The focus behind Hexadite’s security automation and orchestration (SAO) system is to tackle the security “alert fatigue.” It’s software designed to fully automate the investigation and remediation tasks typically handled by Tier 1 and Tier 2 security analysts.
And it goes against the tide of products aiming to prioritize alerts, thus reducing the number of alerts to investigate. It takes an “investigate everything” approach.
In training security analysts around the world, the founders realized that analysts spend 75 to 80 percent of their time responding to commodity malware, taking actions that could quickly be handled with an automated system, CEO Eran Barak told BetaNews.
Rival SAO startup Phantom likes to point to a Cisco report that found the average enterprise uses 56 different security tools.
“You have all this gear. It doesn’t interoperate. It’s throwing off tons of alerts. The team you have can’t keep up with it. With the shortage of security talent, can’t even hire enough people to deal with this. Automation is really the only way to approach it,” CP Morey, Phantom’s vice president of products and marketing, told The New Stack previously.
Hexadite maintains that a single analyst can investigate roughly 10 alerts per day manually, yet the security information and event management (SIEM) software and other security tools companies use are sending out alerts in the hundreds or even thousands per day.
Its demo video shows a client dashboard with time to remediation of 1 minute, 19 seconds. The company also likes to stress ROI on its dashboards, showing the number of analyst hours and estimated dollars saved.
Monitoring processes end-to-end to ensure all incidents are addressed was the top incident response issue in a survey from Enterprise Strategy Group, followed closely by the difficulty in keeping up with external threat intelligence and keeping up with the volume of alerts.
Citing soaring remediation costs, impact on customers and reputational damage from data breaches, Forrester Research has issued a call to action for developing more automated threat response processes.
Eran Barak, Idan Levin and Barak Klinghofer, all former incident response analysts with Israeli military intelligence, formed Hexadite in 2014. The company has its headquarters in Boston and engineering in Tel Aviv. They launched Hexadite Automated Incident Response Solution (AIRS) in March 2015.
AIRS integrates and communicates bidirectionally with more than 90 existing security tools. It uses artificial intelligence, the codification of best practices to investigate alerts and determine the best course of remediation. AIRS runs through 1,000 or more entity checks and decision points in the course of a typical 6-10 minute automated investigation and remediation cycle, according to 451 Research.
Clients can build their own playbooks, using their own business logic, and customize AIRS through a drag-and-drop interface. Rather than a strict if/then decision tree model, it tries to simulate human analysts and respond dynamically. It uses traditional rules and identifiers for alert correlation and can start new investigations dynamically based on findings.
Hexadite delivers the solution as a virtual appliance and provides cloud-based sandboxing and threat intelligence. It can perform tasks in parallel, increasing speed, and learns over time based on the investigations performed.
SAO tools enable incident response pros to automate processes without being skilled coders — coding skills being in high demand and short supply among security pros, a Forrester report noted. In an interesting aside, Texas A&M University reports the Vectra cybersecurity platform allows it to use security students for Tier 1 tasks.
Tier 1 analysts typically perform triage, for example, with a mailbox where suspected phishing attempts are reported. They decide whether it’s something requiring investigation, according to Nathan Burke, vice president of marketing at Hexadite. Tier 2 analysts perform investigations at endpoints, the network and elsewhere. Yet much of that work is routine. Automating those tasks frees analysts for higher-level work to thwart more sophisticated attacks, he said.
Even if the system encounters something unknown, it would know what to do next, Burke said. Finding something totally new is rare.
“The way we look at is: What would you do as a Tier 1 or Tier 2 analyst in an ideal scenario? We apply that at machine speed and with the rigor that a human wouldn’t have time to do. If they saw something [unknown], they’d detonate it in a sandbox, watch it and try to understand its behavior, then say, ‘Oh, I know what that is,’” he said.
Ready for Full Automation?
Of the company’s stance against prioritization, he calls that just a conscious decision about what you’re willing to ignore.
“You buy all these detection systems, then say, ‘I’m going to mash this down to match my capacity because there’s no way we can investigate everything.’ But with automation, you can do this with at machine speed, you can investigate everything,” he said.
Competitors in this space typically are focused on providing better information to analysts and/or improving workflow among analysts — pointing, in particular, Demisto’s use of a chatbot — rather than taking routine work off human analysts’ hands, Burke said.
Most SAO vendors launched in 2014 or later and have not gained widespread market acceptance, Forrester notes in a comparison of Hexadite, Demisto, Phantom, Swimlane and CyberSponse. It foresees likely buyouts of these and similar companies by larger vendors.
Burke concedes it’s been a tough sell, but by starting with semi-automation, in which analyst approval is required for the suggested actions, clients learn to trust the system. Even in full automation, it produces logs of every action. He says all its clients now use full automation for their endpoints — some with more than 500,000 endpoints — but prefer semi-automation on production servers.
In December, Hexadite launched the Automated Security Alliance Program (ASAP) to improve integration among vendors and advance security automation. Initial members included Carbon Black, Check Point Software, CrowdStrike, Cybereason, Cylance, Exabeam, HPE, Palo Alto Networks, and Securonix