This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
It has become fairly clear that one of the largest data breaches of 2013 occurred, in part, because no one followed up on an automated alert from a breach detection system. Like many other companies, this organization was overwhelmed by incident alerts that come by the hundreds or thousands every day.
It can take hours, days and sometimes even weeks to thoroughly investigate and remediate an event that is raised by an alert. Moreover, the skills needed to respond to a security alert are fairly high. Many organizations are in desperate need of a way to respond to at least some of their alerts in an automated way in order to free up their highly skilled people to address the most serious and complex incidents.
This is a role that the new cyber security company Hexadite wants to fill. According to Hexadite CEO Eran Barak, there is a significant amount of time between when an incident triggers an alert and when someone responds to it--assuming anyone responds at all. This gap is a dangerous time when an attacker can be taking liberties with your network. The security company aims to fill that gap with the Hexadite Automated Incident Response Solution (AIRS).
Hexadite AIRS is not a detection system itself. Instead it integrates with your existing detection tools SIEM, IDS, anti-virus, DLP, etc. to take the alerts those systems generate and follow-up on them. When AIRS receives an alert, it first tries to determine whether or not it's a false alarm by collecting data from the relevant devices and endpoints using on-demand proprietary tools.
Hexadite considers these on-demand proprietary tools a point of differentiation from other incident response solutions. Unlike an agent that must be installed on endpoints, these temporary tools are only used when needed and only collect the data they need to investigate a specific incident. This means low overhead and no need to store lots of data that would be collected by a pervasive agent.
Once the relevant data is collected, Hexadite analyzes it using proprietary algorithms to determine the best course of action for remediation. The remediation phase can be fully automated or semi-automated, meaning the action is held until a human makes a decision and approves AIRS' actions. The various remediation options are devised according to your organization's policies and procedures. For example, you might choose to isolate a device with suspicious activity, block a user from network access, temporarily lower the privileges allocated to a user's account, kill specific processes running on an endpoint, and so on.
The automated responses can be granular based on your own parameters. For instance, you would want to treat an executive's account and computer differently than you would treat a lower level worker. Moreover, the system can work on numerous incidents in parallel, so even if you have hundreds or thousands of alerts in a day, AIRS can work them simultaneously to shut down threats before they can do damage.
When the system is in fully automated mode, it typically takes just minutes from the time the detection system raises an alert to the time an incident is remediated. Hexadite's CEO says the Automated Incident Response Solution can shorten the time to problem resolution up to 95%.
AIRS is deployed as a virtual appliance. If there are remote offices or multiple segments to the network, Hexadite offers virtual relay servers to provide better coverage. Proprietary tools are deployed on-demand so there is no need to install anything on the endpoints. Overall AIRS looks to have been built from the ground up to be a lightweight solution that can integrate via API with most detection systems.
As attacks become more frequent and threats grow more serious, the only way that organizations will be able to stay on top of security is with automation. You already use automated detection tools; the next logical step is to deploy automated responses as a complement to your human Computer Incident Response Team.