The malware analysis service VirusTotal is getting “the most significant upgrade” in its 14-year history. Alphabet’s Chronicle today announced the launch of VirusTotal Enterprise, which includes three big features: Private Graph, advanced malware search, and enterprise user management.
Google acquired VirusTotal in September 2012. While Google restructured itself by forming parent company Alphabet in August 2015, Chronicle, a security company that uses big data to detect vulnerabilities and aims to sell software to Fortune 500 companies, only arrived this year in January.
Chronicle’s big bet is that machine learning can sift and analyze massive amounts of data to detect cyber threats more quickly and precisely than traditional methods. In short, that means identifying issues in seconds or minutes, instead of hours or days. It follows that if Chronicle, which now owns VirusTotal, is targeting enterprises, the service needs a big upgrade. VirusTotal Enterprise is that upgrade, with pricing starting at $10,000 per year (it goes up depending on usage, you can request a demo or trial by pinging firstname.lastname@example.org).
Private Graph allows enterprises to plug their own data into VirusTotal for the first time. This lets you run analysis against the billions of malware samples stored on VirusTotal to visualize connections between malware strains and company assets such as machines, people, departments, and emails.
Although enterprises can see their internal infrastructure and users in a graph, Chronicle promises it will keep their most sensitive investigations private:
- Private graphs allow you to include information about your own enterprise assets within a graph.
- Unlike normal VirusTotal graphs, private graphs are not shared with or visible by public VirusTotal users.
- Private graphs enable secure team collaboration, as part of an incident investigation.
- Private graphs can automatically extract commonalities from nodes, to identify indicators of compromise.
While VirusTotal allows anyone to create a graph, VirusTotal Enterprise allows you to keep it private or share it only within your organization. That’s useful for general research across almost an industry, but it’s especially critical when corporations are performing security incident response work internally.
“The thing we heard from enterprises was ‘hey, when we have some sort of security incident and we want to investigate it, we don’t necessarily want people to see what we’re looking at. And we want to be able to attach machine names and things from our internal environment, and we don’t want anyone to see that,'” Chronicle CMO Rick Caccia told VentureBeat. “And in the stuff we launched earlier for [VirusTotal] Graph that was all public; you couldn’t control it. So the Private Graph allows you to keep this stuff private, allows you to create access groups, maybe with security people inside, maybe with your lawyers, maybe with law enforcement, where people can’t see what’s going on. As you can imagine, if you think you’re breached and you’re a large corporation, you want to be able to investigate and get all the facts.”
Advanced Malware Search
VirusTotal Enterprise can search 100 times faster than VirusTotal. Furthermore, it also lets enterprises filter through more data with an expanded set of variables (common icons across files, spam baits sharing a common visual layout, and so on).
Here’s the rundown for this feature:
- VirusTotal Enterprise increases search speed by 100x using new malware n-gram content searches.
- It also improves search accuracy, using additional parameters such as common icons across files, spam emails sharing a common visual layout, etc. For example, you can extract an icon from a fake application, and ask VirusTotal Enterprise to return all malware samples that use the same icon file.
- Malware analysis is more powerful, showing new details about uploaded files, including embedded domains, IP addresses, interest-ranked strings, etc.
- A single, unified interface across the free and paid VirusTotal sites.
Speeding up search 100 times is exactly why Chronicle was spun out of Google as an Alphabet company. A typical search using YARA, a language created by one of the VirusTotal engineers to classify malware samples, in VirusTotal that takes a couple hours is handled by VirusTotal Enterprise in a couple seconds.
“This is a fundamental shift in how systems work,” Chronicle CSO Mike Wiacek told VentureBeat. “It actually is building indexes over raw bytes to help facilitate these types of searches. Previous searches with YARA and systems like that — they are very equivalent to: Imagine if you did a Google web search and there was no index, but you searched for the words ’49ers football’. You would have to go over and look at every single webpage Google has ever seen and scan them looking for the word ’49er football’ versus saying ‘oh, what are all the webpages containing 49er and football’ and you have that pre-indexed. So actually trying to index raw binary blobs of data to facilitate a rapid search is just a big data problem that Alphabet happens to be uniquely positioned to try and solve.”
Enterprise user management and security
Since this is an enterprise product, Chronicle is naturally promising corporate access to VirusTotal. A lot of companies want the ability to integrate Virus Total Enterprise’s account directory with their existing identity provider.
Virus Total Enterprise specifically includes two new additions in this area:
- Improve security by using your existing two-factor authentication to access your VirusTotal Enterprise account.
- New API management of corporate groups helps keep your internal user directory synced with VirusTotal, for better user management.
This is Chronicle’s first attempt to expand the search and analysis capabilities of VirusTotal using
Google’s Alphabet’s infrastructure. But it’s just the start — more VirusTotal features for enterprise security analysts are on the way, the new security company promises.