hexis cyber solutions: rules of engagement for cyber security automation

Automated Threat Removal Todd Weller VP Corporate Development June 2015

Post on 14-Aug-2015


Page 1: Hexis Cyber Solutions: Rules of Engagement for Cyber Security Automation

Automated Threat Removal

Todd Weller, VP Corporate Development

June 2015

Page 2

What is Automated Threat Removal?

An integrated approach to threat detection and response that leverages flexible, policy-based automation to detect, verify, and remove threats before they do damage.

Page 3

The Response Problem

Despite deploying lots of security technologies, organizations continue to experience multiple challenges responding to threats:

1. Not enough skilled people to respond fast enough

2. AV and network perimeter not blocking threats

3. Too many events and false positives to review

Page 4

The Response Problem

Despite deploying lots of security technologies, organizations continue to experience multiple challenges responding to threats.

1. Visibility

2. Verification

3. Response

Page 5

Spending Shift to Detection and Response

[Chart: security spending shifting from Prevention toward Detection & Response]

§ Prevention is not 100% effective

§ Nature of attacks driving need for greater visibility

§ Response more top of mind

Page 6

Move to Continuous Response

§ Attack environment resulting in increased investment in response

§ Continuous attacks driving shift from incident response to continuous response

§ Continuous response requires increasing use of automation

Page 7

Copyright © 2015, Hexis Cyber Solutions, Inc. All rights reserved.

Why Automation is Necessary

Page 8

Human Assets Are Tough to Find and Scale

Page 9

Demand for Talent Outstripping Supply

Source: Burning Glass Technologies, "Job Market Intelligence: Report on the Growth of Cybersecurity Jobs"

"The talent you're looking for in incident response is absolutely the hardest I've seen to find in security in general"

- Christine Gadsby, Manager, BlackBerry Product Security Incident Response Team

Page 10

Automated Attacks = Automated Defense

Page 11

Forrester's Call for Automated Response

"A call to action for a more automated threat response process based on developing a set of cyber rules of engagement"

Page 12

"Security Automation is Inevitable"

Source: Forrester Research

Forrester Rules of Engagement themes:

§ Better tools to detect breaches

§ Defining policy (rules of engagement) to facilitate adoption of automation

§ Response index

Page 13

What are the essential ingredients?

Page 14

1. Visibility

2. Verification

3. Automated Response

Page 15

1. Visibility

§ Ensuring environments are properly instrumented to detect today's threats

§ Initial focus was network-based sandboxing solutions

§ Focus shifting to Endpoint Visibility & Control

Page 16

Advanced Threat Detection Frameworks

Page 17

Takeaways

§ Sandboxing is important, but it's just one component of defense

  § Malware increasingly sandbox-aware and evading sandboxes

§ Visibility on both endpoints and the network is required

  § Including correlation of activity

Page 18

2. Verification

§ STRATEGIC: Corroboration and threat fusion to improve detection and prioritize investigation and response

§ TACTICAL: Solving the "ghost alert" issue related to network security alerts (alerts raised by a network device for which the endpoint sensor finds no corroborating activity on the named host)

Page 19

3. Automated Response

§ A collection of countermeasures that can be flexibly deployed based on policy

§ Ability to operate countermeasures in any combination of automated or machine-guided modes

§ Manual investigation capabilities

Page 20

Page 21

Mix 'em up so they work together…

Page 22

Automation Requires Integration

§ Visibility

§ Verification

§ Automated Response

Integration & Orchestration

Page 23

HawkEye G Solves the Response Problem

1. Detect: integrated platform with real-time endpoint agents, network edge detection, and a 3rd-party ecosystem

2. Verify: host and network correlation confirms the threat to pinpoint where you really need to respond

3. Remove: automation and machine-guided response is a force multiplier to remove the threat before breach

Page 24

Detect: Endpoints + Network

[Architecture diagram: HawkEye G Manager, HawkEye G Host Sensor, HawkEye G Network Sensor, Hexis Threat Feed, and third-party integrations]

§ 174 heuristics

§ 19 threat feeds

§ Third-party integrations: FireEye® NX, PAN NGFW + WildFire®

Page 25

Verify: Introducing ThreatSync™

[Architecture diagram: the same inputs as the Detect slide (HawkEye G Host Sensor, HawkEye G Network Sensor, Hexis Threat Feed, FireEye® NX, PAN NGFW + WildFire®; 174 heuristics, 19 threat feeds) flowing into ThreatSync]

ThreatSync: threat fusion, threat analytics, indicator scoring, device incident score

Page 26

Remove

[Architecture diagram: ThreatSync, Policy Manager, and countermeasures, with the same sensor and third-party inputs as the preceding slides]

Policy Manager countermeasures: Kill, Quarantine, Block, Expire, Forensics, Future

Countermeasure modes: Surgical, Machine Guided, Automatic

Page 27

Report

[Architecture diagram: the Remove slide with reporting added; Policy Manager countermeasures (Kill, Quarantine, Block, Expire, Forensics, Future) in Machine Guided and Automatic modes, with the same sensor and third-party inputs]

Page 28

How Hexis is Embracing Integration

Integrated Platform:

§ Detect, Verify, Remove

§ Endpoint + network

ThreatSync™:

§ Improve detection effectiveness

§ Verify endpoint infections

§ Enable automated response

Architectures:

§ U.S. Intelligence Community reference architecture (SHORTSTOP)

§ Integrated Active Cyber Defense (ACD) solution

§ Includes Hexis, Palo Alto, FireEye, and Splunk

Page 29

Hexis Key Differentiators

§ Full arsenal of machine-guided and automated countermeasures that can be flexibly deployed based on policy

§ Endpoint sensing capabilities: heuristics, real-time eventing

§ Endpoint + network, including correlation

§ ThreatSync™ analytics fuses Hexis detection with 3rd-party indicators

§ Integrated platform spanning detection, investigation, and response

§ Developed using military-grade cyber capabilities and state-of-the-art commercial technologies

Page 30

REVIEW

Forrester's Call for Automated Response

"A call to action for a more automated threat response process based on developing a set of cyber rules of engagement"

Page 31

REVIEW

"Security Automation is Inevitable"

Source: Forrester Research

Forrester Rules of Engagement themes:

§ Better tools to detect breaches

§ Defining policy (rules of engagement) to facilitate adoption of automation

§ Response index

…totally in sync with the HawkEye G 3.0 vision

Page 32

Security Automation Adoption

§ Crawl, walk, run

§ Early-win automation use cases:

  § Verification of network alerts

  § Automated removal of nuisance malware

§ Organizations can buy and operate their own automation platforms or consume via a managed service
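The Verification and Automated Response ingredients (pages 18 and 19), the ThreatSync-to-Policy-Manager flow (pages 25 and 26) and the two early-win use cases above all reduce to one decision loop: corroborate a network alert with endpoint evidence, fold the indicators into a per-device score, then let a written policy (the rules of engagement) choose the countermeasure and whether it runs automatically or waits for an analyst. The Python below is an added illustration written for this page; it is not Hexis code and says nothing about how HawkEye G or ThreatSync actually score or act. The alert and host-sensor records, the indicator weights, the asset tiers and the 80-point automatic threshold are all constructed for the example.

```python
"""Toy cyber rules-of-engagement engine: verify a network alert against host
evidence, compute a device incident score, and choose a countermeasure mode
by policy.  Illustrative code only; every record and weight below is made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed network-side alerts (e.g. from a sandbox) naming a host and a
# file hash.  ws-202 has no matching endpoint activity: a "ghost alert".
NETWORK_ALERTS = [
    {"host": "ws-101", "sha256": "aa11", "source": "sandbox"},
    {"host": "ws-202", "sha256": "bb22", "source": "sandbox"},
    {"host": "db-01", "sha256": "cc33", "source": "sandbox"},
]

# Constructed endpoint-sensor observations: the hash actually executed, and
# whether the sensor also saw a persistence mechanism (run key, service, ...).
HOST_EVENTS = [
    {"host": "ws-101", "sha256": "aa11", "pid": 4120, "persistence": True},
    {"host": "db-01", "sha256": "cc33", "pid": 880, "persistence": False},
]

# Rules-of-engagement inputs (assumed values, not vendor defaults).
ASSET_TIER = {"ws-101": "workstation", "ws-202": "workstation", "db-01": "server"}
INDICATOR_WEIGHTS = {"network_alert": 40, "host_execution": 40, "persistence": 20}
AUTO_THRESHOLD = 80  # device incident score needed for fully automatic removal


@dataclass
class Decision:
    host: str
    score: int
    verified: bool       # True only when host evidence corroborates the alert
    mode: str            # "automatic", "machine_guided" or "none"
    actions: List[str]
    reason: str


def host_evidence(host: str, sha256: str) -> Optional[dict]:
    """Return the endpoint event that corroborates the network indicator, if any."""
    for event in HOST_EVENTS:
        if event["host"] == host and event["sha256"] == sha256:
            return event
    return None


def device_incident_score(evidence: Optional[dict]) -> int:
    """Fuse indicators into one per-device score: the network alert alone is
    worth 40, a confirmed execution adds 40, observed persistence adds 20."""
    score = INDICATOR_WEIGHTS["network_alert"]
    if evidence is not None:
        score += INDICATOR_WEIGHTS["host_execution"]
        if evidence["persistence"]:
            score += INDICATOR_WEIGHTS["persistence"]
    return score


def apply_policy(alert: dict) -> Decision:
    """Rules of engagement: unverified alerts get no countermeasure; verified
    threats on workstations at or above the threshold are removed automatically;
    everything else (servers, lower scores) is proposed to an analyst."""
    host = alert["host"]
    evidence = host_evidence(host, alert["sha256"])
    score = device_incident_score(evidence)
    if evidence is None:
        return Decision(host, score, False, "none", ["deprioritize"],
                        "network alert not corroborated by endpoint sensor")
    tier = ASSET_TIER.get(host, "server")  # unknown assets are treated as critical
    if tier == "workstation" and score >= AUTO_THRESHOLD:
        return Decision(host, score, True, "automatic", ["kill", "quarantine"],
                        "verified threat on a workstation at or above the automatic threshold")
    return Decision(host, score, True, "machine_guided",
                    ["collect_forensics", "propose_kill"],
                    "verified threat on a %s; analyst approval required" % tier)


def triage(alerts: List[dict] = NETWORK_ALERTS) -> Dict[str, Decision]:
    """Run every network alert through verification and policy."""
    return {alert["host"]: apply_policy(alert) for alert in alerts}


if __name__ == "__main__":
    for host, decision in triage().items():
        print(host, decision.score, decision.mode, decision.actions, decision.reason)
```

Two design points carry over to a real deployment. The ghost alert on ws-202 is deprioritized, not auto-closed, because the absence of host evidence may mean the sensor missed something rather than that nothing happened. And db-01 scores exactly at the automatic threshold yet still goes to machine-guided mode: asset criticality in the policy overrides the score, which is what "rules of engagement" means in practice.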

Page 33

Security Automation Benefits

§ Faster response = improved security posture

  § Narrow the gap between time to detect and time to remediate

§ Automation can serve as a force multiplier for scarce human security resources

  § Free up existing resources to focus on more meaningful alerts/issues

  § Efficiently scale response efforts

Page 34

Questions?

Thank You!