This week I spoke to Eran Barak, the cofounder and CEO of Hexadite. Hexadite, like Resilient Systems (see my interview with its cofounder and CEO John Bruce), operates in the emerging incident response market. Hexadite’s unique selling point is automation: because the product performs many of the time-intensive tasks involved in responding to incidents, such as collecting and analyzing data, companies can respond to incidents more quickly and with fewer analysts. Hexadite is used by companies such as telecom and payments provider IDT, whose CSO described how he uses it in the Wall Street Journal. In the interview below, Eran and I discuss the tasks that Hexadite automates and how it differs from the competition.
Could you talk a little bit about your background and how you came to start Hexadite?
Before Hexadite I worked in both the private and the public sectors, including serving in the Intelligence Corps of the Israel Defense Forces. Directly prior to Hexadite I ran the Cyber Training and Simulation team at Elbit Systems, the 29th biggest defense contractor worldwide. There, we established all of the cybersecurity training systems that Elbit sold to the public and private sectors, and trained hundreds of analysts. After training all of these analysts, we began to see the gap between detection and resolution and recognized that we needed an automation tool to respond to incidents once we identified them. As a result, we established Hexadite, which now has 20 employees. We’re based in the U.S. and we have an R&D center in Israel.
What are the actual steps that Hexadite takes when it identifies an incident?
Since starting almost two years ago, we have developed a huge library of automated actions to take to respond to incidents. An action can mean anything from collecting, analyzing or resolving data surrounding an incident, to automatically performing the investigation and resolution.
When the system receives an alert from any detection solution, it finds the device that triggered the alert, hits the log repository, and then investigates that device. Our solution integrates with any detection solution, from basic antivirus to next-gen detection solutions, so that everything that a cyber analyst would typically do manually, the system will do automatically and at scale. Based on all of this data, the system decides whether the threat is real and then, depending on whether you are using the semi-automated or the fully-automated mode, the system will resolve threats by itself. The system can quarantine files, terminate processes, close a connection to an unknown IP and provide other forms of resolution.
What are your future plans for your product?
In incident response there are two angles. One is where companies provide incident response workflows without the necessary logic and know-how, and the other is our angle, where the product does the work for you. This includes performing the investigation and resolution, adding the logic and the know-how out of the box. What we have developed is a solution that will understand that something has happened, it will then analyze the best course of action (investigation) and based on that will act (resolve) accordingly.
As for future plans we are working on extending our analysis engine and investigation logic, as well as on integrating with more security solutions. In addition, we are working on connecting to ticketing systems to provide a more comprehensive solution for our customers.
There are a few other companies like Resilient Systems and DFLabs that focus on incident response. Do they fall into that first category of companies that provide incident response workflows?
Both companies are more focused on providing workflows than automation. With their products, you still need a team of specialized cyber analysts, because the products don’t do the investigative work for you. Our product allows teams to shift their resources to focus on other activities, effectively multiplying your workforce and demonstrating a clear ROI right off the bat. Additionally, the employees that remain don’t need the same amount of specialized training, because our product completes the investigation and resolution process for you.
How do companies that don’t have a product like yours respond to incidents?
It depends on the size. Big organizations have cyber incident response teams and SOC teams and many of them have written some basic scripts for incident response. The smaller companies often just ignore many of the alerts because many of them are false positives. Problems arise when a true incident comes along.
You mentioned that you help determine whether incidents are real. Are you worried about providing false positives?
False positives are more of an issue for detection solutions. They represent less than a quarter of one percent, but that’s worth explaining. It is incredibly rare that we’ll identify a file or process as being malicious when it is not. Because we’re using a combination of our own proprietary algorithms with the best tools commercially available, we’re able to identify both known and previously unknown threats with great accuracy. There are occasions, however, where we’ll investigate a file or process that has all indications of being malicious, but the file or process is something custom to the customer. In that case we can allow the customer to create a whitelist entry to ensure that the exception doesn’t result in a false positive going forward.
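The two answers above describe the same loop from both ends: an alert comes in, the device’s own log events are pulled and scored, the verdict is turned into quarantine/terminate/block actions gated by semi- or fully-automated mode, and a customer allowlist exists so an in-house tool that looks malicious is not resolved as a false positive. As an added illustration, not Hexadite’s code and not a description of its internal logic, here is a toy version of that pipeline. The scoring weights, the threshold, the internal address ranges, and the sample alert and log lines are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
import ipaddress

# Everything below is constructed for this example: hashes, hosts, IPs and
# log lines are placeholders, not data from any product or customer.
KNOWN_BAD_HASHES = {
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Assumed customer-internal ranges; anything outside them counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
MALICIOUS_THRESHOLD = 50  # assumed cut-off for "the threat is real"

SAMPLE_ALERT = {
    "source": "edr",
    "host": "ws-0231",
    "pid": 4120,
    "process": "updater.exe",
    "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
}

# (host, pid, event type, detail) as a log repository might return them.
SAMPLE_LOGS = [
    ("ws-0231", 4120, "process_start", "parent=winword.exe"),
    ("ws-0231", 4120, "net_connect", "203.0.113.45:443"),
    ("ws-0231", 4120, "net_connect", "10.20.3.8:445"),
    ("ws-0231", 4120, "file_write", "C:\\Users\\alice\\AppData\\Roaming\\svc.dll"),
    ("ws-0231", 880, "net_connect", "10.20.3.8:445"),  # another process, ignored
]


@dataclass
class Verdict:
    malicious: bool
    score: int
    reasons: list = field(default_factory=list)
    external_ips: list = field(default_factory=list)


def is_external(ip_str):
    """True when the address is outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def investigate(alert, logs, allowlist=frozenset()):
    """Enrich the alert with the device's own log events and score it.

    An allowlisted hash short-circuits to benign: this is the customer
    exception for in-house tools that look malicious but are not.
    """
    if alert["sha256"] in allowlist:
        return Verdict(False, 0, ["hash on customer allowlist"])
    verdict = Verdict(False, 0)
    if alert["sha256"] in KNOWN_BAD_HASHES:
        verdict.score += 50
        verdict.reasons.append("hash matches known-bad set")
    for host, pid, kind, detail in logs:
        if host != alert["host"] or pid != alert["pid"]:
            continue  # only events for the process that raised the alert
        if kind == "process_start":
            parent = detail.split("=", 1)[1]
            if parent in OFFICE_PARENTS:
                verdict.score += 30
                verdict.reasons.append(f"spawned by {parent}")
        elif kind == "net_connect":
            ip = detail.rsplit(":", 1)[0]
            if is_external(ip):
                verdict.score += 20
                verdict.external_ips.append(ip)
                verdict.reasons.append(f"outbound to external {ip}")
        elif kind == "file_write" and "\\AppData\\" in detail:
            verdict.score += 10
            verdict.reasons.append("wrote into user AppData")
    verdict.malicious = verdict.score >= MALICIOUS_THRESHOLD
    return verdict


def plan_response(alert, verdict, mode="semi"):
    """Map a verdict to response actions.

    Returns (action, target, approved) triples. In "full" mode they are
    approved for immediate execution; in "semi" mode an analyst must approve.
    """
    if not verdict.malicious:
        return []
    actions = [
        ("quarantine_file", alert["sha256"]),
        ("terminate_process", f'{alert["host"]}:{alert["pid"]}'),
    ]
    actions += [("block_connection", ip) for ip in verdict.external_ips]
    approved = mode == "full"
    return [(name, target, approved) for name, target in actions]


if __name__ == "__main__":
    v = investigate(SAMPLE_ALERT, SAMPLE_LOGS)
    print(v)
    for step in plan_response(SAMPLE_ALERT, v, mode="full"):
        print(step)
```

The point of the `mode` flag and the allowlist together is the practitioner’s caveat: in fully automated mode a wrong verdict terminates processes and quarantines files on its own, so an organization that runs custom tooling with malware-like behaviour (self-updating binaries, DLLs dropped into AppData) either runs in semi-automated mode until its allowlist is populated or accepts that the first such incident will be resolved against a legitimate tool.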
You’ve been getting a lot of attention from VCs; why do you think investors are so interested?
I think that part of it is that the incident response space is very new and growing rapidly. When we started two years ago, there was almost no one else doing incident response. Furthermore, people didn’t think that automation in incident response was possible; now they see that it is and they’re very interested. Furthermore, investors can easily understand the ROI from our product. Cyber analysts cost anywhere from $70-150k per year and our product can do the work of many of them.
What gets you interested in a VC?
I think that most of the VCs in the valley are now familiar with Hexadite and we are looking for top tier VCs that can bring a lot of connections in the cybersecurity domain. We want a VC who has made other investments in cybersecurity because there is a steep learning curve in the space and we don’t want them beginning that learning curve with us.
- Cisco’s VP of Corporate Development says that Jasper is the “largest internet of things service platform of scale today.” The transaction is the largest for Cisco since they purchased SourceFire in 2013 for $2.7 billion.
- The firm has now raised $138 million in total. The company, which provides network visualization and intelligence, has just 120 employees.
- Norse’s cofounder responds to allegations that Norse is a “scam.” It will be interesting to see how this unfolds.
- Area 1’s cofounder and CEO compares the experience of today’s CISOs to that of Alice in her quest through Wonderland.
- Due to poor earnings results, Barracuda’s shares have plummeted by two thirds in the past 12 months and are now valued at just $615 million.