Dell SecureWorks speeds up endpoint intrusion detection, response

Dell SecureWorks is launching Advanced Endpoint Threat Detection (AETD) Red Cloak, a fully-managed SaaS solution that can slash the time required to detect and respond to cyber-attacks from months or weeks to hours or minutes.

Too often, attackers go undiscovered within a victim’s IT infrastructure for months or even years. In one instance, the Dell SecureWorks Incident Response team deployed AETD Red Cloak in a client’s environment and within 48 hours was able to discover threat actors had compromised the environment 14 months earlier.

This fully-hosted endpoint security solution is powered by up-to-the-minute threat intelligence provided by experts from the Counter Threat Unit (CTU) research team, as well as global visibility that comes from protecting more than 4,100 clients in 61 countries.

“Historically, Red Cloak was used by our Incident Response (IR) team when it went out on IR engagements to uncover undetected malicious activity taking place in organizations’ IT environments,” said Aaron Hackworth, senior distinguished engineer with Dell SecureWorks’ CTU team. “However, Red Cloak was so successful in rooting out the threat actors that our Incident Response clients insisted we leave the Red Cloak solution installed in their IT environment to alert them to any future malicious activity. Those successes are what drove us to enhance the solution and make it available to help organizations around the world fight stealthy cyber-attacks.”

The Red Cloak solution is especially critical for catching attacks that don’t use malware. Once inside a network, attackers are continuing to evade traditional endpoint security controls often by leveraging compromised credentials and tools native to the target’s environment, such as remote access services, endpoint management platforms and other legitimate system tools. This tactic is called “living off the land,” and was used to gain entry in more than half of the cyber-espionage incidents Dell SecureWorks responded to last year.

To give organizations the earliest possible warning of compromise, AETD Red Cloak’s sensors search for forensic evidence of malicious activity while continuously collecting information about what is happening on the device, such as what programs are running, what commands are being executed, network connections, thread injection, memory inspection and more. The sensors send the collected data to the Counter Threat Platform, hosted off-premise, where it is analyzed using intelligence from Dell SecureWorks’ CTU researchers to spot attacker behavioral patterns and threat indicators.

“The cyber attacker has to set off just one of the tripwires, which we have installed in our clients’ environment, in order to trigger an alert,” said Hackworth. “By focusing on threat actor behavior and not just the tools and infrastructure they use, we can identify and flag suspicious activity that bypasses firewalls, antivirus, intrusion prevention and detection devices and other traditional security controls. With the depth of monitoring we offer, we can put that activity in a larger context to quickly determine the scope of an intrusion.”

The solution blends multiple views of system activity to see beyond static indicators such as IP addresses and domain names and uncovers the behaviors and techniques of cyber adversaries. AETD Red Cloak has been deployed on more than 3,500,000 endpoint devices, including desktops, servers, and laptops.

Because AETD Red Cloak is a SaaS solution, it easily scales to meet the needs of a growing organization. Currently, AETD Red Cloak supports endpoints running the Windows operating system. Support for other operating systems is planned for the near future.

The Security Analysis Team Cyber Threat Analysis Center will provide an electronic notification within 15 minutes of the determination that activity constitutes a security incident. Targeted or high-impact incidents are forwarded on to the Senior Intrusion Analyst Team, with a response guaranteed within 24 hours of the determination.

AETD Red Cloak builds upon Dell SecureWorks’ endpoint security portfolio, which already features the endpoint monitoring capabilities of the AETD Carbon Black service. AETD Carbon Black provides strong malware detection capabilities and focuses on file execution, the system registry and network connections. It also includes an onsite management console.

AETD Red Cloak is currently available in the North America, Latin America, EMEA and the ANZ regions. Language support is only in English at this time.