As the cyber security threat landscape continues to evolve and attacks become more sophisticated, security operations center (SOC) teams need visibility into how email and files are protected, shared and accessed, delivered as event logs they can correlate with endpoint and network activity. Together, this gives organizations the security intelligence to strengthen monitoring workflows, flag incidents quickly, trace their impact and remediate immediately.
A recent collaboration between encryption company Virtru and FireEye does just that. Mutual customers get persistent protection, control and visibility of sensitive email and file attachments as they travel in and out of customers’ environments. For SOC teams, this means that as content is created and shared in the cloud, they can maintain granular visibility into who has accessed protected data, when and where they did it, and for how long.
How Does it Work?
Customers use the Virtru Audit Export API to push Virtru audit telemetry into the FireEye Helix security operations platform. On top of that telemetry, Virtru and FireEye provide user-behavior analytics that apply pre-set data loss prevention (DLP) rules to identify abnormal email usage and suspicious or malicious activity, and to show who is sharing sensitive data. If a data breach occurs or a user's credentials are compromised, Virtru's access controls let the customer immediately revoke access to the protected email and files.
FireEye Helix ships with more than 70 rules for Virtru telemetry that generate alerts for SOC analysts to review. Most of these alerts correspond to routine day-to-day activity that Virtru customers perform, which gives analysts a baseline to judge unusual activity against. The alert categories are:
- Email/Content Access: Revoked or Granted Access, Sharing Enabled/Disabled
- User Behavior: Failure/Success to Access Email/Content, Forwarded Emails
- Admin Items: New/Deleted Admins, New API Tokens Created, Users Added/Removed
- Policy Information: New/Update/Deleted Policies or DLP Rules, Violated Policy Info
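To make the alert categories above concrete, here is an added example, not Virtru's or FireEye's code and not the real Helix rule set, that runs three toy correlation rules over constructed Virtru-style audit events: a burst of failed content accesses by one user (User Behavior), any administrative change such as a new API token (Admin Items), and a forwarded protected email (User Behavior). The event field names (`ts`, `type`, `user`, `outcome`, `target`) are an assumed schema chosen for illustration; the actual Audit Export API payload differs.

```python
"""Toy Helix-style correlation rules over Virtru-like audit events.

Added example, not Virtru's or FireEye's code.  The event schema
(ts, type, user, outcome, target) is assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).  Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T08:50:00Z", "type": "content.access", "user": "mallory@example.com", "outcome": "failure", "target": "email-2"},
    {"ts": "2021-03-01T09:00:00Z", "type": "content.access", "user": "alice@example.com", "outcome": "success", "target": "email-1"},
    {"ts": "2021-03-01T09:00:30Z", "type": "content.access", "user": "mallory@example.com", "outcome": "failure", "target": "email-7"},
    {"ts": "2021-03-01T09:01:00Z", "type": "content.access", "user": "mallory@example.com", "outcome": "failure", "target": "email-8"},
    {"ts": "2021-03-01T09:01:30Z", "type": "content.access", "user": "mallory@example.com", "outcome": "failure", "target": "email-9"},
    {"ts": "2021-03-01T09:02:00Z", "type": "content.access", "user": "mallory@example.com", "outcome": "failure", "target": "email-10"},
    {"ts": "2021-03-01T09:02:30Z", "type": "content.access", "user": "mallory@example.com", "outcome": "failure", "target": "email-11"},
    {"ts": "2021-03-01T09:03:00Z", "type": "email.forwarded", "user": "alice@example.com", "outcome": "success", "target": "email-1"},
    {"ts": "2021-03-01T09:10:00Z", "type": "admin.api_token.created", "user": "bob@example.com", "outcome": "success", "target": "token-42"},
    {"ts": "2021-03-01T09:11:00Z", "type": "admin.user.added", "user": "bob@example.com", "outcome": "success", "target": "carol@example.com"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def rule_failed_access_burst(events, threshold=5, window_minutes=5):
    """User Behavior: `threshold` failed content accesses by one user within `window_minutes`.

    A burst of failures against protected content is what a stolen or guessed
    credential probing for data looks like, so the alert suggests revoking access.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "content.access" and e["outcome"] == "failure":
            failures[e["user"]].append(parse_ts(e["ts"]))
    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until times[start..end] spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "rule": "failed_access_burst", "severity": "high", "user": user,
                    "detail": f"{end - start + 1} failed accesses between {times[start]:%H:%M:%S} and {times[end]:%H:%M:%S}",
                    "suggested_action": "revoke_access",
                })
                break  # one alert per user per run
    return alerts


# Assumed event types for the Admin Items category; a new API token is a new
# long-lived credential, so it is rated higher than a user add/remove.
ADMIN_EVENT_SEVERITY = {
    "admin.api_token.created": "high",
    "admin.user.added": "medium",
    "admin.user.removed": "medium",
}


def rule_admin_change(events):
    """Admin Items: every administrative change is surfaced for analyst review."""
    return [
        {"rule": "admin_change", "severity": ADMIN_EVENT_SEVERITY[e["type"]], "user": e["user"],
         "detail": f'{e["type"]} target={e["target"]}', "suggested_action": "review"}
        for e in events if e["type"] in ADMIN_EVENT_SEVERITY
    ]


def rule_forwarded_email(events):
    """User Behavior: a protected email being forwarded is recorded as informational."""
    return [
        {"rule": "forwarded_email", "severity": "info", "user": e["user"],
         "detail": f'forwarded {e["target"]}', "suggested_action": "none"}
        for e in events if e["type"] == "email.forwarded"
    ]


RULES = (rule_failed_access_burst, rule_admin_change, rule_forwarded_email)


def run_rules(events):
    """Apply every rule and return the alerts, most severe first (stable order within a level)."""
    order = {"high": 0, "medium": 1, "info": 2}
    alerts = [a for rule in RULES for a in rule(events)]
    return sorted(alerts, key=lambda a: order[a["severity"]])


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f'[{a["severity"]:6}] {a["rule"]:20} {a["user"]:22} {a["detail"]} -> {a["suggested_action"]}')
```

Run stand-alone, the script prints four alerts: the failed-access burst for mallory (the 08:50 failure falls outside the five-minute window, so only the five later failures count), the new API token, the user addition and the informational forward. The `suggested_action` field is where an orchestration step that calls the Virtru revoke capability would hang off.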
There are five Virtru dashboards in FireEye Helix that visualize the alerts (Figure 1) firing in an environment: Email Information, Email Advanced Control Usage, Organizational Events, User Events and User Activations. These dashboards (Figure 2) let SOC analysts quickly view key information and take action.
Figure 1: Virtru Alerts In FireEye Helix
Figure 2: Virtru Dashboards in FireEye Helix
To learn more about this integration, visit the FireEye Market and email the contacts listed to get the integration started today. Learn more about Virtru by visiting their website. FireEye and Virtru are also working on FireEye Security Orchestrator (FSO) plugins to automate the revoke capability. Interested parties can contact Virtru for code snippets to automate this today, or visit the Virtru Developer Hub.