How does an analyst determine that a given event, for example an employee copying files to a USB stick, constitutes a real security incident? How can one differentiate data exfiltration from legitimate data movement? To establish the true nature of a security event, context is king.
Typically, legacy and other vendors offer only limited, high-level context for security events.
While these are useful for a high-level understanding of the overall risk posture, they offer insufficient insight for actual investigation of the event at hand. As a result, analysts have no choice but to manually drill down to the details of the specific event and gather insights at the micro level for each individual event.
Take for example a scenario where an employee downloads a sensitive file from the company’s web application, and a couple of days later copies it to a USB flash drive. Knowing that employee “Jon Smith” has triggered two events, one a file download and the other a USB event, is one thing; but how can an analyst immediately be made aware that the two events are in fact related?
Or take another look at the employees’ habit of sending company materials to their personal email accounts. Being aware of the fact that “Georgia Lipa” has sent 20 emails with sensitive information is one thing; what about having immediate insight into the fact that these emails were sent to her personal Gmail account, with files that were previously renamed from an unapproved folder, containing U.S. Social Security numbers and credit card details?
To address this long-standing analyst pain, we are happy to announce Reveal Cloud’s newest addition: actionable sensor information, revolutionizing the way security events can be investigated and addressed.
With this new feature, members across the security team’s chain of command can search, filter, and aggregate on no less than 25 new sensor properties, from the file name or path of a file event to the recipient of an email event or the details of a USB event, to better detect, correlate, and analyze events in their environments. With easy access to actionable sensor information, we believe analysts will be better equipped than ever to streamline their work, gain better insights quicker, and minimize false positives faster.
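To illustrate the kind of cross-sensor correlation described above, here is a small added example written for this post (not Reveal Cloud’s own code); the event schema, field names, sample events and corporate domain are constructed assumptions. It links events for the same user on file identity, flags a download followed by a USB copy within a window and a sensitive-file email to a non-corporate address, and rolls the findings up by department.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from hypothetical sensors (web app, file system, USB, email).
EVENTS = [
    {"ts": "2023-03-01T09:00:00", "user": "jon.smith", "dept": "Sales", "type": "web_download",
     "file_hash": "h1", "path": "/Downloads/q3-forecast.xlsx"},
    {"ts": "2023-03-03T14:10:00", "user": "jon.smith", "dept": "Sales", "type": "usb_copy",
     "file_hash": "h1", "path": "E:/q3-forecast.xlsx", "device": "Kingston DataTraveler"},
    {"ts": "2023-03-02T11:00:00", "user": "georgia.lipa", "dept": "Finance", "type": "file_rename",
     "file_hash": "h2", "path": "/Finance/unapproved/clients.csv", "new_path": "/tmp/notes.csv"},
    {"ts": "2023-03-02T11:05:00", "user": "georgia.lipa", "dept": "Finance", "type": "email_send",
     "file_hash": "h2", "recipient": "georgia.lipa@gmail.com", "classifications": ["SSN", "CREDIT_CARD"]},
    # Plain data movement: a USB copy with no preceding sensitive download is not flagged.
    {"ts": "2023-03-02T12:00:00", "user": "amir.k", "dept": "Marketing", "type": "usb_copy",
     "file_hash": "h3", "path": "E:/photos.zip", "device": "SanDisk"},
]
CORPORATE_DOMAINS = {"example.com"}   # assumed corporate mail domain(s)
WINDOW = timedelta(days=7)            # max gap between download and USB copy


def correlate(events, window=WINDOW):
    """Group events per (user, file hash) and return findings with their full event chain."""
    chains = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):        # ISO timestamps sort lexically
        chains[(e["user"], e["file_hash"])].append(e)
    findings = []
    for (user, _), chain in chains.items():
        types = [e["type"] for e in chain]
        span = datetime.fromisoformat(chain[-1]["ts"]) - datetime.fromisoformat(chain[0]["ts"])
        if "web_download" in types and "usb_copy" in types and span <= window:
            findings.append({"user": user, "rule": "download_then_usb", "chain": chain})
        for e in chain:
            external = e.get("recipient", "@").split("@")[1] not in CORPORATE_DOMAINS
            if e["type"] == "email_send" and external and e.get("classifications"):
                findings.append({"user": user, "rule": "sensitive_to_personal_email", "chain": chain})
    return findings


def summarize(findings):
    """Roll findings up by department so a manager sees where the risky behaviour sits."""
    out = defaultdict(lambda: defaultdict(int))
    for f in findings:
        out[f["chain"][0]["dept"]][f["rule"]] += 1
    return {dept: dict(rules) for dept, rules in out.items()}


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["rule"], f["user"], [e["type"] for e in f["chain"]])
    print(summarize(correlate(EVENTS)))
```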
As a security manager, knowing the bottom line is crucial to be able to draw conclusions and form an action plan to address the identified risk. This is true tenfold in security monitoring, where the bottom line is often well hidden behind layer upon layer of technical detail, making the extraction of actionable insights harder and harder.
With actionable sensor information, this complex task becomes much easier. By knowing which areas of the organization are involved in risky behavior, security managers can get immediate insights on the violations in question and tailor-make their security mitigation plan accordingly:
Immediate actionable insights, sorted.
From the outset, the process is clear: once you observe a violation, you need to establish its nature as quickly and smoothly as possible, whether it is a true or a false positive, and accordingly either mitigate the identified risk or tune the parameters of the policy.
However, this one-liner hides one of the more complex tasks of the process: triaging. With actionable sensor information, analysts can triage and investigate faster than ever before:
Event investigation, sorted.