ReversingLabs has learned the importance of openness and integration. We understand that every company has a security infrastructure in place and any new piece of technology added must not only work with but also improve the capabilities and operations of that infrastructure.
If you read last week’s blog, you saw that many security vendors utilize our file reputation service and static file analysis engine. These partnerships lead to integrations and these integration requirements lead to the continued development of an open and easily integrated architecture from ReversingLabs. That all means one thing to a security architect: they can deploy a product that will work within their infrastructure without custom coding, and the integrations on offer actually add value to the entire security operations process.
With RSA around the corner, and most of our integration and OEM partners sponsoring, now is a good time to highlight a few. Here is a sample set of out-of-the-box integrations that should interest you and will be demonstrated at RSA.
Endpoint: Tanium
Use Case: High Risk Unknown File Investigation
https://www.tanium.com/calendar_events/the-tanium-experience-during-rsa/
ReversingLabs has integrations and partnerships with many endpoint security vendors. One example is our integration with Tanium. The use case coverage is unknown file investigation, identification and response. When Tanium Detect discovers an “unknown” high risk file on an endpoint, the file’s context is enriched by ReversingLabs TitaniumCloud File Reputation service, and if known, the file’s threat classification is assigned. With the threat defined, Tanium initiates the proper response process.
If the file is unknown, it is automatically passed to ReversingLabs A1000 malware analysis workstation where analysts initiate a deeper investigation that includes both static and dynamic analysis of the file. With the file and any embedded malware automatically “reverse engineered” by the A1000, the investigator quickly determines the true threat of the file, identifies the malware type and family and produces YARA rules to define that high-risk file and malware. The analyst then sends those rules back to Tanium to search out any files like it and be prepared to detect the new threat next time it hits an endpoint.
Threat Intelligence: Recorded Future, booth 2219
Use Case: Unknown External Threat Identification
https://www.recordedfuture.com/events/
Threat Intelligence vendors look to unite multiple threat sources and types into a unified intelligence center where analysts can quickly identify what is important to their company that is occurring beyond their walls and proactively improve detection and prevention defenses. ReversingLabs delivers file reputation data for goodware and malware into almost every Threat Intelligence vendor to improve the coverage and accuracy of their solutions, so if you have a threat intelligence solution deployed, you are already getting value from ReversingLabs. When you add our products into your security infrastructure, that value multiplies quickly. One unique example offered by our integration with Recorded Future is use case coverage of “Threat in the wild discovery.” This is the proverbial “unknown, unknown” discovery case and it connects Recorded Future’s threat intelligence platform with ReversingLabs A1000 malware investigation workbench.
Recorded Future’s threat intelligence platform is integrated with ReversingLabs TitaniumCloud File Reputation Service. An automatic API call populates Recorded Future’s Intel Card with hash and file reputation data for the potential threat object. When you add ReversingLabs A1000, you are able to complete a deep investigation on the object including: tracing a sample’s lineage and provenance over time, identifying when it was first seen, if it has been classified, and how its classification may have changed over time. The resulting information is used to proactively improve impact triage, forensics, and remediation workflows. You can read more about this integration at: https://www.recordedfuture.com/partner-spotlight-reversinglabs/
SIEM: Splunk, Booth 3409
Use Case: Improved Incident Investigation and Response
https://www.splunk.com/en_us/about-us/events.html
ReversingLabs products and SIEM solutions integrate in a number of ways which can be broken down into two use case categories. The first is where ReversingLabs highly scalable file identification and threat classification solutions are deployed in front of the SIEM to remove noise and potential false positives, making it possible to gain threat visibility from massive amounts of files moving in and across the enterprise. These utilize ReversingLabs TitaniumScale and N1000 products.
The second category is deploying ReversingLabs file investigation and malware hunting solutions after the SIEM for deep file and malware investigation, identification and hunting. Like the use cases above, this enables an investigation team to define unknown files and the threats that are hidden in them, and with that knowledge, improve response time and effectiveness, as well as proactively update detection and prevention tools.
Both of these use cases and the product mix are deployed at a very large global financial institution. In this deployment the customer uses ReversingLabs TitaniumScale to analyze and classify all inbound emails and attachments, and we are talking numbers in the millions. The files are scanned and classified as “good,” “known threat,” or “unknown.” The known threats and unknown files are sent to Splunk. The known “good” files are removed from the process, greatly reducing the number of files needing investigation as well as potential Splunk false positives.
(A quick side note here – ReversingLabs can identify “known good” files because we maintain and constantly update the largest database of goodware and malware available and that database is integrated with and used by all of our products. Read more about our industry-leading file reputation database and service here.)
Through an API call, Splunk also utilizes ReversingLabs File Reputation Service, and all the threats classified by ReversingLabs as “known threats” automatically have their identification and context enriched by ReversingLabs intelligence data. Analysts have all the information they need to properly respond to the threat.
For the unknown threats, a click of a link opens the “file of interest” in ReversingLabs A1000 for deep investigation. The A1000 automatically decomposes and reverse engineers the file so that investigation teams can quickly identify any hidden threats. YARA rules are then used to share the new threat information across response, detection and prevention solutions. For this company, an unknown piece of malware can be detected, analyzed, defined and detection tools updated in a day or two – keeping their own internal defenses weeks ahead of their AV vendor.
Security Orchestration Automation and Response (SOAR): IBM/Resilient, Booth 3829 North Hall
Use Case: Malware Optimized Response Orchestration
Response has traditionally been a weak spot for companies reacting to an incident or breach. The large number of assets affected, security tools that need to be utilized or updated, people that need to be alerted and correct processes that need to be activated create amazing complexity, and literally cost the business money as defenses are slowly rallied while the attack is ongoing. Enter SOAR tools: systems that link together multiple security tools, define complex response processes, and automate as much of the pieces and process as possible.
Resilient Systems, Bruce Schneier’s company that was acquired by IBM, is a leader in the SOAR space, and fully integrated with ReversingLabs. The use case coverage is similar to how we work with SIEM products, but occurs during the incident response stages of the security operations process.
After incidents or artifacts that need investigating are passed from the SIEM into Resilient’s IRR platform, built-in file reputation and threat intelligence feeds from ReversingLabs File Reputation Service automatically gather and deliver valuable incident context. This context helps reduce investigation time and enables a rapid and effective response. Analysts can then leverage an integration to the A1000 to complete a deep investigation of files and artifacts whose threats remain undefined. Results of the investigation are delivered back to the proper Resilient Playbooks so that effective response procedures are carried out.
Focused on improving visibility and detection, ReversingLabs Enterprise Scale Analysis solutions work with your SIEM to analyze and classify files, find real threats and unknowns, and greatly reduce incident traffic and false positives. ReversingLabs Malware Analysis and File Reputation solutions work across all of these integrations to greatly reduce the time required to get critical information to your analysts so they can make the correct response decisions. So when you are at RSA, take the time to talk to these vendors and ask them about their integrations with ReversingLabs. Have them share a demo, and then come by our booth (230) and we can talk reverse engineering and malware detection.