This column is available in a weekly newsletter called IT Best Practices.
It has become fairly clear that one of the largest data breaches of 2013 occurred, in part, because no one followed up on an automated alert from a breach detection system. Like many other companies, this organization was overwhelmed by the hundreds or thousands of incident alerts that arrive every day.
It can take hours, days and sometimes even weeks to thoroughly investigate and remediate an event raised by an alert, and responding to a security alert properly requires fairly specialized skills. Many organizations badly need a way to respond to at least some of their alerts automatically, so that their highly skilled people are free to address the most serious and complex incidents.
This is a role that the new cyber security company Hexadite wants to fill. According to Hexadite CEO Eran Barak, there is a significant amount of time between when an incident triggers an alert and when someone responds to it — assuming anyone responds at all. This gap is a dangerous time when an attacker can be taking liberties with your network. The security company aims to fill that gap with the Hexadite Automated Incident Response Solution (AIRS).
Hexadite AIRS is not a detection system itself. Instead it integrates with your existing detection tools (SIEM, IDS, anti-virus, DLP and so on), takes the alerts those systems generate and follows up on them. When AIRS receives an alert, it first tries to determine whether or not it is a false alarm by collecting data from the relevant devices and endpoints using on-demand proprietary tools.
Hexadite considers these on-demand proprietary tools a point of differentiation from other incident response solutions. Unlike an agent that must be installed on endpoints, these temporary tools are only used when needed and only collect the data they need to investigate a specific incident. This means low overhead and no need to store lots of data that would be collected by a pervasive agent.
Once the relevant data is collected, Hexadite analyzes it using proprietary algorithms to determine the best course of action for remediation. The remediation phase can be fully automated or semi-automated; in the semi-automated mode the action is held until a human reviews it and approves AIRS's proposed steps. The available remediation options are defined according to your organization's own policies and procedures. For example, you might choose to isolate a device showing suspicious activity, block a user from network access, temporarily lower the privileges on a user's account, kill specific processes on an endpoint, and so on.
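The workflow just described (take an alert, collect facts from the endpoint, decide whether it is a false alarm, then apply policy-driven remediation either immediately or after human approval) is easy to sketch in code. The following is an added illustration written for this column; it is not Hexadite's code and says nothing about how AIRS is implemented. The alert fields, the endpoint facts, the severity-to-action policy and the approval model are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample alerts in a generic shape such as a SIEM, IDS, AV or DLP
# tool might emit. The field names are assumptions for this example.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "av",  "host": "ws-017", "user": "jdoe",   "process": "dropper.exe", "severity": "high"},
    {"id": "a2", "source": "ids", "host": "ws-042", "user": "asmith", "process": "miner.exe",   "severity": "medium"},
    {"id": "a3", "source": "dlp", "host": "ws-099", "user": "bclark", "process": "outlook.exe", "severity": "low"},
]

# Constructed results of an on-demand collection run on each host, standing in
# for what a temporary collection tool would bring back (here: process list).
ENDPOINT_FACTS = {
    "ws-017": {"running": ["explorer.exe", "svchost.exe", "dropper.exe"]},
    "ws-042": {"running": ["explorer.exe", "chrome.exe"]},
    "ws-099": {"running": ["explorer.exe", "outlook.exe"]},
}

# Assumed organisational policy: severity -> ordered list of remediation actions.
POLICY = {
    "high":   ["isolate_host", "kill_process"],
    "medium": ["kill_process", "block_user"],
    "low":    ["notify"],
}


@dataclass
class Verdict:
    alert_id: str
    confirmed: bool          # False means the alert was judged a false alarm
    reason: str
    actions: List[str] = field(default_factory=list)


def collect(host: str) -> dict:
    """Stand-in for running a temporary collection tool on the endpoint."""
    return ENDPOINT_FACTS.get(host, {"running": []})


def triage(alert: dict) -> Verdict:
    """Confirm or dismiss an alert from collected endpoint data.

    Rule used here (an assumption): the alert is real only if the process it
    names is actually running on the host; otherwise it is closed as a false alarm.
    """
    facts = collect(alert["host"])
    proc = alert.get("process")
    if proc and proc in facts["running"]:
        return Verdict(alert["id"], True, f"{proc} running on {alert['host']}",
                       list(POLICY[alert["severity"]]))
    return Verdict(alert["id"], False, f"{proc} not observed on {alert['host']}")


class Responder:
    """Applies policy actions at once (mode="auto") or holds them for approval (mode="semi")."""

    def __init__(self, mode: str = "semi"):
        if mode not in ("auto", "semi"):
            raise ValueError("mode must be 'auto' or 'semi'")
        self.mode = mode
        self.executed: List[Tuple[str, str, str]] = []   # (alert_id, action, target)
        self.pending: Dict[str, Tuple[dict, Verdict]] = {}  # held for a human decision
        self.closed: List[str] = []                        # dismissed as false alarms

    def _run(self, alert: dict, v: Verdict) -> None:
        # Record each action against its target instead of calling real tooling.
        for action in v.actions:
            if action == "block_user":
                target = alert["user"]
            elif action == "kill_process":
                target = f"{alert['host']}:{alert['process']}"
            else:
                target = alert["host"]
            self.executed.append((v.alert_id, action, target))

    def handle(self, alert: dict) -> Verdict:
        v = triage(alert)
        if not v.confirmed:
            self.closed.append(v.alert_id)
        elif self.mode == "auto":
            self._run(alert, v)
        else:
            self.pending[v.alert_id] = (alert, v)   # hold until a human approves
        return v

    def approve(self, alert_id: str) -> bool:
        """Human approval for a held alert; returns False if nothing was pending."""
        entry = self.pending.pop(alert_id, None)
        if entry is None:
            return False
        self._run(*entry)
        return True

    def reject(self, alert_id: str) -> bool:
        """Human rejection of a held alert; the actions are simply dropped."""
        return self.pending.pop(alert_id, None) is not None


if __name__ == "__main__":
    r = Responder(mode="semi")
    for a in SAMPLE_ALERTS:
        print(r.handle(a))
    r.approve("a1")
    print("executed:", r.executed)
    print("still pending:", sorted(r.pending))
    print("closed as false alarms:", r.closed)
```

In the semi-automated mode every confirmed alert sits in `pending` until `approve` or `reject` is called, which is the human decision point the column describes; switching the responder to `mode="auto"` runs the same policy without that gate. The false-alarm check is deliberately crude: a real triage step would weigh several collected facts, but the shape of the pipeline (alert, collect, triage, policy, gated remediation) is the point.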