infoTECH Feature

April 13, 2015

IDT Corporation Uses Hexadite to Accelerate Incident Resolution and Improve Security Operations

By TMCnet Special Guest
Golan Ben-Oni, CSO and SVP of network architecture, IDT Corporation

When it comes to incident response (IR), enterprises end up wasting 80 percent of their resources because it takes much longer than it should to address attackers in their networks. This is because they have been trying to use people for work that systems can automate, instead of having them focus on the tasks that truly require human intelligence and interaction.

IDT Corporation’s IT environment is unusual in that it sits at the nexus of three highly targeted industries: telecom, energy and oil, and banking and finance. The responsibility always lands squarely on the security team to keep the organization up and running and to protect the critical resources in our varied cloud and data center environments. The environment is made up of best-in-breed network, endpoint, systems, storage and database solutions. The problem was that none of these systems worked together, so we had a fragmented view of what was going on, and we had to put people in between all of them.

When any of our systems generated an alert carrying indicators of compromise (IOCs), the alert went to our live event stream and was loaded into our SIEM. In the best case, it took 15 minutes for the SIEM to correlate everything it needed to generate an alert for the SOC. Then someone in the SOC had to see it and decide to act, which meant picking up the phone and calling the user or the network manager to get them to manually shut off the laptop or deal with the switch. If it all worked well, we could contain the infection in 30 minutes. The problem is that attackers can get in and exfiltrate data in mere minutes.

Service level response times from leading managed security service providers (MSSPs) are two hours for a high-level threat targeting vulnerable assets; it only gets worse for other attacks, and the reality is that most organizations don’t even see the problem until it gets out of hand.

Once an attack is contained, there is a list of steps needed to remediate it, and it could be a couple of days before a user gets their system back. We needed a faster way to figure out what had happened and then remediate automatically: a real-time system that could give us access to real-time alerts.

We evaluated several solutions that automated portions of the incident response process. We had even built some of our own scripts and capabilities to get better visibility and response times, but we kept looking for something that could really help us address our issues. When I met with Hexadite, I didn’t have to explain our pain points; they just got it. Hexadite was able to go in right away, give us results and help solve our problems.

Hexadite AIRS can automatically investigate and contain attacks in seconds. It is designed to handle multiple investigations and to remediate large-scale events impacting multiple systems in parallel. It provides out-of-the-box incident response logic that implements industry best practices, so an organization can respond to an attack efficiently and effectively from day one. The solution proactively collects and analyzes data from the IT security infrastructure, endpoints, threat feeds, log repositories and more to provide the intelligence and response capabilities organizations need to confidently address the threats they are facing.

My team at IDT liked that the solution supported multiple platforms and was extremely lightweight, agile and simple to use. Unlike other solutions that need a client to be installed and managed on every endpoint, Hexadite doesn’t require the organization to download any agents.

Rolling out Hexadite is simple. For the implementation, all we had to do was create inclusion lists, grant access to our identity and access systems and tell Hexadite AIRS to do automatic investigations. Hexadite simply logs into a system when there is a problem, deposits itself to do its analysis and then deletes itself and goes away. We were able to go from 1,000 systems to 3,000 systems protected by Hexadite in one day.

We started doing automated investigations on alerts for the areas we were most concerned with, such as the workstation environment in our corporate offices in New Jersey. We quickly rolled it out across the U.S., then to Europe, the Middle East and Africa, and Central and South America.

We take the IOCs from a variety of sources and feed them into Hexadite, which is integrated with many systems throughout the network to improve overall analysis and efficiency. When we know something bad has happened but are not sure what it is, or have an incomplete alert, Hexadite immediately launches an investigation and fills in the blanks of what just happened.

The solution discovers the critical information that is missing from most alerts, which we used to have to gather manually. Because Hexadite automatically goes out and looks at every threat, we immediately know what the threat level really is. We may start at 15 percent confidence, but after Hexadite looks and comes back to us, we know it is really much higher. Hexadite spares our people from having to do that work.

Hexadite is also able to address those widespread, spray attacks that try to get a whole bunch of people. There is just no way for an individual to investigate and quickly contain hundreds or thousands of systems. Hexadite’s automation enables us to scale.

By immediately pulling in data directly from Splunk and all these components in seconds, Hexadite eliminates the 15 minutes we used to have to wait for the SIEM to correlate alerts. Plus, by automating, we gain back the 15-30 minutes it takes someone to contain an infection.

The fact is, it takes people time to figure out what’s going on and make any necessary changes to try to contain an infection; automation can save 4-5 hours of that. And that assumes someone is there when the alert lands in the SOC. Humans are inconsistent in their knowledge, skills and time; they may or may not know where to look or what to do for a particular alert, which leaves a lot of room for error.

Hexadite saves us a lot of time by logging in milliseconds after the alert to look for impropriety. It can automatically look for new files, search Windows event logs and make comparisons to other systems, threat feeds and so on during the course of its investigation, work that could take eight hours manually.

Hexadite helps us get consistent coverage, which is absolutely essential and enables us to deliver across the entire organization, rather than just the parts that are most critical.

The threat landscape is evolving, and Hexadite is able to adapt and translate requirements into iterative enhancements. The combination of people and technology at Hexadite is really something special. The automation they enable frees up resources, so that our people can work on the kinds of problems that really need people.

IDT Corporation is an NYSE-listed company headquartered in Newark, New Jersey. Golan Ben-Oni, CSO and SVP of Network Architecture, IDT Corporation, is responsible for enabling and protecting the infrastructure of the telecommunications, payment, energy and oil businesses, which represent approximately 1,700 employees and 3,000 endpoints worldwide.

Edited by Stefania Viscusi