Virtru and FireEye
Virtru and FireEye provide mutual customers with persistent protection, control, and visibility of sensitive email and file attachments as they travel in and out of customers’ environments. For SOC teams, this means that as content is created and shared in the cloud, they can maintain granular visibility into who has accessed protected data, when and where they did it, and for how long.
How Does it Work?
Customers can use the Virtru Audit Export API to push audit telemetry to FireEye Helix. Together, Virtru and FireEye give customers user-behavior analytics that apply the configured data loss prevention (DLP) rules to identify abnormal email usage and suspicious or malicious activity, and that show who is sharing sensitive data. In the event of a data breach, or if a user’s credentials become compromised, Virtru can immediately disable access via its advanced access control capabilities.
FireEye Helix has more than 70 rules set up for Virtru that generate alerts for SOC analysts to review. These alerts cover the normal day-to-day activities that Virtru customers perform, such as:
- Email/Content Access: Revoked or Granted Access, Sharing Enabled/Disabled
- User Behavior: Failure/Success to Access Email/Content, Forwarded Email
- Admin Items: New/Deleted Admins, New API Tokens Created, Users
- Policy Information: New/Update/Deleted Policies or DLP Rules, Violated Policy Info
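To make the alerting model above concrete, here is an added example (not Virtru's or FireEye's code) that maps audit events to the four alert categories listed, aggregates repeated access failures per user the way a SOC rule would, and rolls alerts up into per-category counts for a dashboard. The event field names, action names, and sample records are all constructed stand-ins; they are not the real Virtru Audit Export API schema or FireEye Helix rule syntax.

```python
"""Classify Virtru-style audit events into SIEM alert categories.

Added example. The event fields, action names and sample records below are a
constructed stand-in, not the real Virtru Audit Export API schema or FireEye
Helix rule syntax.
"""
from collections import Counter

# Constructed sample events (hypothetical field names; not real Virtru output).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01Z", "actor": "alice@example.com", "action": "access.revoked", "object": "msg-1001"},
    {"ts": "2024-01-10T09:02:10Z", "actor": "alice@example.com", "action": "sharing.disabled", "object": "msg-1001"},
    {"ts": "2024-01-10T09:05:44Z", "actor": "bob@example.com", "action": "content.access.success", "object": "msg-1002"},
    {"ts": "2024-01-10T09:06:01Z", "actor": "bob@example.com", "action": "email.forwarded", "object": "msg-1002"},
    {"ts": "2024-01-10T09:07:12Z", "actor": "mallory@example.net", "action": "content.access.failure", "object": "msg-1003"},
    {"ts": "2024-01-10T09:07:30Z", "actor": "mallory@example.net", "action": "content.access.failure", "object": "msg-1003"},
    {"ts": "2024-01-10T09:07:55Z", "actor": "mallory@example.net", "action": "content.access.failure", "object": "msg-1004"},
    {"ts": "2024-01-10T09:10:00Z", "actor": "admin@example.com", "action": "admin.created", "object": "carol@example.com"},
    {"ts": "2024-01-10T09:11:00Z", "actor": "admin@example.com", "action": "api_token.created", "object": "token-0001"},
    {"ts": "2024-01-10T09:12:00Z", "actor": "admin@example.com", "action": "dlp_rule.updated", "object": "rule-ssn"},
    {"ts": "2024-01-10T09:13:00Z", "actor": "bob@example.com", "action": "policy.violated", "object": "rule-ssn"},
    {"ts": "2024-01-10T09:14:00Z", "actor": "eve@example.com", "action": "login.unknown", "object": "-"},
]

# Constructed action names mapped onto the four alert categories the page lists.
CATEGORY_BY_ACTION = {
    "access.granted": "Email/Content Access",
    "access.revoked": "Email/Content Access",
    "sharing.enabled": "Email/Content Access",
    "sharing.disabled": "Email/Content Access",
    "content.access.success": "User Behavior",
    "content.access.failure": "User Behavior",
    "email.forwarded": "User Behavior",
    "admin.created": "Admin Items",
    "admin.deleted": "Admin Items",
    "api_token.created": "Admin Items",
    "policy.created": "Policy Information",
    "policy.updated": "Policy Information",
    "policy.deleted": "Policy Information",
    "dlp_rule.created": "Policy Information",
    "dlp_rule.updated": "Policy Information",
    "dlp_rule.deleted": "Policy Information",
    "policy.violated": "Policy Information",
}


def categorize(events):
    """Return one alert per event whose action maps to a category.

    Events with an unmapped action are skipped here; unmapped_actions()
    reports them so coverage gaps in the rule set are visible, not lost.
    """
    alerts = []
    for ev in events:
        category = CATEGORY_BY_ACTION.get(ev["action"])
        if category is None:
            continue
        alerts.append({"category": category, **ev})
    return alerts


def unmapped_actions(events):
    """Sorted list of action names the rule set does not cover."""
    return sorted({ev["action"] for ev in events if ev["action"] not in CATEGORY_BY_ACTION})


def failed_access_bursts(events, threshold=3):
    """Aggregate rule: actors with at least `threshold` access failures in the batch."""
    failures = Counter(ev["actor"] for ev in events if ev["action"] == "content.access.failure")
    return {actor: n for actor, n in failures.items() if n >= threshold}


def dashboard_counts(alerts):
    """Per-category alert counts, the roll-up a dashboard panel would chart."""
    return dict(Counter(a["category"] for a in alerts))


if __name__ == "__main__":
    alerts = categorize(SAMPLE_EVENTS)
    for a in alerts:
        print(f'{a["ts"]} [{a["category"]}] {a["actor"]} {a["action"]} {a["object"]}')
    print("dashboard:", dashboard_counts(alerts))
    print("failed-access bursts:", failed_access_bursts(SAMPLE_EVENTS))
    print("unmapped actions:", unmapped_actions(SAMPLE_EVENTS))
```

The per-actor failure threshold is deliberately a batch count rather than a sliding time window, which is enough to show the idea; a production rule would key on a time window and on the tenant's own action vocabulary. Surfacing unmapped actions matters as much as the alerts themselves, since a new event type the rules do not know about is otherwise invisible to the SOC.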
There are five Virtru dashboards in FireEye Helix that visualize the alerts firing in an environment (Figure 1): Email Information, Email Advanced Control Usage, Organizational Events, User Events and User Activations. These dashboards (seen in Figure 2) let SOC analysts quickly view key information and take action.