Multi-vendor security frameworks are a reality in virtually every enterprise. InfoSec teams need to manage that reality in order to protect the organization’s assets and data against targeted cyber-attacks and advanced malware. Deploying multi-vendor products means that there can often be challenges related to interoperability and integration. At VMRay, we are committed to ensuring that our customers can seamlessly integrate VMRay Analyzer into their cybersecurity ecosystem. In that vein, the VMRay Analyzer Add-on leverages Splunk as a hub for other security solutions.
Security Information and Event Management (SIEM) systems such as Splunk® Enterprise Security (ES) are deployed in Security Operations Centers (SOCs) to monitor and analyze alerts and notifications, conduct forensic investigations for detailed incident analysis and address many other security use cases. They add context to the vast amounts of threat intelligence generated by security products and are usually at the core of data analysis and digital forensics within an organization.
The VMRay Analyzer Splunk Add-On – now available in Splunkbase, the Splunk app and add-on repository – enables Splunk users to import valuable security information from VMRay Analyzer. In this blog post, we will discuss the three most important features of the VMRay Analyzer Splunk Add-On.
Automatically Import Analysis Results from VMRay Analyzer into Splunk
Users can import detailed analysis information as well as sample and submission details from VMRay Analyzer into Splunk. This includes severity scores, file hashes and file types. Once imported, these data points can be monitored and correlated with other data sources (such as threat intel feeds) to gain insights into potential threats as well as vulnerabilities within an organization (shown in Figures 1 and 2).
Automatically Import Yara Rule Matches & Results
YARA rules use pattern-based matching to identify and classify malware. Users can define custom YARA rules in VMRay Analyzer and import all rule matches into Splunk (see an example of the configuration options in Figure 3). Tracking all analyses with YARA rule matches provides a wealth of information to Digital Forensics and Incident Response (DFIR) teams, allowing them to act on potential malware attacks.
Automatically Blacklist Files with High Severity Scores via Splunk Enterprise Security
Splunk ES is a premium security solution that enables security teams to use all of their data to gain organization-wide security intelligence, to quickly detect and respond to internal and external attacks, and to simplify threat management while minimizing risk and safeguarding the business. It supports continuous real-time monitoring and rapid incident response. Using the VMRay Analyzer Add-On for Splunk, security teams can automatically blacklist files with high VMRay Threat Indicator (VTI) scores via Splunk Enterprise Security. This blacklist can then be shared with other security products deployed within the organization, such as firewalls, endpoint detection and response tools (EDRs) and endpoint protection platforms (EPPs), eliminating the risk of attack from these malicious files.
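The three workflows above (correlating imported analysis records with a threat intel feed, indexing YARA matches for DFIR triage, and deriving a blacklist from high VTI scores) come down to a few operations over the imported events. The following is an added example, not code from the VMRay add-on; the record field names (`sample_id`, `sha256`, `vti_score`, `yara_matches`), the 1-to-5 VTI scale, the threshold and the sample records and feed entries are all assumptions constructed for illustration. It also flags records where the sandbox verdict and the feed disagree, which is where the correlation step earns its keep for an analyst.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like imported analysis events. The field
# names are assumptions made for this example, not the add-on's event schema.
SAMPLE_ANALYSES = [
    {"sample_id": 101, "sha256": "a" * 64, "file_type": "PE32 executable",
     "vti_score": 5, "yara_matches": ["Suspicious_Packer", "Ransom_Note_Dropper"]},
    {"sample_id": 102, "sha256": "b" * 64, "file_type": "PDF document",
     "vti_score": 2, "yara_matches": []},
    {"sample_id": 103, "sha256": "c" * 64, "file_type": "Office document",
     "vti_score": 4, "yara_matches": ["Macro_AutoOpen"]},
    {"sample_id": 104, "sha256": "d" * 64, "file_type": "PE32 executable",
     "vti_score": 1, "yara_matches": ["Suspicious_Packer"]},
]

# Constructed threat-intel feed keyed by SHA-256. In Splunk this would be a
# lookup table or a second indexed source joined on the hash field.
THREAT_INTEL_FEED = {
    "c" * 64: {"source": "feed-x", "verdict": "malicious"},
    "d" * 64: {"source": "feed-y", "verdict": "malicious"},
}

# Assumption: VTI scores run from 1 (benign) to 5 (malicious); 4 and above
# are treated as high severity for blacklisting purposes.
BLACKLIST_THRESHOLD = 4


def correlate_with_feed(analyses, feed):
    """Attach the feed source and verdict to every record whose hash is in the feed."""
    enriched = []
    for rec in analyses:
        rec = dict(rec)  # copy so the input records are not mutated
        hit = feed.get(rec["sha256"])
        rec["intel_source"] = hit["source"] if hit else None
        rec["intel_verdict"] = hit["verdict"] if hit else None
        enriched.append(rec)
    return enriched


def build_blacklist(analyses, threshold=BLACKLIST_THRESHOLD):
    """Sorted, de-duplicated hashes whose VTI score is at or above the threshold."""
    return sorted({r["sha256"] for r in analyses if r["vti_score"] >= threshold})


def yara_rule_index(analyses):
    """Map each YARA rule name to the sample IDs it matched, for DFIR triage."""
    index = defaultdict(list)
    for r in analyses:
        for rule in r["yara_matches"]:
            index[rule].append(r["sample_id"])
    return {rule: sorted(ids) for rule, ids in sorted(index.items())}


def review_queue(enriched, threshold=BLACKLIST_THRESHOLD):
    """Sample IDs where the sandbox verdict and the feed verdict disagree.

    A low VTI score on a hash the feed calls malicious (or the reverse) is the
    kind of discrepancy an analyst wants surfaced rather than silently merged.
    """
    queue = []
    for r in enriched:
        if r["intel_verdict"] is None:
            continue
        sandbox_says_bad = r["vti_score"] >= threshold
        feed_says_bad = r["intel_verdict"] == "malicious"
        if sandbox_says_bad != feed_says_bad:
            queue.append(r["sample_id"])
    return sorted(queue)


def to_splunk_events(records, sourcetype="vmray:analysis"):
    """Serialize records as one JSON object per line, the shape an input script emits."""
    return "\n".join(
        json.dumps({"sourcetype": sourcetype, **r}, sort_keys=True) for r in records
    )


if __name__ == "__main__":
    enriched = correlate_with_feed(SAMPLE_ANALYSES, THREAT_INTEL_FEED)
    print("blacklist:", build_blacklist(SAMPLE_ANALYSES))
    print("yara index:", yara_rule_index(SAMPLE_ANALYSES))
    print("needs review:", review_queue(enriched))
    print(to_splunk_events(enriched))
```

Running the block shows sample 104 landing in the review queue: its VTI score is low, but the constructed feed marks the hash as malicious, so neither source alone would have given the analyst the full picture.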
The VMRay Analyzer Splunk Add-On enables Computer Incident Response Teams (CIRTs) and IT forensics teams to import valuable security information from VMRay Analyzer into Splunk by seamlessly integrating the two products. Data imported into Splunk can then be monitored, investigated and acted upon, giving users deep visibility and easy correlation across multiple threat intel sources.
Download & Install the VMRay Add-On in Splunkbase