Zach Garcia is a threat hunter in Jazz Networks' cyber analyst services team.
In my time at Jazz Networks it has struck me how quickly major releases go out, especially given how feature-rich each one is. Version 5 (V5) of Jazz is no different, but this time I particularly feel the attention given to features that directly benefit the operators who use the product every day. I'm talking about the people in the trenches: SOC analysts, threat hunters, incident responders, and anyone else whose job is to know normal and find evil. In this post I cover the features that I think make Jazz easier to use daily.
The new welcome dashboard
Live alarm and threat feed
First, the obvious. As soon as you log into the platform you are greeted with the all-new landing page. In prior versions the first thing you saw was the atlas view, which is useful, but the new landing page is much better because it lets you hit the ground running and immediately see what matters.
The left pane ranks users and hosts by a risk score derived from which policies, sensors, and alarms they have triggered. This gives the operator easy visibility into which hosts or users are most consistently "misbehaving".
The next pane is a running list of sensors ranked by risk score. I like this because it can be filtered to the severities you care about and it updates automatically, so you can watch sensors roll in. This is not necessarily something you need during routine work, but during active incidents I have personally set up rules to catch specific TTPs and run standing queries so the SOC could see immediately when a rule fired. With Jazz that workflow is built into the landing page; the operator only needs to make sure the policy of interest triggers a sensor. More on policies later.
The third pane brings me to one of my favorite Jazz V5 features: cases. In the right-most pane a Jazz operator sees the latest open, ongoing cases. This is not a mind-blowing feature, but it makes it very convenient to jump back into something you were working on or to collaborate with your team. Cases deserve a closer look, so let me elaborate.
Jazz operators now have the ability to create "cases". A case is a collection of events, notes, and images related to a notable security event. The obvious workflow is to open a case for an alarm raised by the Jazz machine learning: the operator creates the case, adds the relevant events collected by the Jazz agent, and attaches screenshots, images, notes, and links as needed. Even better, cases are collaborative, so teams can work on them together. One scenario that particularly lends itself to cases is an active incident. Responding to an incident often means compiling a variety of events (file system, network, execution) across many hosts in your environment, and cases make it easy to gather those and keep track of what matters to you.
Next up I would like to touch on a feature that, admittedly, is more useful to SOC analysts than to threat hunters or DFIR folks: policies. With version 5, Jazz is more of a hybrid, built to serve everyday use. The machine learning is excellent at detecting anomalous activity of various sorts, but sometimes evil activity looks normal, and then we have to rely on intelligence sources, our own research, or threat hunting to find it. This is where policies come in.
Jazz lets operators define policies that match on events captured by the Jazz Agent and then raise an alarm (with a custom risk score, of course) or take a harder line against the host. Actions include isolating the host or triggering a pop-up that the user has to acknowledge. Host isolation is disruptive, so it is worth running a new policy as alarm-only until its false-positive rate is known. Policies and actions can also be used for more than detecting or containing evil.
A policy with a pop-up action can deliver immediate, highly relevant user training at the moment a user does something that could endanger the company's data, even inadvertently. It could be as simple as telling the user that downloading executable binaries is not allowed. Another training policy could warn a user that the file they are uploading to Google Drive contains plain-text Social Security numbers. With Jazz policies, operators have a lot of latitude to secure their environments creatively.
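To make the two ideas above concrete (policies that match agent events and fire actions with a risk score, and the landing-page ranking of hosts by accumulated risk), here is a small worked example. It is added for this post and is not Jazz code; the event schema, policy names, risk values and action names are all assumptions chosen for illustration, and the sample events are constructed. It shows the executable-download and SSN-upload policies from the text as matching functions, evaluates them over the events, and ranks hosts by the risk they accumulate.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample events in a hypothetical host-agent shape (not Jazz's schema).
EVENTS = [
    {"host": "ws-101", "user": "alice", "type": "download",
     "path": "C:/Users/alice/Downloads/setup.exe", "dest": "", "content": ""},
    {"host": "ws-102", "user": "bob", "type": "upload", "dest": "drive.google.com",
     "path": "payroll.csv", "content": "name,ssn\nJane Doe,123-45-6789\n"},
    {"host": "ws-103", "user": "carol", "type": "upload", "dest": "drive.google.com",
     "path": "notes.txt", "content": "meeting at 10, room 987-65-4321 is not an SSN\n"},
    {"host": "ws-102", "user": "bob", "type": "download",
     "path": "C:/Users/bob/Downloads/tool.msi", "dest": "", "content": ""},
]

EXECUTABLE_EXTS = (".exe", ".dll", ".msi", ".scr")

# SSN pattern with the SSA's structural rules: area not 000, 666 or 9xx;
# group not 00; serial not 0000. Structural checks only; no check-digit exists
# for SSNs, so a plain-text hit is still a candidate for analyst review.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Policy:
    name: str
    risk: int                       # added to the host's score on each match
    actions: Tuple[str, ...]        # e.g. "alarm", "popup", "isolate"
    match: Callable[[dict], bool]


def is_exec_download(ev: dict) -> bool:
    return ev["type"] == "download" and ev["path"].lower().endswith(EXECUTABLE_EXTS)


def is_ssn_cloud_upload(ev: dict) -> bool:
    return (ev["type"] == "upload"
            and ev["dest"].endswith("drive.google.com")
            and SSN_RE.search(ev["content"]) is not None)


# Hypothetical policies. The SSN policy only warns; isolation is left to the
# executable policy and would normally be enabled after a trial in alarm-only mode.
POLICIES = [
    Policy("exec-download", 30, ("alarm", "popup"), is_exec_download),
    Policy("ssn-upload-gdrive", 60, ("alarm", "popup"), is_ssn_cloud_upload),
]


def evaluate(events: List[dict], policies: List[Policy] = POLICIES) -> Tuple[List[dict], Dict[str, int]]:
    """Run every policy over every event.

    Returns (hits, risk_by_host): hits is one record per policy match with the
    actions to take; risk_by_host sums the risk of all matches per host.
    """
    hits: List[dict] = []
    risk_by_host: Dict[str, int] = {}
    for ev in events:
        for p in policies:
            if p.match(ev):
                hits.append({"policy": p.name, "host": ev["host"], "user": ev["user"],
                             "actions": p.actions, "risk": p.risk})
                risk_by_host[ev["host"]] = risk_by_host.get(ev["host"], 0) + p.risk
    return hits, risk_by_host


def rank_hosts(risk_by_host: Dict[str, int]) -> List[Tuple[str, int]]:
    """Highest accumulated risk first; ties broken by host name for stable output."""
    return sorted(risk_by_host.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits, risk = evaluate(EVENTS)
    for h in hits:
        print(f"{h['policy']:<20} {h['host']} {h['user']:<6} -> {', '.join(h['actions'])}")
    print("ranking:", rank_hosts(risk))
```

The third event contains a 9xx-prefixed number that is not a valid SSN and is deliberately left unmatched; in a real deployment the content check would run against the file the agent observed rather than an inline string, and the regex would be one signal among several rather than a verdict.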
See it for yourself
And on that note, I think I have come around to what I love about Jazz. With the Jazz Platform, operators have a tool that is wide open to creativity, so they can secure their people, reputation, and data in the way they see fit. The data is in there. The visibility and the tools are in the platform. You just have to use them. Version 5 brings a wealth of other features, many of them useful to day-to-day operators as well, and I highly recommend reading the release notes for the full list. I just wanted to cover the features that made me smile as a daily Jazz operator.