24 March 2018

GAME OVER (for speculators)

A company built on deep expertise may bring cyber security back to being driven by people rather than by "super-expensive tools"!

Bullet-proof automation in detection and response, but above all a framework that amplifies the creativity of cyber security professionals and puts complex operations within reach of every budget: this is the message we took from the evolution of a project that has successfully grown into something already described as capable of challenging even the big security brands!

To give you a taste, here is a short-term mitigation for WannaCry, written in about two minutes:

	Match:
	event.Process( pathEndsWith = '@wanadecryptor@.exe' )
	Action:
	sensor.task( [ 'deny_tree ' + event.atom, 'history_dump' ] ) and report( name = 'wanacry' )

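To see what that rule actually does when process events arrive, here is a small reference evaluator in Python. It is an added example written for this page, not the project's own engine or rule format, and it assumes the event field names (atom, parent_atom, file_path), a case-insensitive pathEndsWith, and that deny_tree blocks the matched process together with every descendant it spawns while history_dump retrieves the sensor's recent event history. The sample events are constructed and include a child of the matched process, to show why the action denies a tree rather than a single process.

```python
"""
Reference evaluator for the WannaCry match/action rule quoted above.

Added illustration, not the project's engine or its rule format: it
models the rule's two halves (a Match predicate over a process event and
an Action list executed on a hit) against constructed sample events, so
the semantics can be checked offline. The event field names (atom,
parent_atom, file_path), the case-insensitive suffix comparison and the
meaning given to 'deny_tree' / 'history_dump' are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """Constructed stand-in for a sensor's process-start event."""
    atom: str                   # unique id of this process (the rule's event.atom)
    parent_atom: Optional[str]  # atom of the parent process (None for a tree root)
    file_path: str              # full path of the executable the rule matches on
    pid: int


def path_ends_with(event, suffix):
    """Model of the rule's pathEndsWith predicate.

    Assumption: Windows paths are case-insensitive, so the comparison folds
    case. That matters here because the file drops to disk as
    '@WanaDecryptor@.exe' while the rule spells it in lower case; confirm
    how the real engine compares before relying on the rule.
    """
    return event.file_path.lower().endswith(suffix.lower())


class SensorModel:
    """Toy model of the sensor side of the rule's Action.

    Assumption: 'deny_tree <atom>' blocks that process and every descendant
    it spawns, and 'history_dump' ships the sensor's recent event history.
    """

    def __init__(self):
        self.parent_of = {}        # atom -> parent atom, from observed events
        self.denied_roots = set()  # atoms passed to deny_tree
        self.history_dumps = 0

    def observe(self, event):
        self.parent_of[event.atom] = event.parent_atom

    def task(self, commands):
        for cmd in commands:
            verb, _, arg = cmd.partition(' ')
            if verb == 'deny_tree':
                self.denied_roots.add(arg)
            elif verb == 'history_dump':
                self.history_dumps += 1
            else:
                raise ValueError('unknown task: ' + cmd)

    def is_denied(self, atom):
        """Walk up the tree: denied if this atom or any ancestor was denied."""
        while atom is not None:
            if atom in self.denied_roots:
                return True
            atom = self.parent_of.get(atom)
        return False


def wanacry_rule(event, sensor):
    """The page's rule as code; returns the report dict on a hit, else None.

        Match:  event.Process( pathEndsWith = '@wanadecryptor@.exe' )
        Action: sensor.task( [ 'deny_tree ' + event.atom, 'history_dump' ] )
                and report( name = 'wanacry' )
    """
    if not path_ends_with(event, '@wanadecryptor@.exe'):
        return None
    sensor.task(['deny_tree ' + event.atom, 'history_dump'])
    return {'name': 'wanacry', 'atom': event.atom, 'path': event.file_path}


def run_rule(events):
    """Feed events through the rule in order; return the sensor state and reports."""
    sensor = SensorModel()
    reports = []
    for event in events:
        sensor.observe(event)
        report = wanacry_rule(event, sensor)
        if report is not None:
            reports.append(report)
    return sensor, reports


# Constructed sample events (not captured telemetry). a3 is a child of the
# matched process and never matches the path itself; deny_tree is what
# blocks it, because its parent was denied.
SAMPLE_EVENTS = [
    ProcessEvent('a1', None, r'C:\Windows\explorer.exe', 1200),
    ProcessEvent('a2', 'a1', r'C:\Users\bob\Desktop\@WanaDecryptor@.exe', 4321),
    ProcessEvent('a3', 'a2', r'C:\Windows\System32\cmd.exe', 4333),
]

if __name__ == '__main__':
    sensor, reports = run_rule(SAMPLE_EVENTS)
    for report in reports:
        print(report)
    for event in SAMPLE_EVENTS:
        state = 'DENIED' if sensor.is_denied(event.atom) else 'ok'
        print(event.pid, event.file_path, state)
```

The case folding is the thing to check before trusting the rule: the dropper is written to disk as @WanaDecryptor@.exe, and a case-sensitive suffix match would never fire on it. A filename match is also defeated by simply renaming the binary, which is why a rule like this is a short-term mitigation rather than a durable detection.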
Security experts have already nicknamed the Community Edition of this game-changing project the "open-source Carbon Black". We would rather say it is exceeding every expectation for a stack whose Enterprise Edition will also include free tiers.

Low prices, and the coming free tiers for private users who want to try the impressive stability and flexibility of the Enterprise Edition, are not the only reasons to take a look at the project, whether to protect your business or to build your own cyber security application on top of it:

⇒ Fully Hosted or On Premise
⇒ Create extremely powerful rules on the fly to automate detection, mitigation or general endpoint management, such as the WannaCry rule above.
⇒ Output the data wherever you want it, for as long as you want it: you keep ownership of your data and decide its retention.
⇒ A REST interface lets you manage multiple backends through a single interface.

Helper functions can be dropped straight into both detection and action logic, for example:

⇒ virustotal(hash) returns a VirusTotal report for a hash (a dictionary of the AV engines reporting it as bad).
⇒ geolocate(ip) returns geolocation information for an IP address as reported by ip-api.
⇒ malwaredomains(domain) returns information on a domain from malwaredomains.com.
⇒ coinblockerlists(domain) tells you whether a domain appears in the CoinBlockerLists lists.


A detailed quick start guide can be found here.

See the experts' statement (Video)

Copyright © 2018 MALWARELAB.co.uk