The JASK ASOC (Autonomous Security Operations Center) open API platform has broad and flexible ingestion capabilities to support logs and endpoint/network sources while providing user and entity attribution. It uses an agentless collection methodology with passive software sensors that report metadata to the JASK platform and encompasses three types: network sensor, log sensor and active directory sensor.
Network sensors monitor network segments, extracting metadata with deep packet inspection. Log sensors collect logs from existing detection tools, including SIEM solutions; data is accepted as syslog locally, while all parsing and processing is done by the JASK cloud platform. Active Directory sensors gather information from AD and extract event log data from a subset of event log types. This automatically scalable, cloud-native platform aims to address analyst overload by providing rapidly digestible, real-time results, quick search functionality, and enriched data.
The dashboard is clean and modern, housing some informational widgets with items like insights, entities and signal coverage by attack stage. They can’t be moved around the dashboard, nor did we see an option to add custom widgets. Any available insights will be shown at the bottom of the dashboard. The navigation page is intuitive and keeps the platform simple, but there did not appear to be a way of reaching documentation links or a knowledgebase from the portal dashboard.
Signals are points of interest that look at events and build relationships between them to stitch together a story for the analyst. They are produced by an algorithm that monitors events and looks for patterns and correlations. While investigating, analysts can record comments and see threat intelligence matches, as well as top-to-bottom coverage of all the DNS request information they could want.
Another simplification is the correlation of entities, provided by an insight engine that runs continuous evaluation. This displays information that analysts can drill down into to see anything they want or need to know about an HTTP request. It automatically correlates the network flow with the HTTP record, saving analysts time during initial investigations.
The setup was relatively straightforward. We were given a different set of instructions from the UI of the dashboard we were working in, and still were able to find the correct location of the sensor key within minutes.
Starting price is $125 per monitored employee for 1,000 employees. Basic support is part of the SaaS Agreement. Additional fee-based support includes Gold (12/5) and Platinum (24/7 support and Technical Account Manager) beginning at 20 percent of the license fee cost.
Tested by Matthew Hreben