HEMLOCK methodology - Identify security threats faster

The security analytics framework and how it makes analysts more methodical in their approach leading to better/faster threat identification. 


It seems that cyber threats are everywhere these days, and protection from these threats relies upon more than just the collection of data—it depends on the collection, correlation, and interpretation of data from numerous sources. With threats that utilize multiple attack surfaces over longer periods of time, it’s especially true. We need a security analytics framework that allows better and faster threat identification.


HEMLOCK.pngJim Goddard, Managing Principal, Security Intelligence and Operations Consulting, HP Enterprise Security, created a new whitepaper, to explain how HP uses a method of analysis termed the HEMLOCK framework. This is modeled from Richard J. Heuer’s seminal paper titled, “Psychology of Intelligence Analysis” and is used to train analysts on how to properly interpret notable security events. The framework relies upon a hypothesis-driven approach and allows organizations to achieve a higher degree of assurance that they are able to pinpoint true security breaches.


“SIEM technology is great at detecting potential threats, but at the end of the day, analysts still need to interpret the output and understand the extent of a compromise.  There is no substitute for effective human analytics, ” states Goddard. “We have used the HEMLOCK process to train analysts across numerous SOCs.  I like to think of HEMLOCK as a framework for creative analysis, but with enough boundaries to force logic and get to a consistent result.  The framework also helps eliminate human cognitive bias.”


To learn more about HEMLOCK, read the whitepaper, “Identify Threats Faster.”

Tags: HP| security
Labels: Hemlock| HP| security| SIEM
Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.