‘An ounce of prevention is worth a pound of cure’ applies to more than stocking up on your vitamins. It is also a sound principle on which to base IT security, and one that Dell appears to have adopted, if the products and services on display at the recent Dell World 2014 end user conference are any indication. Over the past decade, Dell has worked hard to position itself as an end-to-end solution provider, and along the way has bet big on security through significant acquisitions and investment, assembling a security portfolio that can play at each layer of the end-to-end stack. Dell calls this layering of different security solutions “Connected Security” and has begun to build more of the product integrations needed to deliver automated security solutions that align with automation in cloud and converged infrastructure, and which extend ‘prevention’ to the thorny realm where multiple devices are linked to that infrastructure.
A laudable objective aimed at transforming security from a performance inhibitor into a business enabler, this goal is also something of a moving target: as the threat landscape, the need for infrastructure scale and IT service delivery speed, and the quality and quantity of data itself change — typically by upping the ante — security vendors are having to respond. So while it builds ‘connections’ across its portfolio, Dell is also innovating in many product and service areas to address evolving security challenges. Notable examples announced at the event are identity and access management-as-a-service (IAMaaS), the new Dell Change Auditor for Cloud Storage, which has been integrated with Dell Data Protection | Cloud Edition, and a new 120 Gbps deep packet inspection (DPI) next-generation firewall architecture.
Dell organizes its growing IT security portfolio around ‘three foundational imperatives’: protect the whole enterprise, comply with internal governance policies and external regulations, and enable the confidence to adopt new technology and pursue innovation. A key offering that falls under the ‘enable’ imperative is Dell SecureWorks security services, designed to manage security on behalf of clients, who are then better able to focus on their core business. Within this category resides SecureWorks’ Threat Intelligence Services, an extensive intelligence gathering and threat analysis service that highlights the utility of the ‘preventative’ approach to security strategy and provisioning. According to CEO Michael Cote, while SecureWorks has experienced rapid growth since its acquisition by Dell in 2011, the organization itself has benefited from its own acquisition of three security firms that delivered massive files on threats, malware, etc. to SecureWorks: combined with ongoing monitoring of public networks — the research team scans approximately 9 million ‘events’ daily — SecureWorks has built a massive repository of data that it uses to compare against and identify threats to client networks. The point of the Intelligence service, however, is to provide what Cote called “actionable information,” rather than remediation. For example, when information on a threat to a small bank is uncovered, SecureWorks can comb through its customer profiles in order to advise clients that might be vulnerable to this particular type of attack.
So how does SecureWorks go about delivering actionable information before the horse is out of the gate? To ensure that this information can be used proactively rather than reactively, the SecureWorks Counter Intelligence Unit has parsed the ‘Cyber Kill Chain’ and built techniques to respond at each of its stages. The Kill Chain is a model of the process threat actors follow when they target an attack; it was first developed by Lockheed Martin for understanding threats in the physical environment and has since been adapted to the virtual world.
SecureWorks CTO Jon Ramsey described this process as starting with “reconnaissance” on who to attack, through study of factors such as the target’s family, the technology used, and the target’s browser history, in order to build a profile. The next steps involve: identifying the target’s weak underbelly (vulnerability) in order to create the most appropriate distribution and delivery mechanism for the attack (the right email phishing pitch, for example); exploitation, or execution of the attack package when it arrives on the target machine; the installation of code to maintain control and to attack adjacent systems; communications to maintain command and control of compromised targets; “action” based on the threat agent’s objectives (to steal information, intellectual property or money); and finally, exfiltration of the data, code or personal information into the arms of the adversary. Typically, Ramsey argued, the security industry focuses on “indicators of compromise” — the last four steps in the Kill Chain process (steps 5-8); the point, however, is to intercept the threat before it reaches the stage of compromise. “What we do in the Threat Intelligence Service,” Ramsey explained, “is we look for ‘threat indicators’ that you can use any time to detect what a threat actor is doing in any one of these steps in the process.” The SecureWorks counter threat team can provide, Ramsey claimed, “all the information you need to defend yourself at each step in the Kill Chain in your environment” — and as a result, initiate a shift from remediation to preventative action.
According to Ramsey, threats at each of these stages are difficult to detect, especially for the typical client organization, and it is in threat identification that the team dons the real cloak and dagger. For example, to identify ‘reconnaissance’ threats, the team essentially assumes the role of the threat actor, carrying out this activity through “executive and brand surveillance” in order to build reports on the likely target and attack mode; or researchers trawl the underground to identify and build relationships with malware brokers in order to understand vulnerabilities and weaponization. At each stage in the Kill Chain process, SecureWorks researchers employ different intelligence gathering techniques, assembling a threat profile that often takes advantage of link analysis across various threat indicators.
As it is virtually impossible to know with certainty who and how many ‘bad guys’ are out there — or indeed what the latest techniques are — SecureWorks, like other security vendors, relies heavily on the application of heuristics and analytics to organizational, hacker or even individual employee behaviours. “We have made huge investments in machine learning,” Ramsey explained. “The problem essentially is that the whole security industry approach until now assumes that you can know how many bad guys are out there and what their malware is. But when you don’t know, you simply infer, based on behaviour in the history of the organization. You look for anomalies, put in a probability inference engine and can find some things with some degree of confidence that are malicious based on prior knowledge of the tactics, techniques and procedures of the threat actors.” Or at least SecureWorks can: “We have been working on this problem for a really long time, and we’re getting pretty good at it,” Ramsey added.
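The inference Ramsey describes, building a behavioural baseline from an organization’s own history and scoring new activity by how surprising it is under that baseline, can be shown in miniature. The following is an added illustration written for this article, not SecureWorks code or any description of its engine: it uses constructed login events, a naive per-user categorical model with additive smoothing, and a hypothetical threshold, and it flags events whose surprise (negative log-likelihood) exceeds that threshold, with users who have no history treated as an anomaly in their own right.

```python
"""Behavioural baseline and surprise scoring over constructed login events.

Illustrative only: the data, the feature set and the threshold are all made up.
A real deployment would learn the threshold from the organization's history and
feed flagged events to an analyst rather than acting on them automatically.
"""
from collections import Counter, defaultdict
from math import log

# Constructed sample history (not real data): (user, hour of day, source country, auth result)
HISTORY = [
    ("alice", 9, "CA", "ok"), ("alice", 10, "CA", "ok"), ("alice", 9, "CA", "ok"),
    ("alice", 14, "CA", "ok"), ("alice", 11, "CA", "ok"), ("alice", 16, "CA", "ok"),
    ("bob", 8, "US", "ok"), ("bob", 9, "US", "ok"), ("bob", 22, "US", "ok"),
    ("bob", 8, "US", "fail"), ("bob", 9, "US", "ok"), ("bob", 21, "US", "ok"),
]

# Constructed new events to score against the baselines
NEW_EVENTS = [
    ("alice", 10, "CA", "ok"),    # ordinary for alice
    ("alice", 3, "RU", "ok"),     # unusual hour and unusual country for alice
    ("bob", 8, "US", "fail"),     # a failure bob has produced before
    ("mallory", 12, "US", "ok"),  # no history at all
]

THRESHOLD = 3.0  # hypothetical cut-off in nats; tuned per deployment in practice


def featurize(hour, country, result):
    """Map a raw event to discrete features; hours are bucketed into four 6-hour blocks."""
    return {"hour_bucket": hour // 6, "country": country, "result": result}


class UserBaseline:
    """Per-user counts of each feature value, with Laplace (additive) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.n = 0
        self.counts = defaultdict(Counter)   # feature -> value -> count
        self.seen = defaultdict(set)         # feature -> distinct values observed

    def update(self, feats):
        self.n += 1
        for k, v in feats.items():
            self.counts[k][v] += 1
            self.seen[k].add(v)

    def surprise(self, feats):
        """Negative log-likelihood of the event, treating features as independent."""
        total = 0.0
        for k, v in feats.items():
            vocab = len(self.seen[k]) + 1  # +1 reserves probability mass for unseen values
            p = (self.counts[k][v] + self.alpha) / (self.n + self.alpha * vocab)
            total += -log(p)
        return total


def build_baselines(history, alpha=1.0):
    """Fold the historical events into one UserBaseline per user."""
    baselines = {}
    for user, hour, country, result in history:
        baselines.setdefault(user, UserBaseline(alpha)).update(featurize(hour, country, result))
    return baselines


def score_events(baselines, events, threshold):
    """Score each new event; unknown users have no baseline and are flagged outright."""
    results = []
    for user, hour, country, result in events:
        baseline = baselines.get(user)
        surprise = float("inf") if baseline is None else baseline.surprise(featurize(hour, country, result))
        results.append({
            "user": user,
            "event": (hour, country, result),
            "surprise": round(surprise, 3),
            "flagged": surprise > threshold,
        })
    return results


if __name__ == "__main__":
    for row in score_events(build_baselines(HISTORY), NEW_EVENTS, THRESHOLD):
        print(row)
```

The score is additive across features, so an event that is off-hours *and* from a country the user has never logged in from accumulates surprise from both, while a failure the user has produced before stays below the line. Laplace smoothing is what lets a value never seen for that user get a small but non-zero probability instead of an infinite score; the reserved slot in `vocab` is the prior belief that unseen values exist.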
Armed with this intelligence on tactics and threat procedures, the client, in theory at least, can take appropriate measures to defend its systems — including contracting for managed security services with SecureWorks’ Security Operations Command, which is provided with the same threat information.
For its part, SecureWorks is looking to focus on the creation and integration of this type of approach in other solution categories. In its recently announced Advanced End Point Threat Detection Services, for example, SecureWorks is relying on developing intelligence on end point systems. Ramsey explained: “What’s happening from a threat perspective is that as we study the tools, techniques and procedures we see that the threat actor assumes you’re going to have an IDS system or a next generation firewall. So they are crafting their attacks to subvert network security or security controls…. To answer our customers’ questions on how to address this, we need to have greater visibility into end point systems.”
Though it shares information from the Threat Intelligence unit with other Dell security areas such as SonicWall, and may manage that group’s firewall solutions, SecureWorks operates essentially as a managed services provider and hence with relative independence from other Dell security divisions. While Cote looks forward to greater integration of SecureWorks with Dell’s other security businesses in the future, the organization today provides, through managed services, a key layer in the Connected Security profile: services for businesses that wish to rely on security service experts. The integration of Connected Security innovation may be more apparent in other Dell security arenas, where, for example, next generation firewall architectures are being combined with various email, mobile, data and end point management technologies to plug security holes and also speed security deployment and operation. Stay tuned….