The final two security levels are analyst and observer. An analyst account is designed to be used by outside auditors who are responsible for verifying the integrity of network security. This is required by some government agencies. An auditor can see most things happening on the HawkEye G protected network, but can't make any changes.
An observer account is designed for C-level bosses who would like to see an overview of everything happening on their network from a very high level using dynamic charts and graphs. HawkEye G will show observers how many attacks are occurring, how many systems have been infected and healed and other general information. Observers have no power to change or modify anything and aren't shown granular information.
In addition to the different account types, the other thing most users will notice right away is the current cybercon level. Cybercon is a play off the word DEFCON, the defense readiness condition indicator used by the armed forces. Unlike account types, what each cybercon level means is completely definable by the user. However, by default, Hexis technicians recommend and help most customers install the system based on increasing threat levels.
So at cybercon level five, indicating the least amount of threat, HawkEye G may only be allowed to detect problems. Moving down to cybercon level three would enable detection, engagement of threats and automatic removal of offending malware. Cybercon level one is designed as a sort of panic button, and more or less locks down all protected systems until a threat can be completely contained. Humans need to manually change the cybercon level, and a cybercon one condition would likely only get used in extreme circumstances. For these tests, everything was set to cybercon level three, which allowed HawkEye G to automatically combat threats.
The first test of HawkEye G was malware installed on a protected system. As the malware tried to contact its botnet handler, it was caught because the URL it was trying to reach was on the list of known threats, as downloaded to the system from the Hexis support center. At that point, all traffic from that client was instead routed to the bot trap.
Had there not been a sensor on that client, HawkEye G would still have prevented the malware from spreading. But because a sensor was also in place, HawkEye G was able to take several automatic actions, which were visible from the administration window when logged in as an operator. These processes didn't require any intervention on the part of the user, but since our test network was small, it was easy to see activity occurring.
The first thing that was checked was if a human had typed in the restricted URL, or if it were done by a program. If a human did it, there are several steps that could be taken based on the cybercon level. A warning could be issued at one end of the spectrum all the way up to the revoking of user privileges at the other. But since this was being done by a program, that step was skipped.
Sign up for CIO Asia eNewsletters.