A major challenge for IT professionals is dealing with the vast number of alerts that stem from modern antivirus and antimalware software, firewalls and security appliances.
The advantage of these products is that they’re very good at finding and reporting suspicious activity, but they also generate a lot of false positives. In fact, the alerts generated by false positives far exceed the alerts generated by actual malicious activity.
The relatively high number of alerts that aren’t related to malicious actions can be so overwhelming that legitimate alerts go unnoticed. This alert fatigue will actually make it easier for attackers to break into a network because the IT staff doesn't notice the intrusion among all of the noise.
This is what happened in the Target breach in the fall of 2013 when Target’s security monitoring system produced an alert when the company’s networked point of sale systems were attacked, but the alert wasn’t noticed by the IT staff.
The way many companies deal with the false positives is to reduce the reporting levels so that only the most serious alerts get attention. The problem with this is that many of the worst breaches start out slowly, specifically to avoid such alerts. But if every alert could be investigated, then the breach would be found before the damage was done.
The intention of Hexadite’s software is to investigate every breach, and to automatically handle them where possible. This is why Microsoft decided to acquire the company.
Hexadite receives alerts from other security hardware and software and combines them with data it has accumulated on its own, security data accessible through the cloud, and network resources such as Active Directory to find out what actions suspected malware is taking. It can also autonomously stop those actions.
An example of how this works was provided by the company’s YouTube video in which the Hexadite software detected and stopped a ransomware attack. The actions of the ransomware were first detected by FireEye when it attempted to communicate with its command and control server.
Hexadite received the alert, determined which endpoint had the malware and then stopped the file encryption procedure in its tracks. Finally, Hexadite finished the job of cleaning up the computer and made sure that the malware was quarantined.
Hexadite’s software performs similar functions with other types of malware or other intrusion attempts. Had it been available in 2013, Hexadite might have prevented the Target breach.
The key to Hexadite's success, along with that of other systems that scan the output of security devices, is that they must scan the entire output. That means they use automated processes to look at every alert, no matter how trivial, and decide whether it’s a real security risk. If the threat looks real, the software takes action.
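The contrast the article draws, between raising the severity threshold so that only the loudest alerts are seen and automatically triaging every alert with context from the directory and from other alerts on the same host, can be shown in a small script. The following is an added, illustrative example, not Hexadite's or Microsoft's code; the alerts, the asset inventory, the scoring weights and the verdict thresholds are all constructed for the demonstration, and the "beacon then mass file rename" pattern stands in for the ransomware sequence described above.

```python
"""Added example: threshold filtering versus investigate-every-alert triage.
Illustrative code only; all alerts, hosts and weights below are constructed."""

# Constructed sample alerts as a SIEM might export them: source product,
# severity on a 1-10 scale, host, and the observed behaviour.
SAMPLE_ALERTS = [
    {"id": 1, "source": "av", "severity": 2, "host": "ws-101", "event": "blocked_tracking_cookie"},
    {"id": 2, "source": "firewall", "severity": 3, "host": "pos-07", "event": "outbound_dns_to_new_domain"},
    {"id": 3, "source": "edr", "severity": 3, "host": "pos-07", "event": "mass_file_rename"},
    {"id": 4, "source": "av", "severity": 9, "host": "ws-233", "event": "known_malware_signature"},
    {"id": 5, "source": "firewall", "severity": 2, "host": "ws-101", "event": "outbound_dns_to_new_domain"},
]

# Constructed asset context standing in for the directory/inventory data
# (for example Active Directory) that such tools consult during enrichment.
ASSET_CONTEXT = {
    "ws-101": {"role": "workstation", "owner": "hr"},
    "pos-07": {"role": "point_of_sale", "owner": "retail"},
    "ws-233": {"role": "workstation", "owner": "finance"},
}

# Roles where a compromise is treated as higher impact (assumed policy).
CRITICAL_ROLES = {"point_of_sale", "domain_controller"}

# Two individually low-severity behaviours that together describe a
# ransomware-style sequence: a beacon to a new domain, then bulk file changes.
SUSPICIOUS_COMBO = {"outbound_dns_to_new_domain", "mass_file_rename"}


def threshold_filter(alerts, min_severity=7):
    """The 'raise the bar' approach: only alerts at or above min_severity
    reach an analyst. Returns the ids of the alerts that survive."""
    return [a["id"] for a in alerts if a["severity"] >= min_severity]


def triage_all(alerts):
    """Investigate every alert: group by host, enrich with asset context,
    correlate behaviours, and decide an action per host.
    Returns {host: (verdict, [reasons])}."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)

    decisions = {}
    for host, host_alerts in by_host.items():
        events = {a["event"] for a in host_alerts}
        score = max(a["severity"] for a in host_alerts)  # start from the worst single alert
        ctx = ASSET_CONTEXT.get(host, {"role": "unknown", "owner": "unknown"})
        reasons = []

        # Correlation: the low-and-slow pattern that no single alert would flag.
        if SUSPICIOUS_COMBO <= events:
            score += 5
            reasons.append("beacon followed by mass file rename")
        # Enrichment: the same behaviour matters more on a critical asset.
        if ctx["role"] in CRITICAL_ROLES:
            score += 2
            reasons.append(f"critical asset role {ctx['role']}")
        if "known_malware_signature" in events:
            reasons.append("known malware signature")

        # Constructed decision bands: automatic containment, human review, or close.
        if score >= 8:
            verdict = "isolate_host"
        elif score >= 5:
            verdict = "escalate_to_analyst"
        else:
            verdict = "close_as_benign"
        decisions[host] = (verdict, reasons)
    return decisions


if __name__ == "__main__":
    print("threshold filter surfaces alert ids:", threshold_filter(SAMPLE_ALERTS))
    for host, (verdict, reasons) in triage_all(SAMPLE_ALERTS).items():
        print(f"{host}: {verdict} {reasons}")
```

With the constructed data, the threshold filter surfaces only the high-severity signature hit on ws-233 and never sees pos-07, whose two severity-3 alerts are exactly the slow-starting pattern the article warns about; the per-host triage isolates both hosts and closes the harmless workstation noise on ws-101 without an analyst touching it.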