“When we submit a file to VMRay the results generally come back faster, and we have higher trust in those results.
The interactive visuals are a nice feature, and I don’t have to rebuild VMs all the time. It saves me a lot of time.”
Cyber Security Architect
With roots that reach back more than a century, this multi-billion dollar conglomerate is ranked as one of the Best Large Companies in the US.
Based in the United States, this VMRay customer is a global leader in the leisure and recreation industry. The firm has developed and acquired many iconic brands and currently serves more than 150 markets worldwide.
As the customer’s Cyber Security Architect explains, his company is executing an ambitious, multi-year strategy that’s driving growth, innovation and digital transformation across all businesses.
“We work hand-in-hand with all parts of the organization to support that strategic direction,” says this long-time member of the security team. “Our role is to safeguard IT infrastructure and critical business processes while maintaining operations at full capacity.”
Currently Level 1 and Level 2 SOC services are delivered by MSSPs. More serious threats and concerns are escalated to a 5-person, in-house staff that splits the duty across networking, desktops, servers, and architecture.
To align with the high-level corporate shift, the security team deployed VMRay threat analysis and detection, opting for VMRay’s cloud-based tools and advanced technology foundation, versus the open-source, locally administered tools they had been using.
All five in-house team members use VMRay in their routine workflow, making it easier to work collaboratively or cover for someone who’s not available. However, the analyst who is the team’s point person for incident response is the most frequent and expert user.
His most common VMRay tasks fall into two categories: One relates to phishing attempts: analyzing email attachments – such as Excel files and PDFs – as well as executables, DLLs and embedded links. The second is to validate possible false positives (FPs) generated by EDR and other security tools.
The analyst cites some of the key ways VMRay is superior to the open-source sandbox he previously relied on. “When you’re investigating a suspicious email link related to credential theft, you need to go to that potentially tainted login page and put in your password to see what would happen if the intended recipients were to click that link,” he says. “But to take that simple step I would first have to spin up a VM on my own so I didn’t explode my computer in the process.”
Now he just puts the link in VMRay, where he can continually monitor how the sample behaves as it safely executes in the analysis environment.
“VMRay moves the cursor. It clicks other links that advance the attack, and so on. There are no gaps in visibility,” says the analyst. “So you get better confirmation of possible threats, compared to a readout or by looking at the kinds of screenshots other sandboxes generate only periodically or only in response to a specific condition or event.” Additionally, VMRay enables him to directly interact with the sample being analyzed to gain deeper insight into malicious activity.
The security team also relies on VMRay to validate ambiguous or inconclusive analysis results produced by EDR and other tools.
“We see cases where EDR indicates a file is bad and moves to quarantine it. Yet some users tell us they need access to that file. So we’ll run it through VMRay. If the risk is tolerable, we can put an exclusion in place so a critical activity isn’t blocked needlessly.” Similarly, when EDR can’t make a clear determination – for example when a system reaches out to a SharePoint site – the security team relies on VMRay analysis results to decide whether any action is required.
“We have other tools in our kit that have sandboxing capabilities, but they’re just not as good,” says the analyst. “When we submit a file to VMRay generally get faster results, and we have higher trust in those results. The interactive visuals are a nice feature, and I don’t have to rebuild VMs all the time. It saves me a lot of time.”
The team is currently looking at ways to integrate VMRay with existing security tools to automate critical aspects of their workflow.