Armor Anywhere: Enhanced Log and Data Management and Security Analytics

For security professionals, one of the first steps in defending an organization is having visibility across environments and being able to analyze and prioritize event data, alerts, and incident response. Collecting log and data artifacts allows defenders to fully understand which events are authentic and which ones are problematic.

Defenders must first be able to cut through log data generated by network traffic, applications, endpoints, services, and file-sharing activity to connect the dots that tell the bigger story of a potential threat or incident. However, doing so means organizations spend an inordinate amount of time connecting appliances, virtualized devices, and services in the hope that their SIEMs will analyze and correlate the information as intended and alert on threats with minimal false positives. They must then communicate findings in ways that are actionable for their security teams, their DevOps function, or other parts of the organization. Unfortunately, many teams fail to tie everything together successfully, and log information either goes untouched or the analysis inundates teams with alerts and false positives, failing to deliver the security outcomes the organization expected.

With the latest release of Armor Anywhere, we have enhanced our proven threat detection and response solutions with new capabilities that allow us to see more of your environment, ingest more event data than ever before, analyze and correlate that data, and, as a result, report findings with minimal false positives and greater context. We have also added new visualization and reporting capabilities to help defenders more easily communicate what they see to others.

Security Analytics
The Armor Anywhere agent now features two important enhancements in security analytics. First, we’ve added the ability to ingest logs from more sources, providing deeper context into customer environments. Whether they are coming through our log and data management platform or from private, public, or hybrid sources, Armor can ingest logs from any cloud-hosted network, accepting 290 source feeds including agent sources such as Apache, third-party log relay sources such as Check Point or Cisco, and CSP security feeds such as AWS CloudTrail and GuardDuty.

We have also added analytics tools including a search and analytics engine. Armor Management Portal users can now search time and date ranges for specific IOCs to discover patterns or establish context behind incidents.

With enhanced log and data management capabilities, security professionals can dig deeper into what is occurring in their environments. Operators can identify their own IOC hashes and determine their threat response or follow up with recommendations from the Security Operations Center.

Visualization and Dashboards
Visualization tools and dashboards such as those in the Armor Management Portal use the collected data to help security teams visualize what is occurring in each environment. Users can then process that data to develop reports and graphs, making it easier to share with others. Once data is gathered, users can take advantage of the visualization and reporting capabilities with just a few clicks.

With Log Search and Data Visualization capabilities, users can build custom dashboards within the Armor Management Portal. With just a few clicks, users can visualize log alerts and incident information within any environment. For example, teams may want to see where a certain malware has surfaced across multiple environments. Searches can show patterns and include artifacts for analysis. Searches can also be saved and are designed to return results based on a current time range.

Finally, the new enhancements include Security Incident Connectors, which allow an application to provide another application with real-time information. The connectors give customers and partners flexibility in how they consume our threat detection and response outputs based on their unique operational needs. For instance, if a partner has their own Security Operations Center, they can take advantage of Armor’s analysis and correlation of event information and feed the results of that into their own SIEM. Users can feed incident and other information into existing tools for more centralized capture across the applications and data.

Armor Evolution
Together, these enhancements are designed to provide faster and more comprehensive security assessments, and to provide additional visualization and reporting features that make those assessments easier to digest or communicate. These new features are just part of the Armor security platform’s continued evolution. With additional log sources, new search capabilities, and robust visualization tools, Armor is adding features that make security simple.
