Cloud-Based Sandboxing

It can be argued that the root of most security problems stems from the pervasive use and deployment of Default Allow architectures and security postures. Maximum security typically dictates that nothing should be trusted, and everything be scrutinized before a user is allowed to execute or open a file. This has such huge impacts on productivity that implementing such a policy is simply too difficult to achieve in the real world.

Cloud-Based Sandboxing Valkyrie
The Unique Solution

Introducing Valkyrie, Xcitium’s cloud-based, crowd-sourced threat intelligence and verdict-driven
analysis platform that fully implements a Default Deny architecture and security posture.

For the first time, organizations can totally eliminate the window of threat exposure and achieve
a “Zero Patient Zero” condition.

Cloud-Based Sandboxing Valkyrie Xcitium

Enterprise.comodo

Cloud-Based Sandboxing: AEP Takes File Analysis to the Cloud

Valkyrie, Xcitium’s cloud-based file analysis tool, correlates the local view of the file’s activity with a global view. This
avoids false positives and false negatives while providing an accelerated verdict to identify malware at the endpoint. The
result is that unknown files stay in containment for the shortest time of any containment solution on the market and are
usable while in containment. Valkyrie combines static, dynamic and human expert analysis with machine learning techniques to
deliver a verdict on more than 95% of the unknown files it sees in less than 45 seconds. Files needing more in-depth analysis
will undergo human analysis by security experts within Xcitium’s Threat Research Labs (CTRL)


Download white paper

Cloud-Based Sandboxing: Participation Increases Coverage and Visibility

With over 73 billion file queries and 300 million unique unknown files submitted annually, Valkyrie provides a verdict for over 200
million known and 1 million unique, unknown files each day, generating a huge knowledge base to allow for extensive file
verdiction, which speeds up decision time and reduces compute resources.

Now, the malware problem can be declared “solved,” and there is no longer a “patient zero.” Xcitium’s Default Deny platform
incorporating Valkyrie ensures that there are no unknown files able to inflict damage on unsuspecting users while allowing maximum
usability. The result is guaranteed protection without loss of time, money or user productivity.

Cloud-Based Sandboxing: Fast verdicts require a combination of advanced analysis methods

Static

Valkyrie performs comprehensive static analysis (discreet binary analysis) on every submitted Portable Executable (PE)
file. This analysis includes a rigorous interrogation of over 1,000 static analysis detectors comprised of more than
26 static detector groups. These detectors include binary level analysis, DLL libraries, code embedded system calls,
extractable links, support for more than 240 unpackers, string analysis and many others.

Dynamic

Additionally, the Valkyrie platform integrates dynamic virtual execution, or sandboxing, which leverages behavioral and
environmental analysis within a finely instrumented operating system. Valkyrie Dynamic Analysis can detect registry
and file system modifications, file executions and network communication attempts as wells as evasion techniques such
as anti-VM evasion, VM escape attempts, mass sleep commands and file system pollution, API system calls and responses,
as well as many other behavioral patterns to quick and accurately deliver verdicts.

Machine Learning

Valkyrie integrates the latest advances in Machine Learning techniques throughout the automated analysis process.
Machine Learning models ensure a high degree of accuracy without the overhead and management typically associated with
exploit validation and response. Some of the Machine Learning techniques Valkyrie employs include Support Vector
Machines, Naive Bayes, Decision Trees and Random Forest Classifiers. Additionally, Valkyrie will employ Linear
Discriminant Analysis, Stochastic Gradient Descents, Hidden Markov models and Neural Networks, just to name a few.
These advanced techniques all help Valkyrie provide an automated accelerated verdict that on average only takes 45
seconds, 5x’s faster than industry norms.

Reputation Analysis

Valkyrie takes the concept of reputation in a different direction. When analyzed malicious files receive a verdict,
embedded URLs are extracted and matched against known bad URLs (web blacklist), as well as correlated against all
known bad malware URLs to draw associations between polymorphic code, campaigns and threat actors. Helping to speed up
Valkyrie’s already industry-leading response time and providing additional data points when providing an accurate
verdict for any given file.

Manual Expert Human Analysis

For the 5% of incoming files where automated analysis could not determine an accelerated verdict, an expert human
malware researcher is required to accurately analyze the file. Valkyrie provides the industry’s only SLA-backed
advanced malware analysis platform with human analysis to ensure that 100% of unknown files receive a verdict.

Cloud-Based Sandboxing: Crowd Sourcing Global Intelligence

Xcitium’s position as the world’s largest certificate authority provides Valkyrie with unique insight into known good applications,
publishers and even OS level processes. Unlike simple whitelisting, Xcitium is directly involved in digitally signing and
validating the “known good” and shares that intelligence with Xcitium Advanced
Endpoint Protection
as well as with the Valkyrie File Analysis Platform. Inversely, Xcitium Threat Research Labs (CTRL)
leverages over 85 million endpoint installations across consumer and enterprise networks, providing excellent visibility into the
“known bad.” This combination allows for a low compute way to quickly detect and defend against known threats, freeing up compute
for advanced detection methods. When an unknown file or process is submitted to Valkyrie through the Valkyrie Portal or Xcitium
AEP, the resulting analysis – and Accelerated Verdict – provide global coverage and the elimination of patient-zero

Endpoint Detection

Endpoint Detection and Response