“IR is a discipline that requires a specialized and skilled workforce with years of experience. The best way to leverage the incredible value of our people’s expertise is through processes that are harmonized, repeatable and scalable.”
Cybersecurity Team Leader
In recent years, the organization that Jim works for was spun off from its parent company, leading to a period of transition for his cybersecurity team. A 12-person staff was split up, leaving the new company with a lean, 3-person team. In addition, a legacy system developed in-house to perform many SOAR-like functions was no longer adequate for the spin-off company’s needs. A decision was made to acquire a commercial SOAR platform and replicate the existing workflow automation processes in the new environment.
A big piece of this project involved choosing a malware analysis solution and integrating it with both the SOAR platform and the legacy system. “In our search, we more or less stumbled onto VMRay, which fit all of our requirements for a sandbox,” says Jim. “It has a great API, and there’s a lot you can do with it.” VMRay provides an easy way to automate and standardize the submission of suspicious files, URLs and code to the sandbox, via the SOAR. Conversely, it offers the ability to pull VMRay analysis results back into an alert within the SOAR, to enrich the alert data and support fast, accurate decision-making.
VMRay also matched up well with Valvoline’s other requirements. It delivers solid signature detection (URL reputations, multi-AV scanners, heuristic scans), robust analysis reporting, and ease of use: an essential trait for a small, busy team.
VMRay provides some of the many puzzle pieces the SOAR assembles to orchestrate the detection, analysis and mitigation of phishing attempts. VMRay’s primary role in this context is to analyze suspicious URLs and email attachments and identify which are malicious. Those results are then returned to the relevant SOAR components.
As Jim points out, “Any malicious email that makes it to the user’s Inbox has already beaten some of our tools. So time is of the essence.” One of the strengths of the VMRay integration is that newly discovered indicators of compromise (IOCs) can be published in the team’s threat intelligence application within hours, rather than at the 2-week intervals required by the old system.
Another benefit is being able to directly interact with live malware and URL samples in VMRay’s contained environment. This feature takes advantage of what Jim calls ‘the human sensor’: individuals’ ability to discern subtle traits that automated processes will sometimes miss. He gives the example of a benign verdict that may actually be a false negative. “With awareness training, email users often can sense when a message ‘looks fishy’ and should be forwarded for analysis,” he says. Similarly, expert responders will intuitively look one or two “hops” past a benign landing page and uncover a credential-harvesting page.
Fast is good! VMRay analysis is fast. Using their old on-premises system, team members sometimes waited 10 or 15 minutes to get their results. “With VMRay, the results always come back quickly, in under a minute,” says Jim. “And with a cloud solution, we can scale flexibly as the business changes. We’ve never had a problem with it. It’s always available.”
Tapping into the power of partners: In working with the customer’s new SOAR provider, who happened to be a VMRay integration partner, it was discovered that the SOAR was initially pulling back only a small fraction of the results data generated by the sandbox. With guidance from the VMRay team, the vendor quickly corrected the problem and updated their existing VMRay plug-in.
Revisiting the past: Jim and other senior Incident Responders sometimes revisit a security event that happened many months prior. “With VMRay, I can pull the whole analysis archive into that event,” he says. “I can look at the PDF report, IOCs, and screenshots of malware executing. I even have a sample of the object, which I can re-submit to dig deeper into the incident or to get analysis results based on updated information. Having that capability in our SOAR is pretty awesome.”
How people learn what “normal” and “malicious” look like: While effective commercial tools are essential, Jim places a high premium on the human factor in sniffing out threats. “I’m happiest when I’m part of a team that’s collaborating,” he says. “VMRay’s ease of use and visual interface accelerates collaboration and learning, especially for junior staff. It helps them make clear, concise decisions. And by repeatedly observing the analysis process, step by step, they learn what ‘normal’ looks like, what ‘malicious’ looks like, and when something seems ‘off’ and probably calls for a second opinion.”