What is alert triage for EDR?
Alert triage for EDR is the process of evaluating and prioritizing malware-related security alerts. It involves filtering out false positives, assessing alert severity based on policies and threat intelligence, and prioritizing responses to focus on the most critical threats. This systematic approach helps security teams efficiently manage the constant flow of alerts and allocate limited resources effectively.
Swimming in a Sea of Malware Alerts?
A constantly high volume of alerts desensitizes analysts who respond to potential threats manually, so critical alerts get missed or ignored and responses to critical incidents are delayed. VMRay can help keep your analysts’ heads above water.
Quickly reduce MTTD and MTTR to security incidents.
VMRay’s accuracy and speed of analysis, together with its high-volume alert throughput, make it the best choice for large enterprise and MSSP/MDR SOC environments.
The VMRay platform integrates with EDR/XDR solutions such as SentinelOne via the VMRay API. Setting up the connector is simple: copy the generated API keys into the respective configuration files to enable bi-directional communication. This takes just a few minutes to complete.
EDR malware alerts submitted to the platform can include “Suspicious”, “Unknown” and “Malicious” alerts. The alert and its associated binaries are submitted to the queue, where they are cached and processed on a first come, first served basis.
Multiple analyses can be performed in parallel, depending on the number of virtual machines (VMs) in the chosen subscription plan. Each plan can be customized with additional VMs up to a total of 8 VMs running in parallel, speeding up high-volume automated analysis and SOC incident response times.
Typically, the time needed to triage a “Suspicious” or “Unknown” EDR malware alert depends on whether the malware is already known or is an unknown zero-day threat. VMRay solutions use three levels of analysis: reputational, static, and dynamic.
First, the submitted binary passes through the reputational analysis engine, which checks whether the file hash has been seen before. If it is already known, the malware is tagged as malicious. If no known hash matches the sample, the binary is passed on to the static analysis engine to perform a signature match. Both the reputational and the signature analysis take mere seconds to complete.
If neither the reputational nor the static analysis makes a match, the binary is sent for dynamic analysis, which typically takes 1-3 minutes depending on the type of malware. This is much faster and more accurate than manual SOC alert triage.
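As an added illustration of the cascade described above (this is example code, not VMRay’s; the known-bad hash, the static signatures and the alerts are all constructed), the three stages run in order with short-circuiting, a first-come-first-served queue, and a hash-keyed result cache so a binary seen twice is only analysed once:

```python
import hashlib
from collections import deque

# Constructed for this example: a tiny "reputation" set of known-bad SHA-256 hashes.
KNOWN_BAD = {hashlib.sha256(b"MZ\x90\x00 constructed known-bad sample").hexdigest()}
# Constructed stand-ins for static signatures (a real deployment would use YARA
# rules): (signature name, byte pattern).
STATIC_SIGNATURES = [("encoded_powershell_launcher", b"powershell -enc "),
                     ("script_host_abuse", b"WScript.Shell")]
_verdict_cache = {}  # hash -> result, so a binary seen twice is analysed once

def reputation_stage(digest):
    """Stage 1: hash lookup against known-bad reputation data."""
    return "malicious" if digest in KNOWN_BAD else None

def static_stage(data):
    """Stage 2: signature match over the raw bytes; returns the hit name or None."""
    return next((name for name, pat in STATIC_SIGNATURES if pat in data), None)

def triage(alert):
    """Run one EDR alert through the cascade. 'stage' records which level decided;
    'dynamic' means neither fast stage matched and the sample must be detonated."""
    data = alert["binary"]
    digest = hashlib.sha256(data).hexdigest()
    if digest in _verdict_cache:
        return dict(_verdict_cache[digest], alert_id=alert["id"], cached=True)
    if reputation_stage(digest):
        result = {"verdict": "malicious", "stage": "reputation", "detail": digest}
    elif (sig := static_stage(data)):
        result = {"verdict": "malicious", "stage": "static", "detail": sig}
    else:  # escalate; the dynamic analysis itself is not modelled in this example
        result = {"verdict": "pending", "stage": "dynamic", "detail": "queued for detonation"}
    _verdict_cache[digest] = result
    return dict(result, alert_id=alert["id"], cached=False)

def process_queue(alerts):
    """Drain the submission queue first come, first served."""
    queue, results = deque(alerts), []
    while queue:
        results.append(triage(queue.popleft()))
    return results

# Constructed alerts shaped like EDR submissions ("Suspicious"/"Unknown" verdicts).
SAMPLE_ALERTS = [
    {"id": "A1", "edr_verdict": "Suspicious", "binary": b"MZ\x90\x00 constructed known-bad sample"},
    {"id": "A2", "edr_verdict": "Unknown", "binary": b"MZ\x90\x00 drops powershell -enc AAAA"},
    {"id": "A3", "edr_verdict": "Unknown", "binary": b"MZ\x90\x00 constructed benign-looking payload"},
    {"id": "A4", "edr_verdict": "Suspicious", "binary": b"MZ\x90\x00 constructed known-bad sample"},
]
```

Calling `process_queue(SAMPLE_ALERTS)` resolves A1 at the reputation stage, A2 at the static stage, escalates A3 to dynamic analysis, and serves A4 from the cache because it is the same binary as A1.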
Security operations analysts performing manual alert triage know it is a slow process that increases the Mean Time To Detect (MTTD) and Mean Time To Resolution (MTTR) for incident response. VMRay is unique in the market because it uses a 3rd generation hypervisor-based monitoring and analysis architecture. Unlike 2nd generation hooking-based sandboxes, the monitoring and analysis take place outside the detonation environment, ensuring that today’s evasive, environment-aware malware does not detect the presence of a sandbox or research environment.
VMRay’s Anti-Sandbox Evasion Resistance ensures that malware samples detonate every time, which avoids queue stalls, analysis stalls, partial detonations, and malware hibernation.
The VMRay cloud-based platform receives reputational and static engine updates as soon as they become available; VMRay uploads them to the cloud automatically.
The dynamic analysis uses thirty different types of technology, including thousands of YARA rules, to identify malicious behavior. New YARA rules are created and added frequently between each major quarterly release to ensure the platform reflects the current and future threat landscape.