Reveal provides broad and deep visibility and is designed with human behavior in mind. Reconstructing patterns and analyzing behaviors requires access to granular data. So Reveal gives access to user context from applications, connected devices, and behavioral patterns. At the same time, it provides entity context from network connections and operating systems.
Reveal integrates powerful search capabilities that allow security analysts to investigate data loss and quickly respond to an incident. Reveal can be an integral part of security operations by supercharging investigation, analysis and incident response.
For example, if a user leaked a product design file, you could perform a quick filename search on Reveal, which would then show the event streams related to the design file – event streams such as browser actions, file accesses, sensors, and alerts. Reveal doesn't just display information passively. It actively directs you or your security team to these threats, so they know where to focus their attention.
Focusing on browser events, your security team can use Reveal’s Investigate tool to narrow the search down to the events and profiles that are relevant to the scenario. For instance, Reveal highlights the users who recently exchanged the sensitive file and triggered suspicious violations. Reveal’s custom alerts (sensors) can point a security analyst in this direction and highlight the relevant events.
The Reveal agent gathers rich context, allowing analysts to build the storyline of an incident. In this instance, a combination of sensor data and feeds from event streams inside Investigate allows an analyst to reconstruct the whole exfiltration pattern: the design file was renamed before being uploaded to an online file-sharing location.
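A minimal way to reconstruct the rename-then-upload storyline described above from a combined file-event and browser-event stream, as an added example that is not Reveal's own code or output; the event format, field names, user names and hosts are constructed for illustration:

```python
from collections import defaultdict

# Constructed sample event stream (not real Reveal output). Each event is
# (timestamp, user, stream, action, details) as it might arrive from the
# file-access and browser sensors.
EVENTS = [
    (100, "alice", "file",    "open",   {"path": "C:/Designs/widget_v3.cad"}),
    (160, "alice", "file",    "rename", {"path": "C:/Designs/widget_v3.cad",
                                          "new_path": "C:/Users/alice/notes.txt"}),
    (200, "alice", "browser", "upload", {"path": "C:/Users/alice/notes.txt",
                                          "host": "share.example.com"}),
    (210, "bob",   "file",    "open",   {"path": "C:/Designs/widget_v3.cad"}),
    (300, "bob",   "browser", "upload", {"path": "C:/Users/bob/report.pdf",
                                          "host": "intranet.example.com"}),
]

def resolve_aliases(events):
    """Follow rename events so a later path maps back to the original file."""
    alias = {}
    for _, _, stream, action, d in sorted(events, key=lambda e: e[0]):
        if stream == "file" and action == "rename":
            alias[d["new_path"]] = alias.get(d["path"], d["path"])
    return alias

def storyline(events, filename):
    """Per-user chain of events that touched `filename`, including events on
    renamed copies. This is the 'filename search' view: one query, all streams."""
    alias = resolve_aliases(events)
    chains = defaultdict(list)
    for ts, user, stream, action, d in sorted(events, key=lambda e: e[0]):
        original = alias.get(d["path"], d["path"])
        if original.endswith(filename):
            chains[user].append((ts, stream, action, d.get("host")))
    return dict(chains)

def flag_rename_then_upload(chains):
    """Users whose chain shows a rename followed by an upload of the same file,
    the exfiltration pattern an analyst would want surfaced first."""
    flagged = []
    for user, chain in chains.items():
        actions = [action for _, _, action, _ in chain]
        if "rename" in actions and "upload" in actions[actions.index("rename"):]:
            flagged.append(user)
    return flagged
```

`storyline(EVENTS, "widget_v3.cad")` shows both alice and bob touched the design file, but only alice's chain matches the rename-then-upload pattern.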
Reveal’s analytic tools also accommodate different investigation methods. Instead of running a “top-down” investigation starting from a known pattern or event, analysts may want to reach for the “low-hanging fruit” and simply look for behavior or traffic abnormalities.
By looking at connectivity data, analysts can triage network anomalies generated by unusual behavior. For example, they can identify unusual destinations and indicators of compromise by accessing geolocation or connectivity data. Or they can leverage system-level context and spot skilled users using the command line and leveraging administrative tools. With all the evidence at hand, your security team can now reconstruct the chain of events, export all the relevant data, and create a security report.