
Gem Platform Highlights for 2023

It’s been quite a year for us at Gem, from our launch back in February, through our Series A funding in September. We embarked on this journey aiming to build the best detection and incident response platform for the cloud, and it’s crazy to think that in such a short time we’re already delivering for dozens of SecOps organizations around the world in diverse verticals including financial services, hospitality, healthcare, manufacturing, energy, and software/technology.

These organizations rely on Gem because our agentless and cloud-native platform was purpose-built to help SecOps teams speed up the time to detect, forensically investigate, and contain cloud threats. At the same time, it continuously identifies gaps in real-time monitoring of cloud telemetry across all their accounts and cloud services, including Identity, Data, Network, and Compute.

Now that 2023 is behind us, we wanted to share some of the core product features and enhancements we’ve released and provide a sneak peek into all the exciting innovations planned for 2024.

Industry-Leading Coverage for AWS, Azure, GCP & Okta

Providing the deepest visibility and widest coverage for cloud threats across Identity, Network, Data, and Compute

We’ve added ingestion support for over 10 new data sources, across all the different resource categories, from network (VPC flow logs) to compute (EKS/AKS/GKE logs) and identity (Okta system audit logs, Azure AD audit logs and Google Workspace audit logs). 

Given the critical nature of identity in the cloud, customers have been enthusiastic about our new ability to correlate suspicious and unusual IdP events with suspicious and unusual events from other cloud data sources such as the control plane. This now enables the Gem platform to automatically build investigation timelines incorporating all of these events in a single view that makes it easy for the analyst to immediately understand the full story of a multi-stage attack. 

These new data sources expand on our previous industry-leading support for the broadest range of cloud data sources, including AWS CloudTrail, S3 data events, Azure activity and resource logs, GCP audit logs, and more.

Cutting Edge Detection Coverage for the Latest Cloud TTPs

Our cloud security research team has also been hard at work, developing detections for over 300 new TTPs while expanding our behavioral models to incorporate a deep understanding of what constitutes both normal and abnormal behavior for the cloud entities monitored by each of these logs. 

This unique blend of detection logic and cloud-specific behavioral analytics is key to enabling high-fidelity detections and filtering out the noise generated by thousands or millions of events captured by each of those sources. 

The cloud security research team also used a variety of Red Teaming tools, experimented in our own cloud sandbox, and meticulously researched every published cloud breach, to provide comprehensive coverage for the latest cloud TTPs.

We’ve also expanded the information on our TTP page to now show all TTPs covered by Gem, with additional information like:

  • MITRE tactic and description for each TTP 

  • Involved cloud entities (IAM users, access keys, etc.) and exclusions for each TTP

  • Whether you have any open alerts associated with a TTP

  • Recent cloud breaches and associated TTPs, including whether any of them have been detected in your own cloud environment 

  • Tags to enable sorting by category (identity, data, network, compute, and control), cloud provider, MITRE tactic, TTP name, etc.

Worried about a specific scenario or breach? You’ll find all the details there!

Broader & Deeper Alert Context

Speeding up response by providing the most relevant information for every alert

When investigating cloud alerts, context is king (and queen). At Gem, we’ve always provided deep context about the behavior of all cloud entities involved in an incident – before, during, and after the alert.

To accomplish this, the platform automatically provides you with contextual information enabling you to easily answer critical questions like “How often does this machine access data in S3?” or “Is this access key typically used from this location?”

To provide SecOps teams with the most relevant data, we’ve now extended our entity-based context mechanism to also include environmental information. Cloud environments are very different from organization to organization, and an event that’s a clear sign of malicious activity in one environment could be totally normal in another. Incorporating this context has always been a part of our detection engine, enabling us to modify the severity of alerts based on how unusual a given event is for a particular environment. 

This environmental context is easily accessible from the platform itself, allowing you to easily answer questions like “What are the most common countries users are connecting from?” or “How often do specific events happen in an account?” This enables analysts to see trends and baselines related to the specific events that triggered each alert.

Wide Range of Out-of-the-Box Integrations

Seamlessly integrating cloud detection and incident response with your existing SecOps workflows and tools

Our goal at Gem is to integrate seamlessly with your existing SecOps workflows - whatever tools you’re currently using. To make that happen, we’ve added out-of-the-box integrations for a wide range of third-party tools, enabling you both to consume information from Gem in whatever central pane of glass you use (such as your SIEM) and to incorporate risk context from other tools (such as CNAPP and EDR) to make more informed decisions.

During 2023 we’ve added tens of new integrations and now support all the top SIEMs, SOARs, ticketing systems, messaging apps, CNAPPs, and cloud-native security tools. This list of integrations now includes Splunk, IBM QRadar, ServiceNow, Slack, JIRA, Torq, Palo Alto Prisma Cloud, Wiz, and many others.

Containment & Forensics

Enabling incident responders to move as fast as attackers to quickly investigate, capture forensic snapshots, and contain incidents before they impact the business

We’ve added a library of pre-built automated actions that your team can quickly execute to:

  • Validate whether an event was performed for legitimate reasons, by automatically sending a pre-populated message to the appropriate user

  • Stop an attack by rotating an access key, isolating an instance, deleting a bucket, etc. (for users with appropriate permissions)

  • Capture a forensic snapshot and automatically run a full forensic analysis to determine root cause while preserving digital evidence to address compliance requirements. 

By providing SecOps teams with these powerful automated capabilities at the click of a button, Gem helps even the odds against adversaries while addressing the many ways in which the speed and complexity of cloud IR differ from traditional on-premises IR.

Customizable, No-Code Automation Workflows

Automating mundane tasks and reducing alert fatigue by automating response workflows and containment actions

As part of our effort to make SecOps teams more productive, we now support a wide range of customizable automation workflows - from setting custom destinations for specific alerts and controlling severity and alert status based on predefined conditions, to automatically stopping compromised machines and modifying security groups.

Similar to the pre-built actions described above, customizable automations have already seen great adoption by our customers. Users can pick from a series of drop-down menus to create automated workflows based on triggering events (threats, etc.), affected entities (source or target entity, source role, source user agent, severity, etc.), and automated actions (change severity, validate with a user, etc.).

Our favorite scenario? When we see an alert fire, the platform automatically reaches out to the user to verify their activity, the user verifies by clicking a button in the message, and if the action is legitimate, the platform automatically closes the alert with zero need for involvement from the SOC.

Multi-Cloud Threat Detection & Readiness Dashboard

Measuring what matters most and demonstrating continuous improvement 

During 2023 we’ve continuously improved our Cloud SecOps Dashboard, adding new insights and metrics to it based on customer feedback. The dashboard shows all of the critical issues you need to deal with at any given time, as well as your team’s performance and trends over time. All of its data is also accessible via our REST API.

Data Explorer

Introducing a novel approach to Threat Hunting in the cloud

We’ve released our first data exploration module, allowing you to discover unusual behavior in your environment by looking for specific baseline deviations covering geolocation, access key creation and usage, root activity, user agents, and more.
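The environmental context described in the alert-context section above (how unusual an event is for a particular account) and the baseline deviations the Data Explorer looks for (geolocation, user agents, event types) can both be modelled as per-account frequency tables. The following Python is an added illustration, not Gem’s code; it assumes a constructed event tuple format, a 5% rarity threshold, and a one-level-per-deviation severity rule.

```python
from collections import Counter, defaultdict

SEVERITY_LEVELS = ["low", "medium", "high", "critical"]
DIMENSIONS = ("country", "user_agent", "event_name")

# Constructed history: (account_id, source country, user agent, API call).
# Account 1111...: S3 workload driven from the US via the CLI, plus a
# minority of console sessions from Germany. Account 2222...: an admin
# account where creating access keys from the console is routine.
HISTORY = (
    [("111111111111", "US", "aws-cli/2.13.0", "GetObject")] * 40
    + [("111111111111", "US", "aws-cli/2.13.0", "ListBucket")] * 15
    + [("111111111111", "DE", "console.amazonaws.com", "ListBucket")] * 5
    + [("222222222222", "DE", "console.amazonaws.com", "CreateAccessKey")] * 10
)

def build_baseline(events):
    """Per-account frequency table for each context dimension."""
    baseline = defaultdict(lambda: {dim: Counter() for dim in DIMENSIONS})
    for account, *values in events:
        for dim, value in zip(DIMENSIONS, values):
            baseline[account][dim][value] += 1
    return baseline

def rarity(counter, value):
    """Share of prior events carrying this value; 0.0 means never seen."""
    total = sum(counter.values())
    return counter[value] / total if total else 0.0

def adjusted_severity(baseline, event, base="medium", rare_threshold=0.05):
    """Return (severity, deviating dimensions) for one new event.
    Each rare dimension raises severity one level; an event matching the
    baseline on every dimension is lowered one level. An account with no
    history deviates on every dimension (cold start), so new accounts
    need a learning period before this score is trusted."""
    account, *values = event
    table = baseline[account]
    deviations = [dim for dim, value in zip(DIMENSIONS, values)
                  if rarity(table[dim], value) < rare_threshold]
    index = SEVERITY_LEVELS.index(base)
    index = min(index + len(deviations), 3) if deviations else max(index - 1, 0)
    return SEVERITY_LEVELS[index], deviations

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in [("111111111111", "DE", "console.amazonaws.com", "GetObject"),
                  ("111111111111", "US", "aws-cli/2.13.0", "CreateAccessKey"),
                  ("111111111111", "RU", "python-requests/2.31", "CreateAccessKey")]:
        print(event, "->", adjusted_severity(baseline, event))
```

The same CreateAccessKey call is routine in the admin account but a deviation in the S3 workload account, which is the point of scoring against each environment’s own baseline rather than a global rule.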

Gem AI (get it 😉?)

Accelerating response with Generative AI designed for cloud SecOps use cases

The hype is real, but so is the possibility for enormous gains in speed and efficiency in the SOC. 

At Gem, we’ve introduced Timeline tl;dr for incident responders. Now, whenever an alert is triggered in Gem, our IR co-pilot will automatically provide the complete story of what happened in a short summary paragraph you can read in seconds. 

This industry-first capability enables all analysts – even those with limited expertise in multi-cloud security – to get an instant understanding of an alert without needing to review the investigation timeline or look at the blast radius graph. 

The feedback we’ve gotten already has been amazing - customers are reporting measurable decreases in the amount of time spent triaging alerts, and this is only the beginning. Plus these summaries can also be used as a starting point to explain incidents in plain language to senior management and the board.

Plans for Continuing Innovation in 2024

We’re continuously working on new and innovative capabilities for the Gem platform. Our roadmap is driven by customer feedback and the daily challenges they face securing some of the largest and most complex cloud environments in the world, as well as by our internal teams who have many years of collective experience both defending the cloud and performing offensive cyber operations. We’re planning to continue expanding our cloud detection and incident response platform across multiple dimensions, including coverage for new IaaS and PaaS platforms as well as broadening existing capabilities around:

  • Diving deep into cloud forensics by automatically extracting and preserving forensic artifacts to identify root cause and address compliance requirements.

Until next time, we hope you had a Happy New Year, with best wishes from everyone at Gem!
