VMRay Detector & Analyzer: A Single Pane of Glass for High-Volume Threat Detection and Analysis

According to Forrester, there will be 2 million job vacancies in the cybersecurity sector by 2022. This reality is the impetus for greater efficiency and achieving a significant improvement in the “signal to noise” ratio that security teams are dealing with.  Automating malware analysis and detection on a large scale is the key to allowing your team to focus on the threats that will impact your organization.

Enter VMRay Detector. A high-volume, fully automated threat detection solution built to work seamlessly with VMRay Analyzer: our industry-leading malware sandbox (see Figure 1). By combining the two capabilities in a single pane of glass, security organizations are better equipped to manage the increasing volume of advanced threats, streamline workflows between different teams, and maximize the positive impact VMRay brings to the wider security ecosystem.


VMRay Analyzer and Detector Working Together

Figure 1: VMRay Detector and VMRay Analyzer, at a glance


Providing High-Level, Actionable Detection Results

Working in VMRay Detector, SOC analysts can monitor a deluge of potential malware, quickly identify and assess the most severe threats and then hand off high-level detection results to an IR or CERT team member. Based on that information, the specialist decides whether the threat is severe enough to warrant a deep-dive analysis or a forensic investigation.

Let’s take a look at how this works in practice.

When triaging the firehose of potential threats, SOC analysts primarily need to know two things about a file or URL: Is it bad? And what makes it bad?

VMRay Detector’s high-level detection results answer both questions. In the Sample Overview page shown in Figure 2, Detector has labeled the malware sample as being Malicious, classified it as an information stealer, and assigned a severity score—called a VTI score—of 100/100.


VMRay Detector - High-level Detection Results

Figure 2: Providing high-level detection results


Further down the page, color-coded threat identifiers highlight suspicious activity. A known malicious file is present. The malware exhibits Spyware behavior. Keyboard input is being monitored, and a file is being injected into another process.


A Faster, Smoother Handoff & A Deeper Dive

These results can be automatically propagated through the API to other security platforms for immediate protective action.

Concluding that a deeper dive is called for the SOC analyst can handoff the Detector result to the IR Team. The reports are locked, but the IR Team can unlock the reports for deeper analysis. Looking at the detailed report the IR Team will be able to take the appropriate action based on these results.


VMRay Detector - MITRE ATT&CK techniques triggered

Figure 3: MITRE ATT&CK techniques used by the malware sample being analyzed


For example, in the unlocked report shown above in Figure 3, VMRay Analyzer displays the MITRE ATT&CK techniques that were used by the malware sample in question. Clicking on Process Injection in the Defense Evasion column of the matrix, the IR Team accesses a detailed description of the technique (Figure 4).



Figure 4: SOC Analysts can drill down on MITRE ATT&CK techniques triggered


The handoff process described above involves intervention by the IR Team. In an even more streamlined scenario, the same high-level VMRay Detector results could bypass the analyst and be sent directly to the enterprise SOAR platform, which would apply the relevant playbook and likely decide (as the human analyst did here) that a closer look is needed. The SOAR system unlocks the analysis reports and routs the incident to an IR Team member, who can begin action immediately.


The Importance of VMRay’s Now, Near, Deep Architecture

High-volume threat detection is severely compromised if it doesn’t also provide an exceptionally high level of accuracy. Otherwise, some percentage of threats will always bypass existing protections, creating security risks that may negate the operational value of automated processes.

VMRay’s Now, Near, Deep architecture, shown in Figure 5, is a key element in enabling both the high-volume and high-precision aspects of VMRay Detector. When files and URLs are submitted to VMRay, they are triaged using three phases of scrutiny:

    • In milliseconds, a rapid reputation engine identifies known-bad files and suspicious behavior
    • In seconds or less, static analysis identifies active elements that may be malicious, such as embedded macros and URLs
    • Lastly, dynamic analysis kicks in if no determination was made. Files and URLs are detonated and observed using VMRay’s hypervisor-based monitoring technology.


VMRay's Now, Near, Deep Architecture

Figure 5: VMRay’s Now, Near, Deep Architecture


Because VMRay’s hypervisor-based monitoring technology is invisible to malware, it detects even highly evasive strains that other solutions miss.

On the front end, VMRay can ingest threat information and alerts from many sources: firewalls, email gateways, web gateways, endpoint protection systems, and others. On the back end, detection and analysis results can accelerate and enhance incident response, security research, and threat hunting. Shared with other security systems, VMRay’s output can be used to automate block/allow decisions and inform other protective actions and policies. In short, the wider ecosystem benefits from the speed, accuracy, and completeness of VMRay analysis and detection.


Complementary Licensing, Report Quotas & Pricing

Because VMRay Detector and VMRay Analyzer are designed for very different use cases−high-volume detection and in-depth analysis, respectively−they have different but complementary licensing and pricing structures that enable scalability.

With VMRay Analyzer, the customer contracts for a daily quota of in-depth analysis reports, which provide a comprehensive, detail-rich view of whatever malware sample being scrutinized; the standard quota is 100 analysis reports a day. With VMRay Detector, the customer can bolt on a daily quota of detection results, which provide high-level threat information, as described earlier. A typical quota is 1,000 detections a day. Whenever a detection result is generated or an analysis report is unlocked, that is deducted from the quota.