Who is creating the malicious activity? Where do the threats manifest themselves? What can clients do about it? Who can help identify malicious activity?
SecureWorks addresses these questions by using advanced correlation to provide global context for threats, along with machine learning to drive rapid insights. Our expert systems deliver countermeasures that reduce the potential damage from new threat variants, limit the impact of threat toolkits, and serve as an early warning of indicators of compromise.
In this video about threat intelligence, Terry McGraw, Executive Director for Cyber Threat Analysis, outlines what sets SecureWorks apart and how we apply threat intelligence to get organizations back to their strategic objectives, such as winning new business and retaining current customers.
What You Will Learn:
- What sets SecureWorks apart from other security vendors
- How we apply threat intelligence
- How SecureWorks uses tools, techniques and procedures to get our clients back to a steady state after a threat is uncovered
Other security companies that provide threat intelligence provide the who and the how, but not necessarily the what. That’s really what SecureWorks does better than anybody else. So when I say who and how, that’s: who is creating the malicious activity? How are they developing it, how are they applying it, and how is it promulgated? But the what is what happened in the client environment. Where did that malicious activity manifest itself? And what can you do about it? What are the countermeasures that you can bring to bear? What are the security changes that you can offer your client? What are the consultation services that you can provide? And how do you do that in a managed security service? I’m seeing all of this activity; now I’m telling you what happened and what you should go do about it.
An Example: How We Apply Intelligence
Recently, the Metasploit Toolkit had a new variant released. So, we have a member of our research team who does nothing but look at new toolkit development: determining what was changed, where it’s being promulgated, how it’s being marketed and monetized, and then how I would develop countermeasures against that particular new variant of the tool.
We do that by looking through our own data stores of our client information. So all of our client information, our log data, gets stored within our environment. We’ll then run that countermeasure as a test. We’ll go back and look through, you know, 90 days’ worth of data to see where that might’ve appeared, and test the validity of the countermeasure to see where it manifests, to make sure it’s valid.
In a particular instance, we did just that. This Metasploit Toolkit variant was determined, we wrote a countermeasure, we applied it against what we’ve already seen in data logs, and we discovered that several of our clients had already been affected by that toolkit, and it had passed completely through their perimeter security devices because they hadn’t been tuned to see it.
We wrote a new countermeasure, we applied it on our iSensor, and then we automatically escalated that activity to our clients to alert them that it had in fact already infected their environment, and they needed to go remediate it. That started an Incident Response engagement, where they leveraged our service to go help them clean it up and get back to a normal state. So from end to end, we had research, we applied it in a countermeasure, we proactively alerted the clients to what was affected in their environment and how extensive the damage was, and then helped them get back to normal steady-state operations.
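The workflow described in the transcript, writing a new countermeasure, checking it does not fire on known-benign traffic, replaying it over a rolling 90-day window of retained client logs, and escalating only the clients that show hits, is sketched below as an added example. This is illustrative code written for this page, not SecureWorks tooling: the log format, the client names, the fixed "now" date and the indicator string (`EXAMPLE-TOOLKIT-VARIANT-MARKER`) are all constructed placeholders, and no real Metasploit signature is encoded.

```python
"""Retrohunt: apply a newly written countermeasure to retained log data.

Added example, not SecureWorks code. Every log line, client name and the
indicator pattern below is constructed for illustration only.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical countermeasure: a marker the new variant is *assumed* to leave
# in HTTP proxy logs. A real rule would come from analysis of the actual tool.
VARIANT_PATTERN = re.compile(r"User-Agent: EXAMPLE-TOOLKIT-VARIANT-MARKER\b")

RETENTION_DAYS = 90
# Fixed reference time so the example is deterministic (constructed value).
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)

# Constructed retained logs: (ISO-8601 UTC timestamp, client id, raw event).
RETAINED_LOGS = [
    ("2015-05-20T10:15:00Z", "client-a", "GET /index.html User-Agent: Mozilla/5.0"),
    ("2015-05-21T03:42:10Z", "client-a", "POST /upload User-Agent: EXAMPLE-TOOLKIT-VARIANT-MARKER/1.0"),
    ("2015-04-02T22:01:33Z", "client-b", "GET /login User-Agent: EXAMPLE-TOOLKIT-VARIANT-MARKER/1.0"),
    ("2015-01-15T08:00:00Z", "client-c", "GET / User-Agent: EXAMPLE-TOOLKIT-VARIANT-MARKER/1.0"),  # older than 90 days
    ("2015-05-30T12:00:00Z", "client-d", "GET /report User-Agent: curl/7.40"),
]

# Constructed known-benign traffic the rule must NOT match before deployment.
# The first line is a near-collision that the trailing \b in the regex rejects.
BENIGN_SAMPLES = [
    "GET /docs User-Agent: EXAMPLE-TOOLKIT-VARIANT-MARKERS-unrelated/2.0",
    "GET /news User-Agent: Mozilla/5.0 (compatible; example-toolkit-variant-marker)",
]


def parse_ts(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(ts: datetime, now: datetime = NOW, days: int = RETENTION_DAYS) -> bool:
    """True if ts falls inside the last `days` days ending at `now`."""
    return now - timedelta(days=days) <= ts <= now


def validate_countermeasure(pattern: re.Pattern, benign: list[str]) -> list[str]:
    """Return the benign samples the rule wrongly fires on; must be empty to deploy."""
    return [sample for sample in benign if pattern.search(sample)]


def retrohunt(logs, pattern: re.Pattern = VARIANT_PATTERN,
              now: datetime = NOW, days: int = RETENTION_DAYS) -> dict[str, list[str]]:
    """Replay the rule over retained logs; map each affected client to hit timestamps."""
    hits: dict[str, list[str]] = defaultdict(list)
    for ts, client, event in logs:
        if not in_window(parse_ts(ts), now, days):
            continue  # outside the retention window the hunt covers
        if pattern.search(event):
            hits[client].append(ts)
    return dict(hits)


def escalations(hits: dict[str, list[str]]) -> list[str]:
    """Clients to alert, in a stable order, because the activity is already present."""
    return sorted(hits)


if __name__ == "__main__":
    false_positives = validate_countermeasure(VARIANT_PATTERN, BENIGN_SAMPLES)
    if false_positives:
        raise SystemExit(f"rule not deployable, fires on benign traffic: {false_positives}")
    found = retrohunt(RETAINED_LOGS)
    for client in escalations(found):
        print(f"escalate {client}: {len(found[client])} hit(s), first at {min(found[client])}")
```

The false-positive check runs before the hunt on purpose: a rule that matches benign traffic would generate spurious escalations across every client in the retention window, so it is rejected before it is ever replayed or pushed to a sensor.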