Welcome to the LevelBlue USM Anywhere newsletter! We’ve had an exciting couple of months and have many updates to share with you.
We are pleased to share the results of a recent third-party evaluation of the USM Anywhere platform. The evaluation was performed by independent testing organization SecureIQLab and involved 41 attack scenarios incorporating multiple real-world threats and attack stages. The scores affirm our strong extended detection and response capabilities. Below are some highlighted results. To read the full report, please visit our website.
You can keep up with our regular product releases by reading the release notes in the USM Anywhere Product Forum, and you can direct any questions or support issues to the LevelBlue Success Center.
New in USM Anywhere
Automated Playbooks
Automated playbooks build on Manual Playbooks, adding the ability for customers to automatically run a set of predefined actions in response to specific alarms being triggered.
Checking the “Is it an Automated Playbook?” option in the playbook creation menu will automatically run any alarm that is checked in the Alarm Rules Assignment list. When creating a fully automated playbook, customers will have to specify every detail of the associated response action. Therefore, you will find more pull-down menus in the Action boxes to specify these details.
Note: Automation is only appropriate for alarms where there is a clear response to be taken, and the necessary information is included in the log.
For example, an IDS system might detect a command-and-control connection. Since the local host always reaches out to the internet destination for these types of connections, the address that needs to be blocked will always be the destination address. This is easy to automate in the system. However, a more generic “intrusion detection” alarm from the same system could require blocking either the source or the destination address. This type of alarm should be triaged by an analyst, so traffic is not blocked in the wrong direction. Therefore, this alarm probably isn’t a good one to automatically respond to.
We are in the process of testing each of our response actions to ensure they work correctly with automated playbooks. Many of the actions for our 13 most popular applications, including SentinelOne, Office 365, Qualys, Zscaler, and Workspace, have already been tested. The remainder of the actions will be tested over the next several months. Once tested, they will show up in the menu of available actions. You can also see which response actions can be automated by checking the new column in the “Actions” tab for each application.
To understand what has happened with an automated playbook, it is necessary to check the history for playbooks under the history tab and look for “in progress” playbooks. Clicking on them will bring up a view of which steps were completed, and which steps were not. All app actions are recorded under the “history” for each app.
The current feature triggers based on an alarm rule and cannot be initiated any other way. For now, manual playbooks are the only option for analyst-run remediation. In the future, customers will have the ability to initiate fully automated playbooks from alarms.
For more information, please visit here.
New Investigations API and UI for Anywhere and Central
New features are available within our refreshed Investigations UI. Additionally, Investigations are now viewable within USM Central, allowing users to view all investigations from within a single pane rather than clicking into individual instances to review.
Some changes to the USM Anywhere Investigations UI include:
· Text formatting
· Bold, italicized, and underlined
· Bullet points
· Numbered bullet points
· Font differentiators, e.g., heading versus body
· Text alignment
· Hyperlink
· Add image
· Code snippet
· “Last Modified by” will display the full name of the person
Investigations API
A new public API has been made available to interact with Investigations and has replaced the existing USM Anywhere feature. This reduces the need for API calls within the control node and allows for increased performance.
For a full list of the investigation APIs by region, please go here.
Compliance Report Updates
This past quarter, we have refreshed all our existing compliance reports to ensure compliance with current industry standards.
Additionally, we have added the following new compliance templates:
PCI DSS v4:2022
ISO 27001:2022
NIST 800-53
NIST 800-171
HITRUST
Other Enhancements
In addition to some of these major updates, we have released several enhancements across the platform.
Scheduled reports can now be scheduled on a daily, weekly, biweekly, monthly, and annual basis.
New filters and search functionality have been added to the vulnerability dashboard, including “Available Patches” and “Affected Software.” Both filters can be seen in the tabular view of the Vulnerabilities page or when you open a vulnerability in full-screen mode.
Orchestration and Suppression rules can now be scheduled. When setting up the rule logic you’ll select the “Schedule Alarm” checkbox or “Schedule Suppression.” This will need to be performed on a rule-by-rule basis.
Users can now add multiple events to an investigation at the same time rather than associating events one at a time.
Orchestration rules can now be exported and imported between instances.
For full details on these enhancements, please visit here.
BlueApps
New Advanced BlueApps
Mimecast – The Mimecast advanced BlueApp is used for log collection from the Mimecast cloud. The app does not contain any response actions but allows customers using Mimecast email security to ingest events via API.
BlueApps coming soon!
Cisco Firepower Manager – This BlueApp allows customers to use response actions to control their entire fleet of Cisco Firepower next-generation firewalls. As a device manager, the Firepower manager doesn’t collect log messages, so logs are input via our existing BlueApp for Cisco Firepower firewalls. The app ships with eight response actions. Note however that we are actively working with Cisco to fix an issue with the external block list feature. Once the issue has been remedied, this feature will be supported. The app will stay in early access until the feature is confirmed as working.
SpyCloud – A new SpyCloud advanced BlueApp is now in early access and will soon be available for general access. The Advanced BlueApp for Dark Web Monitoring leverages SpyCloud technology to monitor the dark web for stolen user credentials, such as email addresses, usernames, and passwords. If stolen credentials are detected, USM Anywhere will provide alerts so that users can respond swiftly to the compromise. The app will include log collection and a response action to get historical breach records for verified watchlist domains and emails.
Proofpoint on Demand – This BlueApp will be focused only on events collection.
Crowdstrike Falcon – We are improving this BlueApp to include integration across the vendor’s various license tiers.
LevelBlue Labs Threat Feed Updates
In Q1, we released six threat feed updates that include 76 defects fixed, 81 improvements, and 111 new elements.
Here are a few examples of improvements made and new elements created:
Improved a rule to identify windows shadow copy and deletion, which was observed in an Akira ransomware scenario
Multiple improvements to Crowdstrike plugin to match severity between Crowdstrike and USM Anywhere
Expanded detection for newly installed remote access tools
Created a new rule which identifies abusive password storage as a part of the DarkGate Malware. Focused on four major TTPs that leveraged privilege escalation and key logging to eventually credential harvesting.
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
LevelBlue Labs Open Threat Exchange
LevelBlue Labs Open Threat Exchange (OTX) is among the largest open threat intelligence communities in the world. We have more than 200,000 members who contribute near-real-time threat intelligence to OTX, which is then enriched by LevelBlue Labs. You can go here to find out more about the new pulses or to sign up to be part of the community.
Need More Information?
To have Release Notes emailed to you automatically, follow these steps:
1. Log in to the LevelBlue Success Center.
2. Click on the announcement for the product you wish to follow.
3. Select the “Follow” button on the right-hand side.
4. Select the drop-down menu on the right-hand side and choose “Every Post” to enable receiving emails from leading security and IT tools.