An organization might have all the right tools in place, but without trained personnel, even the best-equipped facility could find itself at a disadvantage against today's vast army of cyberthieves. On top of that, even experienced IT security personnel cannot stay on top of all the alerts and data flooding onto their logs.The IT environment of IDT, a Newark, N.J.-based telecommunications company, is somewhat unique in that it's at the nexus of very highly targeted industries – telecom, energy and oil, and banking and finance. The responsibility always lands squarely on the security team to keep the organization up and running and the critical resources in their varied cloud and data center environments protected.
“We have all seen what happens when you can't quickly contain and address an attack in your network,” says Golan Ben-Oni, chief security officer and senior vice president of network architecture at IDT, which employs more than 1,250 people, earned revenues in excess of $1.6 billion and operates in 21 countries. He points to the major breaches that have occurred recently as reason enough to employ automation to ensure his company could react effectively to all alerts it was seeing on its varied systems.
Ben-Oni explains it became necessary to improve the effectiveness of IDT's security operations center (SOC). “We were looking to automate much of the heavy lifting so our people could concentrate on the things they really needed to be doing,” he says. “Our environment is made up of best-in-breed network, endpoint systems, storage and database solutions, but none of them worked well together, so we had only a fragmented view of what was going on.”
He was spending a lot of time and money training and staffing the SOC to make all the technologies work. But, he realized that what was needed was a way to cut down on these systems and get to the point where the SOC could get an alert, respond and remediate in minutes, not hours (or sometimes even days).
Even with eight people on its IT staff, when an alert came in from any of its systems – it could be Palo Alto Networks, FireEye, Fidelis or any number of solutions that generate indicators of compromise (IOC) – it went to a live event stream and was loaded into the company's SIEM to determine if it was a real thing the IT staff was going to have to deal with. In a best-case scenario, Ben-Oni explains, it would take 15 minutes for the SIEM to correlate everything it needed to generate an alert for the SOC. Then, someone in the SOC had to see it and decide to act, which meant they had to pick up the phone and start calling the user or the network manager to get them to manually shut off the laptop or deal with the switch. “If it all worked well, we could contain the infection in 30 minutes,” he says. “The problem is: Attackers can do a lot in 30 minutes. They can get in and exfiltrate data in mere minutes.”
Ben-Oni (left) was the primary decision-maker when IDT began evaluating solutions to enable automated portions of its incident response process. His team had even built its own scripts to get better visibility and response times, but they kept looking for a solution that could help them address issues. After testing a few possibilities, the IT team found Hexadite.
“When we met with Hexadite, we didn't have to explain our pain points, they just got it and could help us solve our problems,” says Ben-Oni. “We deployed the Hexadite Automated Incident Response Solution (AIRS) and right away we saw results.”
Using Hexadite's proprietary SWAT Technology, Hexadite AIRS automates cyber alert investigations from an organization's layered security solutions, including network and endpoint systems, as well as identity (authentication) and third-party log repositories, says Eran Barak, co-founder and CEO, Hexadite. “With a proprietary approach that doesn't require the customer to install any agents, Hexadite quickly collects and analyzes all relevant incident information and then remediates attacks found on potential hosts.”
As a result, he explains, organizations can quickly investigate evolving threats, identify and remediate impacted systems and then verify the effectiveness of that remediation. Incident response (IR) best practices are codified in the advanced decision tree logic of the solution and can be automatically applied to optimize the effectiveness of existing resources and reduce the need for specialized IR skill sets and training. On-demand reports ensure the team is able to easily demonstrate the effectiveness of all its IR activities, he says.