Identity threat detection and response startup Permiso Security Inc. today launched a new open-source tool aimed at simplifying one of the biggest pain points in cloud defense: inconsistent logging across platforms.
Called P0LR Espresso, the first part short for P0 Labs Live Response, the framework normalizes cloud runtime logs to give security teams faster, clearer insights when triaging suspicious activity.
The tool targets a long-standing obstacle for security practitioners: vendor-specific log formats. Amazon Web Services Inc., Google Cloud Platform, Microsoft Azure, Okta Inc. and GitHub all log activity differently, often labeling identical fields with completely different names.
For example, what AWS calls eventName might appear as protoPayload.methodName in GCP. Analysts investigating identity behavior or cross-environment anomalies must spend valuable time learning each provider’s structure and rewriting queries accordingly.
P0LR Espresso addresses the issue by unifying critical fields, such as identity, IP address, user agent and action, into a consistent schema. The result allows defenders to focus directly on the story contained in the data instead of having to decipher multiple log structures.
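To make the normalization step concrete, here is an added example that is not P0LR Espresso's own code: it maps a constructed AWS CloudTrail record and a constructed GCP audit-log record onto one schema (identity, IP, user agent, action) and then pivots on the shared source IP so both events show up side by side. The vendor field paths other than eventName and protoPayload.methodName are assumptions about each provider's log layout, not something the article states.

```python
from __future__ import annotations
from collections import defaultdict
from typing import Any

# Unified field -> dotted path into the vendor-specific record (paths are assumptions).
FIELD_MAPS: dict[str, dict[str, str]] = {
    "aws": {"timestamp": "eventTime", "identity": "userIdentity.arn", "ip": "sourceIPAddress",
            "user_agent": "userAgent", "action": "eventName"},
    "gcp": {"timestamp": "timestamp", "identity": "protoPayload.authenticationInfo.principalEmail",
            "ip": "protoPayload.requestMetadata.callerIp", "action": "protoPayload.methodName",
            "user_agent": "protoPayload.requestMetadata.callerSuppliedUserAgent"},
}

def _get(record: dict, path: str) -> Any:
    """Walk a dotted path; return None when any segment is missing."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def normalize(provider: str, record: dict) -> dict:
    """Map one raw vendor record onto the unified schema (missing fields become None)."""
    if provider not in FIELD_MAPS:
        raise ValueError(f"unknown provider: {provider}")
    return {"provider": provider, **{f: _get(record, p) for f, p in FIELD_MAPS[provider].items()}}

def pivot_by_ip(events: list[dict]) -> dict[str, list[tuple[str, str, str]]]:
    """Group normalized events by source IP as (provider, identity, action) tuples."""
    out: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for e in events:
        out[e["ip"]].append((e["provider"], e["identity"], e["action"]))
    return dict(out)

# Constructed sample records for illustration only; not real telemetry.
SAMPLE_AWS = {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets",
              "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15",
              "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
SAMPLE_GCP = {"timestamp": "2024-05-01T10:02:00Z",
              "protoPayload": {"methodName": "storage.buckets.list",
                               "authenticationInfo": {"principalEmail": "alice@example.com"},
                               "requestMetadata": {"callerIp": "203.0.113.5",
                                                   "callerSuppliedUserAgent": "gcloud/470"}}}

if __name__ == "__main__":
    events = [normalize("aws", SAMPLE_AWS), normalize("gcp", SAMPLE_GCP)]
    for ip, hits in pivot_by_ip(events).items():
        print(ip, hits)
```

Once every provider's events share the same field names, a single query (for example, all actions from one IP across AWS and GCP) replaces one rewritten query per vendor.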
The tool is designed to assist with Priority-0 Live Response investigations, where analysts are under pressure to quickly determine whether an identity is compromised. By “pulling shots” of normalized context, P0LR Espresso streamlines triage and reduces the risk that key indicators are missed because of inconsistent log naming conventions.
The interface within P0LR Espresso comes with three primary sections: an event list, an indicators-of-compromise panel and an identity activity analysis view.
The event list offers normalized views of activities with filters for users, IPs and actions, as well as counts of indicators of compromise. The complementary IOC panel allows deeper exploration of triggered alerts, and the identity activity analysis view plots behavior across timelines, making it easier to spot anomalies or unusual activity clusters.
The company said in a blog post that normalizing during the initial ingestion of runtime events greatly simplifies all downstream log analysis, whether manual investigations or additional automated detection evaluation.