In my time at Qush (formerly Ava), it’s struck me how quickly major releases are put out, especially given how feature-rich each release is. The release of version 5 (V5) of Qush Reveal is no different, but this time I particularly feel the love and special attention given to features that directly benefit operators who use the product regularly. I’m talking about our people in the trenches: SOC analysts, threat hunters, incident responders, or anyone else whose day to day job is to know normal and find evil. In this post I’m going to cover those features that I think make it easy to use Reveal daily.
Live alarm and threat feed
First, the obvious. Right when you log into the platform you are greeted with the all-new landing page. In prior versions of the platform, the first thing you saw was the atlas view, which is useful, but the new landing page is so much better because it allows you to hit the ground running and immediately see what’s important.
The left pane has a ranking of users and hosts based on a risk score made up of which policies, sensors, and alarms were triggered. This gives the operator easy visibility into which hosts or users are more consistently “misbehaving”.
In the next pane is a running list of sensors ranked by risk score. I like this because it’s adjustable based on the severity you’re interested in, and it updates automatically, so you can watch the sensors roll in. This isn’t necessarily useful in day to day activity, but I know personally during active incidents I’ve set up rules to catch certain TTPs and run queries so that the SOC can immediately see if a rule has been violated. With Reveal, this functionality is built right into the landing page. An operator just needs to make sure that the policy of interest triggers a sensor, but more about policies later.
The third pane of the landing page brings me around to one of my favorite Reveal V5 features: cases. In the right-most pane, a Reveal operator can see the latest open, ongoing cases. This isn’t a mind-blowing feature, but it does make it really convenient to jump back into something you were working on or to collaborate with your team. That being said, I’ll elaborate more on “cases” in Reveal.
Reveal operators now have the ability to create “cases”. Cases are essentially a collection of events, notes, and images related to some notable security event. The obvious workflow would be to create a case for an alarm raised by the Reveal machine learning. An operator could create a case, add relevant events collected by a Reveal agent, and attach screenshots, images, notes, and links to the case as necessary. Even better, cases are collaborative, so teams can work together. One scenario that particularly lends itself to the use of cases is that of an active incident. Sometimes when responding to an incident you have to compile a variety of events (file system, network, execution) that occur across a variety of hosts in your environment. With the advent of cases in Reveal, it’s easy to do this and keep track of what matters to you.
Next up I’d like to touch on another feature which admittedly is more useful to the SOC analyst types than the threat hunters or DFIR folks – policies. With version 5, Reveal takes a more hybrid approach to serve the needs of everyday use. While the machine learning is excellent for detecting anomalous activity of various sorts, sometimes evil activity looks normal and we have to rely on intelligence sources, our own research, or threat hunting to find evil. This is where policies come in.
Reveal allows operators to create policies based on various events captured by the Reveal Agent and trigger an alarm (with custom risk score, of course) or even take a harder line of action against a host. Actions include things like isolating a host, or triggering a pop-up that the user has to acknowledge. Of course, policies and actions can be used for more than detecting or containing evil.
Creating policies with a pop-up action can be used as a way to provide immediate, highly relevant user training as users commit acts which could endanger your company’s data, even inadvertently. It could be something as simple as notifying the user that downloading executable binaries is not allowed. Another application of training policies could be warning users that the file they are trying to upload to Google Drive contains plaintext Social Security numbers. With Reveal policies, operators have quite a bit of latitude to creatively secure their environments.