SOC teams are often overwhelmed by the flood of known and suspected malware coming at them from every direction. Web and email gateways, endpoints and other systems all feed into the fire hose of suspicious files sent to the SOC—and all those potential threats need to be vetted ASAP.
The challenge facing security analysts can be summed up with a few imperatives:
- Tell me if a file or a URL is good or bad so our systems know whether to block it.
- If it’s bad, tell me why.
- Tell me fast – really fast – so I can stay on top of the flood of threats.
- And tell me with a high level of certainty, so I’m not wasting my time chasing down false positives.
That, in a nutshell, describes the capabilities of VMRay Detector, which was introduced in March at the RSA Conference.
An Overview of VMRay Detector
VMRay Detector is built on our flagship platform, VMRay Analyzer. However, while VMRay Analyzer is designed for comprehensive, in-depth malware analysis and detection, VMRay Detector is focused on rapid, highly accurate malware detection for high-volume use cases.
Affordable and scalable, the solution ingests suspicious files and URLs from multiple sources. VMRay’s multi-stage triage and detection process quickly distinguishes between malicious and benign files: dismissing the latter so the system’s analytical firepower can be focused on the former.
VMRay’s Now, Near, Deep architecture (see Figure 1), integrates three core components:
- Rapid reputation lookup leverages threat intelligence from leading security providers. In milliseconds, VMRay Detector flags known malicious files and unknown but suspected threats and submits them for further scrutiny. Known good files are discarded from the detection pipeline.
- VMRay’s static analysis engine identifies potentially harmful active elements within documents—such as a URL embedded in a PDF file or a macro within a spreadsheet—and passes them along to the VMRay Analyzer malware sandbox.
- Dynamic analysis: Isolated in the sandbox, even the most evasive malware executes completely and without interruption. As a result, malicious files can be identified with a high degree of certainty
Figure 1: VMRay’s Now, Near, Deep Architecture
Automation for high-volume use cases
When it’s integrated with high-volume sources, such as web and email gateways, VMRay Detector provides rapid, fully automated threat detection. No human interaction is required. And because VMRay’s Now, Near, Deep architecture ensures that high-level results are very accurate, false positives are virtually eliminated. In turn, security teams can confidently share those results with other security tools to automate block/allow decisions and additional protection measures.
The Multiplier Effects of Integration
The more widely VMRay Detector is integrated with other security systems, the greater its value to the organization. When VMRay Detector is combined with VMRay Analyzer, analysts can conduct in-depth analyses and access actionable threat intelligence to investigate the most severe and advanced threats.
When integrated with other security products, VMRay Detector complements them in important ways. It fills security gaps that exist in traditional malware detection tools. By feeding those tools fast and highly accurate detection results, VMRay enhances the precision and timeliness of their automated protection measures. And when results are shared with threat intelligence systems, analysts can identify commonalities that may indicate a wider threat or recognize an attack that has been seen before, enabling a faster and better-informed response.
Leveraging VMRay’s REST API and out-of-the-box connectors, security teams can integrate VMRay Detector with diverse components of their enterprise security ecosystem.
The Bottom Line: Optimal Detection Results at Very High Volume
VMRay Detector is designed to apply the right technology at the right stage of the detection pipeline to deliver optimal results at very high volume. By empowering SOC teams to handle the deluge of threat information they face every day, VMRay’s solution not only enhances security but also increases the efficacy of SOC personnel.