Automating incident response lets IDT take battle to the enemy

By automating the incident response process, IDT was able to reduce the time before the infection was quarantined, shorten the remediation cycle, reduce investigation time, and free up security staff to go after the bad guys themselves


Automation was needed here as well, and IDT turned to another vendor, Hexadite.

Today, Hexadite receives the alert within a second after it comes in, and sends behavioral data to Palo Alto and other sandboxes for analysis.

A full behavioral alert is ready within 18 seconds, and other information is collected in the next 40 to 60 seconds, Ben-Oni said.

The entire alert investigation process now takes a total of one and a half minutes, and those alerts that turn out to be significant are funneled into the automated remediation process.

For user workstations, a confidence level of 95 percent or so knocks it off the network and sends it in for automatic reimaging. For production systems, that happens at a confidence level of around 30 percent, since it's easier to rebuild them quickly.

There are still occasions when real people need to get involved, Ben-Oni added.

"But what they're looking at right now is a clearer storyboard of what actually happened," he said. "They get the results of a full automated investigation on their screen."

Hexadite came in about six months ago, Ben-Oni said. It took about a week to get started with the first set of 20 to 30 machines, and the system was then extended to cover the rest of the company's infrastructure in stages.

At the end of the day, automation was not a choice, but a necessity, he said.

"As a public organization, it's incumbent on me to do this," he said.

Not everyone is ready to go this far in automating their security response, however.

"It's not practical in a business setting," said Andy Woods, director of commercial cybersecurity at BAE Systems. The company provides outsourced incident response services.

The big risk, he said, is overreacting to false positives and trying to re-image too many desktops at once.

"It could take down your network," he said. "You could be performing a DDoS on yourself."

In addition, he said, attackers are always innovating and threat indicators change constantly.

It takes a trained analyst to tell whether a threat is real or not, and to adjust indicators as needed, he said.
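The two positions above translate directly into playbook logic: the per-asset-class confidence gate IDT describes (95 percent or so for user workstations, around 30 percent for production systems) and the blast-radius problem Woods raises, where a burst of false positives reimages too many machines at once. The Python below is an added illustration for this page, not IDT's, Hexadite's, or BAE's code. The asset classes, the per-window cap on automatic actions, the decision names and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class AssetClass(Enum):
    WORKSTATION = "workstation"
    PRODUCTION = "production"


# Confidence at which an alert triggers automatic quarantine and reimaging,
# per asset class. The values follow the figures quoted in the article;
# a real deployment would tune them from its own false-positive history.
QUARANTINE_THRESHOLD: Dict[AssetClass, float] = {
    AssetClass.WORKSTATION: 0.95,
    AssetClass.PRODUCTION: 0.30,
}


@dataclass
class Alert:
    host: str
    asset_class: AssetClass
    confidence: float  # 0.0 to 1.0, output of the automated investigation


@dataclass
class Decision:
    host: str
    action: str  # "quarantine_reimage" | "escalate_to_analyst" | "hold_blast_radius"
    reason: str


@dataclass
class RemediationPolicy:
    """Hypothetical playbook: threshold gate plus a blast-radius cap.

    The cap bounds how many hosts of one asset class may be automatically
    reimaged within a single window, so a burst of false positives is held
    for a human rather than becoming a self-inflicted denial of service.
    """
    max_auto_actions_per_window: int = 5
    actions_this_window: Dict[AssetClass, int] = field(default_factory=dict)

    def decide(self, alert: Alert) -> Decision:
        threshold = QUARANTINE_THRESHOLD[alert.asset_class]
        if alert.confidence < threshold:
            return Decision(
                alert.host, "escalate_to_analyst",
                f"confidence {alert.confidence:.2f} below threshold {threshold:.2f}",
            )
        used = self.actions_this_window.get(alert.asset_class, 0)
        if used >= self.max_auto_actions_per_window:
            return Decision(
                alert.host, "hold_blast_radius",
                f"{used} automatic actions already taken for "
                f"{alert.asset_class.value} this window; analyst must confirm",
            )
        self.actions_this_window[alert.asset_class] = used + 1
        return Decision(
            alert.host, "quarantine_reimage",
            f"confidence {alert.confidence:.2f} >= threshold {threshold:.2f}",
        )


def run_playbook(alerts: List[Alert],
                 policy: Optional[RemediationPolicy] = None) -> List[Decision]:
    """Apply the policy to alerts in arrival order and return the decisions."""
    policy = policy or RemediationPolicy()
    return [policy.decide(alert) for alert in alerts]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions by action, e.g. for a dashboard or a unit test."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample: a burst of seven high-confidence workstation alerts
# (the false-positive storm scenario), one borderline workstation, and two
# production hosts on either side of the lower production threshold.
SAMPLE_ALERTS: List[Alert] = (
    [Alert(f"ws-{i:02d}", AssetClass.WORKSTATION, 0.97) for i in range(1, 8)]
    + [
        Alert("ws-08", AssetClass.WORKSTATION, 0.80),
        Alert("prod-db-01", AssetClass.PRODUCTION, 0.35),
        Alert("prod-web-02", AssetClass.PRODUCTION, 0.20),
    ]
)


if __name__ == "__main__":
    decisions = run_playbook(SAMPLE_ALERTS)
    for d in decisions:
        print(f"{d.host:12} {d.action:20} {d.reason}")
    print(summarize(decisions))
```

Run on the constructed sample, the first five workstation alerts are quarantined automatically, the sixth and seventh are held for an analyst because the window cap is reached, the 0.80 workstation and the 0.20 production host are escalated, and the 0.35 production host is quarantined because production uses its own, lower threshold and its own counter. The cap is the piece that answers Woods's objection: the threshold alone decides whether one host is reimaged, the cap decides how many hosts automation may touch before a person has to agree.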

"Most security professionals are wary of enabling automated 'active' responses that could cause an interruption to the very services they're chartered to protect," said Mike Paquette, vice president of security products at Prelert, a security analytics company.

But many organizations are already using automation, such as automatically blocking network traffic to known bad sites, or sandboxing to detect and block malicious executables.

"I predict that we'll see accelerating adoption of automated incident response over the coming years, guided by the combination of machine learning and human expertise," he said.

That's where Hexadite comes in, said CEO Eran Barak, whose company has been training security analysts for many years.

That deep knowledge of the security analysis process allows the company to go beyond simple rules and indicators to a complex decision tree based on an extensive library of actions.

"What you do as a cyberanalyst, we do it automatically and faster," he said. "We close the loop in seconds instead of hours or days or months."

Barak said that his company has customers for whom it processes hundreds of alerts daily, and others with thousands of alerts. Hexadite also offers a semi-automated mode, in which the user controls the remediation process instead of the appliance triggering it automatically.

Automation has another benefit as well, said Paul Nguyen, CEO at CSG Invotas, another security automation vendor.

"Automation significantly reduces human error which is responsible for 52 percent of data breaches," he said.

Engage the enemy

Meanwhile, at IDT, Ben-Oni said that his security organization is now able to do more than simply react to incoming attacks -- and hope that nothing gets missed.

There is now time to do more, he said. "Maybe on the other side of this, the action side, or the attribution side, learning more about our adversary to better iterate or protect the organization going forward."

And that's just the start, he said.

"We can then enable our security operations center to take the next step, work on attribution and eliminating the source of the threat by working with law enforcement," he said. "And that's where we're going to go into the future."

Copyright © 2015 IDG Communications, Inc.
