While many security vendors allow developers to access threat intelligence APIs as part of licensing their overall platforms, Sophos is taking a more free-wheeling approach.
The new SophosLabs Intelix threat intelligence as-a-service API allows developers to embed security features into their solutions as needed via a cloud-based, pay-as-you-go service without requiring a broader commitment to the Sophos platform.
The most important features are:
- Real-time lookups give fast answers on known good or bad files. By checking against Sophos's database of known malicious and known clean files, this tier can filter out the majority of malicious files.
- Static file analysis combines predictive machine learning with deep file inspection to provide additional classification for previously unseen threats, or to expose file metadata that can assist in classification decisions or incident response.
- Dynamic file analysis provides in-depth analysis of extremely difficult scenarios and zero-day attacks, with the option of creating a full detonation environment to execute potential malware outside of the network, observe its behavior and provide a verdict.
Developers can use the service in many ways. They may choose to automatically submit objects encountered by their platform to a different type of analysis, depending on their needs and security posture. They can also first look up a file hash or URL against the reputation database to get a quick verdict on known files, and then opt in to submit files for a more in-depth static or dynamic analysis to obtain classification verdicts and intelligence on zero-day threats, said Dmitry Samosseiko, director of threat research at SophosLabs.
"The API response comes back in a JSON or HTML report and is easy to integrate with existing solutions," he explained. "If a 'malicious' verdict is returned, it's recommended that any access to the object is denied and further remediation action is taken. Moreover, the solution may present rich information on the analyzed object to explain the decision and provide further details to a human expert, if required."
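The lookup-then-escalate workflow described above, as an added example that is not Sophos code: the in-memory backends, the JSON verdict shape and the function names are constructed for illustration and do not reflect the real Intelix API, and an object that no tier can classify is denied (fail closed) rather than admitted.

```python
import hashlib
import json
from typing import Callable, Optional

# Constructed sample backends. Each maps a SHA-256 hex digest to a JSON verdict
# string; the shape is illustrative, not the Intelix response format.
_REPUTATION = {
    hashlib.sha256(b"known clean installer").hexdigest(): '{"verdict": "clean"}',
    hashlib.sha256(b"known malware sample").hexdigest(): '{"verdict": "malicious"}',
}
_STATIC = {hashlib.sha256(b"packed but benign").hexdigest(): '{"verdict": "clean"}'}
_DYNAMIC = {hashlib.sha256(b"zero-day dropper").hexdigest(): '{"verdict": "malicious"}'}

def _verdict_from(table: dict) -> Callable[[str], Optional[str]]:
    """Build one analysis tier: parse the JSON verdict, or return None when the
    object is unknown to that tier or the response is malformed."""
    def tier(digest: str) -> Optional[str]:
        raw = table.get(digest)
        if raw is None:
            return None
        try:
            return json.loads(raw).get("verdict")
        except (json.JSONDecodeError, AttributeError):
            return None
    return tier

def classify(data: bytes, allow_dynamic: bool = True) -> tuple:
    """Cheap hash lookup first; escalate unknowns to static, then (optionally)
    dynamic analysis. Returns (decision, tier) with decision 'allow' or 'deny'."""
    digest = hashlib.sha256(data).hexdigest()
    tiers = [("reputation", _verdict_from(_REPUTATION)),
             ("static", _verdict_from(_STATIC))]
    if allow_dynamic:
        tiers.append(("dynamic", _verdict_from(_DYNAMIC)))
    for name, tier in tiers:
        verdict = tier(digest)
        if verdict == "malicious":
            return ("deny", name)   # deny access; hand off for remediation
        if verdict == "clean":
            return ("allow", name)
    # No tier reached a verdict: fail closed rather than admit an unknown object.
    return ("deny", "none")
```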
Dave Gruber, a senior analyst at ESG, said offering threat intelligence-as-a-service is an opportunity for application developers to build security controls into some of the more vulnerable areas of their applications by leveraging the powerful sandbox capabilities and threat intel offered by Sophos.
"There are so many potential use cases for these API-based services," he said. "Software applications or vendors that want to dynamically verify that uploaded files or URLs are valid and are not contaminated with malware; security products and vendors that lack their own powerful threat intel or sandbox capabilities; large-scale, well-funded security teams that supplement their security stack through custom tools development; and IT administrators, researchers, security analysts or students who are doing trend analysis or broader research to understand the threat potential within a more specific dataset."