In the virtual arms race, attack tools and techniques get shared among a wide range of actors with different motivations. Today's zero-day attack is tomorrow's commoditized tool that can be deployed by a 'script kiddie.' From a defender's perspective, detecting these attacks can be challenging, but it is half the battle – action still needs to be taken in order to neutralize the attacker. Protection needs to be deployed rapidly and with minimal impact. KEYW has taken technology it acquired from Sensage and combined it with its own military intelligence expertise to form Hexis Cyber Solutions and its HawkEye family of products, which it believes can not only detect threats in real time, but can also offer immediate active defense capabilities. The company believes HawkEye has the potential to evolve at the same rate as the threat landscape.
The 451 Take We've seen SIEMs bought out before and pulled into a broad portfolio of the acquirer, and we assumed Sensage would resurface as an offering within the KEYW product range. However, KEYW appears to have had a master plan brewing to target enterprises. Hexis Cyber Solutions gives the appropriate focus to its new offerings and demonstrates its commitment to the enterprise sector. Additionally, while we've witnessed a number of vendors ditching prevention in favor of pure detection, Hexis is looking to complete the circle by undertaking remediation too. This move should grab the attention of not just threat-detection providers, but also anti-malware vendors.
KEYW has been on a strategic mission since around 2011. The company has deep technical expertise acquired from years of serving the US military intelligence community, but had ambitions to develop technology that could be deployed within enterprises and would be capable of detecting threats, in addition to a countermeasures package that could mitigate or remove threats automatically without human intervention.
To serve this purpose, in October 2012 KEYW acquired Sensage, which provided 'big data' security analytical capabilities and experience in commercial operations. Other acquisitions in 2012 included technologies acquired from Rsignia and Dilijent Solutions.
After a development period, the company made some significant hires, including Chris Fedde and Daniel Kuczkowski. Fedde is the former CEO of SafeNet; Kuczkowski was previously sales group VP for Oracle.
In July KEYW announced the formation of Hexis Cyber Solutions as a technology subsidiary led by President Chris Fedde. Its head office is in Hanover, Maryland, but product management and database development teams will primarily reside in San Mateo, California.
Hexis Cyber Solutions launched with its HawkEye family of products. This family includes HawkEye G, an active defense grid for countering threats, and HawkEye AP, an analytics platform (formerly the Sensage event data warehouse) for applications such as log management, call detail record, and risk and compliance applications.
The company's HawkEye G product is an active defense technology that can detect, investigate, remediate and remove threats within the network before they can compromise sensitive data. Although some may equate active defense with 'hacking back,' Hexis defines active defense more closely to how intelligence departments would, as in taking action 'within' the enterprise environment against an adversary. The methodology begins by detecting threats that may have a very small footprint by analyzing large quantities of data spanning months and combining this historic data with real-time correlation capabilities. Once a suspected malicious activity has been detected, HawkEye G engages the threat by gathering further information. This can involve pushing nonpersistent software to an endpoint in order to conduct a forensic scan of the device. Once a threat is positively identified, HawkEye G establishes a progressive strategy to engage and remove the threat, which can be automated or manually executed. The company refers to this process as 'full spectrum threat remediation,' which means containment, isolation, observation, investigation and removal. This differentiates the remediation concept from traditional methods that would typically quarantine infected files.
HawkEye AP, the analytics platform, is the advanced SIEM offering that was formerly a Sensage offering. It is positioned very much as a big-data security analytics warehouse, allowing agentless collection of any event with a timestamp. It claims an open architecture that is capable of interfacing with a variety of technologies, such as endpoints, network systems, storage, mobile products, other SIEMs, etc.
All of the data can be stored in its native form rather than metadata, an aggregation or a normalized form, thus maintaining the integrity of data for future use. HawkEye AP also claims to offer the ability to access terabytes of event data in real-time, allowing users to perform correlations and contextual investigations against this data over time. This includes looking for anomalies in behavior relating to user, network, host and log file analysis.
Hexis says that the use cases for the products do not end here. Due to the vast amount of information HawkEye collates about the environment, users can query the system for information not directly related to security, such as which users have a certain application installed, or to assist in standardizing software across the enterprise.
The HawkEye products cross over several areas of competition. The big-data security analytics side of the product will draw in competition from the likes of Boeing-owned Narus, BAE Systems-owned Detica (CyberReveal) and Red Lambda.
On the SIEM side, vendors such as LogRhythm, Hewlett-Packard (ArcSight), IBM (Q1 Labs), McAfee (NitroSecurity), RSA (enVision), Splunk, NetIQ (Sentinel), Trustwave, EventTracker and eIQnetworks will be compared with HawkEye AP. With its detection capabilities, we could see some overlap with anomaly-detection or network-monitoring providers such as RSA's NetWitness, Blue Coat Systems (Solera Networks) or AccessData Group.
However, while we've seen a trend of companies such as RSA ditching prevention in favor of detection, Hexis has adopted the approach of not only detecting threats, but also remediating and removing them where possible. This will put the company up against the likes of FireEye, Sourcefire, Damballa, Palo Alto Networks, Norman Shark, ThreatTrack Security or any company that provides a degree of malware detection and removal.
It's still early for Hexis, but it has the backing of KEYW and has built out a very well-rounded offering that goes beyond detection and provides remediation. If the product can perform as well as the company believes it can, it could cause other vendors to reconsider whether detection really is enough.
New offerings in the market lack any credible reference or case studies to back up their effectiveness, and the impact of big-data security analytics and preventive measures aren't easily gauged. Hexis may need to build up some reference customers before it can truly demonstrate its value.
A big-data platform has many uses, and although Hexis is selling its technology as a security product,we can envisage users utilizing the data and intelligence of the platform to extend its uses beyond security into more operational areas.
There are several vendors in this increasingly crowded space, many of which have had a chance to sink their hooks into sizeable market shares. Prying them off and capturing market share for itself may provide an uphill challenge for Hexis.
Reproduced by permission of The 451 Group; © 2013. This report was originally published within 451 Research's Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: www.451research.com