

Tim MalcomVetter
Co-Founder / CEO
That’s Not Ransomware
Cybersecurity is full of alert fatigue. Imagine the stress a security engineer feels when an alert comes in declaring potential ransomware! In Wirespeed MDR, we get second, third … even Nth opinions on components of the data in the alerts we triage. Today’s success story is one we repeat routinely, many times a week: we dismissed an alert that SentinelOne classified as “malicious” and “ransomware.”
It’s no secret that detection vendors are liability-driven, meaning they err on the side of over-alerting rather than under-alerting, so that customers can never say the product was at fault for missing an actual intrusion that resulted in damages.
In this example, you can see the raw JSON from SentinelOne, with the category set to Ransomware and a confidence of malicious.
In this case, we enriched the detection with our file reputation integration and confidently used our third-party opinions to dismiss the alert as benign. We can clearly see this is a legitimate application from Lenovo. True to our Wirespeed name, we were able to process the entire alert with all of our enrichments and decisions in just under a half second (482ms) and our customer could stay focused on things that mattered that day—not chasing fake ransomware!
Also, because everything we do is completely transparent, our customer can see our case, see why we dismissed it, and if they need receipts, they even have the nice narrative “story” about the executable from ReversingLabs as an extra touch.
