Intelligent Security Orchestration and Automation hexadite.com
2017
Solving the Cybersecurity Capacity Problem
Overview
• About Hexadite
• Today’s Incident Response Challenge
• Intelligent Security Automation & Orchestration
• Customer Highlights
About Hexadite
STATS
FOUNDED 2014
HEADQUARTERS Boston
R&D Tel Aviv
INDUSTRIES COVERED
• Telecom
• Retail
• Media
• Insurance
• Financial Services
• Technology
• Energy
• Manufacturing
INVESTORS
HIGHLIGHTED CUSTOMERS
FOUNDERS
Led by ex-military intelligence IR experts, who have run SOCs/CIRTs and trained cyber analysts globally for over a decade.
Eran Barak, CEO
Barak Klinghofer, CPO
Idan Levin, CTO
From Alert to Remediation in Minutes at Scale.
Today’s IR Challenge
Top IR Challenges
People: Worldwide cyber skills gap and huge variance in skills
Process: Time to investigate an alert and then remediate it is slow
Technology: Complex environments and too many alerts to handle
Too Many Alerts, Too Few Resources
*Source: Security Orchestration and Automation: Closing the Gap in Incident Response – ESG Research
Alerts per month (share of companies surveyed):
< 500: 5%
500 – 1,000: 10%
1,001 – 5,000: 27%
5,001 – 10,000: 28%
10,001 – 15,000: 21%
15,000+: 9%
• 58% of companies get more than 5,000 alerts per month
• Where do you fit?
• What is being missed?
• One cyber analyst can handle roughly 10 alerts per day
• An analyst can only focus on one alert at a time
• That’s 300 per month (but they generally take weekends off)
• Mean time to alert
• Mean time to investigation
• Mean time to remediation
Intelligent Security Orchestration and Automation
Intelligent Security Automation and Orchestration
Customer Success: Nuance
“When we first saw the technology from Hexadite, it seemed too good to be true. We tried the product, and it all came true—it solved our problems and greatly reduced costs.”
Doug Graham, CISO
ABOUT
• Technology Industry
• 10,000 Endpoints
REQUIREMENTS
• Force multiplier for investigation and remediation
• Automate what is currently being done by people
Challenges:
• Endless loop of tuning, correlating, and tuning again
• IT and security wasted time diagnosing issues
• With lean staff they resorted to re-imaging machines
Results:
• Stopped spending time re-imaging
• Saw a 95% automation rate
• Continue automating new use cases
Customer Success: IDT
“Hexadite was able to go in right away, give us results and help me solve my security challenges.”
Golan Ben-Oni, Global CIO
ABOUT
• Telecommunications
• 16,000 Endpoints
REQUIREMENTS
• Force multiplier for investigation and remediation
• Automate what is currently being done by people
Challenges:
• Took up to 15 minutes for alert correlation
• Team bogged down investigating alerts with high false positives
• Tried writing scripts to automate, but they weren’t maintainable or integrated
Results:
• Replaced scripts with full automation
• Able to focus people on strategic items
• Investigate in less than half the time
Inputs:
Alerts per day: 890
Analysts: 6
Average annual analyst salary: $170,000
Alerts investigated per analyst per day: 15
Alerts investigated today: 10%
Based on your inputs, you spend $1,020,000 annually to investigate 10% of your alerts. You are paying $44.97 for every investigated alert.
With More Analysts
If you were to investigate 100% of your alerts without automation, you would need 59 cyber analysts to manually investigate your alerts.
COST ANNUALLY FOR 59 ANALYSTS: $10,086,666.67
COST PER INVESTIGATED ALERT: $31.05
With Automation
Using automation, you'll be able to investigate 100% of the alerts you receive from detection systems, using 5% of the cost of hiring 59 analysts.
ANNUAL AUTOMATION COST: $504,333.00
ANNUAL STAFF COST: $1,020,000.00
COST PER INVESTIGATED ALERT: $4.69
Why Hexadite AIRS
• Threat Intelligence Cloud
• Cross-platform collection and remediation
• Visualization framework
• Utilizing your ecosystem
• Time to value (days)
What Customers Get
Increased Capacity
• Respond at the speed of automation
• Investigate and remediate all alerts automatically
• Free up critical resources to work on strategic initiatives
Lower Costs
• Takes away manual, repetitive tasks
• Automated remediation eliminates downtime
• Retain tier 1 and 2 analysts
Immediate ROI
• Get the full value of detection systems and people
• Up and running in hours, results are instant
• Stronger overall security
Thank You!

Editor's Notes

  • #5: At the center of our philosophy is this: Hexadite’s goal is to help organizations go from alert to remediation in minutes at scale. As a post-detection tool, whenever a detection system kicks off alerts about potential threats, we want to investigate, decide, and take action as quickly as possible, simultaneously, at enterprise scale.
====================================================
Slide Purpose: In one sentence, tell {Company} our value proposition.
Slide Goal: Get the prospect thinking about how valuable it would be if they were able to perform investigations and remediation actions automatically without man hours.
Questions: If you were able to automatically investigate every alert from all your detection systems, how valuable would it be for you? Out of curiosity: do you know how long it takes on average from the time an alert is received to the time your team starts investigating? On average, our customers usually say it takes between an hour and a week. It’s a large range.
  • #6: In the next few slides we’ll take a look at some of the Incident Response Challenges we’re seeing with our customers.
====================================================
Slide Purpose: Introduce what we’re seeing from our customers.
Slide Goal: Demonstrate that we understand the business problem.
Questions: N/A
  • #7: When we talk to our customers, we hear about the same challenges over and over, and we can divide them into three buckets:
People – With 1 million unfilled cybersecurity jobs causing a cyber skills gap, companies see a huge variance in their team’s skills. We often hear them ask: How can I attract, train, and retain tier 1 and 2 analysts? When it comes to retention, there was just a study (http://ubm.io/2dH923N) that showed 50% of cybersecurity professionals get approached by a recruiter at least once a week. When it comes to training, a funny story: we were just talking with a grocery store chain, and the CISO told us that he can’t find experienced security candidates within his budget, so he pulls cashiers off the checkout line to become security staff. So he solved one part of the problem, but he’s now spending more on training inexperienced staff to do the job. How can I hire enough people with rising costs and the same budget? – A recent piece on ComputerWeekly showed that cybersecurity salaries have gone up 14% just in the last year. Q: Has your security budget increased at the same rate?
Process – The time it takes to investigate an alert and remediate it is too long. We see process as the connection between people and technology, and even with a decent-sized staff, security professionals often spend more time on things like emails, meetings, trouble tickets, seeking approval, getting access, reporting and audits. When you look at the time spent, you’ll see that the majority of the time isn’t actually spent doing security. How can I investigate better and faster in an ever-changing environment? How much of your time is spent just keeping up rather than progressing? How do I reduce human error when people are always at 100% capacity? Q: Most of our customers haven’t updated their policies and procedures in quite some time. I’m curious: how often do you update your security policy?
Technology – We constantly hear that customers have a patchwork collection of security products, with some customers having over 90 tools at any one time. And those tools are creating too many alerts to handle. Our customers ask: How do I enable the business and get the most out of my existing security investments? We’ve seen from customers that they only investigate their high-fidelity alerts; for example, they don’t do further investigation on their AV alerts. Is that true in your environment? Q: {SE Name} – Do you remember the example we had with a customer related to McAfee ePO? A good example of business enablement comes from another customer, Bloomberg BNA. They need to access Tor and WikiLeaks to do their jobs, but there are some sites they visit known to be malicious. The security team could have said you can’t visit this site. Instead, they use Hexadite AIRS to do an investigation after anyone visits a site that could be malicious. How do I know that everything is being investigated? We see the majority of our customers who can’t handle their alert volume tuning down their detection systems and prioritizing alerts. When they knew they couldn’t follow up, prioritization was the only solution. But prioritization is just a conscious decision about what you’re going to ignore. Once you have the ability to investigate everything, you no longer need to prioritize. Q: Have you tuned your detection systems to match your capacity?
====================================================
Slide Purpose: Demonstrate that we understand the problems they face.
Slide Goal: Determine whether {Company} has the same challenges we see at customers in order to understand whether we’d be a fit.
Questions: Which do you see as the biggest challenges at Rolex? Any good war stories?
Relevant Examples: We see a lot of our customers that have invested in security solutions but they’re not getting the full value of those tools because they’re totally overwhelmed. A good example was a customer that was constantly getting hit by CryptoLocker. They went into McAfee ePO and created a rule that raised an alert any time a DLL was created that also created an .html file. The only problem was they got so many alerts they just turned it off.
  • #8: All these challenges lead to the problem: customers have too many alerts with too few resources. We recently commissioned a survey with research firm ESG, which found that 55% of companies get more than 5,000 alerts per month. A full 85% of companies see more than 1,000 alerts per month. When you see these kinds of numbers, you have to ask what’s being missed. Q: Looking at these buckets, where do you fit in terms of alert volume?
If you look at what one cyber analyst can handle in a day, you’ll see that one analyst can handle roughly 10 alerts per day, one at a time. Doing the quick math, that’s 300 per month, so you’d need 50 analysts working 7 days a week to handle current alert volume. {Situationally dependent: I’m guessing you don’t have 50 analysts} Q: Help me understand what your SOC looks like (# of analysts, how it’s divided by tiers)? Does that 10 alert per day number match what you’re seeing at Rolex? What happens if you have {# of analysts}+1 alerts? [If they ask about the 10 number, explain that it’s a blended average between tier 1, 2, and 3 analysts that we’ve seen at our customers. Tier 1 can do more, but they’re mainly triaging alerts. The higher up the chain, the fewer the alerts they can actually investigate.]
Finally, when we talk with our customers, these are the big three metrics that they want to be able to measure:
Mean time to alert – How long does the alert sit there before someone takes action on it?
Mean time to investigation – How long does it take from the alert being received until an investigation starts? Then, how long is the investigation duration?
Mean time to remediation – What is the full process duration from the alert through the investigation, all the way to remediation action?
Q: Do you have good metrics on what you’re currently seeing for mean time to alert, investigate, or remediate? We’re seeing a huge range from hours to weeks, and we’ll show you how that can change dramatically.
====================================================
Slide Purpose: Show that {Company} isn’t alone in the challenges they face.
Slide Goal: Get {Company} to talk about their capacity challenges, and establish Hexadite as experts.
Questions: Looking at these buckets, where do you fit in terms of alert volume? Does that 10 alert per day number match what you’re seeing at Rolex? Do you have good metrics on what you’re currently seeing for mean time to alert, investigate, or remediate?
  • #9: Let’s show you our approach.
====================================================
Slide Purpose: Introduce the next part of the presentation.
Slide Goal: Transition
Leading Questions: N/A
  • #10: At a very high level, this is the Hexadite approach, and the idea is to do exactly what a cyber analyst would do, at machine speed. Hexadite AIRS connects to any detection system that can produce an alert, and starts querying data from relevant data sources (SIEM, log repositories, network appliances, and even your endpoints) to start an investigation. This isn’t a big data solution and is very lightweight. The system then compares the information against our threat intelligence cloud, determines whether a threat is known good, known bad, or unknown, and makes a decision about what action to take. Hexadite AIRS can quarantine a file, terminate a process, add a firewall block rule, and perform dozens of other remediation actions. The system can either execute remediation actions automatically without human intervention, or in semi-automated mode requiring approval. Before moving on, what are you currently using for a SIEM or EDR tool?
====================================================
Slide Purpose: Show our step-by-step approach to automation and orchestration.
Slide Goal: Walk {Company} through what they’re about to see in the demo, breaking down the steps.
Questions: Is your current process similar to this? Anything different?
  • #11: A good example is Nuance Communications, a market leader in changing the ways people interact with technology. Since they are all about AI, they want to be innovative about their approach to cybersecurity.
Challenges
People: Before automation, they were spending a lot of time, man hours, and costs on dispatching IT techs to deal with security incidents. This not only took away from the ability to drive value to the business, but it was an unattainable business model to scale with people.
Process: At remote offices, Nuance doesn’t have dedicated security staff, so whenever a machine was infected, they would ship it to headquarters to be re-imaged. That led to productivity loss.
Technology: Nuance’s CISO said “It’s easy to end up in a cycle where one buys more tools, gets more alerts and, despite working hard to correlate those alerts, still find the volume of resulting actions staggering. Companies need to find ways to break this cycle or turn down the volume of alerts, as there will never be enough staff bandwidth to properly process every alert.”
Requirements: Nuance had 2 requirements: First, the product must be a force multiplier for efficiency, and not give someone else more work to do. Secondly, the tool must automate what is currently being done by people.
RESULTS
From Nuance’s CISO: “When we first saw the technology from Hexadite, it seemed too good to be true. We tried the product, and it all came true—it solved our problems and greatly reduced costs.”
People – Nuance is seeing a 95% automation rate for actionable alerts, letting people drive value to the business.
Process – Rather than pulling machines from being used, shipping, and then re-imaging from around the world, they no longer have disruption. Instead, they let Hexadite AIRS investigate and remediate automatically.
Technology – Nuance continues to add new use cases, letting their existing tools send alerts to Hexadite AIRS.
====================================================
Slide Purpose: Tell the customer’s story.
Slide Goal: Get the prospect to identify with the challenges and seek the same results.
Questions: Are you performing re-imaging as part of your IR process? If so, are you aware of the cost of re-imaging each machine? We see between $400-$800 in downtime and the cost of IT time at our customers.
  • #12: IDT is a publicly traded telecommunications company with 16,000 endpoints.
Challenges
People: Their team was bogged down investigating what they knew to be a high rate of false positives. The problem is that if 80% of alerts are actually benign, which are the 80 and which are the 20? If you don’t know, you have to follow up on everything.
Process: IDT tried to build their own automation scripts, but found it unmanageable.
Technology: IDT had a SIEM, but it took about 15 minutes to get a correlated alert. Too slow. That’s a lifetime.
Requirements: They wanted something that wasn’t persistent on the endpoint, could be rolled out quickly and scale without effort.
RESULTS
From IDT’s Global CISO: “Hexadite was able to go in right away, give us results and help me solve my security problems.”
People – Rather than having people spend all their time on work that is repetitive, they were able to let people focus on what people will always do better than machines.
Process – IDT replaced their own scripts with full automation and a product off the shelf.
Technology – IDT is now able to investigate all alerts in less time than it took to get an alert before.
====================================================
Slide Purpose: Tell the customer’s story.
Slide Goal: Get the prospect to identify with the challenges and seek the same results.
Questions: Have you done any scripting yourself to try to automate manual security tasks? If yes, how do you manage and maintain them?
  • #13: Now let’s look at another customer who asked to remain anonymous. The customer receives between 850 and 1,000 alerts per day. They have 6 full-time analysts on staff with an average annual salary of $170K. They’re a highly sophisticated team and can investigate about 15 alerts per day on average.
Given those inputs, we can see that:
They spend $1 million+ annually to investigate just 10% of their alerts.
That equates to paying $44.97 for every alert they investigate.
If they wanted to get to 100% of alerts investigated by hiring more people:
They would need 59 analysts,
which would cost more than $10 million per year,
adding up to just over $31 per investigated alert.
Instead, if they moved to automation, they would be able to investigate all alerts. Using a ballpark figure of automation costing 10% of what it would cost to hire enough analysts:
The cost of automation would be just over $500,000.
Adding the cost of the analysts they already have ($1 million+) to the cost of automation, they would drop the cost per investigated alert to $4.69.
====================================================
Slide Purpose: Show actual, verifiable value in real numbers.
Slide Goal: Get the prospect to see that the value of the product is easily quantifiable and a no-brainer.
Questions: Do you know any companies that can spend $10 million on a team of analysts? If you’d like to give me your inputs here, I’d be happy to send you the results anonymously.
  • #14: So why should I buy Hexadite AIRS (Why Hexadite?)?
Hexadite Threat Intelligence Cloud – With the Hexadite AIRS solution you get access to Hexadite’s Threat Intelligence Cloud. We provide our own threat intel cloud, a framework used to determine whether an entity is good or bad. It has a lot of our own logic as well as integrations with market-leading solutions. We can determine if something is known good (for example, based on a certificate or a whitelist provider like NSRL, the Microsoft MSDN library, etc.), known bad (multi-AV solutions like our own HexaAV, VirusTotal, Meta-Scan and a wide array of other open-source intel), or, if it’s unknown, analyze it with our custom-made logic.
Q: Do you have your own threat intelligence?
Q: How much are you paying for your threat intelligence?
Advanced cross-platform endpoint collection and remediation capabilities – Hexadite’s unique probe is purpose-built for IR and gives our system more granular control over the data being collected as well as the remediation being performed. It also provides greater agility, since new features can be added quickly thanks to its non-persistent nature. The probe’s advantages are also highlighted during remediation, where EDRs can be limited, often focusing on containment rather than addressing the root cause. Namely, the probe has direct file system and memory access, so it can do things like close file handles, delete parts of memory and quarantine locked files. For this reason, plus its small footprint and seamless operation, even those Hexadite customers that have an EDR choose to use the probe. The probe supports Windows, Mac OS X and Linux.
Hexadite Visualization Framework – Hexadite’s Visualization Framework gives the analyst comfortable and insightful access to investigated entities and easy pivoting between all connected entities. Hexadite AIRS was built for incident responders by incident responders, so the goal was to make the life of the SOC analyst/IR easier, and the Visualization Framework is how we did it.
Get the most value out of your ecosystem – Organizations have spent time and effort integrating different cybersecurity solutions with each other: EDR solutions, log repositories, SIEM solutions, advanced malware detection, etc. Hexadite’s approach is best-of-breed: leverage what the organization has already implemented to maximize the overall value.
Out-of-the-box investigation and remediation logic; time to value (days) – Hexadite AIRS is offered as a turn-key solution. The goal is to give the customer a fast time to value, which is done by providing advanced investigation and remediation logic so the customer doesn’t need to codify their own.
====================================================
Slide Purpose: Recap the product value.
Slide Goal: A few bullet points the customer can use to justify buying Hexadite AIRS. We would also like to put them out there so the customer can use them later when comparing value with our competitors.
Questions:
  • #15: So what do customers get?
Increased capacity – By automating the investigation function, they’re effectively adding a team of analysts working 24x7.
Lower costs – Customers immediately drive down the cost per investigation and remediation, investigating every cyber alert in minutes at scale. What’s also important to note is that our customers are able to retain their tier 1 and tier 2 analysts by giving them more interesting and important work: things that humans will always do better than machines.
Immediate ROI – Rather than ignoring their low-fidelity alerts to match capacity, customers are able to get the full value of their detection systems and people, and they can be up and running in hours or days, not weeks and months.
====================================================
Slide Purpose: Recap the value.
Slide Goal: Push the prospect to see that this is a need-to-have now rather than a nice-to-have later.
Questions:
  • #16: It’s easy to talk about the soft benefits, but we take it one step further and actually show the ROI in real time within the product.
====================================================
Slide Purpose: Show that ROI is immediately and always available right in the UI.
Slide Goal: Show how they can quantify the value within the product.
Questions: Do your other security tools provide this kind of information? If they say no: Wouldn’t this information be valuable to you? If they say yes: Which tools?
  • #17:
====================================================
Slide Purpose:
Slide Goal:
Leading Questions: