v2.0.0 Release Notes for TRITON RiskVision : RiskVision v2.0.0 Features
RiskVision v2.0.0 Features
52081 | Release Notes | TRITON RiskVision | 24-Sep-2015
TRITON RiskVision offers administrators:
*
*
*
*
*
Read on for more detailed information about the features and tools offered in this release.
Interactive incident investigation
The RiskVision Transaction Viewer is an interactive tool that administrators can use to find and investigate high-priority incidents in their network. The tool offers:
*
*
The Transaction Viewer combines the information returned by both local and cloud-based analysis tools, giving administrators detailed insight into why a malicious or suspicious incident was identified within a transaction.
Comprehensive local analysis
When RiskVision processes a transaction, it uses several analytic tools on the appliance to determine whether the transaction contains any malicious or suspicious characteristics. These analytics are grouped under the term Local Analysis.
* URL lookup is used to determine whether HTTP requests are going to sites already known to pose a security risk.
* Content analysis uses Websense Advanced Classification Engine (ACE) technologies to find malicious and suspicious behavior within an HTTP or SMTP transaction.
* Data analysis uses data loss and data theft policies to detect sensitive data leaving the network via HTTP or SMTP transactions.
* Cloud app analysis is used to identify traffic to cloud applications that may present malware, compliance, or data loss risks to the organization.
* YARA analysis is provided for organizations that already use YARA for malware classification. When enabled, the RiskVision YARA Plugin tries to match YARA rules within each transaction to find evidence of malware.
RiskVision also offers the ability to send incident information to a third-party SIEM tool or syslog for further investigation.
Cloud-based file sandboxing
When RiskVision Local Analysis does not find malicious characteristics in its file analysis, it may recommend that the files go through further investigation from the Websense File Sandbox.
When a file is flagged for sandboxing, the File Sandbox Processor contacts the File Sandboxing service in the cloud to find out if the file has been analyzed previously.
*
*
File Sandbox Processor polls occasionally for results.
When File Sandboxing has completed its analysis, it creates an online report that details its findings. File Sandbox Processor retrieves a link to the report, and adds it to the RiskVision incident record.
RiskVision administrators can access the link from the Transaction Viewer.
Comprehensive risk reporting
RiskVision includes several pre-defined malicious activity and data analysis reports that can be generated either individually, or as part of a comprehensive incident assessment. These reports are available in PDF or RTF format, and include a combination of summary and detail reports in tabular and chart formats.
User-friendly diagnostic tools
The Diagnostics page in the RiskVision Local Manager offers tools and statistics to help administrators:
*
*
*
*
In addition, the Local Manager offers interfaces for administrators to start or restart services, verify database downloads, and configure network interface use.

Copyright 2015 Raytheon | Websense. All rights reserved.