Overview

  1. Security Orchestration and Automation: Orchestration, Investigation, Resolution
  2. Agenda and Time Check: About Hexadite; Why Incident Response is Failing Today; Improving IR with Intelligent Automation; Use-Case Review; High Level Architecture and Demo; Q&A; Wrap-Up and Next Steps. (CONFIDENTIAL, Security Orchestration and Automation, hexadite.com)
  3. The Hexadite Mission. Hexadite is changing the way cyber incident response is done with the first security orchestration and automation solution that automatically investigates and resolves all cyber security alerts in minutes instead of weeks.
  4. About Hexadite. Hexadite was founded in 2014 to address the shortcomings of traditional IR. Led by ex-military intelligence IR experts, who have been running SOCs/CIRTs and training cyber analysts in the public and private sector for over a decade. Created to narrow the gap between detection and response and to streamline operations, reducing costs and boosting security. Launched the Hexadite Automated Incident Response Solution (AIRS™) in March 2015. Customers include large-scale organizations in the U.S. and Israel; AIRS™ is being used to protect more than 500K devices around the world.
  5. Why Incident Response is Failing Today:
     - Complex Environment: many different systems to know, manage, and use.
     - Inconsistency of Expertise: difficulty training and retaining Tier 1/2 analysts.
     - Too Many Alerts: companies receive thousands of alerts daily that need to be investigated; 90%+ are benign.
     - Bureaucracy: organizations spend the majority of their time on emails, meetings, trouble tickets, seeking approval, getting access, reporting, audits, etc.
     - Human Lethargy and Error: massive opportunity for error as analysts prioritize, investigate, triage, and remediate.
  6. The Answer: Intelligent Automation. Automated Incident Response Solution (AIRS™).
  7. Seamlessly Works with the Ecosystem. Integrates with existing security solutions: alerts trigger investigations; can proactively query logs/databases.
  8. Antiquated vs. Automated IR (metric: Antiquated IR vs. Automated IR):
     - Mean Time to Initiate: minutes vs. seconds
     - Mean Time to Validate: hours vs. minutes
     - Mean Time to Contain: hours vs. seconds
  9. Some Use Cases:
     - Malicious file was downloaded
     - Malicious was found and removed
     - Malware callback detected (AKA C&C connection)
     - Suspicious host activity
     - Suspicious network activity (e.g. port scanning)
     - Malicious network activity (IPS alert)
     - Compromised indicators and lateral movement investigations (authentication flow)
     - Suspicious phishing email
     - Suspicious activity
     - Honey-pot alert
     - Security solution tampering (e.g. host IDS)
     - Proactive hunting
  10. Connecting the dots… Data sources: Databases, Mail Servers, Servers, SIEM, Network Devices, Firewalls, Endpoints. Transports: HTTPS, Syslog / eMail.
  11. (image-only slide)
  12. Hexadite Demo Scenario. Components: PC1 (Fully Auto), PC2 (Semi Auto); Proxy Logs, Network Logs, Authentication Logs, MS-AD, SIEMs, Detection Systems; Alerts, Proactive Data Collection, Proactive Query & Remediation; Threat Intelligence / Hexadite Threat Intelligence Cloud; Hexadite@org.com.
  13. Example: Malicious File Identified. PC1 is protected by Hexadite AIRS in fully-automated mode; PC2 (user Joesmith@org.com) is protected by Hexadite AIRS in semi-automated mode. Data sources: Auth. Logs, SIEMs, Network Logs, Proxy Logs.
     1. Alert sent to Hexadite AIRS on a malicious file on PC1 automatically launches an investigation.
     2. AIRS investigates PC1 and detects a Trojan.
     3. AIRS automatically remediates the Trojan, removing/stopping all processes and files.
     4. AIRS analyzes the Trojan's behavior, leveraging the Threat Intelligence Cloud.
     5. AIRS takes what it learned about the Trojan and proactively looks for other impacted systems in the environment.
     6. AIRS finds the Trojan on PC2 and initiates an investigation of PC2.
     7. Since PC2 is in semi-automated mode, AIRS sends an email to the admin to get approval to remediate the Trojan.
     8. Once approved, AIRS remediates PC2. Threat fully remediated and contained.
  14. Demo
  15. Thank You!
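The demo scenario on slides 12 and 13 is really a small orchestration playbook: an alert triggers an investigation, remediation is automatic for hosts in fully-automated mode, the indicator learned from the first host drives a proactive hunt across the rest of the fleet, and hosts in semi-automated mode are gated behind an admin approval. The toy orchestrator below, added here as an illustration and not Hexadite's or AIRS's code, models exactly that flow. The host names, the file-hash indicator, the in-memory "approval queue" standing in for the approval email, and the audit trail format are all constructed for the example.

```python
"""Toy model of the fully-automated vs. semi-automated response flow
(added example; not Hexadite/AIRS code). Hosts, the indicator value
and the approval mechanism are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    FULLY_AUTO = "fully-automated"  # remediate without human approval
    SEMI_AUTO = "semi-automated"    # remediate only after admin approval


@dataclass
class Host:
    name: str
    mode: Mode
    files: set                      # hashes of files present on the host
    processes: set = field(default_factory=set)


@dataclass
class Orchestrator:
    hosts: dict
    pending_approvals: list = field(default_factory=list)  # stands in for the approval email
    audit: list = field(default_factory=list)              # ordered record of every action

    def investigate(self, host, indicator):
        """Check whether the learned indicator (a file hash here) is present on the host."""
        found = indicator in host.files
        self.audit.append(f"investigate {host.name}: {'found' if found else 'clean'}")
        return found

    def remediate(self, host, indicator):
        """Remove the file and stop any matching process (slide 13, step 3)."""
        host.files.discard(indicator)
        host.processes.discard(indicator)
        self.audit.append(f"remediate {host.name}")

    def _respond(self, host, indicator):
        """Full-auto hosts are cleaned immediately; semi-auto hosts wait for approval."""
        if host.mode is Mode.FULLY_AUTO:
            self.remediate(host, indicator)
        else:
            self.pending_approvals.append((host.name, indicator))
            self.audit.append(f"approval requested {host.name}")

    def handle_alert(self, host_name, indicator):
        """Alert -> investigate -> respond -> proactive hunt with the learned indicator."""
        host = self.hosts[host_name]
        self.audit.append(f"alert {host_name}")
        if not self.investigate(host, indicator):
            return
        self._respond(host, indicator)
        for other in self.hosts.values():        # look for other impacted systems
            if other is not host and self.investigate(other, indicator):
                self._respond(other, indicator)

    def approve(self, host_name):
        """Admin approval releases the queued remediation for that host."""
        remaining = []
        for name, indicator in self.pending_approvals:
            if name == host_name:
                self.audit.append(f"approved {name}")
                self.remediate(self.hosts[name], indicator)
            else:
                remaining.append((name, indicator))
        self.pending_approvals = remaining

    def infected_hosts(self, indicator):
        return sorted(h.name for h in self.hosts.values() if indicator in h.files)


def run_demo_scenario():
    """Replays the slide-13 story: PC1 full-auto, PC2 semi-auto, PC3 clean (constructed)."""
    trojan = "sha256:CONSTRUCTED_SAMPLE_HASH"   # placeholder indicator, not a real hash
    orch = Orchestrator(hosts={
        "PC1": Host("PC1", Mode.FULLY_AUTO, files={trojan, "sha256:benign"}),
        "PC2": Host("PC2", Mode.SEMI_AUTO, files={trojan}),
        "PC3": Host("PC3", Mode.FULLY_AUTO, files={"sha256:benign"}),
    })
    orch.handle_alert("PC1", trojan)
    after_alert = orch.infected_hosts(trojan)      # PC1 cleaned, PC2 still waiting on approval
    orch.approve("PC2")
    after_approval = orch.infected_hosts(trojan)   # nothing left once the admin approves
    return orch, after_alert, after_approval


if __name__ == "__main__":
    orch, before, after = run_demo_scenario()
    print("\n".join(orch.audit))
    print("infected after alert:", before, "| after approval:", after)
```

The point of the two modes is the audit trail: every remediation on a semi-automated host is preceded by an explicit "approval requested" and "approved" entry, which is the evidence a SOC needs when an automated action on a sensitive system is later questioned.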