Security teams are inundated with increasingly sophisticated phishing, ransomware and other attacks. To combat each new threat, a new tool is deployed that may solve the problem short term, but in the long run just adds another layer of complexity, a new alert source, and needed expertise. The fact that these tools often provide alerts without needed context or prioritization only compounds the issue.
To solve this, many organizations are collecting their threat data into centralized stores or data lakes and using security information and event management (SIEM) and security orchestration, automation and response (SOAR) to sort through the data. While these systems help, without correlation or knowledge of the attacks, they can only do so much.
Security professionals need a systematic approach that unifies the threat information, correlates indicators into alerts, and prioritizes alerts to take corrective action.
Enter FireEye Endpoint Security 5.1 and FireEye Helix
With this release of FireEye Endpoint Security 5.1 and FireEye Helix, security operations are streamlined and contextualized. Helix provides a single unified view for threat detection, investigation and response to uncover threats across attack surfaces. Endpoint Security not only provides protection, detection and response, but also acts as a data collection and streaming source for Helix. Combining Helix and Endpoint Security enables detection, correlation of information, and prioritization of alerts.
Endpoint Security 5.1 builds upon the modular architecture introduced in Endpoint Security 5.0 by easing the management of modules and introducing new modules, providing greater detection to decrease the response time to a new threat. Additionally, Endpoint Security health status can now be displayed in Helix, reporting the health and running status of critical services.
With the prior release, deploying a new module meant Endpoint Security customers had to go to the FireEye Market to download and install the module before activation. Now, there is a new module tab in the Endpoint Security console where customers may choose whichever module they would like to activate and add it to their deployment. When modules become generally available, they will show up on the console (Figure 1) and an admin can deploy them seamlessly without additional steps.
Figure 1: Endpoint Security module availability in the console
Detection and investigation of threats can be centralized with a new Indicators of Compromise (IOC) Streaming module. With IOC Streaming, customers may now stream the metadata they would like back to Helix and store it for as long as needed to fully investigate a potential threat. This allows full threat hunting across multiple endpoints at the same time to ensure a threat is fully remediated.
This streamed data is available to use as part of an investigation that can be visually displayed in Storytime for Helix (Figure 2). Storytime provides a historical view of an alert and all the metadata events of the threat origin. With this view, security responders can trace the attack back to patient zero, find the cause and remediate. Once the threat is fully understood, the indicators can be used to find the footprints of the attack across the entire organization and clean up before the attacker can complete their mission. Streaming modules and Storytime for Helix are supported for Windows, macOS, and Linux endpoints.
Figure 2: Storytime visualization
FireEye customers using both Endpoint Security and Helix now have a powerful platform with detection and response across all endpoints that unifies the threat information, correlates indicators into alerts, and prioritizes alerts to enable security responders take corrective action.