An organization might have all the right tools in place, but without trained personnel, even the best-equipped facility could find itself at a disadvantage against today's vast army of cyberthieves. On top of that, even experienced IT security personnel cannot stay on top of all the alerts and data flooding onto their logs.The IT environment of IDT, a Newark, N.J.-based telecommunications company, is somewhat unique in that it's at the nexus of very highly targeted industries – telecom, energy and oil, and banking and finance. The responsibility always lands squarely on the security team to keep the organization up and running and the critical resources in their varied cloud and data center environments protected.
“We have all seen what happens when you can't quickly contain and address an attack in your network,” says Golan Ben-Oni, chief security officer and senior vice president of network architecture at IDT, which employs more than 1,250 people, earned revenues in excess of $1.6 billion and operates in 21 countries. He points to the major breaches that have occurred recently as reason enough to employ automation to ensure his company could react effectively to all alerts it was seeing on its varied systems.
Ben-Oni explains it became necessary to improve the effectiveness of IDT's security operations center (SOC). “We were looking to automate much of the heavy lifting so our people could concentrate on the things they really needed to be doing,” he says. “Our environment is made up of best-in-breed network, endpoint systems, storage and database solutions, but none of them worked well together, so we had only a fragmented view of what was going on.”
He was spending a lot of time and money training and staffing the SOC to make all the technologies work. But, he realized that what was needed was a way to cut down on these systems and get to the point where the SOC could get an alert, respond and remediate in minutes, not hours (or sometimes even days).
Even with eight people on its IT staff, when an alert came in from any of its systems – it could be Palo Alto Networks, FireEye, Fidelis or any number of solutions that generate indicators of compromise (IOC) – it went to a live event stream and was loaded into the company's SIEM to determine if it was a real thing the IT staff was going to have to deal with. In a best-case scenario, Ben-Oni explains, it would take 15 minutes for the SIEM to correlate everything it needed to generate an alert for the SOC. Then, someone in the SOC had to see it and decide to act, which meant they had to pick up the phone and start calling the user or the network manager to get them to manually shut off the laptop or deal with the switch. “If it all worked well, we could contain the infection in 30 minutes,” he says. “The problem is: Attackers can do a lot in 30 minutes. They can get in and exfiltrate data in mere minutes.”
Ben-Oni (right) was the primary decision-maker when IDT began evaluating solutions to enable automated portions of its incident response process. His team had even built its own scripts to get better visibility and response times, but they kept looking for a solution that could help them address issues. After testing a few possibilities, the IT team found Hexadite.
“When we met with Hexadite, we didn't have to explain our pain points, they just got it and could help us solve our problems,” says Ben-Oni. “We deployed the Hexadite Automated Incident Response Solution (AIRS) and right away we saw results.”
Using Hexadite's proprietary SWAT Technology, Hexadite AIRS automates cyber alert investigations from an organization's layered security solutions, including network and endpoint systems, as well as identity (authentication) and third-party log repositories, says Eran Barak, co-founder and CEO, Hexadite. “With a proprietary approach that doesn't require the customer to install any agents, Hexadite quickly collects and analyzes all relevant incident information and then remediates attacks found on potential hosts.”
As a result, he explains, organizations can quickly investigate evolving threats, identify and remediate impacted systems and then verify the effectiveness of that remediation. Incident response (IR) best practices are codified in the advanced decision tree logic of the solution and can be automatically applied to optimize the effectiveness of existing resources and reduce the need for specialized IR skill sets and training. On-demand reports ensure the team is able to easily demonstrate the effectiveness of all its IR activities, he says.
Ben-Oni and his team were pleased with the implementation. “I cannot stress enough how easy it is to roll out Hexadite,” he says. “We don't have to touch endpoints or use our application distribution platform to roll out software, and we don't have to worry about whether it installed properly. All we have to do is create inclusion lists, grant access to our identity and access systems and tell Hexadite AIRS to do automatic investigations on systems. Hexadite simply logs into a system when there is a problem, deposits itself to do its analysis and then deletes itself and goes away. We were able to go from protecting 1,000 systems to 3,000 systems in one day.”
His first efforts with the technology were concentrated on doing automated investigations on alerts for the areas he was most concerned with, such as the workstation environment in IDT's corporate offices in New Jersey. “We quickly rolled it out across the U.S., then to Europe, the Middle East and Africa, and Central and South America.”
Hexadite AIRS immediately pulls in data directly from Splunk and all these other systems in seconds, says Ben-Oni. “When we know something bad has happened, but are not sure what it is, or have an incomplete alert, such as we know a user downloaded something malicious, but don't know if they executed it, Hexadite will immediately launch an investigation and fill in the blanks of what just happened.”
In fact, he says, the offering is able to find out the critical information that is missing from most alerts, which he used to have to go and get manually. “Because Hexadite automatically goes out and looks at every threat, we immediately know what the threat level actually is,” says Ben-Oni. “We may start at a 15 percent confidence level for a specific alert, but after Hexadite looks and comes back to us, we know it is really much higher. Hexadite enables us to save our people from having to do that, eliminating the 15 minutes we used to have to wait for the SIEM to correlate alerts, right from the start.”
Plus, by automating, his team gains the 15 to 30 minutes that it takes someone to contain an infection in a best-case scenario, he adds. The fact is, it takes people time to figure out what's going on and make any necessary changes to try to contain an infection. It could be four to five hours that are saved through automation, he say. “That's assuming that someone is there when an alert lands in the SOC. Humans are inconsistent in their knowledge, skills and time. They may or may not know where to look or what to do for a particular alert, which means there is a lot of room for error.”
But, he says, that's not the end of it. When the immediate threat is contained, there is still a lot of work to do. “A system administrator may need to get together with the help desk, launch a remote session, talk to the user, start looking around, etc. That can take hours, and they may not even find anything. So Hexadite saves us a lot of time there too, with the ability to login milliseconds after the alert to look for impropriety.”
The solution, he adds, can automatically look for new files, search Windows event logs, make comparisons to other systems and threat feeds during the course of its investigation, which manually could run eight hours.
“Hexadite helps us get consistent coverage, which is absolutely essential,” says Ben-Oni. “There is just no way for an individual to be able to investigate and quickly contain hundreds or thousands of systems. Hexadite's automation enables us to scale.”
Further, the solution assists with compliance regulations. “It enables us to investigate each and every alert that crosses our desk, with auditable logs and reports,” Ben-Oni says.
The threat landscape is evolving and Hexadite seems to be able to adapt and translate requirements into iterative enhancements, Ben-Oni says. “Because we have a presence in industries which are high-value targets, we have to do everything we can to be prepared and able to respond. We are now really focused on driving automation, so we can improve the productivity of our people and the overall security of our organization.”
Alert: Auto pilot
Eran Barak, CEO of Hexadite, says his company delivers several unique capabilities:
Out-of-the-box logic: Proprietary, intelligent algorithms and tools are able to automatically investigate each and every cyber alert. The Hexadite SWAT technology codifies IR best practices within the logic of the system to ensure organizations can effectively investigate, contain and remediate a breach out of the box.
Open architecture: Developed from the ground up to integrate with any system or endpoint, means the solution can quickly collect information from any detection system, log repository, endpoint device, etc. The solution is also open to allow administrators to customize.
Agentless deployment: Admins don't need to deploy or maintain agents. The solution will automatically install a light probe on endpoints that need to be analyzed during an investigation and then will automatically remove itself once the investigation is complete.