The process of investigating cyber alerts has traditionally taken the form of a linear, checkbox-oriented playbook. The approach is similar to providing a recipe to follow: give a cyber analyst a list of actions to perform, and when the list is complete the job is done.
However, a linear approach to cybersecurity incident response addresses only the threat currently in front of the analyst. The “incident response cookbook” method ignores previous investigations when new threats appear. With new malicious threats identified every minute, organizations need a feedback loop between newly identified threats and the ability to run new investigations over historic information.
Results Informing New Investigations
With Hexadite AIRS, the result of one investigation can kick off multiple, parallel investigations. For example, an investigation can uncover malware on one endpoint that is communicating with a known malicious IP address. Hexadite AIRS will immediately launch parallel investigations, looking for any other endpoints with connections to the IP address.
When Hexadite AIRS incriminates a file or process that was previously determined to be benign, the system automatically investigates and remediates endpoints with the malicious entity present.
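The pivot loop described in this section, as an added illustration (not Hexadite's code): an incriminated indicator is searched across all endpoints, each match incriminates the counterpart it was observed with, and a later reclassification of a previously benign file re-runs the search over the same historic telemetry. The endpoint names, hashes and IPs are constructed sample data.

```python
from collections import deque

# Constructed sample telemetry, not real data: per endpoint, the
# (process_hash, remote_ip) pairs recorded in its connection log.
TELEMETRY = {
    "host-a": {("hash-aaa", "203.0.113.5"), ("hash-bbb", "198.51.100.7")},
    "host-b": {("hash-ccc", "203.0.113.5"), ("hash-ddd", "192.0.2.9")},
    "host-c": {("hash-ccc", "192.0.2.10")},
    "host-d": {("hash-eee", "192.0.2.10")},
}


def pivot_investigate(telemetry, seed_iocs, benign=frozenset()):
    """Worklist-driven pivot. Each incriminated indicator (file hash or IP)
    is searched on every endpoint; the counterpart it was seen with on an
    implicated endpoint is incriminated in turn and queued, until the
    worklist drains. Indicators on the benign list are never pivoted on.
    Returns (malicious indicators, {host: indicators that implicated it})."""
    pending = deque(seed_iocs)
    malicious, implicated = set(), {}
    while pending:
        ioc = pending.popleft()
        if ioc in malicious or ioc in benign:
            continue
        malicious.add(ioc)
        for host, conns in telemetry.items():
            for proc_hash, ip in conns:
                if ioc in (proc_hash, ip):
                    implicated.setdefault(host, set()).add(ioc)
                    # the result of this match seeds the next investigation
                    pending.append(ip if ioc == proc_hash else proc_hash)
    return malicious, implicated


def reincriminate(telemetry, prior_malicious, indicator, benign):
    """Feedback loop: an indicator previously judged benign is now malicious,
    so re-run the pivot over the historic telemetry with it as a new seed."""
    return pivot_investigate(telemetry, set(prior_malicious) | {indicator},
                             frozenset(benign) - {indicator})


if __name__ == "__main__":
    # First pass: hash-ccc is still on the benign list, so host-c/host-d stay clean.
    mal, hosts = pivot_investigate(TELEMETRY, {"hash-aaa"}, frozenset({"hash-ccc"}))
    print("first pass:", sorted(hosts))
    # hash-ccc is later incriminated; the same telemetry now implicates all four hosts.
    mal2, hosts2 = reincriminate(TELEMETRY, mal, "hash-ccc", {"hash-ccc"})
    print("after reclassification:", sorted(hosts2))
```

Note that unrelated indicators on an implicated host (hash-ddd and 192.0.2.9 on host-b) are never incriminated, because the pivot only follows links that involve an already incriminated indicator.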
Attacks Move and Morph Quickly
When Hexadite AIRS identifies malware, a CNC connection, ransomware, or any other threat, it assumes that the single instance on one endpoint isn’t the extent of the attack. Instead, Hexadite AIRS looks for lateral movement, other machines exhibiting suspicious behavior, and rigorously investigates all systems to understand the full extent of the threat.