Use of Hexadite to Accelerate Incident Resolution and Improve Security Operations

By ISBuzz Team, April 17, 2015. 8 min read.

IDT Corporation Uses Hexadite
When it comes to incident response (IR), enterprises end up wasting 80 percent of their resources because it takes much longer than it should to address attackers in their networks. This is because they’ve been trying to utilize people in ways that systems can automate instead of having them focus on the tasks that truly require human intelligence and interaction.

IDT Corporation’s IT environment is somewhat unique in that it’s at the nexus of three very highly targeted industries – telecom, energy and oil, and banking and finance. The responsibility always lands squarely on the security team to keep the organization up and running and the critical resources in our varied cloud and data center environments protected. The environment is made up of best-in-breed network, endpoint, systems, storage and database solutions. The problem was none of the systems worked together, so we had a fragmented view of what was going on. We had to use people in between all these systems.

When we would get an alert from any of our systems generating indicators of compromise (IOCs), it went to our live event stream and was loaded into our SIEM. Best case scenario, it would take 15 minutes for the SIEM to correlate everything it needed to generate an alert for the SOC. Then someone in the SOC had to see it and decide to act, which meant they had to pick up the phone and start calling the user or the network manager to get them to manually shut off the laptop or deal with the switch. If it all worked well, we could contain the infection in 30 minutes. The problem is attackers can get in and exfiltrate data in mere minutes.

Service level response times from leading managed security service providers (MSSPs) are two hours for a high-level threat targeting vulnerable assets; it only gets worse for other attacks, and the reality is most organizations don’t even see the problem until it gets out of hand.

Once an attack is contained, there is a list of steps needed to remediate it; it could be a couple days before a user might get their system back. We needed a faster way to figure it out and then do automatic remediation—a real-time system that could provide us access to real-time alerts.

There are several solutions we evaluated that automated portions of the incident response process. We had even built some of our own scripts and capabilities to get better visibility and response times, but we kept looking for something that could really help us address our issues. When I met with Hexadite, I didn’t have to explain our pain points; they just got it. Hexadite was able to go in right away, give us results and help solve our problems.

Hexadite AIRS can automatically investigate and contain attacks in seconds. It’s designed to handle multiple investigations and remediate large scale events impacting multiple systems in parallel. It provides out-of-the box incident response logic that implements industry best practices to ensure an organization can efficiently and effectively respond to an attack from day one. The solution is able to proactively collect and analyze data from the IT security infrastructure, endpoints, threat feeds, log repositories and more to provide the intelligence and response capabilities organizations need to confidently address the threats they are facing.

My team at IDT liked that the solution supported multiple platforms and was extremely lightweight, agile and simple to use. Unlike other solutions that need a client to be installed and managed on every endpoint, Hexadite doesn’t require the organization to download any agents.

Rolling out Hexadite is simple. For the implementation, all we had to do was create inclusion lists, grant access to our identity and access systems and tell Hexadite AIRS to do automatic investigations. Hexadite simply logs into a system when there is a problem, deposits itself to do its analysis and then deletes itself and goes away. We were able to go from 1000 systems to 3000 systems protected by Hexadite in one day.

We started doing automated investigations on alerts for the areas we were most concerned with, such as the workstation environment in our corporate offices in New Jersey. We quickly rolled it out across the U.S., then to Europe, the Middle East and Africa, and Central and South America.

We take the IOCs from a variety of sources and feed them into Hexadite, which is integrated with many systems throughout the network to improve overall analysis and efficiencies. When we know something bad has happened but are not sure what it is or have an incomplete alert, Hexadite will immediately launch an investigation and fill in the blanks of what just happened.

The solution is able to discover the critical information that is missing from most alerts, which we used to have to gather manually. Because Hexadite automatically goes out and looks at every threat, we immediately know what the threat level really is. We may start at 15 percent confidence, but after Hexadite looks and comes back to us, we know it is really much higher. Hexadite saves our people from having to do that work themselves.

Hexadite is also able to address those widespread, spray attacks that try to get a whole bunch of people. There is just no way for an individual to investigate and quickly contain hundreds or thousands of systems. Hexadite’s automation enables us to scale.

By immediately pulling in data directly from Splunk and all these components in seconds, Hexadite already eliminates the 15 minutes we used to have to wait for the SIEM to correlate alerts. Plus, by automating, we gain the 15-30 minutes that it takes someone to contain an infection.

The fact is, it takes people time to figure out what’s going on and make any necessary changes to try to contain an infection; it could be 4-5 hours that are saved through automation. That’s assuming that someone is there when an alert lands in the SOC. Humans are inconsistent in their knowledge, skills and time; they may or may not know where to look or what to do for a particular alert, which means there is a lot of room for error.

Hexadite saves us a lot of time with the ability to log in milliseconds after the alert to look for impropriety. Hexadite can automatically look for new files, search Windows event logs and make comparisons to other systems, threat feeds, etc. during the course of its investigation, work that done manually could run you eight hours.
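As an added illustration of the enrichment loop described above (the alert arrives with low confidence, the automation checks the indicator against threat feeds and event logs on other systems, and the confidence is corrected before anyone is called), here is example code written for this page; it is not Hexadite's or IDT's code. It takes an alert carrying a file hash, looks the hash up in a constructed threat feed, scans constructed Windows process-creation records (event ID 4688) for the same binary on other hosts, raises the confidence accordingly and returns a triage decision. The feed entries, log lines, hash, hostnames, scoring weights and thresholds are all assumptions made for the example.

```python
"""Automated alert enrichment and triage (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed threat feed: SHA-256 -> malware family label. The hash is a placeholder.
THREAT_FEED: Dict[str, str] = {
    "deadbeef" * 8: "Dropper.Generic",
}

# Constructed Windows Security log records, one per line, in a simple key=value form.
# Event 4688 is process creation; 4624 is a logon and is ignored by the search.
EVENT_LOG: List[str] = [
    "host=ws-nj-017 event=4688 user=jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe sha256=" + "deadbeef" * 8,
    "host=ws-nj-022 event=4688 user=asmith image=C:\\Users\\asmith\\AppData\\Local\\Temp\\update.exe sha256=" + "deadbeef" * 8,
    "host=ws-lon-004 event=4688 user=pwong image=C:\\Users\\pwong\\Downloads\\update.exe sha256=" + "deadbeef" * 8,
    "host=ws-nj-031 event=4688 user=svc_bk image=C:\\Windows\\System32\\notepad.exe sha256=" + "cafef00d" * 8,
    "host=ws-nj-017 event=4624 user=jdoe logon_type=2",
]


@dataclass
class Alert:
    host: str
    sha256: str
    image: str
    confidence: float  # initial estimate from the alerting system, 0..1


@dataclass
class Enrichment:
    feed_family: Optional[str]
    affected_hosts: List[str]
    confidence: float
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value' record (constructed format) into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def enrich(alert: Alert, feed: Dict[str, str], event_lines: List[str]) -> Enrichment:
    """Raise or keep the alert's confidence from feed hits and cross-host evidence."""
    reasons: List[str] = []
    confidence = alert.confidence

    # 1. Threat-feed lookup: a known-bad hash is strong evidence (assumed weight 0.6).
    family = feed.get(alert.sha256)
    if family:
        confidence += 0.6
        reasons.append(f"hash matches threat feed entry {family}")

    # 2. Cross-host comparison: which hosts executed the same binary (event 4688)?
    hosts = sorted({
        rec["host"]
        for rec in (parse_event(line) for line in event_lines)
        if rec.get("event") == "4688" and rec.get("sha256") == alert.sha256
    })
    others = [h for h in hosts if h != alert.host]
    if others:
        # Each additional host adds 0.05, capped at 0.2 (assumed weights).
        confidence += min(0.05 * len(others), 0.2)
        reasons.append(f"same binary executed on {len(others)} other host(s)")

    confidence = min(confidence, 1.0)
    return Enrichment(family, hosts or [alert.host], round(confidence, 2), reasons)


def triage(enrichment: Enrichment) -> str:
    """Map enriched confidence to an action (assumed thresholds)."""
    if enrichment.confidence >= 0.8:
        return "contain"      # isolate every affected host automatically
    if enrichment.confidence >= 0.5:
        return "escalate"     # hand to an analyst with the gathered evidence
    return "monitor"          # keep watching, no human time spent


def run_demo() -> str:
    alert = Alert("ws-nj-017", "deadbeef" * 8,
                  "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", 0.15)
    result = enrich(alert, THREAT_FEED, EVENT_LOG)
    decision = triage(result)
    print(f"confidence {alert.confidence:.2f} -> {result.confidence:.2f}; "
          f"hosts={result.affected_hosts}; decision={decision}")
    for reason in result.reasons:
        print("  -", reason)
    return decision


if __name__ == "__main__":
    run_demo()
```

The alert starts at the 15 percent confidence the article mentions; the feed match and the two additional hosts running the same binary lift it to 0.85, and all three hosts come back in one list, which is the scale problem a person cannot cover by hand. An unknown hash seen on a single host stays at its original confidence and is left to monitoring, so the automation does not isolate machines on weak evidence.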

Hexadite helps us get consistent coverage, which is absolutely essential and enables us to deliver across the entire organization, rather than just the parts that are most critical.

The threat landscape is evolving, and Hexadite is able to adapt and translate requirements into iterative enhancements. The combination of people and technology at Hexadite is really something special. The automation they enable frees up resources, so that our people can work on the kinds of problems that really need people.

By Golan Ben-Oni, CSO and SVP of network architecture, IDT Corporation

Bio: Golan Ben-Oni is Chief Security Officer (CSO) and SVP of Architecture for IDT Corporation. Golan oversees IDT’s Security and Architecture Program in its three vertical markets, Telecom, Finance and Energy, where he is responsible for Security (Law Enforcement and Investigations, Security Operations, Legal and Compliance), Architecture and Networking (Hybrid Cloud and Software Defined Data Center, Big Data and Analytics), Research and Development (Software Defined Security and SDN), and provides executive leadership for startup security vendors. Golan also heads IDT’s Computer Security and Networking College in Newark, NJ, in order to create the next generation of security engineers to meet the need of our current and future security challenges.

About IDT Corporation

IDT Corporation (IDT) is a multinational holding company with operations primarily in the telecommunications and payments industries. The Company has three reportable business segments: Telecom Platform Services, Consumer Phone Services, and Zedge Holdings, Inc. (Zedge). Telecom Platform Services provides retail telecommunications and payment offerings as well as wholesale international long distance traffic termination. Consumer Phone Services provides consumer local and long distance services in certain United States. Telecom Platform Services and Consumer Phone Services comprise the Company’s IDT Telecom division. Zedge owns and operates an online platform for mobile phone consumers interested in obtaining free games, apps and mobile phone customization including ringtones, wallpapers and notification sounds. All other businesses of the Company include real estate holdings and other, smaller businesses.
