Dell SecureWorks Finds, Contains, and Eradicates Threats Faster with TIBCO LogLogic
Fast response and threat discovery using big machine data
Dell SecureWorks' goal is to enable organizations to fortify their cyber defenses to prevent security breaches, detect malicious activity in real time, prioritize and rapidly respond to security breaches, and predict emerging threats.
"Incident response needs quick and accurate understanding of what the compromise means to the business," explains Jon Ramsey, CTO of Dell SecureWorks and a Dell Fellow. "We go after the facts: who they are, what data they took, whether the breach needs to be disclosed, how they got in, how to keep them out, how to prevent them from getting back in. It requires insight into what has and will happen in the environment and then quick and accurate log analysis to craft a response and minimize impact on the business. The implications for clients who aren’t able to respond quickly are vast and many, and the longer the incident persists, the more costly it is."
Dell SecureWorks used to offer its own proprietary log retention solution, but the time came to strengthen and scale its offerings to meet large enterprise needs more effectively. "We want to be our clients' trusted security advisor and provide them with complete solutions. Clients want log retention because it plays a critical role in compliance and incident response, and they want to know that their data will be available when they need it."
"We looked at the market and selected TIBCO LogLogic® log retention because it was one of the best in the industry, and it was a good fit for our managed log retention services," says Ramsey.
"LogLogic powers our Log Vault and Enterprise Log Vault Solutions. These services provide managed log retention for clients from very small credit unions to large enterprises. Our team has been delivering managed solutions with LogLogic for eight years, so we have deep experience with the platform and know how to help clients find the data they need.
"TIBCO worked hard to help us fit its technology into our sales model and provide it in a way that meets clients' technical and budgetary requirements. We provide a wide range of deployment options using LogLogic physical and virtual appliances, and TIBCO provides us with great behind-the-scene sales support. It functions almost like an extension of our own sales team. In the last 12 to 18 months, the partnership has gone to the next level, and we've grown our joint business over 200%.
"Number one in our culture is service excellence. We stay close to our clients, we listen to the problems they have with security, and we build services that bring together people, process, and technology, such as TIBCO LogLogic, to protect and enable businesses in the face of extensive security threats."
Threat Discovery Using Big Machine Data
"Detecting advanced persistent threats (APTs) has become very complicated. Cyber criminals are very good at changing their attacks so they blend in with normal activity," says Ramsey. "Our approach is to apply machine learning techniques on large volumes of data to look at threats in a way that actors don't expect. This big data approach couples the visibility we have across our client base using all the logs we collect with sophisticated analytical approaches, such as probability inference and statistical modeling."
Fast Response Using Centralized Logging
"You need information from the total environment to answer questions about where the threat actors went and what they took," says Ramsey. "Without that information, you're just guessing. Many companies don't have centralized logging capabilities or enough log retention, which can add days or weeks to forensics analysis. The investigator has to manually pull system logs, if they exist at all, from the critical network infrastructure.
"One example of incident response working well was a denial of service attack on a financial industry client. Dell SecureWorks was the managed security service provider, so they engaged us for the incident, but we had not been involved in any DDoS preparations beforehand," says Ramsey. "Fortunately, the logs were immediately available to the incident response team, and centralized logging helped us acquire additional logs. We combined efforts of the incident response team, our security operations center and security research team, the counter threat unit, and the customer's distributed mitigation service to help resolve the threat. The client gave their internet provider information that helped limit the threat, and we determined that it didn't affect any financial transactions or client personal data."
"Over the past few years, we've reduced detection and incident response time and effort with highly optimized processes and technology," says Ramsey. "Given these improvements, today we can find, contain, and eradicate threats faster. Our goal is to continue to protect our clients and provide the absolute best security services so they can grow and thrive."