Review: Dell SecureWorks AETD Red Cloak


Scaling out to create the perfect data management center and system capable of all the storage and capacity needed for an organization does nothing for a company if all of it can be easily compromised.



Attacks succeed in so many systems because adversaries spend long periods inside them undetected. According to Ponemon Institute's "2015 Cost of Data Breach Study", the attacks analyzed in the report took an average of 256 days to identify and then 82 days to contain. The average attack, not the worst or most aggressive one, took over two-thirds of a year just to identify, and then another few months to contain.


No business has the time or flexibility to spare numbers like those. SecureWorks' Advanced Endpoint Threat Detection Red Cloak is a SaaS, fully managed solution that focuses on shrinking that response timeline from weeks and months down to hours and minutes by providing a constantly monitoring, modularly designed system.


The product grew out of observations collected by researchers and analysts in the SecureWorks Counter Threat Unit (CTU). They noticed an increasing number of malicious attacks that used no malware at all, or so little that it was nearly undetectable. Red Cloak's development was also triggered by the growing concern that attacks are vigorously persistent.

[Figure: Dell SecureWorks AETD Red Cloak Benefits]

Detecting this atypical use of normally helpful tools and techniques requires more data and deeper insight into what counts as "normal use". SecureWorks applied these insights and developed the Red Cloak system as a set of modules that collect very detailed information from each endpoint and send it to Dell, where it is correlated with other endpoint data and information collected across the network, and where trends can be observed across SecureWorks' customer base. It is a proactive approach in a field of passive solutions.


With AETD Red Cloak (RC), Dell SecureWorks has brought to market a fully hosted endpoint security solution powered by constantly updated threat intelligence from the CTU research team. RC was initially developed to support the company's Targeted Threat Hunting and Response professional services teams, but it proved so helpful that clients asked for it to be left installed on their computers.


Some of the most difficult attacks to detect use "living off the land" techniques: the adversary follows existing processes and commandeers tools that are already present on the system, attacking it without introducing any malware. This is why deep observation matters; it helps define "normal" behavior and differentiate it from disguised attacks. The discreet nature of this mode of attack allows prolonged, easy retrieval and removal of data from a storage system.

These attack types have forced a redefinition of victory and defeat in the enterprise. SecureWorks defines an adversary's "victory" not as avoiding detection but as avoiding containment, so that the adversary can reach and take the intended data or hold a compromised system.

SecureWorks' defense does not aim to prevent every potential attack but to deny the attacker this kind of victory and to strengthen security for the next wave of threats. RC does not depend on any single indicator, behavior or malware signature; it combines threats, tactics and procedures and is constantly learning from new clients. Bundles of tripwires are installed as part of the program, and when one is triggered it alerts the CTU analysts into action.

RC's modules detect new processes and their arguments: new commands being initiated, persistent programs (especially those that survive a restart), signatures of tools that reside in memory, drives mapped with explicit credentials, and memory allocation are just a few examples. As RC learns the behavior of the individual system, it adjusts appropriately to strengthen and increase security. Discovering the trend is key to the analytics and their success.
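To make the tripwire idea concrete, here is a small detector written for this review as an added example; it is not SecureWorks code and does not reflect Red Cloak's actual rules or telemetry format. It assumes an agent reports one record per new process (host, user, executable, command line, and whether the program registered itself to survive a restart), learns a per-host baseline of command "shapes" during a quiet period, and then flags two of the behaviors the paragraph names, a drive mapped with explicit credentials and a new persistent program, plus any command the host has never run before. All event records are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record as a hypothetical endpoint agent might report it."""
    host: str
    user: str
    image: str          # executable name reported by the agent
    cmdline: str        # full command line including arguments
    persisted: bool = False   # agent saw the program register to run again after a restart


# Tripwire: a drive mapped with explicitly supplied credentials (net use ... /user:).
NET_USE_EXPLICIT_CREDS = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\b[^\n]*\s/user:", re.IGNORECASE)


def command_shape(ev: ProcessEvent) -> str:
    """Collapse variable parts of a command line (directories, numbers) so the
    baseline stores the shape of a command rather than one exact instance.
    This is a deliberately crude normaliser for illustration."""
    shape = re.sub(r'[A-Za-z]:\\(?:[^\s"\\]+\\)*', r"PATH\\", ev.cmdline)  # C:\dir\dir\ -> PATH\
    shape = re.sub(r"\d+", "N", shape)                                     # 10.0.0.5 -> N.N.N.N
    shape = re.sub(r"\s+", " ", shape).strip().lower()
    return f"{ev.image.lower()} {shape}"


class TripwireDetector:
    def __init__(self) -> None:
        # host -> command shapes observed during the learning period
        self.baseline: Dict[str, Set[str]] = {}

    def learn(self, events: List[ProcessEvent]) -> None:
        for ev in events:
            self.baseline.setdefault(ev.host, set()).add(command_shape(ev))

    def evaluate(self, ev: ProcessEvent) -> List[Tuple[str, str]]:
        """Return the (rule, severity) pairs tripped by a single event."""
        hits: List[Tuple[str, str]] = []
        if NET_USE_EXPLICIT_CREDS.search(ev.cmdline):
            hits.append(("drive_mapped_with_explicit_credentials", "high"))
        known = command_shape(ev) in self.baseline.get(ev.host, set())
        if ev.persisted and not known:
            hits.append(("new_persistent_program", "high"))
        elif not known:
            hits.append(("command_not_in_host_baseline", "low"))
        return hits


def needs_analyst(hits: List[Tuple[str, str]]) -> bool:
    """Escalate to a human analyst when any high-severity tripwire fired."""
    return any(sev == "high" for _, sev in hits)


def run_demo() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed sample data: a learning period followed by three new events."""
    det = TripwireDetector()
    det.learn([
        ProcessEvent("ws01", "alice", "explorer.exe", r"C:\Windows\explorer.exe"),
        ProcessEvent("ws01", "alice", "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
        ProcessEvent("ws01", "alice", "net.exe", r"net use H: \\fileserver\home"),
    ])
    new_events = {
        # same user maps a share with credentials typed on the command line
        "map-with-creds": ProcessEvent("ws01", "alice", "net.exe",
                                       r"net use Z: \\10.0.0.5\c$ /user:corp\svc_backup"),
        # the usual home-drive mapping seen during learning
        "routine-map": ProcessEvent("ws01", "alice", "net.exe", r"net use H: \\fileserver\home"),
        # an unknown program that registered itself to survive a restart
        "new-persistence": ProcessEvent("ws01", "alice", "updater.exe",
                                        r"C:\Users\alice\AppData\Roaming\updater.exe", persisted=True),
    }
    return {name: det.evaluate(ev) for name, ev in new_events.items()}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:16} analyst={needs_analyst(hits)} {hits}")
```

The routine mapping produces no hits because its shape was learned, while the credentialed mapping and the unknown persistent program both escalate; the low-severity "not in baseline" rule on its own would only enrich the record for later correlation, which is the division of labor the review describes between automated tripwires and CTU analysts.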

RC consists of different modules appropriate to the scenario. It is easily installed on a client's endpoints, and the information collected is sent to the cloud SaaS location over a mutually authenticated, secure connection. Each endpoint sends an average of 10 MB of compressed data daily, and the service runs as a low-priority process, so it is preempted by any user activity on the workstation. RC has been deployed on more than 3.5 million endpoint devices, including desktops, servers and laptops.

Phil Burdette, Senior Security Researcher with SecureWorks' Counter Threat Unit (CTU) research team, provided more insight into how RC can work for enterprise systems. Businesses may set their own memory or disk space capacity limits. Burdette explained that "RC was designed with the idea of 'do not harm the system' first so that the program will have minimum effects on an enterprise system and will yield to the other needs of the system. RC is a SaaS solution so it easily scales to meet the needs of enterprise systems and can be customizable per enterprise." Currently, RC supports endpoints running the Windows operating system. Support for other operating systems is forthcoming.

According to the website, the Security Analysis Team Cyber Threat Analysis Center will provide an electronic notification within 15 minutes of determining that the activity constitutes a security incident. These proactive responses are key to containing and shutting down attacks. Incidents that are targeted or deemed high-impact are assigned to the Senior Intrusion Analyst Team, with a guaranteed response within 24 hours.

When I spoke with Burdette, he explained that businesses have the same ability to monitor and observe the information collected by Red Cloak that analysts do. The interface is accessible and readily available to enterprises, and businesses may also choose how much observation and support the team provides. Burdette noted that some businesses prefer the team to take a more background role, while others ask for 100 percent support all the time.

[Figure: Dell SecureWorks AETD Red Cloak Interface]

The biggest bonus of Red Cloak is that when SecureWorks detects a new threat, even in a different customer's system, the fix it develops once it has learned and understood that threat is immediately available to all customers in their own RC endpoint security.

Red Cloak builds upon Dell SecureWorks' endpoint security portfolio to cater to the needs of the enterprise business. RC is currently available in North America, Latin America, EMEA and the ANZ regions. Language support is English only at this time. Within Advanced Endpoint Threat Detection there are several alternatives, including Digital Guardian, whose tools and solutions focus on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints. FireEye offers threat and exploit detection capabilities with FireEye Endpoint Security (HX Series), which enhances endpoint visibility and enables a flexible and adaptive defense against exploits and known or unknown threats.

AETD monitoring is a quickly expanding market, but Red Cloak is built and prepared to endure with its customers for generations of systems to come. Pricing for the service starts at under $100 per endpoint for small deployments, with volume discounts.

Additional Resources:

Dell SecureWorks AETD Red Cloak Data Sheet

Dell SecureWorks AETD Red Cloak Press Release

Lindsey Cobb

Lindsey Cobb, a Georgia native and former history major, is a technology researcher who is fascinated by past and future of technology. When she is not engrossed in the prophecy of science fiction stories, Lindsey is likely to be planning her next adventurous trip or petting every dog she meets. Contact Lindsey at [email protected]
