Over the past quarter, the Cado team has been hard at work bringing new features and enhancements to the Cado platform. Here’s an overview of what we’ve been up to:
SaaS Support
The Cado team has been working hard to bring SaaS support to the platform, beginning with the ability to acquire the Microsoft 365 Unified Audit Log (UAL). The UAL is a critical data source when investigating and responding to M365 compromises, including BEC, because it records the activities users and admins perform across the different Microsoft 365 services. Within the Cado platform, security teams can analyze UAL logs, which contain over 70 categories of data, including events from Azure, Exchange, SharePoint, and OneDrive, alongside other critical sources captured across on-premises and cloud environments, to gain a better understanding of the scope and impact of malicious activity.
Investigating the UAL in the Cado Platform
Insights Dashboard
The Cado platform has introduced a new dashboard that gives analysts a quick overview of an incident. Cado’s Insights Dashboard highlights key incident details, including severity level, scope, and recommendations for where to begin an investigation based on detected malicious events. The dashboard also allows analysts to quickly filter by evidence item.
Cado’s Insights Dashboard
Cado AI Investigator
Cado recently introduced its AI Investigator feature, bringing the power of Large Language Models (LLMs) to the world of DFIR. The local LLM provides analysts with instant investigation insights regarding malicious activity detected in their environment. Cado AI Investigator saves analysts time and lowers the barrier to entry for analyzing a wide range of evidence sources acquired across different resources. Because the LLM runs locally, the Cado platform sidesteps the usual privacy concerns associated with sending case data to public cloud-based AI platforms.
Cado AI Investigator currently performs two key tasks:
- Incident Summarization: Cado AI Investigator provides a concise and informative overview of an incident, presented directly on the project overview tab. This summary highlights key findings and saves analysts time that would normally be spent sifting through mountains of data.
- File Analysis: Cado AI Investigator analyzes potentially malicious files, such as scripts, executables, or documents, and tells an analyst what these files do. For example, it can tell you whether a script downloads and executes a payload, modifies registry keys, or creates persistence mechanisms.
Cado’s AI Investigator delivers a summary of an incident, which is readily available on Cado’s Project Overview Dashboard.
Azure Triage
Cado’s triage capability now supports Microsoft Azure Virtual Machines, giving investigators the ability to perform a fast triage collection of key forensic artifacts to get answers quickly and narrow the scope of an investigation within Azure environments.
Performing an Azure VM Triage Acquisition Using the Cado Platform
Cado Security and Wiz Integration
The Cado platform now natively integrates with Wiz to further expedite forensic investigations of critical cloud resources. The integration is also available in WIN, Wiz’s Integration platform. The Cado Security and Wiz integration removes the access obstacles security teams commonly face, expediting investigation and response.
Leveraging Wiz’s recently introduced Digital Forensics capabilities, security analysts can copy captured EC2 volumes to a dedicated forensics account and apply specific tags. Based on these tags, the Cado Security platform automatically discovers the volumes and spins up a deeper forensic investigation, without analyst intervention.
How it Works: Cado Security & Wiz Integration
Cado Security and CrowdStrike Integration
Cado now natively integrates with the CrowdStrike Falcon® platform. The integration enables security teams to rapidly perform in-depth forensic investigations by delivering the following capabilities:
- Automated Forensic Data Capture: Gain immediate access to forensic evidence and key incident details across systems of interest.
- Broad Coverage: Seamlessly investigate incidents that span cloud, container, and on-premises environments.
- Expanded Threat Hunting: Incorporate forensic-level detail into your threat-hunting practice.
- Real-Time and Historical Context: Gain visibility into everything that has occurred on a system since it was installed.
To find out more about the Cado and CrowdStrike integration, check out the joint solution brief.
The Cado Security & CrowdStrike Falcon Integration
AWS GovCloud Support
Cado has extended support of its forensics and incident response capabilities to AWS GovCloud (US) to empower US government agencies to better understand risks identified across their sensitive workloads.
Cado Deployments now Support us-gov-east-1 and us-gov-west-1
Key benefits of Cado for AWS GovCloud include:
- Deploy in Minutes: Deployment via a CloudFormation template or Terraform script takes minutes. All collected data resides in the customer’s cloud environment to ensure unique data privacy requirements are met.
- Hosted by You: Deploy natively within your cloud environment to ensure your unique privacy requirements are met.
- Gain Deep Forensic Insights: Gain a deeper understanding of detected incidents by analyzing hundreds of data sources quickly and securely.
- Respond Faster: Automation is applied to the end-to-end incident response process, from data capture to analysis. With Cado, security teams can get to root cause and scope faster, drastically reducing response times.
AWS Organizations
This quarter, Cado introduced AWS Organizations support, which adds the ability to synchronize accounts managed through AWS Organizations into the platform. This significantly reduces the burden of managing accounts manually in the Cado platform, as many customers have cloud accounts that open and close frequently.
AWS Organization Support in the Cado Platform
Proxy Support
Customers can now specify a proxy URL and a proxy certificate URL within the Cado platform. This allows Cado to route outbound communication, such as updates and sending logs to support, through the customer’s proxy.
Proxy Settings in the Cado Platform
Event Multi-Select
The Cado platform now supports selecting multiple timeline events and actioning them in bulk, with the option to add and remove alarms and to set and unset events as important. This quality-of-life feature streamlines the analyst workflow, allowing alerts to be actioned quickly.
Selecting Multiple Events in the Cado Timeline
Rerun Detections Across all Evidence Items
Users now have the ability to rerun detections against all evidence items in a given project. This is extremely helpful because, during an ongoing investigation, new indicators of compromise and behaviors are often discovered and added to the Cado platform. This feature lets the user rapidly rerun the up-to-date intelligence against their existing datasets.
Re-Running Detections in the Cado Platform
This is just a brief look into the recent achievements and progress the Cado team has made over the past quarter. We’re extremely excited about the positive impacts these new features are having on our customers. While these features and improvements are another step forward in revolutionizing forensics and incident response, there’s much more to come!
If you want to see how Cado can revolutionize your investigative workflow, schedule a demo with our team.