Latest Helix Release Features Entity-Based Alert Correlation and Aggregated Risk Scoring

The latest FireEye Helix release (2020.1) marks a milestone for our
security platform. It features the debut of OS change reports from
appliances, deeper FireEye Endpoint Security integration, advanced
FireEye Email Security reporting and so much more. But perhaps the
most exciting capabilities introduced in 2020.1 are aggregated risk
scoring and entity-based alert correlation.

Aggregated Risk Scoring

A new way for customers to assess, size and scope threats in their
environments—and to respond to those threats—is through aggregated
risk scoring.

Threats are correlated using Helix rules, intelligence matching, and
analytics. Alerts with entities are grouped by entity, total risk is
assessed by Helix, and a risk score is assigned to each entity (see
Figure 1). This simplifies and streamlines the approach to addressing
alerts and risks. Users can simply click an entity to view its
detections, click an alert, and then immediately triage and close the alert.

Figure 1: Entity dashboards present a
prioritized table of entities and risk scores, as well as pivots to
view entity profiles, to identify the highest risk user and host entities

Entity-Based Alert Correlation

A native security detection and analytics module within the Helix
platform, entity-based alert correlation applies machine learning to
determine a normal behavior baseline. Helix can then alert on risky
deviations from the baseline that may suggest insider threats, lateral
movement, or attacks at the end of the cyber kill chain. This
capability expands on the myriad advanced detection and analytics
capabilities already being offered by Helix today.

Entity-based alert correlation applies advanced detection and
analytics, allowing security teams to:

  • Identify profiles of users and entities tracked by Helix to
    highlight potential threats
  • Correlate views on entities and
  • Capture detections by asset type and assign an
    appropriate severity and risk score
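To make the two mechanisms described above concrete, here is an added, self-contained Python example (it is not Helix code, and the scoring formula, thresholds, alert fields and sample data are all constructed assumptions, not FireEye's). It first derives an analytics alert from a deviation against a per-entity behavioural baseline, then groups every alert by the user or host it concerns and rolls the alerts up into one risk score per entity so that entities can be ranked for triage:

```python
"""Constructed example: per-entity baseline deviation plus entity-level risk
aggregation. Not the Helix implementation; weights and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed severity weights (constructed, not Helix's values).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
CORROBORATION_BONUS = 1.5   # applied when 2+ distinct detection sources agree
MAX_SCORE = 100.0
Z_THRESHOLD = 3.0           # standard deviations from the baseline mean


@dataclass(frozen=True)
class Alert:
    alert_id: str
    entity: str        # user or host the alert is about
    entity_type: str   # "user" or "host"
    severity: str      # key of SEVERITY_WEIGHT
    source: str        # "rule", "intel" or "analytics"


# Constructed sample alerts from three detection sources.
ALERTS = [
    Alert("A1", "alice", "user", "medium", "rule"),
    Alert("A2", "alice", "user", "high", "intel"),
    Alert("A3", "web-01", "host", "low", "rule"),
    Alert("A4", "web-01", "host", "low", "rule"),
    Alert("A5", "bob", "user", "critical", "analytics"),
]


def is_anomalous(baseline, observed, z_threshold=Z_THRESHOLD):
    """Flag an observation that sits more than z_threshold standard
    deviations above the entity's historical baseline.  A flat baseline
    (zero deviation) treats any increase as anomalous."""
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        return observed > mu
    return (observed - mu) / sigma > z_threshold


def baseline_alert(alert_id, entity, entity_type, baseline, observed):
    """Turn a baseline deviation into an analytics alert, or None if normal."""
    if not is_anomalous(baseline, observed):
        return None
    return Alert(alert_id, entity, entity_type, "high", "analytics")


def entity_risk(alerts):
    """Group alerts by entity and aggregate them into one risk score each.
    Score = sum of severity weights, boosted when independent detection
    sources corroborate each other, capped at MAX_SCORE."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert.entity].append(alert)

    scores = {}
    for entity, group in grouped.items():
        total = sum(SEVERITY_WEIGHT[a.severity] for a in group)
        if len({a.source for a in group}) >= 2:
            total *= CORROBORATION_BONUS
        scores[entity] = min(float(total), MAX_SCORE)
    return scores


def rank_entities(alerts):
    """Return (entity, score) pairs, highest risk first, for the triage table."""
    return sorted(entity_risk(alerts).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Constructed baseline: alice's daily logins over a week, then a spike.
    logins_last_week = [5, 6, 5, 7, 6, 5, 6]
    extra = baseline_alert("A6", "alice", "user", logins_last_week, observed=40)
    all_alerts = ALERTS + ([extra] if extra else [])
    for entity, score in rank_entities(all_alerts):
        print(f"{entity:8} risk={score:5.1f}")
```

In this model a single critical alert on `bob` scores lower than two corroborated medium/high alerts on `alice`, which is the kind of prioritisation an entity dashboard is meant to surface; the weights and the corroboration bonus are the knobs a team would tune against its own alert volume.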

With the increased visibility provided by entity-based alert
correlation and aggregated risk scoring (as well as the many other
updates featured in 2020.1), Helix customers can go beyond alerts,
analyzing their environments through the lens of the users and the entities.

We are very excited to see the release of these new capabilities.
Check out FireEye Helix for more information, and learn even more by
taking a tour of Helix.