Point of View

Identifying User, Data, and Application Behavior from behind the Red Cloak

As the illusion of the impenetrable perimeter fades, rapid detection of malicious behavior becomes key to prompt incident response, improved cyber security, and decreased digital risk.

Dell SecureWorks announced during the 2016 RSA Cyber Security Conference the availability of Red Cloak, a new Advanced Endpoint Threat Detection (AETD) tool designed to help speed the identification of cyber threats based on behavioral patterns of attack. This is an approach that is becoming the preferred method of threat detection across the cyber security landscape.

The Changing Face of Cybersecurity

Cybersecurity has long been built around the ability to detect, and thwart, attacks based on malware signatures at the perimeter of the network. But threat actors today increasingly employ attack strategies that bypass the traditional malware approach. As a result, enterprises must now address new challenges:

  • The changing nature of attacks: Threat actors are looking for new, creative methods that grant them undetected access to the inside of a network. This has placed a tremendous burden on cyber security teams to shift their focus from detecting signature-based malware toward detecting behavioral anomalies that indicate potential risk (such as unusual traffic flows, combinations of applications running concurrently, repeated attempts to access restricted areas, variations in the location or time of access, etc.).

  • The pain of dwell time: Most enterprises are fairly skilled at identifying minor threats. But as the complexity of an attack increases, so too does the typical time to detect. Delayed detection means additional dwell time for an attacker (the amount of time they are undetected in the system) and an increased risk of lateral expansion within an organization.

  • The increase of “insider” attacks: A significant portion of cyber attacks depend on an insider or stolen credentials. These attacks lack a detectable “breach” and are frequently only identified through user behavior and/or data/application patterns. Variations on the insider attack can include seemingly legitimate acquisition/sharing of information prompted by a well-coordinated phishing attack (spear phishing).

SecureWorks is aggressively positioning Red Cloak as a solution to help address these challenges head on.

Next Steps for Dell SecureWorks

Originally developed to support the SecureWorks Incident Response team, Red Cloak is intended to augment the malware-based Carbon Black offering and has already been implemented throughout portions of the SecureWorks client base. A true SaaS offering, Red Cloak leverages threat intelligence from a wide network of SecureWorks clients as well as from its own Counter Threat Unit.

Cyber threats will increasingly be identified by patterns of user, data, and application behavior.

We’re intrigued by Red Cloak’s ability to combine forensics with analytics to discover and learn not just the vector of an attack but potential precursors as well. The Red Cloak “time to detect” statistics are impressive, as is the history of spotting long-term breaches that had previously been undetected.

SecureWorks is leveraging the real-world experience of its forensics and incident response teams, allowing them to customize Red Cloak while on-site (and then vetting those improvements for rapid inclusion in the core Red Cloak code).

But there are a few weak spots. Red Cloak currently only supports Windows endpoints. There are also limitations on the breadth of behavioral analysis, including the ability to track behavioral patterns more closely at the level of the individual user. Ultimately, we’d expect to see a stronger focus on cognitive computing and machine learning applied to the analytics, as well as a more formal focus on orchestrated responses.

Next Steps for the Enterprise

Red Cloak is as much an indicator of the evolution of cyber threat detection and response across the enterprise as it is an offering from Dell SecureWorks. As we wrote in our wrap-up of RSA’s 2016 Cyber Security Conference, “Tech, Tech, Tech, Analytics & Tech”, the future of cyber security is heavily rooted in analytics. Red Cloak is worth a look for SecureWorks clients, as well as for CISOs looking to better understand the nature of threat detection.

 
