The document discusses challenges with detecting, verifying, and responding to cyber threats. It notes that despite security investments, organizations still experience difficulties keeping up with threats due to a lack of skilled personnel, ineffective prevention tools, and too many alerts to review. It introduces HawkEye G as an integrated platform that uses endpoint detection, network monitoring, and third-party integrations to detect threats, verifies them using correlation techniques, and enables automated and machine-guided responses to threats. Key benefits include reducing time spent on manual verification of alerts and enabling remote response capabilities. Case studies show HawkEye G reducing time spent on verification by 50% and enabling full removal of infections across endpoints.
6. The Problem
Despite significant investment in security, organizations continue to experience challenges detecting, verifying & responding to threats.
1. Not enough skilled people to respond fast enough
2. AV and network perimeter not blocking threats
3. Too many events and false positives to review
8. Spending Shift to Detection and Response
[Chart: security spending shifting from Prevention toward Detection & Response]
• Prevention necessary but not 100% effective
• Nature of attacks is changing
• Response more top of mind
12. Increasing adoption of behavior-based detection
• Initial focus = network-based sandboxing
• Focus shifting to Endpoint Detection & Response
DETECTION
“You got some kinda savior complex?”
“No. I just want to get the bad guys, but if I can't see them I can't shoot them.”
- American Sniper
16. Security Talent Shortage
[Chart] Source: Burning Glass Technologies, “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs”
“The talent you’re looking for in incident response is absolutely the hardest I’ve seen to find in security in general”
- Christine Gadsby, Manager, BlackBerry Product Security Incident Response Team
20. Why Verification
• STRATEGIC: Corroboration and threat fusion to improve detection and prioritize investigation and response
• TACTICAL: Solving the false positive issue related to network security alerts
VERIFICATION
23. An integrated approach to threat detection, verification, and response that leverages flexible, policy-based responses to remove threats before they do damage.
INTEGRATED DETECTION. AUTOMATED RESPONSE.
24. HawkEye G = “Defender’s Advantage”
1. DETECT – Integrated platform:
   • Real-time endpoint agents
   • Network edge detection
   • 3rd party ecosystem
2. VERIFY – Host and network correlation confirms the threat to pinpoint where you really need to respond
3. RESPOND – Automation and machine-guided response is a force multiplier to remove the threat before breach
29. Detect, Verify, Respond – Tackling Integration on Multiple Fronts
Integrated Platform:
• Endpoint + network
• Improve detection effectiveness
• Verify endpoint infections
• Enable automated response
Architectures:
• U.S. Intelligence Community reference architecture (SHORTSTOP)
• Integrated Active Cyber Defense (ACD) solution
• Includes Hexis, Palo Alto, FireEye, and Splunk
ThreatSync™
30. HawkEye G Common Use Cases
• “How do I stop an active campaign before compromise or breach?”
• “I’ve got no clear picture of threat actor activity, malware or infection spread across my enterprise”
• “I’m wasting time and resources chasing down network alerts to confirm if my hosts are infected”
• “My antivirus isn’t working and I need better visibility into activity on my endpoints”
• “How do I respond more effectively and efficiently?”
31. Real-world Deployment Metrics

Host sensor distribution (initial):
  Customer A: 1,872 host sensors (out of 30,000 total)
  Customer B: 400 host sensors (out of 1,000 total)
  Customer C: 20 host sensors (out of 2,000 total)

Prevention security technologies in place:
  Customer A: Cisco ASA, FireEye, McAfee AV, Malwarebytes
  Customer B: Cisco ASA/IPS/SSM, OpenDNS, TrendMicro AV
  Customer C: Palo Alto, FireEye, McAfee AV

Infection % (of hosts with sensors):
  Customer A: 637 infected hosts, 36% infection
  Customer B: 50 infected hosts, 12% infection
  Customer C: 20 infected hosts (89 malicious binaries), 100% infection

Value-add:
  Customer A: Automated verification of ghost FireEye alerts
  Customer B: Reduce manual verify and remove by 50%
  Customer C: Machine-guided removal on remote devices
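The verification step that slide 24 describes (host and network correlation) and the "ghost FireEye alerts" value-add in the table above are the same mechanism: a network sensor flags an object bound for an internal host, and endpoint telemetry decides whether that object ever landed or ran there. The following is an added example, not Hexis or HawkEye G code, written in Python to show that correlation on constructed sample data. The record fields, the ten-minute evidence window, the verdict labels and the response policy (executed → automated response, written only → machine-guided review, no evidence → close) are all assumptions for illustration.

```python
"""Correlate network sandbox alerts with endpoint events to separate
verified infections from ghost alerts (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetworkAlert:
    alert_id: str
    ts: datetime
    dst_ip: str       # internal host that fetched the flagged object
    sha256: str       # hash of the object the network sensor flagged


@dataclass(frozen=True)
class EndpointEvent:
    host_ip: str
    ts: datetime
    kind: str         # "file_write" or "process_start"
    sha256: str


# Assumption: endpoint evidence must appear within this window after the alert.
WINDOW = timedelta(minutes=10)


def index_events(events):
    """Group endpoint events by host so each alert only scans its own host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host_ip].append(e)
    return by_host


def verify_alert(alert, by_host):
    """Return ("verified", evidence) when the flagged object was written or
    executed on the alert's target host inside WINDOW, else ("ghost", [])."""
    evidence = [e for e in by_host.get(alert.dst_ip, [])
                if e.sha256 == alert.sha256
                and timedelta(0) <= e.ts - alert.ts <= WINDOW]
    return ("verified", evidence) if evidence else ("ghost", [])


def triage(alerts, events):
    """Map alert_id -> (verdict, action). The policy is an assumption:
    executed -> automated response, written only -> machine-guided review,
    no endpoint evidence -> close without spending analyst time."""
    by_host = index_events(events)
    plan = {}
    for a in alerts:
        verdict, evidence = verify_alert(a, by_host)
        if verdict == "ghost":
            action = "close_no_infection"
        elif any(e.kind == "process_start" for e in evidence):
            action = "automated_kill_and_quarantine"
        else:
            action = "machine_guided_review"
        plan[a.alert_id] = (verdict, action)
    return plan


def summarize(plan):
    """Count verdicts so the analyst sees how much alert volume was ghost."""
    counts = {"verified": 0, "ghost": 0}
    for verdict, _ in plan.values():
        counts[verdict] += 1
    return counts


# Constructed sample data (not from any real deployment).
T0 = datetime(2015, 6, 1, 9, 0, 0)
H_A, H_B, H_C = "sha256:" + "a" * 8, "sha256:" + "b" * 8, "sha256:" + "c" * 8
ALERTS = [
    NetworkAlert("N-1", T0, "10.0.0.11", H_A),  # blocked by AV: never hits disk
    NetworkAlert("N-2", T0, "10.0.0.12", H_B),  # dropped to disk, not run
    NetworkAlert("N-3", T0, "10.0.0.13", H_C),  # dropped and executed
]
EVENTS = [
    EndpointEvent("10.0.0.12", T0 + timedelta(seconds=40), "file_write", H_B),
    EndpointEvent("10.0.0.13", T0 + timedelta(seconds=30), "file_write", H_C),
    EndpointEvent("10.0.0.13", T0 + timedelta(minutes=2), "process_start", H_C),
    # Same hash as N-1 but on another host an hour later: not evidence for N-1.
    EndpointEvent("10.0.0.99", T0 + timedelta(hours=1), "file_write", H_A),
]

if __name__ == "__main__":
    plan = triage(ALERTS, EVENTS)
    for alert_id, (verdict, action) in plan.items():
        print(f"{alert_id}: {verdict:8} -> {action}")
    print(summarize(plan))
```

Running it classifies N-1 as a ghost alert (the perimeter flagged it but no sensor on 10.0.0.11 ever saw the object), N-2 as verified but only written to disk, and N-3 as verified with execution. Only the last one qualifies for a fully automated response under the assumed policy; the key design choice is keying the match on both the target host and the object hash, so a matching hash elsewhere in the estate does not verify an alert for a host that was never touched.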
32. Hexis Key Differentiators
• Integrated platform to detect, verify, and respond
• Endpoint + network, including correlation
• Endpoint sensing capabilities – heuristics, real-time eventing
• ThreatSync™ analytics fuses Hexis detection with 3rd party indicators
• Full arsenal of machine-guided and automated responses that can be flexibly deployed based on policy
• Developed using military-grade cyber capabilities and state-of-the-art commercial technologies
RESPOND
33. Key Takeaways
• Cyber defense requirements are driving increased investment in detection & response
• Efficient and effective detection & response requires verification
• Verification benefits are both strategic and tactical
• Integration and automation are critical in your efforts to detect, verify, and respond to threats before they do damage