This session introduces the “Next Generation of Compromise Assessments,” designed to bridge visibility gaps in disconnected cybersecurity stacks. By expanding data collection beyond network telemetry to include real-time data from endpoints, identities, and email, the platform can now track entire attack chains across on-premise, cloud, and roaming environments.
Key technical updates include four new detection types: anonymous users (commercial VPNs and Tor), unusual logins, login brute force, and network brute force. They arrive alongside a “built-in response” capability for Windows agents, which allows roaming devices to make autonomous security decisions locally. Furthermore, the platform now offers enhanced audit logs for administrator tracking and retains two years of metadata for compliance and forensic use.
Takeaways
- Multi-Telemetry Expansion: Lumu no longer relies solely on network metadata; it now integrates telemetry from identities, endpoints, and email security perimeters to eliminate visibility gaps.
- Autonomous Endpoint Response: The Windows agent now features built-in response capabilities to protect roaming devices and reduce response latency without requiring manual intervention.
- New Detection Logic: The platform has introduced specific triggers for “unusual logins,” which monitor for anomalies like impossible travel, strange login times, or high-privilege account misuse.
- Threat Intelligence Correlation: Lumu utilizes the “Multiverse” engine to correlate data from over 100 threat intelligence sources, allowing it to track moving attacker infrastructure in real time.
- Extended Data Retention: The solution includes two years of traffic log and metadata retention as a standard feature, supporting long-term forensic investigations and regulatory compliance.
FAQs
Why is Lumu collecting telemetry from identities and email instead of just the network?
Disconnected security controls often leave visibility gaps that attackers exploit; by collecting telemetry from identities and email in real time, the platform can follow the complete attack chain across different business segments.
What are the four new types of detections introduced in this update?
The new detections are anonymous users (commercial VPNs and Tor networks), unusual login incidents (based on behavior and parameters), login brute force, and network brute force (scanning for open services/ports).
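As an added illustration (not Lumu's own code; the session does not describe its detection internals), a minimal Python model of two of the detections named above: impossible travel as one “unusual login” trigger, and a failed-login threshold for login brute force, run over a constructed set of authentication events. The event fields, the 900 km/h speed limit and the five-failures-in-ten-minutes threshold are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class LoginEvent:          # one authentication record (field layout is an assumption)
    user: str
    ts: datetime
    src_ip: str
    lat: float             # geolocation of src_ip, as a GeoIP lookup would supply
    lon: float
    success: bool

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag a user whose two consecutive successful logins imply a speed above max_kmh."""
    last, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            continue
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if km / max(hours, 1 / 3600) > max_kmh:   # floor the gap at one second
                alerts.append((e.user, prev.src_ip, e.src_ip))
        last[e.user] = e
    return alerts

def login_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with at least `threshold` failed logins inside a sliding window."""
    recent, flagged = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.success:
            continue
        q = recent.setdefault(e.src_ip, deque())
        q.append(e.ts)
        while q and e.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e.src_ip not in flagged:
            flagged.append(e.src_ip)
    return flagged

# Constructed sample: Bogota and Frankfurt coordinates, documentation-range IPs.
T = datetime(2024, 5, 1, 9, 0)
SAMPLE = [
    LoginEvent("alice", T, "203.0.113.10", 4.71, -74.07, True),
    LoginEvent("alice", T + timedelta(hours=1), "198.51.100.7", 50.11, 8.68, True),
    LoginEvent("bob", T, "203.0.113.11", 4.71, -74.07, True),
    LoginEvent("bob", T + timedelta(hours=3), "203.0.113.11", 4.71, -74.07, True),
] + [LoginEvent("bob", T + timedelta(seconds=20 * i), "192.0.2.9", 50.11, 8.68, False)
     for i in range(6)]
```

Running `impossible_travel(SAMPLE)` flags alice's Bogota-to-Frankfurt pair, and `login_brute_force(SAMPLE)` flags 192.0.2.9 after its fifth failure; a production detector would additionally key brute force on the targeted account and exclude known corporate egress ranges.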
How does the Windows agent’s “built-in response” feature work for roaming devices?
The agent can be configured to autonomously block malicious connections locally on the machine, which helps protect devices outside the corporate network by reducing decision-making latency.
Does Lumu provide a way to prioritize incidents based on business relevance?
Yes, the portal uses a “labels” feature that allows technicians to see which business-relevant areas or specific assets (like administrative or marketing devices) are affected to make better prioritization decisions.
How does Lumu integrate with a customer’s existing firewall?
Lumu can share indicators of compromise (IoCs) with firewalls such as Palo Alto or Fortinet in real time, allowing these devices to block malicious domains via dynamic lists even if they weren’t previously aware of the threat.