<< PREVIOUS  NEXT >>

 

IMPLEMENTATION

 

Virsec Threat Intelligence is configured and used on VSP CMS. Since the threat intelligence database must remain updated all times, it is a SaaS based service. As a result, CMS requires constant internet access to following URLs:

 

  1. ticloud-cdn-api.reversinglabs.com

  2. https://ticloud-aws1-api.reversinglabs.com

The access can be provided through a proxy server also. Reach out to your Virsec SE/CST contact to configure Virsec Threat Intelligence.

 

VSP-Host collects file metadata from the workloads it protects during:

  1. Initial host scan from reference host during/after a host profile creation

  2. During runtime when a new, un-allowlisted file is executed

In cases where the trustworthiness of the files cannot be determined locally on the servers through OS level check or existing published allowlist, the meta data of those files is sent to CMS. On CMS, these files get populated in the allowlist section for further action by the user. At this point, VSP CMS also connects with Virsec Threat Intelligence via a REST API call over TLS channel and send the checksum (only) of these reported files to get a reputation outcome as the response. These requests often send queries in bulk for multiple checksums and cache them locally on CMS for efficiency. A typical high-level outcome that VSP CMS would leverage would be:

  1. Malicious – The file is considered malicious based on the multi-level analysis performed by Virsec Threat Intelligence classification algorithm

  2. Suspicious - The file is considered suspicious based on the multi-level analysis performed by Virsec Threat Intelligence classification algorithm. This file may be declared malicious at a later time based on its threat profile

  3. Known - The file is presumed to be benign. The sample does not have any AV detections from trustworthy sources, and it does not match any of the internal threat signatures. In addition, these files also have been found to be valid with trusted software vendors. Files marked as SAFE by reversing labs also have a trust factor. VSP trusts only the files with trust factor values 0,1 and 2. Files with trust factor 3 and above are not considered as known by VSP

  4. Unknown - The requested hash is not present in the system or the system does not have enough data to make the Malware Presence calculation

With this analysis available, the files presented in the allowlist window are marked as either:

  1. Threat - For Malicious & suspicious files

  2. Safe - For known files

  3. Unverified - For unknown files

This allows the user to make allowlisting decisions, manually or automatically (using auto allowlist settings in host profile configuration).

In case a publisher/package is explicitly not allowed in the publisher/package list, files belonging to these entries are marked as threats in the edit allowlist section. No additional threat check is performed on these files.

 

In addition, CMS also reports additional information about malicious files as shown below:

  1. Threat Score - Based on threat level send by threat intelligence service

  2. Full outcome of Threat intelligence query that can be reviewed by a click on the Reputation status file corresponding to each file

 

<< PREVIOUS  NEXT >>