How does an analyst determine that a given event–e.g., an employee copying files to a USB stick–constitutes a real security incident? How can one differentiate data exfiltration from data movement? To establish the true nature of a security event, context is king.
Typically, legacy and other vendors offer limited comparable context into security events:
- which employees or organizational units were the top offenders,
- what was the predefined severity of these events, and
- what were the top types of rule violations.
While these are useful for a high-level understanding of the overall risk posture, they offer insufficient insight for actual investigation of the event at hand. As a result, analysts have no choice but to manually drill down to the details of the specific event and gather insights at the micro level for each individual event.
Take for example a scenario where an employee downloads a sensitive file from the company’s web application, and a couple of days later copies it to a USB flash drive. Knowing that employee “Jon Smith” had triggered a couple of events, one is a file download, and the other is a USB event is one thing, but how can an analyst immediately be made aware the events are in fact related?
Or take another look at the employees’ habit of sending company materials to their personal email accounts. Being aware of the fact “Georgia Lipa” has sent 20 emails with sensitive information is one thing; what about having immediate insight into the fact that these emails were sent to her personal Gmail account, with files that were previously renamed from an unapproved folder, containing U.S. Social Security numbers and credit cards details?
To address this long-standing analyst pain, we are happy to announce Ava Reveal’s newest addition: actionable sensor information, revolutionizing the way security events can be investigated and addressed.