Gain immediate insights with actionable sensor information

How does an analyst determine that a given event–e.g., an employee copying files to a USB stick–constitutes a real security incident? How can one differentiate data exfiltration from data movement? To establish the true nature of a security event, context is king. 

Typically, legacy and other vendors offer limited comparable context into security events: 

• which employees or organizational units were the top offenders, 
• what was the predefined severity of these events, and 
• what were the top types of rule violations. 

While these are useful for a high-level understanding of the overall risk posture, they offer insufficient insight for actual investigation of the event at hand. As a result, analysts have no choice but to manually drill down to the details of the specific event and gather insights at the micro level for each individual event.

Take for example a scenario where an employee downloads a sensitive file from the company’s web application, and a couple of days later copies it to a USB flash drive. Knowing that employee “Jon Smith” had triggered a couple of events, one is a file download, and the other is a USB event is one thing, but how can an analyst immediately be made aware the events are in fact related?

Or take another look at the employees’ habit of sending company materials to their personal email accounts. Being aware of the fact “Georgia Lipa” has sent 20 emails with sensitive information is one thing; what about having immediate insight into the fact that these emails were sent to her personal Gmail account, with files that were previously renamed from an unapproved folder, containing U.S. Social Security numbers and credit cards details?

To address this long-standing analyst pain, we are happy to announce Qush Reveal’s newest addition: actionable sensor information, revolutionizing the way security events can be investigated and addressed.

With this new feature members across the security team’s chain of command can search, filter, and aggregate on no less than 25 new sensor properties–from the file name or path of the file event to the recipient of an email event or the details of the USB event–to better detect, correlate, and analyze events in their environments. With easy access to actionable sensor information, we believe analysts will be better equipped than ever to streamline their work, gain better insights quicker, and minimize false positives faster. 

As a security manager, knowing the bottom line is crucial to be able to draw conclusions and form an action plan to address the identified risk. This is true tenfold in security monitoring, where the bottom line is often well hidden behind details upon details of technical information–making the extraction of actionable insights harder and harder. 

With actionable sensor information, this complex task becomes much easier. By knowing which areas of the organization are involved in risky behavior, security managers can get immediate insights on the violations in question and tailor-make their security mitigation plan accordingly: 

• Have you discovered that developers tend to send data over to their personal email accounts? Configure your policy to warn the employee beforehand, and potentially even send the employee to targeted incident-based training as part of your automatic on-screen message response. 
• Have you discovered that an employee labeled as “Leaver” has visited Wikileaks lately? Flag them to prioritize the detection of their activities across the solution, and discover the reason for their behavior with their line manager.

Immediate actionable insights, sorted.

From the outset, the process is clear: once you observe a violation, you need to establish its nature as quickly and smoothly as possible; whether it is a true or false positive, and accordingly either mitigate the identified risk or tune the parameters of the policy. 

However, this one-liner enfolds one of the more complex tasks of the process–triaging. With actionable sensor information, analysts can triage and investigate faster than ever before: 

• Have you observed 10 browser upload events, but saw that three of them were to a website you deem to be legitimate? Quickly add the legitimate sites to the policy configuration so it won’t trigger again. As for the remaining events, look at the URL aggregations to see if any of these were to an unsanctioned file-sharing site. In addition, quickly filter on each of the referenced file names to see if these were referenced by another event, to gain further insights on the origin of the file or any other modifications to it. 

Event investigation, sorted.