management (SIEM) — Identifies, contains, and remediates threats in your network by prioritizing your risk and response. Features include:

  • Log Management
  • Integrated OTX Threat Data
  • SIEM Event Correlation
  • Incident Response

You can automatically correlate log data with actionable security intelligence to identify policy violations and receive contextually relevant and workflow-driven response procedures. You can also conduct forensic analysis of events using digitally signed raw logs. The raw logs also can be used to satisfy compliance requirements for evidence preservation.
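The paragraph above says forensic analysis relies on digitally signed raw logs. The added example below, which is not USM Appliance's own signing scheme, shows one way to make stored raw logs tamper-evident: a keyed hash chain in which each line's tag covers both the line and the previous tag, so rewriting, deleting, or reordering an earlier line invalidates every tag after it. It also shows the one edit a chain alone cannot catch, truncation at the end, and the out-of-band anchor that catches it. The key is assumed to be held by the appliance rather than stored with the log file, and the syslog lines are constructed sample data.

```python
"""Added example (not USM Appliance's own signing scheme): a keyed hash chain
that makes stored raw logs tamper-evident.

Each line's tag is HMAC-SHA256(key, previous_tag || line), so changing,
removing or reordering an earlier line invalidates every tag after it.  The
key is assumed to be held by the appliance, never alongside the log file.
The syslog lines below are constructed sample data.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

GENESIS = b"\x00" * 32  # chain anchor for the first line

SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_LOGS = [
    "Mar  4 10:02:11 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar  4 10:02:13 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51023 ssh2",
    "Mar  4 10:02:15 web01 sshd[2214]: Accepted password for deploy from 203.0.113.9 port 51024 ssh2",
    "Mar  4 10:02:40 web01 sudo:   deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def sign_lines(key: bytes, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, hex_tag) pairs forming a chain over the lines in order."""
    prev, signed = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        signed.append((line, tag.hex()))
        prev = tag
    return signed


def verify_chain(key: bytes, signed: List[Tuple[str, str]],
                 final_tag: Optional[str] = None) -> Optional[int]:
    """None if the chain verifies, else the index of the first bad line.

    Lines missing from the end are only detectable when the last tag was
    recorded out of band and passed as final_tag; that case returns len(signed).
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(signed):
        expected = _tag(key, prev, line)
        try:
            stored = bytes.fromhex(tag_hex)
        except ValueError:
            return i
        if not hmac.compare_digest(expected, stored):
            return i
        prev = expected
    if final_tag is not None and not hmac.compare_digest(prev, bytes.fromhex(final_tag)):
        return len(signed)
    return None


def tamper_cases(key: bytes = SAMPLE_KEY) -> Dict[str, Optional[int]]:
    """Apply typical evidence-tampering edits and report where each is caught."""
    signed = sign_lines(key, SAMPLE_LOGS)
    head = signed[-1][1]  # last tag, to be stored separately from the file

    rewritten = list(signed)
    rewritten[2] = (rewritten[2][0].replace("Accepted", "Failed"), rewritten[2][1])
    deleted_middle = signed[:1] + signed[2:]
    truncated = signed[:3]  # the sudo line at the end removed

    return {
        "intact": verify_chain(key, signed),
        "rewritten_line": verify_chain(key, rewritten),
        "deleted_middle": verify_chain(key, deleted_middle),
        "truncated_no_anchor": verify_chain(key, truncated),
        "truncated_with_anchor": verify_chain(key, truncated, final_tag=head),
        "wrong_key": verify_chain(b"not-the-appliance-key", signed),
    }


if __name__ == "__main__":
    for case, first_bad in tamper_cases().items():
        print(f"{case:22s} -> {'verified' if first_bad is None else f'fails at line {first_bad}'}")
```

Note the truncation case: with only the per-line tags in the file, deleting the final entry leaves a perfectly valid shorter chain, which is exactly the edit someone covering their tracks would make. Periodically exporting the latest tag to a separate store (or signing it with an asymmetric key) is what turns the chain into usable evidence-preservation.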

A web-based user interface provides access to all the security management functions provided by LevelBlue USM Appliance. The USM Appliance User Guide provides information on accessing and using all of the tools in USM Appliance and performing specific security management operations from this user interface.

Managing Regulatory Compliance in USM Appliance

In addition to regular security management operations, USM Appliance also delivers essential security capabilities to help you achieve regulatory compliance. Through its built-in asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, log management, and file integrity monitoring, USM Appliance can help organizations achieve compliance with regulations such as PCI DSS, GLBA, ISO/IEC 27001, FISMA, NERC CIP, FERPA, and SOX. USM Appliance also generates built-in reports specifically for HIPAA, PCI, GLBA, ISO 27001, FISMA, NERC CIP, GPG13, and SOX.

In addition, the Using USM Appliance for PCI Compliance section provides detailed information on using USM Appliance to help achieve PCI DSS compliance. Much of that information also applies to meeting the requirements of other standards.

About LevelBlue Threat Intelligence

LevelBlue Threat Intelligence, integrated into USM Appliance through the Threat Intelligence Subscription, provides USM Appliance with capabilities that differentiate it from most other security management solutions available in the marketplace today. LevelBlue Threat Intelligence, developed by the LevelBlue Labs™ Security Research Team and powered by the LevelBlue Labs™ Open Threat Exchange® (OTX™), is actionable information about the threats facing your network, including the malicious actors, their tools, their infrastructure, and their methods. LevelBlue Threat Intelligence tells you what the threat is, where it’s originating from, which assets in your environment are at risk, and how to respond.

LevelBlue Labs

LevelBlue Labs is an internal security research team at LevelBlue, consisting of security experts who perform ongoing research and analysis of emerging global threats and vulnerabilities. This team constantly monitors, analyzes, reverse-engineers, and reports on sophisticated zero-day threats, including malware, botnets, and phishing campaigns.

The team regularly publishes threat intelligence updates to the USM Appliance platform in the form of correlation directives, IDS signatures, vulnerability signatures, asset discovery signatures, IP reputation data, data source plugins, and report templates. The team also provides up-to-the-minute guidance on emerging threats and context-specific remediation guidance, which accelerates and simplifies threat detection and response.

The LevelBlue Labs team also leverages the collective resources of OTX, the world’s largest crowd-sourced repository of threat data, to provide global insight into attack trends and malicious actors. The security experts at LevelBlue analyze, validate, and curate the global threat data collected by the OTX community.

The Security Research Team improves the efficiency of any security monitoring program by delivering the threat intelligence necessary to understand and address the most critical issues in your networks. They perform the analysis, allowing you to spend your scarce time remediating and mitigating the threats, rather than researching them.

Open Threat Exchange®

The Open Threat Exchange (OTX) is the world’s most authoritative open threat information sharing and analysis network. OTX provides open access to a global community of threat researchers and security professionals. It now has more than 100,000 participants worldwide, who contribute over 19 million threat indicators daily. It delivers community-generated threat data and OTX pulses, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source. OTX enables anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques, strengthening your defenses while helping others do the same.

The OTX community and corresponding threat data is one of the critical data sources used by the LevelBlue Labs team to generate LevelBlue Threat Intelligence. LevelBlue Labs leverages the collective resources of the OTX by analyzing, validating, and curating the global threat data contributed by the OTX community.

AlienVault OSSIM Limitations: LevelBlue OSSIM doesn't include the USM Appliance Logger.