Beyond the Endpoint Agent
Decoupling Threat Behavior Analytics from the Endpoint Agent
By: Ryan Cobb
Endpoint Detection and Response (EDR) solutions have rapidly matured over the last few years, growing from bespoke and experimental tools written by security researchers to commoditized products that are production-ready and widely deployed across systems from workstations to mission-critical servers. It is important that an organization identifies the EDR product that is the right fit for their individual needs and collects data that will provide the most security value. Secureworks® threat hunters and incident responders developed Red Cloak™ in 2010 because the tradecraft necessary to analyze threat actor behavior and understand their intent was not available at the time. Secureworks researchers, incident responders, threat hunters, and security analysts rely on two different kinds of telemetry from EDR solutions in order to defend our customers from both known and unknown threats – streaming telemetry and query-based telemetry.
EDR products may audit operating system activity and send back an unfiltered flow of data in the form of streaming telemetry. Examples of streaming telemetry include process execution, network connections, file modifications, and Windows Event Log events. The countermeasures applied to streaming telemetry will alert an organization to on-going threat activity such as successful phishing attacks, lateral movement, and malware persistence in near real-time. Raw streaming telemetry is usually stored for a period of time to allow threat hunters to find previously unknown threats that evaded existing security controls.
Few EDR products enable the analyst to search across the environment for forensic artifacts at scale. This kind of query-based telemetry allows us to identify the presence of specific registry keys, to evaluate the likelihood that a given file is a webshell, and to answer other investigative questions that cannot be derived from streaming telemetry alone. Recent efforts to map Red Cloak countermeasures to MITRE's ATT&CK Framework revealed that query-based telemetry drives detections and provides coverage for about one-third of ATT&CK techniques. For threat hunting, streaming telemetry is not enough. Threat hunting requires query-based telemetry too.
The challenge for Secureworks – and anyone else who has tried to compare EDR products – is that even if two EDR products purportedly collect the same kind of telemetry, each product returns it at a different level of detail and in its own data model. Each vendor has their own preferred data model, which has been designed to work best for their unique product and technologies. This has several consequences for organizations that need to operationalize multiple EDR products or are considering changing to a different EDR product:
- Countermeasures become vendor-specific and require rewriting or translation between different products depending on the quality and quantity of available telemetry. In many cases, we have found it impossible to create an analog for Red Cloak countermeasures in other EDR products. As such, providing consistent detection capabilities across all vendors is problematic.
- The raw telemetry from each vendor is stored in different locations so research varies from difficult to nearly impossible across such a distributed and non-normalized data set. It is challenging to perform consistent research across managed endpoints.
- Vendors have their own web interfaces and APIs, which requires analysts to learn separate and distinct workflows for each product. It is a constant struggle to provide consistent delivery of managed and professional services across all the vendors.
Ultimately, the variety of ways in which different EDR products collect streaming and query-based telemetry makes it challenging for us and for others to consistently apply intelligence, perform research, and deliver services. Therefore, we wanted to devise a way to collect both kinds of telemetry in a uniform manner across different endpoint vendors to enable our services and better protect our clients.
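To make the data-model problem concrete, the following is an added example (not Secureworks code and not part of the original post). It takes process-execution streaming telemetry from two hypothetical EDR vendors with different record layouts ("vendor_a" with a flat record and a single command-line string, "vendor_b" with a nested record and an argv list), maps both into one common ProcessEvent model, and then runs a single countermeasure (an Office application spawning a script host, a typical post-phishing behaviour) once against the normalized events. The vendor schemas, field names, host names, and sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List

# Common data model for one kind of streaming telemetry: process execution.
# Countermeasures are written once against this model, not per vendor.
@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the executed binary
    command_line: str
    parent_image: str   # full path of the parent process binary
    vendor: str         # which EDR product produced the raw record


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Hypothetical vendor A (constructed schema): flat record, one command-line string.
def from_vendor_a(raw: Dict[str, Any]) -> ProcessEvent:
    return ProcessEvent(host=raw["hostname"], user=raw["user"], image=raw["image"],
                        command_line=raw["cmdline"], parent_image=raw["parent_image"],
                        vendor="vendor_a")


# Hypothetical vendor B (constructed schema): nested record, argv list, no command line.
def from_vendor_b(raw: Dict[str, Any]) -> ProcessEvent:
    proc = raw["process"]
    return ProcessEvent(host=raw["device"]["name"], user=raw["account"]["name"],
                        image=proc["path"], command_line=" ".join(proc["args"]),
                        parent_image=raw["parent"]["path"], vendor="vendor_b")


# One adapter per vendor; adding a product means adding an adapter, not rewriting rules.
ADAPTERS: Dict[str, Callable[[Dict[str, Any]], ProcessEvent]] = {
    "vendor_a": from_vendor_a,
    "vendor_b": from_vendor_b,
}


def normalize(vendor: str, records: Iterable[Dict[str, Any]]) -> List[ProcessEvent]:
    adapter = ADAPTERS[vendor]
    return [adapter(r) for r in records]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def office_spawns_script_host(event: ProcessEvent) -> bool:
    """Countermeasure expressed against the common model: Office parent, script-host child."""
    return (_basename(event.parent_image) in OFFICE_APPS
            and _basename(event.image) in SCRIPT_HOSTS)


def run_countermeasure(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    return [e for e in events if office_spawns_script_host(e)]


# Constructed sample telemetry: one suspicious and one benign record per vendor.
SAMPLE_A = [
    {"hostname": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\doc.ps1",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"hostname": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe",
     "parent_image": "C:\\Windows\\System32\\userinit.exe"},
]
SAMPLE_B = [
    {"device": {"name": "ws02"}, "account": {"name": "CORP\\bob"},
     "process": {"path": "C:\\Windows\\System32\\wscript.exe",
                 "args": ["wscript.exe", "//E:jscript", "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.js"]},
     "parent": {"path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}},
    {"device": {"name": "ws02"}, "account": {"name": "CORP\\bob"},
     "process": {"path": "C:\\Windows\\System32\\svchost.exe", "args": ["svchost.exe", "-k", "netsvcs"]},
     "parent": {"path": "C:\\Windows\\System32\\services.exe"}},
]


def detect_all() -> List[ProcessEvent]:
    """Normalize both vendors' telemetry and apply the countermeasure once."""
    events = normalize("vendor_a", SAMPLE_A) + normalize("vendor_b", SAMPLE_B)
    return run_countermeasure(events)


if __name__ == "__main__":
    for hit in detect_all():
        print(f"[{hit.vendor}] {hit.host} {hit.user}: {hit.parent_image} -> {hit.command_line}")
```

The detection logic never touches a vendor field name; all product-specific knowledge lives in the adapters. This is also where the post's caveat bites: if a vendor does not collect a field the common model needs (the parent image, say), the adapter cannot conjure it, and the countermeasure has no analog on that product until the missing telemetry is collected some other way.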
Red Cloak Partner Program
The Red Cloak Partner Program aims to solve these technical and workflow challenges through the integration of Red Cloak behavioral analytics and applied threat intelligence with endpoint products that already collect much of this telemetry. The Red Cloak Partner Program defines the data that is necessary to collect for threat detection and hunting based on our many years of experience. It also describes the technical and business requirements for Secureworks to consume telemetry from partner products and collect telemetry that the partner product does not natively collect.
The Red Cloak Partner Program will provide Secureworks and our clients with consistent detection capabilities across multiple vendors and platforms, permitting clients to select the endpoint product that fits their operational requirements without compromising on security efficacy.
Red Cloak Partner Program Benefits:
- Expands the scope of Secureworks' endpoint visibility so threats observed across different products and organizations can be transformed into effective threat intelligence and threat indicators that help detect adversaries across clients, regardless of EDR solution
- Reduces the number of endpoint agents an organization must install, with a goal of providing a single persistent agent with the benefits of Red Cloak behavioral analytics and applied threat intelligence
- Facilitates the consistent delivery of managed and professional services, including our Managed Detection and Response (MDR) solution
- Allows Secureworks to innovate and improve our data collection and detection abilities independent from the product vendor so we can continue to perform cutting-edge research to better protect our clients