ReversingLabs extracts malicious files from network traffic
ReversingLabs announced the N1000 Network File Threat Sensor appliance that employs Active Decomposition and Predictive Detection technologies to detect threats in files contained in email, web and file transfer traffic.
These innovations don’t rely on symptoms of a threat but analyze internal threat indicators in files. The result is defense against zero-day, targeted and polymorphic file threats. The solution extracts all files from supported network protocols and provides visibility into threat indicators in a broad array of file types. In addition, this solution integrates with SIEM and Big Data analytics solutions.
ReversingLabs has developed Active Decomposition and Predictive Detection technologies to address the limitations of today’s malware protection products and provide new levels of malware detection across a wide variety of executable platforms.
Active Decomposition unpacks each file to reveal thousands of internal threat indicators that are invisible to convention products. Predictive Detection uses specialized hashing algorithms to calculate a file’s similarity to known malware or other unknown threats. These technologies process files in milliseconds to enable the N1000 to operate on a network at a full line rate.
ReversingLabs malware detection does not rely on executing files so it can thus process a diverse set of file types including: Windows, Linux, OS X, Android, iOS, Windows Phone, popular document formats and firmware.
“Over the last 5 years, ReversingLabs has developed file threat analysis technologies to level the playing field for defenders against cyber criminals,” said Mario Vuksan, CEO at ReversingLabs. “These technologies are now available as plug-and-play appliances, such as the N1000, that provide ground breaking file threat mitigation solutions.”
The N1000 connects to a SPAN port and extracts all files from SMTP, SMB, HTTP and FTP traffic. The appliance can be configured to inspect inbound, outbound and/or internal traffic. Source and destination information for files is also collected. An advanced rules engine classifies each file’s threat level and disposition.
Customers can configure their own YARA based rules to match their specific requirements. The N1000 integrates with industry leading SIEMs and analytics solutions (e.g. Palantir) to support threat mitigation. Suspicious files can be archived to NAS or external storage for further analysis.
“ReversingLabs has an innovative set of technologies and solutions to address the new class of cyber adversaries,” said Marc Eisenbarth, ASERT Research Manager & Architect at Arbor Networks. “Arbor Networks consider flow a critical component for modern security implementations. As conventional defenses do not work, we need to expand our efforts from tracking Open Flow and protocol based anomalies to actual file payloads.”
The N1000 File Flow Sensor appliance is available today as a 1U hardware appliance or a virtual appliance (VDMK) compatible with major hypervisor and cloud service providers.