A major challenge for IT professionals is dealing with the vast number of alerts that stem from modern antivirus and antimalware software, firewalls and security appliances.
The advantage of these products is that they’re very good at finding and reporting suspicious activity, but they also generate a lot of false positives. In fact, the alerts generated by false positives far exceed the alerts generated by actual malicious activity.
The relatively high number of alerts that aren’t related to malicious actions can be so overwhelming that legitimate alerts go unnoticed. This alert fatigue will actually make it easier for attackers to break into a network because the IT staff doesn’t notice the intrusion among all of the noise.
This is what happened in the Target breach in the fall of 2013: Target’s security monitoring system produced an alert when the company’s networked point-of-sale systems were attacked, but the IT staff didn’t act on it.
The way many companies deal with the false positives is to raise the reporting threshold so that only the most serious alerts get attention. The problem with this is that many of the worst breaches start out slowly and quietly, specifically so that the early activity stays below such thresholds. If every alert could be investigated, the breach could be found before the damage was done.
The intention of Hexadite’s software is to investigate every alert, and to handle the resulting incidents automatically where possible. This is why Microsoft decided to acquire the company.
Hexadite receives alerts from other security hardware and software, then combines them with data it has accumulated on its own, security data accessible through the cloud, and context from network resources such as Active Directory to find out what actions the suspected malware is taking. It can also autonomously stop those actions.
An example of how this works was provided by the company’s YouTube video in which the Hexadite software detected and stopped a ransomware attack. The actions of the ransomware were first detected by FireEye when it attempted to communicate with its command and control server.
Hexadite received the alert, determined which endpoint had the malware and then stopped the file encryption procedure in its tracks. Finally, Hexadite finished the job of cleaning up the computer and made sure that the malware was quarantined.
Hexadite’s software performs similar functions against other types of malware and other intrusion attempts. Had it been available in 2013, Hexadite might have prevented the Target breach.
The key to Hexadite’s success, and to that of other systems that consume the output of security devices, is that they must process the entire output. That means they use automated processes to look at every alert, no matter how trivial it appears, and decide whether it represents a real security risk. If the threat looks real, the software takes action.
Hexadite follows specific procedures to investigate potential risks, using artificial intelligence and machine learning to decide what’s normal for a particular network and what constitutes a threat.
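The difference between raising the reporting threshold and triaging every alert can be shown in code. The following is an added illustration, not Hexadite’s or Microsoft’s code: a small triage routine that normalizes alerts from several constructed sources, correlates them per host over a time window, enriches the result with a hypothetical directory lookup (`ASSET_CONTEXT`), and returns a verdict with the containment steps it would take. The alert records, host names, IP addresses (RFC 5737 documentation ranges) and rule names are all made up for the example; the ransomware chain it looks for (outbound beacon followed by bulk file renames) mirrors the scenario described above.

```python
"""Alert triage that looks at every alert, correlates per host, and decides.

Added example only; not Hexadite's or Microsoft's code. Alerts, asset context
and action names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed alerts as a normalizing pipeline might receive them from a web
# proxy, a firewall, an EDR agent and desktop AV. "outcome" records whether
# the reporting control already stopped the activity or merely observed it.
SAMPLE_ALERTS = [
    {"ts": "2017-06-08T10:00:05", "source": "proxy", "severity": "low", "host": "WS-0412",
     "type": "dns_newly_seen_domain", "outcome": "observed"},
    {"ts": "2017-06-08T10:00:09", "source": "ngfw", "severity": "low", "host": "WS-0412",
     "type": "outbound_c2_beacon", "outcome": "allowed"},      # tcp/443 to 203.0.113.45
    {"ts": "2017-06-08T10:01:30", "source": "edr", "severity": "medium", "host": "WS-0412",
     "type": "mass_file_rename", "outcome": "observed"},        # 412 files -> *.locked
    {"ts": "2017-06-08T10:02:00", "source": "av", "severity": "low", "host": "WS-0199",
     "type": "pua_detected", "outcome": "quarantined"},
    {"ts": "2017-06-08T10:03:00", "source": "ngfw", "severity": "high", "host": "SRV-FS01",
     "type": "port_scan_inbound", "outcome": "blocked"},        # from 198.51.100.7
]

# Hypothetical asset/identity context standing in for a directory (AD) lookup.
ASSET_CONTEXT = {
    "WS-0412": {"role": "workstation", "ou": "Finance"},
    "WS-0199": {"role": "workstation", "ou": "Marketing"},
    "SRV-FS01": {"role": "file_server", "ou": "Servers"},
}

# Stage-ordered chain: an endpoint beacons out, then starts renaming files in bulk.
RANSOMWARE_CHAIN = ("outbound_c2_beacon", "mass_file_rename")
HANDLED_OUTCOMES = {"blocked", "quarantined"}


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def _ordered_subsequence(seq, chain):
    """True if every element of `chain` occurs in `seq`, in chain order."""
    pos = 0
    for item in seq:
        if item == chain[pos]:
            pos += 1
            if pos == len(chain):
                return True
    return False


def filter_by_severity(alerts, minimum):
    """The 'turn down the reporting level' approach: keep only alerts at or
    above `minimum`. Everything else is never seen by a human."""
    floor = SEVERITY_RANK[minimum]
    return [a for a in alerts if SEVERITY_RANK[a["severity"]] >= floor]


def triage(alerts, window=timedelta(minutes=10)):
    """Examine every alert regardless of severity, group by host, and return
    {host: {"verdict": contain|investigate|auto_close, "priority", "actions"}}."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=_ts):
        by_host[a["host"]].append(a)

    verdicts = {}
    for host, hs in by_host.items():
        ctx = ASSET_CONTEXT.get(host, {"role": "unknown", "ou": "unknown"})
        types_in_order = [a["type"] for a in hs]
        in_window = (_ts(hs[-1]) - _ts(hs[0])) <= window
        # Servers get a higher priority than workstations for the same chain.
        priority = "critical" if ctx["role"].endswith("server") else "high"

        if in_window and _ordered_subsequence(types_in_order, RANSOMWARE_CHAIN):
            # Two individually low/medium alerts form a high-confidence chain.
            verdicts[host] = {"verdict": "contain", "priority": priority, "asset": ctx,
                              "actions": ["isolate_host", "kill_process_tree",
                                          "quarantine_artifacts", "collect_triage_image"]}
        elif "outbound_c2_beacon" in types_in_order:
            verdicts[host] = {"verdict": "investigate", "priority": priority, "asset": ctx,
                              "actions": ["block_destination", "pull_process_list"]}
        elif all(a["outcome"] in HANDLED_OUTCOMES for a in hs):
            # The reporting control already stopped it; record and close.
            verdicts[host] = {"verdict": "auto_close", "priority": "low", "asset": ctx,
                              "actions": ["annotate_and_close"]}
        else:
            verdicts[host] = {"verdict": "investigate", "priority": "medium", "asset": ctx,
                              "actions": ["queue_for_analyst"]}
    return verdicts


if __name__ == "__main__":
    kept = filter_by_severity(SAMPLE_ALERTS, "high")
    print("severity>=high keeps:", [(a["host"], a["type"]) for a in kept])
    for host, v in triage(SAMPLE_ALERTS).items():
        print(host, v["verdict"], v["priority"], v["actions"])
```

Running it shows the failure mode the article describes: a threshold of “high” keeps only the already-blocked port scan against the file server and never surfaces WS-0412, whose two low- and medium-severity alerts only look like ransomware once they are correlated in order on the same host. Shrinking the correlation window below the 85 seconds between the beacon and the renames downgrades that host to “investigate”, which is the practical trade-off when tuning such rules.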
Because Hexadite uses information provided by other security systems, it is meant to be deployed in an enterprise where those devices already exist. However, it won’t be offered as a stand-alone service. Instead, Microsoft intends to fold the Hexadite technology into its existing enterprise security product, Windows Defender Advanced Threat Protection (WDATP).
WDATP is a cloud-based security suite that Microsoft sells to enterprise users. The addition of Hexadite’s Automated Incident Response System to WDATP would significantly enhance the effectiveness of Microsoft’s product.
A Microsoft spokesperson briefly explained the company’s plans. “Hexadite develops agentless, automatic incident investigation and remediation solutions that increase productivity of security resources,” the spokesperson said to eWEEK in an email. “This acquisition will build on the work we’re already doing to make Windows 10 the most secure Windows ever. Hexadite’s technology and talent will enhance our existing capabilities and strengthen our ability to add new tools and services to Microsoft’s robust security offerings,” the email statement said.
By acquiring Hexadite, Microsoft is attempting to deal with an unfortunate fact in today’s enterprise: the reluctance of some companies to expend the resources needed to make their networks more secure. Coupled with the significant shortage of employees who have the skills to detect, investigate and remediate cyber-attacks, this means that some form of automation is essential.
However, integrating Hexadite into WDATP isn’t enough by itself. Even when it works quickly, Hexadite takes a minute or so before it can halt the malicious activity. Ransomware can encrypt a lot of files in a minute or two.
Malware can take a variety of actions and Hexadite can stop them, but there’s always a slight delay. What this means is that you will still need security applications that can handle such attacks instantly.
Good examples of the faster-acting software you’ll still need to consider include Cybereason’s Total Endpoint Protection and Malwarebytes’ anti-malware software. Tools like these can kill the malware on the endpoint immediately, giving Hexadite time to finish the job.
When fighting malware or other cyber-attacks, a successful defense is measured in seconds. Products that can perform investigations and remediation quickly will play a critical role in keeping your network safe.
But in situations when even a minute is too long, you need protection at multiple levels. Hexadite’s software clearly fills an important need, but only when it works in concert with other security defenses.