Malware Alert Triage for EDR

Enrich EDR/XDR alerts with dynamic threat intelligence on unknown or “suspicious” incoming alerts.
Turn down the noise created by false positives.

What is Alert triage for EDR?
Alert triage for EDR is the process of evaluating and prioritizing malware-related security alerts. It involves filtering out false positives, assessing alert severity based on policies and threat intelligence, and prioritizing responses to focus on the most critical threats. This systematic approach helps security teams efficiently manage the constant flow of alerts and allocate limited resources effectively.

Overcoming the challenge of EDR & XDR false positives

EDRs and XDR solutions collect and analyze telemetry from endpoints related to security threats. However, plagued with high numbers of false positives, their impact significantly reduces SOC response times to critical incidents.

Advanced Threats Become More Difficult to Detect

For traditional security stack deployments, zero-day, evasive malware, Advanced Persistent Threats (APTs), and targeted phishing can be especially difficult to detect and analyze.

The SOC resource sinkhole: manual alert validation

Security practitioners must manually verify that each suspicious malware alert is either genuine malicious activity or a potential false positive, taking time and precious skilled resources.

False Positives Negatively Affect Service Performance

Some EDR solutions generate a backlog of hundreds or thousands of unwanted false positives in high volume environments – such as an MSSP / MDR SOC – impacting detection and response times to security incidents.

Alert Fatigue Causes Delayed Responses

With high volumes of security alerts to triage, security practitioners can quickly experience alert fatigue, missing critical events with the potential to exceed client’s SLA’s.

The VMRay Solution
EDR Alert Enrichment and Validation

Swimming in a Sea of Malware Alerts?

A constantly high-volume of alerts causes desensitization when manually responding to potential threats, leading to critical alerts being missed or ignored, or delayed responses to critical incidents. VMRay can help keep your Analyst’s heads above water.

Definitive verdicts of malicious or benign

By automating the EDR malware alert triage process, VMRay can provide a definitive verdict to facilitate the automation of accurate blacklisting or whitelisting of true and false positives to identify legitimate threats.

Continuous, 24/7
EDR / XDR alert enrichment

VMRay’s malware alert triage enriches EDR / XDR data with accurate, collated reporting and increased operational threat intelligence in the form of prioritized IOCs to assist in threat hunting, detection engineering, and threat mitigation tasks.

Reduce attacker dwell time on the network

When integrated as part of EDR/XDR deployment, automated actions such as quarantining systems, remediation or forensic snapshots can be tasked with confidence to ensure malicious activity is stopped before an attacker gains a foothold.

The benefits of validating EDR alerts with VMRay

Quickly reduce MTTD and MTTR to security incidents.

VMRay’s accuracy and speed of analysis, in addition to high volume alert throughput – makes it the best choice for Large Enterprise and MSSP/MDR SOC environments.

Take Quick,
Decisive Action

Automated alert triage with fast verdicts allows SOC teams to take quick decisive action, and in turn, set up automated mitigation processes to significantly reduce the reliance on manual analysis.

Reduce The Stress of Repetitive Manual Tasks

Automated alert validation significantly reduces the risk of SOC Analyst burnout, freeing them from the more mundane EDR alert triage tasks to focus on more strategic business goals.

Automate Responses to Reduce Attacker Dwell Time

Based on the verdict of malicious or benign, automated EDR/XDR actions can confidently make remedial actions to include quarantining systems involved in an attack or preventing write access to vulnerable resources.

Seamless
API Integration

The VMRay API connector automates the process of pulling file packages from EDR endpoints and submits them directly to the VMRay platform.

Integrate seamlessly

Start automating
alert investigations for EDR.

Further resources
on security automation

5 reasons to augment your EDR

Automating alert triage to reduce EDR false positives

Finding the right approach to security automation

Demystifying Malware Alert Triage for EDR: FAQs

1. How easy is it to setup, deploy, and integrate into the VMRay Platform?

The VMRay platform integrates with EDR/XDR solutions such as SentinelOne via the VMRay API. Setup of the connector is a simple process by copying the generated API Keys and pasting them into their configuration files to enable bi-directional communication. This simple process takes just a few minutes to complete.

EDR Malware alerts submitted to the platform can include “Suspicious”, “Unknown” and “Malicious” alerts. The alert and associated binaries are submitted to the queue where they are cached and processed on a first come, first served basis.

 

Multiple analyses can be performed in parallel dependent on the number of Virtual Machines (VM’s) in the chosen subscription plan. Each plan can be customized with additional VM’s up to a total of 8 VM’s running in parallel, speeding high volume automated analysis and SOC incident response times.

Typically, the time to triage “Suspicious” or “Unknown” EDR malware alerts depends on  whether the malware is previously known or an unknown Zero-Day malware threat. VMRay solutions use three levels of analysis, Reputational, Static, and Dynamic Analysis.

 

First, the submitted binary will pass through the reputational analysis engine to see if the file Hash has been identified previously. If it is previously known, the malware will be tagged as malicious. If no file hashes match the sample file, the binary is then passed on to the Static Analysis Engine to perform a signature match. Both the reputational and signature analysis takes mere seconds to complete.

 

If the Reputational or static analysis fail to make a match, the binary is then sent for Dynamic Analysis which typically takes 1-3 minutes depending on the type of malware, which is much faster and more accurate than manual SOC alert triage.

Security Operations Analysts performing manual alert triage realize it is a slow process that can increase the Mean Time To Detect (MTTD) and Mean Time To Resolution (MTTR) for incident response. VMRay is unique in the market because it uses a 3rd  Generation Hypervisor-based monitoring and analysis architecture. Unlike 2nd Generation Hooking-based sandboxes, the monitoring and analysis takes place outside the detonation environment, ensuring that today’s evasive, environment aware malware does not detect the presence of a sandbox or research environment.

 

VMRay’s Anti-Sandbox Evasion Resistance ensures that malware samples detonate every time, which avoids queue stalls, analysis stalls, partial detonations, and malware hibernation.

The VMRay cloud-based platform receives reputational and static engine updates as they become available and are automatically uploaded to the cloud by VMRay.

 

The Dynamic Analysis uses thirty different types of technology including thousands of YARA Rules to identify malicious behavior. New YARA rules are created and added frequently between each major quarterly release to ensure the platform reflects the current and future threat landscape.