Ava Reveal launches kill process feature

Cyber    Alan Brown, February 10 2021

Alan Brown

Software Engineer

Reveal allows your organization to monitor, analyze, and understand activity across your users and endpoints. Reveal helps your security team prevent data leaks and loss, detect threats, and train employees on cyber hygiene and compliance requirements. The Reveal Agent is responsible for collecting information, hosting policies, and taking actions when commanded by the operator directly or when triggered by a policy. 

Ava is pleased to announce that we’re adding a new action to the Reveal Agent’s arsenal–the ability to end a process’s life. In our latest Reveal Agent version, we’re also providing a number of new policies that take advantage of this feature to offer better protection for your data, your employees and your organization.

What are the benefits of Reveal’s kill process feature?

The ability to stop a malicious process in its tracks, and thereby prevent further compromise of your organization’s security, means your security team can be proactive in arresting threats. Coupling this action with a set of highly targeted policies protects your organization’s data while allowing users the freedom to continue their work, knowing there is a safety net if they need it.

For IT Security Managers and Admins

A Security Specialist in your organization can configure the Reveal Agent to end processes that are leaking information, violating security policies, behaving maliciously, and more. Coupling this new action with existing Reveal Agent features lets the operator prevent files from being copied to cloud services or by means of file copy tools such as scp or rsync. Using the file or clipboard content inspection facilities, you can control when a process is terminated: for example, when a user accesses data containing specific words or phrases, or data matched by sophisticated patterns for complex data such as social security numbers, credit card numbers, or national identity numbers.

For employees

Ava firmly believes that your employees are your first line of defence against security incidents. Hence, good user education and training should be an essential part of any organization’s security strategy. While Reveal has a number of options for educating users with incident-based training to improve cyber hygiene, the addition of the kill process action offers a safety net, with Reveal preventing them from making embarrassing, potentially costly or even illegal mistakes. This could be as simple as copying data to unauthorized or unsecured locations like third-party cloud storage. This lets the users in your organization focus on their task, knowing that the Reveal Agent will help them comply with the organization’s security policies.

For CISOs and C-levels

Reveal offers peace of mind to leadership, as features are targeted towards ensuring compliance with your industry standards and your organization’s policies. The ability to kill processes allows Reveal to take a proactive approach in preventing employees from violating security policies or allowing malicious software to run amok in your organization.

How does Reveal’s kill process feature work?

To take advantage of this new functionality, a Reveal administrator needs only to install our latest Reveal Agent and policy packs. Our policy packs come with a number of out-of-the-box configurations tailored to specific use cases to protect your systems from day one. Of course, as every organization is different, it’s possible to tailor the pre-canned policies to suit your needs to take further advantage of the process kill action.

As well as configurability, reliability of all of our features is always a priority. The key to reliable process death is reliable process identification.

For the curious mind

On the surface, process identification might seem like a simple problem, as all of the operating systems the Reveal Agent supports provide a numerical identifier for a particular process. However, this identifier is usually recycled in some fashion once a process exits. The Reveal Agent must be careful to avoid killing the current process occupying this process identifier when a policy or operator intends to kill one of the previous tenants of this identifier.

To address this concern, the Reveal Agent maintains an extensive set of information about all of the processes currently running on the system which are under observation. When a new process is detected, the Reveal Agent assigns it a globally unique identifier which is then used to identify this process when sending subsequent events about its activity. This identifier is also used by policies and the operator console to identify the process to kill when the action is activated. In this way, as the landscape on the system changes around the Reveal Agent the right process will always be killed, and innocent activity is allowed to continue.
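The PID-reuse hazard described above, as an added example that is not the Reveal Agent’s code: a registry that keys each process instance on (pid, start_time), hands out a stable identifier, and re-checks who owns the PID before terminating. The enumerator and terminate hooks are injected and the process list is constructed, so it runs offline; the field names and statuses are assumptions.

```python
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcSnapshot:
    """Minimal view of one live process (constructed schema, not Reveal's)."""
    pid: int
    start_time: int  # boot-relative start tick; (pid, start_time) is unique per instance
    exe: str


@dataclass
class ProcessRegistry:
    """Assigns each process instance an identifier that survives PID recycling."""
    enumerate_live: Callable[[], List[ProcSnapshot]]  # current system state
    terminate: Callable[[int], None]                  # injected so the example runs offline
    known: Dict[str, ProcSnapshot] = field(default_factory=dict)      # instance id -> snapshot
    by_key: Dict[Tuple[int, int], str] = field(default_factory=dict)  # (pid, start) -> id

    def refresh(self) -> List[str]:
        """Register every instance not seen before; return the newly assigned ids."""
        new_ids = []
        for snap in self.enumerate_live():
            key = (snap.pid, snap.start_time)
            if key not in self.by_key:
                iid = str(uuid.uuid4())
                self.by_key[key] = iid
                self.known[iid] = snap
                new_ids.append(iid)
        return new_ids

    def kill(self, instance_id: str) -> str:
        """Terminate only if the PID is still held by the recorded instance."""
        snap = self.known.get(instance_id)
        if snap is None:
            return "unknown-instance"
        current = {p.pid: p for p in self.enumerate_live()}.get(snap.pid)
        if current is None:
            return "already-exited"
        if current.start_time != snap.start_time:
            return "pid-reused"  # an unrelated process now owns this PID: leave it alone
        self.terminate(snap.pid)
        return "terminated"


def demo() -> Tuple[str, List[int]]:
    """Constructed scenario: PID 4242 exits and is recycled before the kill action lands."""
    live = [ProcSnapshot(4242, 1000, "/usr/bin/scp"), ProcSnapshot(17, 5, "/sbin/init")]
    killed: List[int] = []
    reg = ProcessRegistry(lambda: list(live), killed.append)
    reg.refresh()
    scp_id = reg.by_key[(4242, 1000)]
    live[0] = ProcSnapshot(4242, 2300, "/usr/bin/vim")  # same PID, different instance
    return reg.kill(scp_id), killed  # ("pid-reused", []): the editor is untouched
```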

The Reveal Agent also uses this list of processes as a key way to reduce the CPU and memory impact of inspecting the system. In order to provide the rich set of detail on running processes–e.g. the Reveal Agent provides process binary signing information, application metadata, binary executable file hashes and more–the Reveal Agent must query many sources. Not all of these sources are computationally inexpensive, and the Reveal Agent must take care to observe the system without preventing an employee from accomplishing their work. To this end, the Reveal Agent stores information for a particular process instance once it is queried from the system. This information is stored and maintained on disk until the next system restart so that the Reveal Agent can provide consistent information in the case of upgrade or failure. Information on executable files is queried once, stored on disk permanently and modified based on changes to the file system. In this way information need only be queried once ever for a particular file.