Dell's SecureWorks subsidiary has unveiled a cloud-based service that identifies threats through malicious behaviour, enabling it to pick up on attacks that may otherwise go undetected because they involve little or no malware code.
Advanced Endpoint Threat Detection Red Cloak is available now as a fully managed software-as-a-service platform. It links to endpoint monitoring capabilities and lightweight sensors on the customer's premises in order to scan and analyse for activity that could indicate a network breach.
Dell explained that the service was developed originally for use by the SecureWorks Incident Response team when investigating malicious activity in customer IT environments. It proved so successful that the firm decided to develop it as a commercial offering for organisations to deploy.
"Red Cloak was so successful in rooting out the threat actors that our Incident Response clients insisted we leave the solution installed in their IT environment to alert them to any future malicious activity," said Aaron Hackworth, senior distinguished engineer with the Dell SecureWorks Counter Threat Unit (CTU).
"Those successes are what drove us to enhance the solution and make it available to help organisations around the world fight stealthy cyber attacks."
The service is powered by up-to-the-minute threat intelligence provided by experts from the CTU research team, as well as the wide-ranging visibility that comes from data gathered by Red Cloak. The system is already being used to protect more than 4,100 clients in 61 countries, according to Dell.
Red Cloak's sensors search for forensic evidence of malicious activity while continuously collecting information about what is happening on the endpoint device, such as running applications, commands being executed, network connections and memory inspections.
The sensors send the data to the cloud-hosted Counter Threat Platform, where it is analysed to spot attacks by using key behavioural patterns and threat indicators.
This approach is well suited to catching attacks that do not necessarily make use of malware, Dell said. Attackers who have breached a network can evade traditional endpoint security controls by using compromised credentials and tools native to the target's environment, such as remote access services, essentially piggy-backing on legitimate network services to conceal their presence.
The SecureWorks Incident Response team has already used Red Cloak to uncover intruders in one customer's network that had compromised the environment some 14 months earlier but gone undetected, Dell claimed.
"By focusing on threat actor behaviour and not just the tools and infrastructure they use we can identify and flag suspicious activity that bypasses firewalls, antivirus, intrusion prevention and detection devices and other traditional security controls. With the depth of monitoring we offer, we can put that activity in a larger context to quickly determine the scope of an intrusion," Hackworth said.
The Cyber Threat Analysis Centre can provide an electronic notification within 15 minutes of determining that activity constitutes a security incident, according to Dell. Targeted or high-impact incidents will then be forwarded to the Senior Intrusion Analyst Team, which guarantees a response within 24 hours.
Red Cloak is available in regions including EMEA, but language support is currently limited to English.
V3 will host a Cloud & Infrastructure Live online event on 20-21 April. Register now to hear more about issues concerning data centres and the cloud.
Japanese researchers develop a flexible screen worn on the skin that they claim can monitor patients' heart rate and other vitals
ZenFone 5 Pro appears to boast a Snapdragon 845 SOC, an Adreno 630 GPU and 6GB of RAM
Pilot project will serve 300 homes to start with
The IoT faces significant compatibility challenges, which could be avoided for blockchain by adopting Hyperledger