“Hackers are increasingly using endpoints to enter companies’ infrastructures to steal valuable data,” said Jane Wright, senior analyst and engagement manager for security at Technology Business Research. “To detect and shut down the hackers’ activities right away, companies need more frequent, expert vigilance to quickly spot suspicious activity and behaviors on their endpoints. For many companies, a blend of managed and consulting-style services that combines continuous monitoring with personalized threat hunting and immediate incident response is an efficient and effective way to protect their data and other IP from cyberattacks.”
With AETD Red Cloak, Dell SecureWorks is bringing to market a fully hosted endpoint security solution powered by up-to-the-minute threat intelligence provided by experts from the Counter Threat Unit™ (CTU) research team as well as the global visibility that comes from protecting more than 4,100 clients in 61 countries. Red Cloak was initially developed to support the company’s Targeted Threat Hunting and Response professional services teams.
“Historically, Red Cloak was only used by our Incident Response (IR) team when they went out on IR engagements to uncover undetected malicious activity taking place in organizations’ IT environments,” said Aaron Hackworth, senior distinguished engineer with Dell SecureWorks’ CTU team. “However, Red Cloak was so successful in rooting out the threat actors that many of our Incident Response clients insisted we leave the Red Cloak solution installed in their IT environment to alert them to any future malicious activity. Those successes are what drove us to enhance the solution and make it available to help organizations around the world fight the stealthy cyber-attacks.”
The Red Cloak solution is especially critical for catching attacks that don’t use malware. Once inside a network, attackers increasingly evade traditional endpoint security controls by using compromised credentials together with tools native to the target’s environment, such as remote access services, endpoint management platforms and other legitimate system tools. This tactic is called “living off the land,” and was used to gain entry in more than half of the cyber-espionage incidents Dell SecureWorks responded to last year.
To give organizations the earliest possible warning of compromise, AETD Red Cloak’s sensors search for forensic evidence of malicious activity while continuously collecting information about what is happening on the device, such as what programs are running, what commands are being executed, network connections, thread injection, memory inspection and more. The sensors send the collected data to the Red Cloak Analytics system, hosted off-premise, where it is analyzed using intelligence from Dell SecureWorks’ CTU researchers to spot attacker behavioral patterns and other indicators of compromise.
“The cyber attacker has to set off just one of the tripwires, which we have installed in our clients’ environment, in order to trigger an alert,” said Hackworth. “By focusing on threat actor behavior and not just the tools and infrastructure they use, we can identify and flag suspicious activity that bypasses firewalls, antivirus, intrusion prevention and detection devices and other traditional security controls. With the depth of monitoring we offer, we can put that activity in a larger context to quickly determine the scope of an intrusion.”
The solution blends multiple views of system activity to see beyond static indicators such as IP addresses and domain names and to uncover the behaviors and techniques of cyber adversaries. AETD Red Cloak has been deployed on more than 3,500,000 endpoint devices, including desktops, servers, and laptops.
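The contrast the article draws between static indicators and behavioral detection is easiest to see on a few telemetry records. The following Python is an added illustration written for this page; it is not Red Cloak code and says nothing about how Dell SecureWorks’ analytics are actually built. The event schema, host and account names, tool names (`admintool.exe`, `remotesvc.exe`), IP addresses and thresholds are all constructed for the example. It runs a static IP-indicator check and two behavioral rules (a remote-management service spawning a shell, and one account driving native admin tooling across several hosts in a short window) over a small set of made-up process-start events in which no malware file appears at all.

```python
"""Behavior-based triage of endpoint process telemetry (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record as an endpoint sensor might emit it (constructed schema)."""
    ts: datetime
    host: str
    user: str
    parent: str     # image name of the parent process
    image: str      # image name of the started process
    cmdline: str
    remote_ip: str  # first outbound connection made by the process, "" if none


def _t(hh, mm):
    # Readable constructed timestamps on one fixed day.
    return datetime(2015, 3, 3, hh, mm)


# Constructed telemetry: only built-in tools run under a valid account, which is
# what "living off the land" looks like in the logs. Nothing here has a file hash
# or a domain that an indicator list could match.
SAMPLE_EVENTS = [
    ProcEvent(_t(9, 0), "ws-01", "CORP\\jdoe", "explorer.exe", "admintool.exe",
              "admintool.exe --target ws-02 --run inventory", "198.51.100.2"),
    ProcEvent(_t(9, 3), "ws-02", "CORP\\jdoe", "remotesvc.exe", "admintool.exe",
              "admintool.exe --target ws-03 --run inventory", "198.51.100.3"),
    ProcEvent(_t(9, 7), "ws-03", "CORP\\jdoe", "remotesvc.exe", "cmd.exe",
              "cmd.exe /c whoami", ""),
    ProcEvent(_t(9, 8), "ws-03", "CORP\\jdoe", "explorer.exe", "admintool.exe",
              "admintool.exe --target fs-01 --run inventory", "198.51.100.10"),
    # Routine patch-management activity on a single host, for contrast.
    ProcEvent(_t(9, 15), "ws-07", "CORP\\svc-patch", "services.exe", "admintool.exe",
              "admintool.exe --target localhost --run inventory", ""),
]

# Constructed reference data for the rules below.
KNOWN_BAD_IPS = {"203.0.113.9"}          # static indicator list
NATIVE_ADMIN_TOOLS = {"admintool.exe"}   # legitimate built-in tooling
SHELLS = {"cmd.exe", "powershell.exe"}
REMOTE_SERVICES = {"remotesvc.exe"}      # a remote-management service process


def static_ioc_hits(events):
    """Indicator matching: events whose outbound connection hits a known-bad IP."""
    return [e for e in events if e.remote_ip in KNOWN_BAD_IPS]


def service_spawned_shell(events):
    """Behavioral rule 1: a remote-management service launching an interactive shell."""
    return [e for e in events
            if e.parent.lower() in REMOTE_SERVICES and e.image.lower() in SHELLS]


def account_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Behavioral rule 2: one account running native admin tooling on at least
    `min_hosts` distinct hosts inside `window`. Returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.image.lower() in NATIVE_ADMIN_TOOLS:
            by_user[e.user].append(e)
    findings = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {x.host for x in evs[i:] if x.ts - first.ts <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def triage(events):
    """Run the static check and both behavioral rules; return a summary dict."""
    return {
        "static_ioc_hits": len(static_ioc_hits(events)),
        "service_spawned_shell": [(e.host, e.user, e.cmdline)
                                  for e in service_spawned_shell(events)],
        "account_fanout": account_fanout(events),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On this data the indicator list matches nothing, while both behavioral rules fire on the same activity: the shell spawned under the remote-management service on ws-03 and the account that touched three hosts in eight minutes. The window and host-count thresholds are placeholders; a production analytics pipeline would derive them from a per-account and per-role baseline rather than fixed constants.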
Because AETD Red Cloak is a SaaS solution, it easily scales to meet the needs of a growing organization. Currently, AETD Red Cloak supports endpoints running the Windows operating system. Support for other operating systems is planned for the near future. The Security Analysis Team Cyber Threat Analysis Center will provide an electronic notification within 15 minutes of the determination that activity constitutes a security incident. Targeted or high-impact incidents are forwarded on to the Senior Intrusion Analyst Team, with a response guaranteed within 24 hours of the determination.
AETD Red Cloak builds upon Dell SecureWorks’ endpoint security portfolio, which already features the endpoint monitoring capabilities of the AETD Carbon Black service. AETD Carbon Black provides strong malware detection capabilities and focuses on file execution, the system registry and network connections. It also includes an onsite management console.
AETD Red Cloak is currently available in the North America, Latin America, EMEA and ANZ regions. Language support is only in English at this time.