Today is a big day for Deepviz!
We worked incredibly hard in the past weeks to make this happen, but I can officially say that starting from now we are in public beta. What does this mean? I will go through some things that you need to know to quickly get acquainted with Deepviz.
Deepviz is a fully integrated threat intelligence platform, powered by a cloud-based automated malware analyzer environment and a fully scalable, cloud-based, threat intelligence database which processes and correlates the feed of data extracted from the malicious samples analyzed by the malware analyzer environment. The whole infrastructure is based on OpenStack (designed to be AWS compatible) and it has been implemented to quickly and easily scale as needed.
The malware analyzer platform – described here more in detail – can process up to 80,000 samples per day. More important, though, is that we designed the platform to scale horizontally in a matter of minutes, so more processing nodes can be added to increase the number of processed samples. The platform’s ability to extract relevant details and behaviors from malicious samples is simply awesome if you want to fully understand the malware behavior, both from a filesystem perspective and a network perspective, but we also wanted to give our users a short and quick answer to the final question: is the uploaded sample malware or not?
The malware analyzer platform is backed by a self-learning / machine learning classifier which is constantly retrained with both malicious and good samples. In our internal tests the classifier was able to successfully identify and block new malware which had already bypassed many antivirus solutions.
The threat intelligence platform instead is a fully scalable engine powered by a cluster of ElasticSearch nodes which index the malware analyzer’s feed of data in real time, doing automatic data correlation and aggregating results to spot new malware families and similarities between processed samples.
We are really proud of the threat intelligence platform because we built it to make its usage as easy as possible but at the same time powerful enough to allow users to build up their own queries and search rules.
This is the reason why we built a threat intelligence UI that can be used without writing a single line of code, but we also built a set of REST APIs that you can implement in your own code and use the threat intelligence as you prefer.
The Threat Intelligence UI can be reached at intel.deepviz.com, and it will be available for free for all the users registered with a Deepviz account until the end of the public beta. After that, it will be available only with a subscription – but we will also have a dedicated free plan for people who help us by submitting malicious data.
We have prepared two simple dashboards, reachable from the left sidebar: network activity and malware overview.
In the network activity dashboard we show the recently registered domains contacted by the malware successfully processed in a 6 hours / 24 hours / 3 days / 7 days time frame. The same applies to individual IPs contacted by malware.
By right-clicking on the domain or IP and clicking on “Search for samples” it is possible to retrieve the actual MD5s which tried to connect to it.
In the malware overview, in the first chart, we highlight the samples we consider to be most interesting, sorted by Identification score and by matched rules. The Identification score is a threat score; the matched rules are the number of rules matched by our malware classifier. The samples with a lower threat score and a higher number of matched rules are the more interesting ones, because they could be new malware.
In the lower chart we correlate the data related to all the processed samples in a specific time frame to spot new malware families.
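To make concrete what the two dashboards compute, here is a small added example (not Deepviz code, and not the real data model) over a handful of constructed sample records: the per-time-frame domain and IP aggregation of the network activity dashboard, the reverse lookup behind “Search for samples”, and the malware overview ranking by low threat score and many matched rules. Field names, the 32-character placeholder MD5s and the example indicators are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real analysis output): MD5, time the sample was
# processed, contacted domains/IPs, Identification (threat) score, rules matched.
NOW = datetime(2015, 5, 20, 12, 0, 0)
SAMPLES = [
    {"md5": "a" * 32, "seen": NOW - timedelta(hours=2),
     "domains": ["new-domain.example"], "ips": ["198.51.100.7"],
     "score": 15, "rules": 9},
    {"md5": "b" * 32, "seen": NOW - timedelta(hours=20),
     "domains": ["new-domain.example", "other.example"], "ips": [],
     "score": 90, "rules": 12},
    {"md5": "c" * 32, "seen": NOW - timedelta(days=5),
     "domains": ["old.example"], "ips": ["198.51.100.7"],
     "score": 15, "rules": 3},
]

# The four time frames offered by the network activity dashboard.
WINDOWS = {"6h": timedelta(hours=6), "24h": timedelta(hours=24),
           "3d": timedelta(days=3), "7d": timedelta(days=7)}


def indicators_in_window(samples, window, key, now=NOW):
    """Domains (key='domains') or IPs (key='ips') contacted by samples
    processed within the chosen time frame, deduplicated and sorted."""
    cutoff = now - WINDOWS[window]
    return sorted({ind for s in samples if s["seen"] >= cutoff for ind in s[key]})


def samples_for_indicator(samples, indicator):
    """Reverse lookup behind 'Search for samples': MD5s that contacted
    the given domain or IP."""
    return sorted(s["md5"] for s in samples
                 if indicator in s["domains"] or indicator in s["ips"])


def most_interesting(samples):
    """Malware overview ordering: lowest threat score first, and among equal
    scores the sample that matched the most classifier rules first."""
    ranked = sorted(samples, key=lambda s: (s["score"], -s["rules"]))
    return [s["md5"] for s in ranked]
```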
Of course the UI will allow you to search for specific MD5s, domains and IPs. More advanced search queries will be available in the coming days, when we’ll release an advanced search form. However, if you can’t wait and you already want to use our advanced threat intelligence search, you can implement our APIs in your code and start using them immediately.
At api.deepviz.com it’s possible to retrieve the list of available APIs along with related examples about how to use them. All the APIs are reachable by a simple HTTPS JSON request and the implementation should be straightforward – anyway, if you run into any issue please feel free to get in touch with us and we’ll assist you step by step.
One last thing: please keep in mind that while we’re in public beta we’re still fixing many minor things, adding new features, changing here and there. If you find any error, any discrepancy, or just some slowdown/downtime, it shouldn’t happen but it does 🙂 Just let us know and we’ll do all we can to provide you with the best experience possible.
I don’t want to make this blog post any longer; what I just want to say is: feel free to register for an account at www.deepviz.com, play around with it, feel free to contact us either publicly or privately through our support page and make your own suggestions, let us know your ideas, pose your questions.
We will be there waiting for you, to try and build up together your powerful tool against cybercrime.