
Table of Contents

Introduction (p. iii)
  The Vanishing Perimeter (p. iii)
  New Generations of Attackers (p. iii)
  The Manpower Shortage (p. iv)
Chapter 1: The Role of the Security Operations Center (p. 1)
  What is a SOC? (p. 1)
  Should Your Organization have a SOC? (p. 2)
  You don't have to do it alone (p. 2)
Chapter 2: Requirements and Challenges in the SOC (p. 3)
  The Landscape: Dealing with the Cyber Talent Shortage (p. 3)
  The Landscape: The Quest for Visibility (p. 5)
Chapter 3: Integrated Detection and Automated Response (p. 6)
  Continuous Response (p. 7)
  Endpoint Detection (p. 8)
  Threat Intelligence (p. 8)
Chapter 4: The HawkEye G and HSOC Solution (p. 9)
  Defend Yourself (p. 9)
  Getting the Most from Your Installed Security Infrastructure (p. 9)
  Managed Service (p. 10)
About Hexis Cyber Solutions (p. 11)


INTRODUCTION

The State of Cybersecurity

The stakes in cybersecurity have never been higher, with more data, money and jobs at risk from online attack than ever before.

Exact figures are difficult to determine, but one recent study by Kaspersky Lab puts the average cost for a security breach at well over $500,000 for large enterprises, and more than $45,000 for small and medium sized businesses. This is money that organizations can ill-afford, and is only the tip of the iceberg. These figures do not include intangible costs such as damage to brand reputation, loss of confidence, or the long-term impact on customers and citizens from the theft of personally identifiable information (PII) and the risk of identity theft and financial fraud.

And a data breach can be a career-ending event for executives. Consider Amy Pascal, former Sony co-chair, and former director of the U.S. Office of Personnel Management Katherine Archuleta, to name only two.

As the stakes of cybersecurity increase, the odds are increasingly against organizations that do not have experienced analysts manning a security operations center (SOC) to provide around-the-clock threat detection and response.

This growing risk comes from the convergence of several significant trends in the cyberthreat landscape.

The Vanishing Perimeter

The proliferation of mobile computing and the growth of broadband access for home-based devices has created an expectation by customers, citizens and workers of access to online resources from any device, from any place, at any time. The increasing growth of mobile access has blurred, if not obliterated, the perimeter that once was the primary line of defense for the enterprise. Rather than depending on static perimeter defenses, organizations must address the security of geographically dispersed endpoints that are out of their immediate control and the unmanaged networks over which they are connecting.

There is also a growing volume of data—much of it sensitive—being held by organizations of all kinds. The expectation that all services will be available online, coupled with the desire of organizations to gather and leverage consumer data from online activities, has made data centers high-value targets within all organizations. Multinational companies and large defense contractors have always been attractive targets for online attackers, but the movement of almost all business online has put even small organizations into the sights of increasingly sophisticated attackers.

New Generations of Attackers

The volume of online attacks is hard to measure. Federal agencies are required to report security incidents to the U.S. Computer Emergency Readiness Team, however, and the number of incidents reported increased from 5,503 in fiscal 2006 to 67,168 in fiscal 2014, a jump of more than 1,000 percent.

To be fair, some of this increase is the result of better monitoring of IT systems. But there is no denying that attacks are increasing and becoming more sophisticated with each day. In addition to recycled attacks exploiting well-known vulnerabilities, enterprises of all sizes must be ready to defend themselves against Advanced Persistent Threats.

Adversaries have evolved from individual hackers to organized criminal gangs taking advantage of a burgeoning underground market where criminal services and information are bought, sold and bartered. More alarming is the emergence of nation states as players in this arena, fielding highly-motivated, well-resourced teams of hackers and cyber warriors. Some nations, such as China, make little distinction between military, political and economic espionage, putting both public and private sector networks at risk.

Although well-known attacks and exploits continue to be used, there is an inexorable trend toward more sophisticated, stealthy and multi-stage attacks that often leverage zero-day vulnerabilities. Increasingly global supply chains allow attackers to exploit a compromise in one organization to attack a trusted partner. This means that an organization must ensure not only the security of its own enterprise, but of all of its partners and suppliers.

The Manpower Shortage

Staffing is essential to success in any mission; recruiting, training and retaining skilled personnel is always a challenge. But the challenge in cybersecurity is amplified by the fact that there are not enough trained professionals to meet the need.

As organizations realize that cybersecurity is a people problem, as well as a technology problem, competition for talent is increasing. Unfortunately, professional security practitioners are not being created fast enough to keep up with the growing demand. Experienced analysts—those who can sift the grain from the chaff in the SOC and turn data into actionable intelligence—are in even shorter supply. Efforts are being made to get more people into the cybersecurity manpower pipeline, but this takes years to produce results and even more time is required for workers to gain the experience needed to become real security professionals.

One response to this challenge is to automate threat detection, verification and response as much as possible, freeing humans to analyze, understand and anticipate threats. Managed security services can be force multipliers in this process, giving organizations access to experienced analysts and state-of-the-art technology without the up-front expense of equipment and personnel.

A modern SOC can provide the visibility needed to counter today’s cyberthreat landscape, and managed services can leverage best-of-class technology for:

• Analyzing suspicious files;
• Reducing the number of false alerts staff must respond to;
• Responding to alerts at machine speed;
• Monitoring network security status on a continuing basis;
• And keeping policies up-to-date and ensuring that they are enforced.

Effective threat mitigation and remediation requires not only the ability to detect, but also to verify threats and to respond at machine speed. No single product can do all of this, and integration across products is needed to get the full value from your cybersecurity investment.

Hexis Cyber Solutions can help you leverage your existing security infrastructure to detect, verify and respond with its HawkEye G security platform. Hexis Managed Services can also provide experienced security analysts to help you protect your enterprise and ensure that you receive the full value of each dollar you invest in cybersecurity.


CHAPTER 1

The Role of the Security Operations Center

Protecting networks, IT systems and the information they support against the growing threats from hackers, criminals and hostile nations is essential to the survival of any enterprise. But you can’t protect what you can’t see and you can’t defend against threats that you don’t know about. For many organizations, a Security Operations Center (SOC) provides the visibility into the enterprise and the threats it faces, enabling you to defend yourself in an increasingly hostile cyber landscape.

Establishing a SOC and overseeing its growth and evolution can be an expensive and resource-intensive task. For this reason, SOCs have been seen primarily in large, high-profile organizations with high-value targets requiring additional layers of protection. But the world has changed. As critical business and operational activities have moved online, data centers now represent the corporate crown jewels, and these resources are accessible around the clock from anywhere in the world. These shifts make the SOC essential to the security posture of organizations of any size.

Being small is no longer a guarantee of protection. Even small and medium-sized organizations need the resources of a SOC to defend themselves, their customers and their intellectual property from highly motivated, well-resourced adversaries. With the interconnectivity of partners in global supply chains, you must consider not only your own security but also guard against becoming a gateway for attacks on your suppliers and customers, and against attacks coming through your partners.

Although the challenges of effective cybersecurity can be daunting, the technology and service offerings have matured so that the benefits of a dedicated SOC are not out of reach for any organization.

What is a SOC?

Every organization should have some cybersecurity component, and a growing number have chief information security officers to oversee it. What distinguishes a SOC from these existing security programs is a dedicated facility, providing a centralized location with the technology to see and defend the entire enterprise as well as trained teams to monitor, analyze and respond to threats. It is a hub for security operations with security as its only job.

Centralizing security operations helps you get the most from your investment in technology and in people by leveraging them across the entire enterprise. Bringing security information and personnel together in one place makes it possible to analyze data so that threats can be anticipated and identified, while providing a central location for mitigation and response.

A SOC enables:

• Visibility into the enterprise, so the security status of all systems can be monitored and maintained
• Full-time, 24x7 protection
• Coordination of incident response
• Better logging of events and documenting of actions
• Uniform enforcement of security policy


The creation of a SOC depends on specific organizational needs. In a geographically distributed organization the physical facility could be almost anywhere, although locating it centrally at headquarters might make sense for logistical and organizational reasons. At a minimum, the facility must have the space and equipment necessary to support an adequate staff, and the power and wiring to accommodate a high-performance computing environment.

The backbone of the SOC traditionally has been the security information and event management (SIEM) system, which provides analysis of alerts and other data generated by network hardware and software. But analysis of log data no longer is enough. Adequate security requires the ability to gather and analyze outside threat indicators for continuous, automated response.

Should Your Organization have a SOC?

Cybersecurity is essential to every organization. That said, the decision of whether to invest in a SOC is a matter of risk management. This requires an understanding of your threat profile, your tolerance for risk and the budget available for security.

Your threat profile depends on the likelihood of an attack, the value of the target, and your security posture. As pointed out, you do not have to be a large organization to have high value targets. Corporate business plans, intellectual property, classified government data and databases of employee and customer information are all eagerly sought by criminals and nation states. And minor suppliers to major contractors can be attractive targets to be used as beachheads from which to launch an attack against the main target.

To assess your security posture, you must determine the current level of security in place, the desired state of security, and what efforts need to be made to bridge the gap between the two.

Understanding your threat profile and security posture allows you to understand your risk, and to make a decision about the amount of risk you are willing to accept. Because absolute security is impossible, most organizations must accept a certain level of risk, covering at least part of it through insurance. But there is a level beyond which the remaining risk must be eliminated or mitigated. Organizations must address risk beyond this acceptable level by improving the security posture.

A SOC can be a powerful and cost-effective tool in improving your organization’s overall security.

You don’t have to do it alone

Although no organization is too small to be a target, small organizations with limited budgets can find it difficult to afford a dedicated facility with the state-of-the-art technology and trained personnel needed to quickly detect and respond to threats. Fortunately, you do not have to establish this capability on your own.

You probably already have much of the security infrastructure needed to provide visibility into your enterprise. Intrusion detection and prevention systems, firewalls, networking equipment and other security tools such as sensors provide alerts, logs and other indicators for situational awareness. You might already have a SIEM tool to gather and analyze this information. The challenge for the SOC is to integrate these elements, combine them with outside threat indicators, normalize all of this data so that it can be analyzed quickly, and then enable its use in machine-speed response.

But your organization does not have to invest large amounts of capital for equipment and personnel to achieve this. Managed SOC services are available to serve enterprises of all sizes. These services can provide the technology and expertise to leverage your existing security investments, providing a new level of situational awareness, mitigation and response without the up-front costs.

Acquiring managed services will not be the choice of every organization. Because security is a mission-critical function, some will opt to retain all aspects of it in house. But for those organizations that want to take advantage of a wider view of the threat landscape and automate rapid response, managed SOC services are a valuable tool for getting the most from your security dollar.


CHAPTER 2

Requirements and Challenges in the SOC

Typically, only some of the largest companies have had the resources to build and staff a dedicated security operations center. These companies have built incident response organizations, hiring and training security analysts to provide around-the-clock protection from an array of threats.

Unfortunately, demand for skilled cybersecurity workers outstrips supply. The pool of qualified analysts and SOC personnel is limited and this trend will only worsen as cybersecurity threats increase.

Moreover, as IT organizations and SOC personnel struggle to gain visibility into all aspects of their IT enterprise (network and endpoint traffic), security analysts often are inundated with a flood of alerts from a slew of security systems, many of them false alarms. This impedes their ability to filter out and analyze security data and threat indicators for the serious threats attacking their organizations.

That is why organizations of all sizes – those that are well-resourced and those that are not – are looking to either supplement their security operations by outsourcing to a managed security services provider or turning their operations entirely over to an outsourced security operations center.

To be sure, providers of managed SOCs face some of the same resource management, staffing and technology issues companies and government organizations face. However, leveraging manpower and automated technology in a centralized facility allows a modern managed service provider to quickly identify and respond to threats without being overwhelmed by routine alerts and false positives.

The Landscape: Dealing with the Cyber Talent Shortage

Recent studies have revealed that there’s a serious shortage of talent to fill cybersecurity positions around the world at a time when organizations are coping with more threats.

For instance, according to a study by ISACA and RSA Conference, 82 percent of security professionals surveyed expect their organizations to be attacked in 2015, and they are relying on a talent pool they view as largely unqualified and unable to handle complex threats or understand their business.

Thirty-five percent of those polled, one in three, are unable to fill open positions, according to The State of Cybersecurity: Implications for 2015, which is based on a global survey of 649 cybersecurity and IT managers or practitioners.

Seventy-seven percent experienced an increase in attacks in 2014, while 82 percent view it as likely or very likely that their enterprise would be attacked in 2015. However, only 16 percent feel at least half of their applicants are qualified. Fifty-three percent said it can take as long as six months to find a qualified candidate; and more than a third are left with job openings they cannot fill.

Organizations looking for cybersecurity talent face a unique challenge because the profession is still relatively new. Most existing industries have developed their organizational structures and professions over decades, while many cybersecurity needs and skill sets are still evolving. Given the present threat environment, there is an insatiable demand for talented analysts specializing in malware, incident response, threat monitoring and intelligence.

What does this mean for SOC managers who must ensure that their operations are covering the network 24 hours a day? Many SOC managers might assume that effective coverage entails a 24/7 human presence. However, given the cyber talent shortage, it is important to explore other approaches to bridge the resource productivity gap. For instance, by finely tuning existing security monitoring tools and services, SOC personnel can prioritize alerts and automate more routine, repetitive tasks.

The first step, though, is to make sure the SOC has operational structures, procedures, and policies in place. You must also define the specific needs the SOC will meet for the client organization. Is it detecting external attacks, compliance monitoring, checking for insider abuse and/or incident management, or all of the above?

You will want to use the SOC team as effectively as possible. After determining the day-to-day tasks each member performs, you can better tune alerts to specific environments and team members. Additionally, automating manual tasks can free up senior staff to tackle more advanced threats.

At the RSA Conference 2015, Chris Young, General Manager and Senior Vice President of Intel Security, Intel Corp.’s security group, said information security departments should automate far more of their basic work—up to 98 percent of work, such as responding to alerts, to allow analysts time to concentrate on the bigger threats.

You might be surprised to learn that today there are a lot of manual processes being performed by senior SOC staff that could be automated, such as the sifting through alerts to detect false alarms, generating responses to help tickets, and creating reports that give information about key metrics such as detection success or false-positives.

By leveraging technology and automation, you can better distribute the SOC teams’ workload, putting senior staff to work on more advanced threats, and fostering the recruitment of top talent.

A word of advice for IT and SOC managers seeking cyber talent: Go where the cyber experts are. For instance, the FBI needs people with technical expertise for a variety of career paths – from special agents to intelligence analysts and computer scientists. So, the law enforcement agency had a booth at the Black Hat USA cybersecurity conference held in Las Vegas in early August 2015, which is attended by some of the most skilled information security people in the country.


The Landscape: The Quest for Visibility

At their core, SOCs focus on correlating and analyzing data on what is occurring within an organization, with an emphasis on timely detection. To achieve this, SOC teams need a high-level of “visibility,” or a clear, unobstructed view of the security operations and controls in place to defend an organization’s IT enterprise.

Many organizations probably already have much of the data needed to enable visibility. The real job is to aggregate and normalize it so that it can be effectively used for defense.

Most applications, networking devices, security tools and other systems generate logs with a record of the activity and behavior of those systems as well as the activity of users and their transactions. For instance, database audit logs can show how data has been changed and who made the changes. Syslog data from your routers, switches and network devices is useful for troubleshooting, analysis, and security auditing.

This data can be aggregated into a central repository that is accessible to security analysts. SOCs often deploy Security Information and Event Management systems (SIEMs) to consolidate data and provide initial analysis.

One approach to data analysis is a scorecard and a corresponding dashboard that can give analysts a view of the data, enabling them to compare new data with historical data to get a picture of trends and activities. This level of situational awareness is essential for SOCs to address current threats and prepare for future attacks.

But better visibility into your IT environment comes with a cost: more alerts. This makes it imperative that there are mechanisms in place to verify which alerts are important for the analysts to spend time on.

But log data alone is not enough to give you total visibility into your enterprise. In many successful attacks the initial breach of security arrived on a network through a compromised endpoint device, such as a desktop or laptop computer. With the proliferation of mobile devices, that could also include tablets or mobile phones on the network periphery that can connect to the main network.

It is critical to have endpoint protection that easily integrates with existing network security protection. To be effective, the endpoint protection has to provide heuristic, real-time information about what is going on in the endpoint.

Integration with network sensors that monitor the flow of traffic in and out of an IT infrastructure, as well as SIEMs and other threat detection tools, should give analysts more of an in-depth picture of the threats, applications, and attack vectors that impact networks today.


CHAPTER 3

Integrated Detection and Automated Response

The increasing velocity, frequency and variety of cyberattacks targeting private sector enterprises and government agencies have forced many security operations teams to rethink how they defend against and respond to attacks.

It can take an attacker less than five minutes to penetrate your network after reconnaissance for vulnerabilities that can be exploited. But, unfortunately, it takes defenders more than 200 days on average to determine that their networks have been breached, according to a Mandiant report. What’s worse, the breach is usually discovered by a third party, such as a law enforcement agency, security company or customer.

Typically, after a security team learns their organization has been breached, they bring in a security company to investigate how they were breached and what systems have been compromised. But attacks are continuous, and even after the vulnerability is fixed there is a high probability the organization will be hit again.

Consider the breach of the U.S. Office of Personnel Management (OPM) reported in March 2014. OPM moved quickly to strengthen security, adding more advanced detection tools. However, a year later OPM officials discovered systems were compromised again and the personal information of more than 22 million people inside and outside the government was stolen.

This is the reality of the present-day cyber battlefield. We have moved into the era of advanced persistent threats (APTs), where attackers can leverage the compromise of low-level endpoints within an organization to move laterally or deeper into the network. They will try to elevate their privileges and create a command and control capability to either slowly steal targeted data or open up holes for more advanced malware.

Many companies have also extended their networks to customers (business-to-customer e-commerce) or business partners (business-to-business e-commerce), opening up more avenues for adversaries to exploit weaknesses. The use of personal devices at work and the push toward the Internet of Things, in which a variety of appliances and devices are embedded with sensors, software and network connectivity, means that attacks can come from anywhere.


Because attacks are continuous, security teams must adopt a continuous monitoring and response mentality. For example, the Homeland Security Department is overseeing the Continuous Diagnostic and Mitigation (CDM) program for government agencies, which puts an emphasis on procedures and technology that continually monitors networks for vulnerabilities and anomalies. CDM-compliant tools will alert network managers to attacks and intrusions, enabling faster responses.

Continuous Response

Already many companies and government agencies have invested significant money in detection solutions and SIEM systems. But to increase network visibility and counter advanced threats, organizations need to deploy more advanced detection, analytics and automated response capabilities.

So the next logical step is to also switch your security mindset from “incident response” to “continuous response,” in which systems are assumed to be compromised and require continuous monitoring and remediation.

Historically, response has been event-driven and reactive. With continuous response, you use processes and technology that give constant visibility to respond to attacks that are occurring continuously.

A key to continuous response is automation. Attackers are leveraging automation to attack your endpoints and network, so automation is required to fight attacks. Moreover, automation is also required to address a major challenge that large and small companies face – the significant shortage of cybersecurity skills.

As stated in Chapter 2: You will want to use the SOC team as effectively as possible. After determining the day-to-day tasks each member performs, you can better tune alerts to specific environments and team members. Automating routine manual tasks can free up senior staff to tackle more advanced threats.

By deploying a full arsenal of automated, continuous response capabilities, SOC teams can tune their detection and protection systems to automatically stop malware from executing, prevent its persistence, and remove the threat to eliminate future execution attempts.

In addition to the automated response capability, you will want to implement an integrated detection platform that fuses multiple sources of information, including endpoints and network devices, threat feeds, cloud malware verification services, and threat indicators from third parties. Integrating these capabilities can give you a much better view of what’s threatening your IT infrastructure.


Endpoint Detection

Endpoint security is undergoing a major transformation as a new generation of products and services move from relying solely on signature-based protection to behavior-based analysis and incident response.

To take full advantage of this shift, endpoint security systems need to easily integrate with existing security protection. They also need to achieve three main goals; otherwise, attackers can still find ways to slip into networks:

• Detect all threats, especially previously unknown ones, based on multiple factors including the analysis of processes, changes on endpoints and network connections;

• Verify that detected threats are actually malicious, by correlating endpoint and network activity and using threat intelligence feeds for validation when possible;

• Automatically respond to threats at machine speed with the capability of restoring endpoints to secure states, all without disrupting user activities.

Threat Intelligence

The goal of threat intelligence is to provide actionable information on adversaries by correlating data from multiple sources such as SIEM tools, network devices, as well as third-party data feeds on vulnerabilities and attacks. But are security operations personnel actually getting value from their data?

Too often, organizations don’t have a clear sense of what threat intelligence is. “At this point, every vendor with any kind of aggregation of real-time information has slapped the label of threat intel on it, thereby confusing the heck out of buyers,” according to an article in Dark Reading, a web site for the information security community.

Backed by recent surveys and reports from IDC and the Ponemon Institute, the article lists five reasons why organizations aren’t getting value out of threat intelligence: they don’t know what it is, data is not actionable, they’re fixated on external feeds, they’re not turning internal incident information into contextual clues about threat behavior, and many companies don’t have a dedicated team to manage threat intelligence.

According to the IDC report conducted on behalf of SecureData, 90 percent of the IT security leaders surveyed in the U.K. were familiar with the term threat intelligence. But only 35 percent understood that threat intelligence is shared information provided within the security community. Only 11 percent connected behavior analysis with threat intelligence activities.

According to the Ponemon report, only about a third of IT security leaders said the threat intelligence they receive has a high level of effectiveness.

These findings echo comments from security experts at various sessions at Black Hat USA 2015 in Las Vegas, who acknowledged that in many cases organizations receive raw data, but real filtering and analysis of the data is not being done. Too often analysts are working in silos, copying and pasting data and collaborating by email, doing little more than passing IP addresses and log data around.

Analysts need tools to assist them with prioritizing alerts and advanced intelligence analysis. A platform with integrated endpoint and network detection indicators that also pulls in third-party threat indicators is crucial. Ultimately, an integrated detection and automated response platform will enable SOC teams to measure the effectiveness of an external threat and properly respond to that threat.
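The three endpoint goals above (detect, verify, respond) and the alert-prioritization point in this section come together in a correlation step: join endpoint process telemetry with network telemetry on the same host and process, validate against a third-party indicator feed, and only hand fully corroborated alerts to automated response. The following is an added example written for this page, not Hexis or HawkEye G code; the hosts, hashes, IP addresses, feed confidences and scoring weights are all constructed.

```python
from collections import defaultdict

# Constructed sample telemetry: hosts, PIDs, hashes and IPs are not real.
PROCESS_EVENTS = [
    {"host": "ws-01", "pid": 4312, "image": "updater.exe", "sha256": "aaa111", "persisted": True},
    {"host": "ws-01", "pid": 5120, "image": "outlook.exe", "sha256": "bbb222", "persisted": False},
    {"host": "srv-02", "pid": 900, "image": "svchost.exe", "sha256": "ccc333", "persisted": False},
]
NETWORK_EVENTS = [
    {"host": "ws-01", "pid": 4312, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "ws-01", "pid": 5120, "dst_ip": "198.51.100.20", "dst_port": 443},
    {"host": "srv-02", "pid": 900, "dst_ip": "203.0.113.7", "dst_port": 8443},
]
# Constructed third-party feed: indicator -> confidence (0-100).
THREAT_FEED = {"sha256": {"aaa111": 90}, "ip": {"203.0.113.7": 70}}


def correlate(process_events, network_events, feed):
    """Join endpoint and network events on (host, pid), validate each
    observation against the feed, and return alerts sorted by score."""
    conns = defaultdict(list)
    for n in network_events:
        conns[(n["host"], n["pid"])].append(n)
    alerts = []
    for p in process_events:
        key, score, reasons = (p["host"], p["pid"]), 0, []
        hash_conf = feed["sha256"].get(p["sha256"])
        if hash_conf:  # endpoint indicator confirmed by the feed
            score += hash_conf
            reasons.append(f"hash {p['sha256']} in feed")
        for n in conns[key]:  # network indicator confirmed by the feed
            ip_conf = feed["ip"].get(n["dst_ip"])
            if ip_conf:
                score += ip_conf
                reasons.append(f"outbound to {n['dst_ip']}:{n['dst_port']} in feed")
        if p["persisted"] and conns[key]:  # behavior: persistence plus beaconing
            score += 20
            reasons.append("persistence plus outbound connection")
        if score:
            alerts.append({**p, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def triage(alerts, respond_at=100):
    """Split alerts into machine-speed response (corroborated by more than
    one source) versus analyst review (a single indicator match)."""
    return {"respond": [a for a in alerts if a["score"] >= respond_at],
            "review": [a for a in alerts if a["score"] < respond_at]}
```

Running `triage(correlate(PROCESS_EVENTS, NETWORK_EVENTS, THREAT_FEED))` sends only the host where hash, destination and persistence all agree to automated response, while the single IP match on srv-02 is queued for an analyst rather than acted on blindly.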

Chapter 4

The HawkEye G and HSOC Solution

Even a small enterprise can be a high-value target for hackers, and organizations of all sizes need the protection that can only be offered by a dedicated Security Operations Center (SOC) providing the speed and visibility they must have to counter today’s highly motivated, well-resourced adversary.

For those without the resources to fully man and operate their own SOC, a managed service combines the advantages of best-of-breed technology with experienced personnel, without capital expense. These economies make it an attractive option for both small and large organizations.

HawkEye G from Hexis Cyber Solutions enables detection, verification and response, either on its own or in concert with security products already deployed in your enterprise. Hexis Security Operations Center (HSOC), the Managed Service for HawkEye G, leverages this security platform and adds the protection of experienced security analysts for continuous management, monitoring, reporting and incident response. Armed with HawkEye G, and using your organization’s security policies and procedures, HSOC can quickly detect, verify and respond to any threats against your enterprise.

Defend Yourself

In today’s threat landscape, it is not if, but when you will become the victim of a cyberattack. Most victims do not realize that they have been compromised until after the fact, and often only when they are alerted by a third party, which delays effective response. In all likelihood, your network and systems are being probed regularly for vulnerabilities, whether you are a high-profile multinational organization or a small link in the supply chain.

No organization can afford the costs of becoming a victim or the loss of confidence from a data breach, and no executive is immune from accountability. Recent history has shown that data breaches can become career-ending events for government and corporate officials.

HawkEye G is the only cybersecurity solution that can effectively protect organizations of all sizes against today’s threats and within today’s constrained budgets. It can detect, verify and respond to threats regardless of their origins without disrupting operations, and is available in a managed service offering that delivers next-generation security.

Getting the Most from Your Installed Security Infrastructure

Today’s cyberthreats demand that security products work together to ensure the full protection of the enterprise. Organizations have deployed numerous tools to monitor and gather information on their networks, and HawkEye G’s ability to integrate with these tools, through Hexis’ proprietary ThreatSync technology as well as through SIEMs, differentiates HawkEye G from single-point security products.

Although HawkEye G is an effective standalone monitoring tool, it provides the greatest value when working in conjunction with the rest of your security infrastructure. It pushes its own lightweight sensor agents to each endpoint to monitor 175 static and dynamic indicators of endpoint activity, detecting and analyzing all changes and restoring any compromised device to the proper configuration if unauthorized changes are detected.


HawkEye G also integrates directly with leading vendors’ products including next-generation firewalls and network-based sandboxes, and indirectly with other tools. Hexis’ ThreatSync, an open framework for threat fusion and analytics, verifies alerts generated from feeds and prioritizes actual threats. This separates the real threats from the background noise and allows HawkEye G to respond at machine speed rather than requiring human analysts to wade through thousands of false alerts.

With Hexis Managed Services, all actions and data on endpoint processes, registry files, .dlls and suspicious outbound network connections are logged and sent to professionals in the HSOC. Because HawkEye G can automate incident response, Hexis professionals are freed to analyze data and better understand and anticipate complex threats, providing better situational awareness.

Gathering this data requires little bandwidth and does not degrade network performance, even over low-speed links from remote locations. Low bandwidth requirements and the ability of HawkEye G to manage software agents at multiple geographic locations on the network provide cost-effective security at only a few dollars per endpoint.

The level of automation in the response to security incidents depends on the needs of the customer. Response can be fully automated to take humans out of the loop and maximize speed and efficiency, or HawkEye G can alert and provide guidance to personnel with recommended, one-click actions. It can provide a mix of these options based on policy, depending on the nature of the operations involved and the customer’s comfort level.

Hexis Managed Service for HawkEye G maximizes your cyber defenses with next-generation threat detection and response delivered as a service. It gives you not only advanced technology, but experienced cybersecurity professionals to manage it with no large capital expenses. It allows you to:

• Investigate and analyze suspicious files to find known and unknown threats, while reducing false positives and ghost alerts;

• Respond automatically to threats at machine speed, mitigating threats before compromise;

• Guide your security posture with ongoing policy management as your business operations change;

• Monitor system health, software upgrades, and backups around-the-clock;

• Operate the system securely from the Hexis Security Operations Center (HSOC); and

• Receive up-to-date reports on threats and security activity.

HawkEye G offers flexible deployment models supporting single office locations or enterprises with distributed locations. The Network Sensor models scale from 40-Mbps network throughput up to 1-Gbps and 10-Gbps connections. The Host Sensor deploys on Windows desktops, laptops, and servers and is centrally managed by the HawkEye G Manager.

Managed Service

Hexis Full Managed Service provides the HawkEye G platform and our trained security professionals, and includes management and maintenance. An add-on subscription is also available for platforms already deployed in the enterprise. Both offer you Continuous Detection and Response as a Service.

Hexis Managed Service for HawkEye G pairs our platform with the expertise and human element that provide your enterprise unparalleled security, while reducing your capital and operational costs. Flexible subscription terms, easy installation and threat response policies deliver fast time-to-value. It’s simply the best and most efficient choice for protection in today’s advanced threat landscape.

To learn more about HawkEye G Managed Service, contact Hexis.


About Hexis Cyber Solutions

Hexis Cyber Solutions Inc. is a team of cybersecurity experts delivering solutions that enable organizations to defend against and remove cyber threats at machine speeds before they do damage. Hexis’ advanced security solutions use real-time endpoint sensors, network detection, and threat analytics to provide organizations with an intelligent and automated threat detection and response solution. Hexis solutions deliver improved visibility into the network and endpoints, threat verification, and automated threat removal capabilities for organizations of all sizes. Hexis Cyber Solutions, Inc. is a wholly-owned subsidiary of The KEYW Holding Corporation (KEYW), based in Hanover, Maryland with engineering offices in Columbia, Maryland and San Mateo, California. Hexis’ solutions were developed leveraging KEYW’s expertise in supporting our nation’s cybersecurity missions.

Copyright © 2016 All rights reserved. Hexis Cyber Solutions, ThreatSync and HawkEye are protected by U.S. and international copyright and intellectual property laws and are registered trademarks or trademarks of Hexis in the United States and/or other jurisdictions. Hexis Cyber Solutions is a wholly-owned subsidiary of The KEYW Corporation.

Hexis Cyber Solutions | 7740 Milestone Parkway, Suite 400 | Hanover, MD 21076 | [email protected] | 443.733.1900