Malware Alert Enrichment for EDR

Enrich EDR/XDR alerts with dynamic threat intelligence on unknown or “suspicious” incoming alerts.

What is Alert Enrichment for EDR?
Alert Enrichment is the process of adding context, data, and insights to raw security alerts to make them more actionable for Security Operations Center (SOC) teams. By including metadata, threat intelligence, and risk scores, it helps prioritize critical threats, reduce noise from false positives, and streamline investigations, enabling faster and more effective responses.

Overcoming the challenge of EDR & XDR false positives

EDR and XDR solutions collect and analyze security-relevant telemetry from endpoints. However, they are plagued by high numbers of false positives, which significantly slow SOC response times to critical incidents.

Advanced Threats Become More Difficult to Detect

For traditional security stack deployments, zero-day, evasive malware, Advanced Persistent Threats (APTs), and targeted phishing can be especially difficult to detect and analyze.

The SOC resource sinkhole: manual alert validation

Security practitioners must manually verify that each suspicious malware alert is either genuine malicious activity or a potential false positive, taking time and precious skilled resources.

False Positives Negatively Affect Service Performance

Some EDR solutions generate a backlog of hundreds or thousands of unwanted false positives in high volume environments – such as an MSSP / MDR SOC – impacting detection and response times to security incidents.

Alert Fatigue Causes Delayed Responses

With high volumes of security alerts to triage, security practitioners can quickly experience alert fatigue, missing critical events and potentially exceeding clients' SLAs.

The benefits of validating & enriching EDR alerts with VMRay

Quickly reduce MTTD and MTTR to security incidents.

VMRay's accuracy and speed of analysis, together with high-volume alert throughput, make it the best choice for large enterprise and MSSP/MDR SOC environments.

Take Quick, Decisive Action

Automated alert triage with fast verdicts allows SOC teams to take quick decisive action, and in turn, set up automated mitigation processes to significantly reduce the reliance on manual analysis.

Reduce The Stress of Repetitive Manual Tasks

Automated alert validation significantly reduces the risk of SOC Analyst burnout, freeing them from the more mundane EDR alert triage tasks to focus on more strategic business goals.

Automate Responses to Reduce Attacker Dwell Time

Based on the verdict of malicious or benign, automated EDR/XDR actions can confidently take remedial steps, including quarantining systems involved in an attack or preventing write access to vulnerable resources.

Seamless API Integration

The VMRay API connector automates the process of pulling file packages from EDR endpoints and submits them directly to the VMRay platform.

The VMRay Solution: EDR Alert Enrichment and Validation

Swimming in a Sea of Malware Alerts?

A constantly high volume of alerts causes desensitization when manually responding to potential threats, leading to critical alerts being missed or ignored, or to delayed responses to critical incidents. VMRay can help keep your analysts' heads above water.

Definitive verdicts of malicious or benign

By automating the EDR malware alert triage process, VMRay provides a definitive verdict that lets true positives be blocklisted and false positives be allowlisted automatically, so that legitimate threats stand out.

Continuous, 24/7 EDR / XDR alert enrichment

VMRay’s malware alert triage enriches EDR / XDR data with accurate, collated reporting and increased operational threat intelligence in the form of prioritized IOCs to assist in threat hunting, detection engineering, and threat mitigation tasks.

Reduce attacker dwell time on the network

When integrated as part of EDR/XDR deployment, automated actions such as quarantining systems, remediation or forensic snapshots can be tasked with confidence to ensure malicious activity is stopped before an attacker gains a foothold.


Further resources on security automation

- 5 reasons to augment your EDR
- Automating alert triage to reduce EDR false positives
- EDR Bypass Tools - Scarecrow

Demystifying Malware Alert Triage for EDR: FAQs

1. How easy is it to set up, deploy, and integrate with the VMRay Platform?

The VMRay platform integrates with EDR/XDR solutions such as SentinelOne via the VMRay API. Setting up the connector is simple: copy the generated API keys and paste them into the respective configuration files to enable bi-directional communication. This takes just a few minutes to complete.

EDR Malware alerts submitted to the platform can include “Suspicious”, “Unknown” and “Malicious” alerts. The alert and associated binaries are submitted to the queue where they are cached and processed on a first come, first served basis.


Multiple analyses can be performed in parallel, depending on the number of virtual machines (VMs) in the chosen subscription plan. Each plan can be customized with additional VMs, up to a total of 8 VMs running in parallel, speeding up high-volume automated analysis and SOC incident response times.

Typically, the time to triage "Suspicious" or "Unknown" EDR malware alerts depends on whether the malware is previously known or an unknown zero-day threat. VMRay solutions use three levels of analysis: reputational, static, and dynamic analysis.


First, the submitted binary passes through the reputational analysis engine to check whether the file hash has been identified previously. If it is already known, the malware is tagged as malicious. If no file hash matches the sample, the binary is passed on to the static analysis engine to perform a signature match. Both the reputational and the signature analysis take mere seconds to complete.


If neither the reputational nor the static analysis produces a match, the binary is sent for dynamic analysis, which typically takes 1-3 minutes depending on the type of malware; this is still much faster and more accurate than manual SOC alert triage.
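The three-tier cascade described above, as an added Python example that is not VMRay's code: the sample bytes, hashes, signature and action names are all constructed placeholders, and the dynamic-analysis tier is represented only by a pending verdict that holds the alert until the sandbox reports back.

```python
import hashlib

# Constructed samples and signatures for this example; none of these are real IOCs.
KNOWN_MALICIOUS = b"CONSTRUCTED-MALICIOUS-SAMPLE"
KNOWN_BENIGN = b"CONSTRUCTED-BENIGN-SAMPLE"

# Tier 1: reputation table keyed by SHA-256 of previously analysed files.
REPUTATION = {
    hashlib.sha256(KNOWN_MALICIOUS).hexdigest(): "malicious",
    hashlib.sha256(KNOWN_BENIGN).hexdigest(): "benign",
}
# Tier 2: byte-pattern signatures standing in for YARA rules (constructed).
STATIC_SIGNATURES = {"constructed_downloader_marker": b"DOWNLOAD_AND_EXEC"}

# Only these EDR classifications are forwarded to the sandbox queue.
SUBMITTABLE = {"suspicious", "unknown", "malicious"}

# Automated EDR/XDR response per enriched verdict (hypothetical action names).
ACTIONS = {
    "malicious": "quarantine_host",
    "benign": "close_alert_and_allowlist",
    "pending": "hold_until_dynamic_verdict",
}


def triage(alert: dict, sample: bytes) -> dict:
    """Enrich one EDR alert by running the reputational -> static -> dynamic cascade."""
    enriched = dict(alert)
    if alert["edr_verdict"].lower() not in SUBMITTABLE:
        enriched.update(tier="none", verdict="not_submitted", action="none")
        return enriched
    sha256 = hashlib.sha256(sample).hexdigest()
    enriched["sha256"] = sha256
    if sha256 in REPUTATION:
        # Tier 1: hash already known, verdict in seconds.
        enriched.update(tier="reputational", verdict=REPUTATION[sha256])
    else:
        hits = [name for name, pat in STATIC_SIGNATURES.items() if pat in sample]
        if hits:
            # Tier 2: signature match, still seconds.
            enriched.update(tier="static", verdict="malicious", signatures=hits)
        else:
            # Tier 3: nothing matched, so queue the binary for dynamic analysis (minutes).
            enriched.update(tier="dynamic", verdict="pending")
    enriched["action"] = ACTIONS[enriched["verdict"]]
    return enriched
```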

Security operations analysts performing manual alert triage know it is a slow process that increases the Mean Time To Detect (MTTD) and Mean Time To Resolution (MTTR) for incident response. VMRay is unique in the market because it uses a 3rd-generation hypervisor-based monitoring and analysis architecture. Unlike 2nd-generation hooking-based sandboxes, the monitoring and analysis take place outside the detonation environment, ensuring that today's evasive, environment-aware malware does not detect the presence of a sandbox or research environment.


VMRay’s Anti-Sandbox Evasion Resistance ensures that malware samples detonate every time, which avoids queue stalls, analysis stalls, partial detonations, and malware hibernation.

The VMRay cloud-based platform receives reputational and static engine updates as they become available; VMRay uploads them to the cloud automatically.


The dynamic analysis uses thirty different types of technology, including thousands of YARA rules, to identify malicious behavior. New YARA rules are created and added frequently between major quarterly releases to ensure the platform reflects the current and future threat landscape.
