The latest FireEye Helix release (2020.1) marks a milestone for our security platform. It features the debut of OS change reports from appliances, deeper FireEye Endpoint Security integration, advanced FireEye Email Security reporting and so much more. But perhaps the most exciting capabilities introduced in 2020.1 are aggregated risk scoring and entity-based alert correlation.
Aggregated Risk Scoring
A new way for customers to assess, size and scope threats in their environments—and to respond to those threats—is through aggregated risk scoring.
Threats are correlated using Helix rules, intelligence matching, and analytics. Alerts with entities are grouped by entity, total risk is assessed by Helix, and a risk score is assigned to each entity (see Figure 1). This simplifies and streamlines the approach to addressing alerts and risks. Users can simply click an entity to view its detections, click an alert, and then immediately triage and close the alert.
Figure 1: Entity dashboards present a prioritized table of entities and risk scores, as well as pivots to view entity profiles, to identify the highest risk user and host entities
Entity-Based Alert Correlation
A native security detection and analytics module within the Helix platform, entity-based alert correlation applies machine learning to determine a normal behavior baseline. Helix can then alert on risky deviations from the baseline that may suggest insider threats, lateral movement, or attacks at the end of the cyber kill chain. This capability expands on the myriad advanced detection and analytics capabilities already being offered by Helix today.
Entity-based alert correlation applies advanced detection and analytics, allowing security teams to:
- Identify profiles of users and entities tracked by Helix to highlight potential threats
- Correlate views on entities and alerts
- Capture detections by asset type and assign an appropriate severity and risk score
With the increased visibility provided by entity-based alert correlation and aggregated risk scoring (as well as the many other updates featured in 2020.1), Helix customers can go beyond alerts, analyzing their environments through the lens of the users and the entities.