Mission Possible
Taming Rogue Ghost Alerts
Ethan Hunt aka Todd Weller
VP Corporate Development
July 2015
Cyber = The Newer Battlefield
Copyright © 2015, Hexis Cyber Solutions, Inc. All rights reserved. Page 4
Cyber Attacks from All Angles
• Casual Hackers
• Hacktivists
• Cyber criminals
• Corporations
• Nation states
Your Mission: Should you choose to accept it…
…is to increase your ability to detect, verify, and respond to threats efficiently and effectively.
Focusing on Threats vs. Chasing Ghosts
The Problem
Despite significant investment in security, organizations continue to experience challenges detecting, verifying & responding to threats.
1. AV and network perimeter not blocking threats
2. Too many events and false positives to review
3. Not enough skilled people to respond fast enough
Blind to the Breach
Source: Mandiant, Verizon
Spending Shift to Detection and Response
[Chart: security spending split between Prevention and Detection & Response]
• Prevention necessary but not 100% effective
• Nature of attacks is changing
• Response more top of mind
Critical Cyber Defense Elements
1. Detection
2. Verification
3. Automated Response
Verification is the Critical Link
Detection → Verification → Automated Response
Visibility Is The First Step
DETECTION
• Increasing adoption of behavior-based detection
• Initial focus = network-based sandboxing
• Focus shifting to Endpoint Detection & Response
“You got some kinda savior complex?”
“No. I just want to get the bad guys, but if I can't see them I can't shoot them.”
- American Sniper
Visibility is Eye Opening…
…and Overwhelming
Source: Ponemon Institute
The Response Challenge
Security Talent Shortage
Source: Burning Glass Technologies “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs”
“The talent you’re looking for in incident response is absolutely the hardest I’ve seen to find in security in general”
- Christine Gadsby, Manager, BlackBerry Product Security Incident Response Team
Attack Velocity Increasing
Shift to Continuous Response
[Diagram: Velocity → Continuous → Automation]
The Double Whammy
VERIFICATION
• STRATEGIC: Corroboration and threat fusion to improve detection and prioritize investigation and response
• TACTICAL: Solving the false positive issue related to network security alerts
Cyber Defense Requires an Integrated Approach
[Diagram: Detection, Verification and Automated Response, joined by Integration, Orchestration and Automation]
Cyber Defense Requires an Integrated Approach
An integrated approach to threat detection, verification, and
response that leverages flexible, policy-based responses to
remove threats before they do damage.
INTEGRATED DETECTION. AUTOMATED RESPONSE.
HawkEye G = “Defender’s Advantage”
1. DETECT
Integrated platform:
• Real-time endpoint agents
• Network edge detection
• 3rd party ecosystem
2. VERIFY
Host and network correlation confirms the threat to pinpoint where you really need to respond.
3. RESPOND
Automation and machine-guided response is a force multiplier to remove the threat before breach.
Detect: Endpoints + Network
[Architecture diagram: the HawkEye G Manager receives input from the HawkEye G Host Sensor (174 heuristics), the HawkEye G Network Sensor, the Hexis Threat Feed (19 feeds) and Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®)]
• 174 Heuristics
• 19 Threat Feeds
• 3rd Party Integration
Verify: Introducing ThreatSync™
[Architecture diagram: ThreatSync added to the platform, fed by the HawkEye G Host Sensor (174 heuristics), the HawkEye G Network Sensor, the Hexis Threat Feed (19 feeds) and Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®)]
• Threat Fusion
• Threat Analytics
• Indicator Scoring
• Device Incident Score
Respond
[Architecture diagram: ThreatSync feeds the Policy Manager, which drives the countermeasures; sensors, threat feed and third-party integrations as on the previous slides]
Countermeasures: Kill, Quarantine, Block, Expire, Forensics, Future
Response modes: Surgical, Machine Guided, Automatic
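As an added example that is not part of this deck and is not Hexis code (it does not describe how HawkEye G or ThreatSync work internally), here is the detect → verify → respond flow the Verify, ThreatSync and Respond slides describe, in Python: network alerts are checked against host-sensor telemetry so that alerts with no endpoint evidence are parked as "ghosts", the confirmed evidence is fused into a per-device incident score, and a policy table maps that score to a countermeasure and response mode. Every host name, hash, domain, source weight, corroboration window and policy threshold below is a constructed assumption, and noisy-OR is one fusion choice among many.

```python
"""Added example (not Hexis code): verify network alerts against endpoint
telemetry, fuse the evidence into a device incident score, and map the score
to a policy-driven response. All data, weights and thresholds are constructed."""
from collections import defaultdict

# Constructed network-side alerts (sandbox or NGFW style): which host, which
# indicator, and the 0-100 confidence the producing sensor attaches to it.
NETWORK_ALERTS = [
    {"id": "na-1", "host": "ws-017", "ts": 1000, "ioc": ("sha256", "a1" * 32), "source": "sandbox", "score": 70},
    {"id": "na-2", "host": "ws-042", "ts": 1100, "ioc": ("domain", "update-check.example"), "source": "sandbox", "score": 70},
    {"id": "na-3", "host": "ws-017", "ts": 1200, "ioc": ("domain", "cdn.example"), "source": "ngfw", "score": 40},
    {"id": "na-4", "host": "ws-099", "ts": 1300, "ioc": ("sha256", "b2" * 32), "source": "sandbox", "score": 70},
]
# Constructed host-sensor telemetry: what actually executed or resolved on
# each endpoint, plus heuristic detections the endpoint agent raised itself.
ENDPOINT_EVENTS = [
    {"host": "ws-017", "ts": 1005, "kind": "process_exec", "ioc": ("sha256", "a1" * 32)},
    {"host": "ws-017", "ts": 1010, "kind": "heuristic", "name": "run_key_persistence", "score": 60},
    {"host": "ws-042", "ts": 1150, "kind": "dns", "ioc": ("domain", "update-check.example")},
    {"host": "ws-099", "ts": 1310, "kind": "process_exec", "ioc": ("sha256", "c3" * 32)},
]
SOURCE_WEIGHT = {"sandbox": 1.0, "ngfw": 0.6, "endpoint": 1.0}  # assumed trust per source
CORROBORATION_WINDOW = 300  # seconds; assumed

# Assumed policy: the first band whose threshold the device score reaches wins.
# Countermeasure names follow the deck's list; modes follow its three tiers.
POLICY = [
    (90, ("Quarantine", "Automatic")),   # high confidence: act without waiting
    (60, ("Kill", "Machine Guided")),    # proposed to an analyst for one-click approval
    (30, ("Forensics", "Surgical")),     # collect evidence only
]

def host_observations(events):
    """Index endpoint telemetry by host: indicators actually seen there, and
    the heuristic detections the host sensor raised."""
    seen, heuristics = defaultdict(set), defaultdict(list)
    for ev in events:
        if "ioc" in ev:
            seen[ev["host"]].add(ev["ioc"])
        if ev["kind"] == "heuristic":
            heuristics[ev["host"]].append(ev)
    return seen, heuristics

def verify_alerts(alerts, events, window=CORROBORATION_WINDOW):
    """Label a network alert 'confirmed' when the host sensor saw the same
    indicator on that host, or raised a heuristic on it within `window`
    seconds of the alert; otherwise it is a 'ghost' (no endpoint evidence)."""
    seen, heuristics = host_observations(events)
    verified = []
    for a in alerts:
        ioc_match = a["ioc"] in seen[a["host"]]
        near_heuristic = any(abs(h["ts"] - a["ts"]) <= window for h in heuristics[a["host"]])
        status = "confirmed" if ioc_match or near_heuristic else "ghost"
        verified.append({**a, "status": status, "ioc_match": ioc_match, "heuristic_match": near_heuristic})
    return verified

def device_incident_scores(verified, events):
    """Fuse confirmed network alerts and endpoint heuristics into one 0-100 score
    per host with noisy-OR, 1 - prod(1 - p_i): independent weak signals on the
    same host reinforce each other but never exceed 100. Ghosts contribute 0."""
    evidence = defaultdict(list)
    for v in verified:
        if v["status"] == "confirmed":
            evidence[v["host"]].append(v["score"] / 100 * SOURCE_WEIGHT[v["source"]])
    for ev in events:
        if ev["kind"] == "heuristic":
            evidence[ev["host"]].append(ev["score"] / 100 * SOURCE_WEIGHT["endpoint"])
    scores = {}
    for host, probs in evidence.items():
        p_none = 1.0
        for p in probs:
            p_none *= 1 - p
        scores[host] = round((1 - p_none) * 100)
    return scores

def select_response(score, policy=POLICY):
    """Pick (countermeasure, mode) for a device score under the assumed policy."""
    for threshold, action in policy:
        if score >= threshold:
            return action
    return ("None", "Monitor")

def run(alerts=NETWORK_ALERTS, events=ENDPOINT_EVENTS):
    """Detect (inputs) -> verify -> score -> respond, returned as one report."""
    verified = verify_alerts(alerts, events)
    scores = device_incident_scores(verified, events)
    return {
        "ghost_alerts": [v["id"] for v in verified if v["status"] == "ghost"],
        "device_scores": scores,
        "responses": {host: select_response(s) for host, s in scores.items()},
    }

if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Running the file prints the report. The alert on ws-099 is a ghost: the sandbox flagged a hash the host sensor never saw execute, so it never reaches the response policy, whereas ws-017 accumulates a confirmed hash match, a corroborated NGFW alert and a persistence heuristic into a score high enough for automatic quarantine.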
Tackling Integration on Multiple Fronts
[Architecture diagram as on the previous slides, with ThreatSync and the Policy Manager]
Integrated Platform
• Detect, Verify, Respond
• Endpoint + network
ThreatSync™
• Improve detection effectiveness
• Verify endpoint infections
• Enable automated response
Architectures
• U.S. Intelligence Community reference architecture (SHORTSTOP)
• Integrated Active Cyber Defense (ACD) solution
• Includes Hexis, Palo Alto, FireEye, and Splunk
HawkEye G Common Use Cases
“How do I stop an active campaign before compromise or breach?”
“I’ve got no clear picture of threat actor activity, malware or infection spread across my enterprise”
“I’m wasting time and resources chasing down network alerts to confirm if my hosts are infected”
“My antivirus isn’t working and I need better visibility into activity on my endpoints”
“How do I respond more effectively and efficiently?”
Real-world Deployment Metrics
Feature | Customer A | Customer B | Customer C
Host sensor distribution (initial) | 1,872 host sensors (out of 30,000 total) | 400 host sensors (out of 1,000 total) | 20 host sensors (out of 2,000 total)
Prevention security technologies in place | Cisco ASA, FireEye, McAfee AV, Malwarebytes | Cisco ASA/IPS/SSM, OpenDNS, TrendMicro AV | Palo Alto, FireEye, McAfee AV
Infection % | 637 infected hosts, 36% infection | 50 infected hosts, 12% infection | 20 infected hosts (89 malicious binaries), 100% infection
Value-add | Automated verification of ghost FireEye alerts | Reduce manual verify and remove by 50% | Machine-guided removal on remote devices
Hexis Key Differentiators
• Integrated platform to detect, verify, and respond
• Endpoint + network including correlation
• Endpoint sensing capabilities – heuristics, real-time eventing
• ThreatSync™ analytics fuses Hexis detection with 3rd party indicators
• Full arsenal of machine-guided and automated responses that can be flexibly deployed based on policy
• Developed using military-grade cyber capabilities and state-of-the-art commercial technologies
Key Takeaways
• Cyber defense requirements are driving increased investment in detection & response
• Efficient and effective detection & response requires verification
• Verification benefits are both strategic and tactical
• Integration and automation are critical in your efforts to detect, verify, and respond to threats before they do damage
Questions?
Thank You!
