Hexis, Others Put Security Response On Autopilot

Hexis and several other makers of advanced threat-detection platforms are promising fully automated incident response capabilities, but security experts tell CRN that some organizations may disconnect the autopilot.

As with intrusion-prevention systems, which promised automatic blocking and tackling, the promise of fully automated incident response is years away, said Jon Oltsik, senior principal analyst at Milford, Mass.-based Enterprise Strategy Group. Organizations require a responder to identify how the infection happened and remediate the configuration weakness, policy breakdown or vulnerability to prevent another threat from using the same pathway, Oltsik said.

"A lot of these platforms offer a great amount of promise, especially for organizations that have overburdened IT teams," Oltsik said. "The noise level from alerts has increased significantly and as previous breaches have demonstrated, it's difficult to identify and investigate the alerts that pose the biggest risk to the organization."


Customer demand has prompted managed service providers to add advanced threat and incident response services to their monitoring and alert offerings. Hexis has turned to the channel with its HawkEye G platform, which uses sensors to detect threats in the network, automate threat investigation and automatically remove the threats from the network.

Other vendors promise full automation. Intel Security (formerly McAfee) introduced an Advanced Threat Defense appliance this year designed to integrate with the rest of its product portfolio to detect zero-days and other custom malware, immediately "freeze the threat" and identify other vulnerable machines, then automate a fix or remediation actions. Other vendors include Damballa, LightCyber and Hexadite.

"You have to start building algorithms that are accurate enough that automation is comfortable for you," said Intel Security CTO Michael Fey in an interview with CRN. "We have automation in our brakes in our cars, yet we do not have the ability to delete a file that is fully recoverable if you are wrong? Yes. It's time to change."

Organizations may choose not to fully automate the process for their most critical systems, but full automation can be restricted to other areas of the network to free up already overburdened incident responders, said Dewayne Adams, chief technology officer at Patriot Technologies, a Frederick, Md.-based solution provider and Hexis partner.

"Almost everything that is out there is about alerting you to a malware issue," Adams said. "There is real interest in the automation, and its analysis can trigger the remediation or issue an alert to a first responder."


Hexis said its early customers use "machine-guided mode" to manage business-critical servers. The company is still having great success speeding up the process of plowing through alerts generated by network security appliances and other breach-detection systems, said Chris Fedde, president of Hexis Cyber Solutions, a KEYW Holding Corp. company.

"We've got one set of customers that say, 'I've got alerts coming out of my ears,'" Fedde told CRN. "We fundamentally have a different approach than other vendors. We find [malware] and kill it, and we don't care where it came from. We don't need to know what its behavior is because, by definition, the behavior is unknown. We don't have staff to spend a lot of time doing the forensics on the threats that we find and remove. It's not part of our business model. We kill it, and that's the end of it."

In fully automated mode, the platform can detect and remove a threat in half a minute, Fedde said. In machine-guided mode, the process can take as long as 10 minutes from the time malware is detected, he said, adding that it is still enough time to stop the infection from compromising the rest of the network.

Fedde said that over a three-month period at an organization with more than 5,000 users, Hexis detected custom malware on 27 Windows devices, which had evaded detection by myriad next-generation firewalls, intrusion-prevention systems and other breach-detection platforms. The company stores six months of network heuristics to identify the often slow pace of advanced threats and retrain its analytics engine.

Fedde compared the platform's remediation to a spell checker. Once a threat is identified, a kill command is triggered and the malware self-destructs, he said. "If a threat is really resisting being excised or resisting self-destruct commands, then we take more serious and more intrusive behaviors and countermeasures," Fedde said.