Automated Incident Response: Must-Have Technology

By Golan Ben-Oni

It is not unusual for an organization to log thousands of new security events every day. Given all that noise, it is easy to understand how an attack can go undetected until it is too late. Security operations centers (SOCs) and cyber-incident response teams (CIRTs) are simply overwhelmed and, frankly, ill-equipped to handle the volume of threat activity they face.

This is primarily because investigating and responding to any one of these events consists of many labor-intensive steps (collecting information, creating trouble tickets, sending emails, generating reports, etc.) that can consume as much as 80 percent of your resources. As a result, it takes much longer than it should to find and evict attackers in your network.

To increase the effectiveness of your SOC, you need solutions that do much of the heavy lifting for you by automating event investigation and remediation, so your team can focus on the work that requires human judgment and interaction. That is the conclusion we came to at IDT, and it eventually led us to work with Hexadite.

Its automated response tools let us quickly determine whether an alert is benign or a real threat and, if it is real, respond to contain it. The software automatically investigates each alert and fills in the picture of what is happening, which saves our people from having to collect and analyze the data themselves. Even more important, it does this in seconds rather than hours.

It takes staff a lot of time to figure out what an alert means and to make the changes needed to contain any infection, and that assumes someone is there when the alert lands in the SOC. The reality is that humans are inconsistent, not only in their knowledge and skills, but also in the amount of time they can devote to any one issue.

When an alert arrives, an analyst may only be able to look at it at a cursory level, or may not know where to start or what to do with it. That leaves a lot of room for error, which can be costly when dealing with sophisticated cyber-attacks.

The analyst needs to quickly figure out what is going on and how to contain the immediate threat, but that can take hours. When endpoints are involved, the analyst may need to coordinate with the help desk, launch a remote session, talk to the user of the affected device, and look around to figure out what the attack has touched and done. Yet these efforts may turn up nothing if the attacker is skilled or the analyst does not know exactly what to look for in that specific situation.

Responding to All the Variables

Hexadite helps us respond to all the variables associated with an investigation, while saving us a lot of time. The system can log into an affected system milliseconds after an alert is generated to look for signs of compromise. No agents need to be installed; the system is self-contained. We simply define which systems need to be protected, and the software automatically logs into the system that raised the alert and performs the analysis.

The system automatically looks for newly created files, searches the Windows event logs, and compares what it finds against other systems, threat feeds, and similar sources. When the investigation is complete, it disconnects, leaving no trace on the system. In a best-case scenario, it could take your team eight hours to do that manually; Hexadite handles it in seconds or minutes.
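The investigation steps just described (connect to the suspect host without installing anything, list newly created files, search the Windows event logs, compare against a threat feed and against the other hosts, then contain) map onto a short agentless triage script. The following is an added example written for this page, not Hexadite's code or any IDT tooling, and it uses WinRM remoting as the agentless transport. The host names `ws-0142` and `ws-0143`, the responder address `10.0.0.5`, and the `$IocHashes` list are hypothetical, constructed sample values:

```powershell
<#
 Added example (not Hexadite's code): agentless triage of suspect Windows hosts over WinRM.
 Assumptions (hypothetical): the hosts in -ComputerName accept WinRM from the responder with
 local-admin credentials, $IrHost is the responder's jump host, and $IocHashes is a
 constructed sample threat feed rather than a real one.
#>
param(
    [string[]]$ComputerName = @('ws-0142', 'ws-0143'),   # hypothetical host names
    [string]$IrHost = '10.0.0.5',                         # hypothetical IR jump host
    [int]$LookbackHours = 24,
    [switch]$Contain
)

# Constructed sample feed: SHA-256 hashes a threat feed has flagged as malicious.
$IocHashes = @(
    'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'
)

# Runs on the remote host inside the WinRM session; nothing stays installed when it returns.
$Triage = {
    param([int]$LookbackHours, [string[]]$IocHashes)
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Step 1: executables written recently into the usual drop locations, hashed for the feed lookup.
    $dropPaths = @("$env:SystemRoot\Temp", "$env:ProgramData",
                   'C:\Users\*\AppData\Local\Temp', 'C:\Users\*\AppData\Roaming')
    $newFiles = Get-ChildItem -Path $dropPaths -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -and
                       $_.Extension -in '.exe', '.dll', '.ps1', '.vbs', '.js', '.scr', '.bat' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Sha256  = $hash
                IocHit  = [bool]($hash -and $IocHashes -contains $hash)
            }
        }

    # Step 2: Windows event logs. 4688 = process creation (Security), 7045 = new service (System).
    # Property indices follow the standard event templates; 4688 needs process-creation auditing enabled.
    $procs = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                 LogName = 'Security'; Id = 4688; StartTime = $since } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Image = $_.Properties[5].Value } } |
        Where-Object { $_.Image -match '\\(Temp|AppData|ProgramData)\\' }

    $services = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'System'; Id = 7045; StartTime = $since } |
        ForEach-Object { [pscustomobject]@{ Time    = $_.TimeCreated
                                            Service = $_.Properties[0].Value
                                            Image   = $_.Properties[1].Value } }

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        NewFiles     = @($newFiles)
        IocHits      = @($newFiles | Where-Object IocHit)
        SuspectProcs = @($procs)
        NewServices  = @($services)
    }
}

# Fan out to every host in parallel: one run covers a whole phishing wave, not a single endpoint.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $Triage `
               -ArgumentList $LookbackHours, $IocHashes -ErrorAction Continue

# Step 3: compare hosts with each other. A new executable that appears on several hosts in one
# day is either a legitimate deployment or the payload everyone clicked on.
$results | ForEach-Object { $_.NewFiles } | Group-Object Sha256 |
    Where-Object { $_.Count -gt 1 -and $_.Name } |
    ForEach-Object { Write-Host "Hash $($_.Name) seen on $($_.Count) hosts" }

# Step 4: contain hosts with feed hits or newly installed services, keeping the responder reachable.
$toContain = $results | Where-Object { $_.IocHits.Count -gt 0 -or $_.NewServices.Count -gt 0 }
foreach ($r in $toContain) {
    Write-Host "$($r.Host): $($r.IocHits.Count) IOC hit(s), $($r.NewServices.Count) new service(s)"
    if ($Contain) {
        Invoke-Command -ComputerName $r.Host -ArgumentList $IrHost -ScriptBlock {
            param($IrHost)
            # Allow the responder first, then flip the default outbound policy to block,
            # so the WinRM session used for this very command survives the change.
            New-NetFirewallRule -DisplayName 'IR-Allow-Responder' -Direction Outbound `
                -Action Allow -RemoteAddress $IrHost | Out-Null
            Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
        }
    }
}

$results | Select-Object Host, @{n='NewFiles';e={$_.NewFiles.Count}},
    @{n='IocHits';e={$_.IocHits.Count}}, @{n='NewServices';e={$_.NewServices.Count}} | Format-Table
```

Run it from the responder's workstation as `.\triage.ps1 -ComputerName (Get-Content hosts.txt)`; add `-Contain` only once the hits have been reviewed, because the firewall change cuts the user off from everything except the responder and has to be reverted (or the host reimaged) afterwards. Two caveats a practitioner will hit: the 4688 search returns nothing unless process-creation auditing is enabled in the audit policy, and a file-hash feed only catches payloads it already knows, so the cross-host comparison in Step 3 is what surfaces a fresh spray campaign.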

Once an attack is identified and contained, much work remains to remediate it. You need to forensically image the system, enrich the available data with external sources, perform malware analysis and threat analytics, and so on. This can take an administrator several hours or longer. You also have to reimage the endpoint to clean it, which means it can be a couple of days before users get their systems back.

Hexadite can automate this remediation process, which gets our users up and running quickly. It also lets us deal with widespread spray attacks that try to infect many people at once.

For example, an attacker may send a phishing email to hundreds of people in an organization to see who will bite. No individual security analyst can investigate and quickly contain hundreds or thousands of systems, but this software's automation lets us do exactly that and scale protection to the entire organization.

The software gives us consistent coverage, which is absolutely essential. It lets us automate and streamline our incident response and close the gap between identifying an attack and remediating it. This is the true power of automation, and it explains why the software has become a necessity in our security arsenal.

Golan Ben-Oni is the chief security officer and senior vice president of network architecture at IDT, a provider of telecommunication, entertainment and financial services.