A Cyber Analysts's first impression of the new Reveal

In my time at Ava it’s struck me how quickly major releases are put out, especially given how feature-rich each release is. The release of version 5 (V5) of Ava Reveal is no different, but this time I particularly feel the love and special attention given to features that directly benefit operators who use the product regularly. I’m talking about our people in the trenches: SOC analysts, threat hunters, incident responders, or anyone else whose day to day job is to know normal and find evil. In this post I’m going to cover those features that I think make it easy to use Reveal daily.

First, the obvious. Right when you log into the platform you are greeted with the all-new landing page. In prior versions of the platform, the first thing you saw was the atlas view, which is useful, but the new landing page is so much better because it allows you to hit the ground running and immediately see what’s important.

The left pane has a ranking of users and hosts based on a risk score made up of which policies, sensors, and alarms were triggered. this gives the operator easy visibility into which hosts or users are more consistently “misbehaving”.

In the next pane is a running list of sensors ranked by risk score. I like this because it’s adjustable based on the severity you’re interested in, and it updates automatically, so you can watch the sensors roll in. This isn’t necessarily useful in day to day activity, but I know personally during active incidents I’ve set up rules to catch certain TTPs, and running queries so that the SOC can see immediately see if a rule has been violated. With Reveal, this functionality is built right into the landing page. An operator just needs to make sure that the policy of interest triggers a sensor, but more about policies later.

The third pane of the landing page brings me around to one of my favorite Reveal V5 features: cases. In the right-most pane, a Reveal operator can see the latest open, ongoing cases. This isn’t a mind-blowing feature, but it does make it really convenient to jump back into something you were working on or to collaborate with your team. That being said, I’ll elaborate more on “cases” in Reveal.

Reveal operators now have the ability to create “cases”. Cases are essentially a collection of events, notes, and images related to some notable security event. The obvious workflow would be to create a case for an alarm raised by the Reveal machine learning. An operator could create a case, add relevant events collected by a Reveal agent, adding screenshots, images, notes, and links to the case as necessary. Even better, cases are collaborative so teams can work together. One scenario that particularly lends itself to the use of cases is that of an active incident. Sometimes when responding to an incident you have to compile a variety of events (file system, network, execution) that occur across a variety of hosts in your environment. With the advent of cases in Reveal, it’s easy to do this and keep track of what matters to you.

And on that note, I think I’ve come around to what I love about Reveal. With Reveal operators have a tool that is wide open to creativity so that they can secure their people, reputation, and data in the best way they see fit. The data is in there. The visibility and tools are in the platform. You just have to use it. There are a wealth of other features that have come with version 5, many others which are useful to day-to-day operators as well. I highly recommend reading the release notes for a full feature set. I just thought I’d cover the features that made me smile as a daily Reveal operator.