With Red Cloak Threat Detection and Response, Red Cloak becomes a brand for software delivered without a managed service component. The channel partner play out of the gate is limited, but is likely to develop somewhat over time.
Managed security service provider Secureworks, a Dell subsidiary, has announced a new offering which reshapes their go-to-market model. The new Red Cloak Threat Detection and Response [TDR] provides a SaaS offering that is not tied to a managed service, allowing the customer to do that part themselves. It is aimed at the most mature type of customers, who have the resources and desire to do this work themselves. That makes it a limited play for channel partners at the outset, although there is a minor one. Secureworks’ many ISV strategic partners are more likely to realize benefits from this.
With Red Cloak TDR, the Red Cloak brand is elevated to designate software delivered through a SaaS model where the customer, not Secureworks, handles the management.
“The Red Cloak brand has been around for a couple of years around our endpoint product – Advanced Endpoint Threat Detection,” said Kyle Falkenhagen, senior platform director for Secureworks. “It is the closest thing we have ever had to a true software product that doesn’t require any managed service around it. Going forward, Red Cloak will be the brand for software which we sell on a SaaS model, without a managed service.”
Secureworks has had a TDR product for years – as part of a managed services offering.
“We have had an internal set of capabilities for this – the Counterthreat Platform,” Falkenhagen said. “It has been around for 12-15 years, and has been our platform to deliver managed security services. The problem is that it is our own internal tools and processes, and there is no way for a more mature customer who would want to do this themselves to handle it. They had to rely on our managed services.”
This kind of customer is the market for Red Cloak.
“This is aimed at our more mature, high-end customers,” Falkenhagen said. “For most customers like this, the reality is that it takes a combination of software and services to get to the outcomes that they are looking for. So this kind of customer, while they love the capabilities of our software, wants to do more in-house, and to do that, they need to be able to manage it themselves.
“There is some alignment with the size of the organization, but it really has more to do with their security maturity,” Falkenhagen added. “Do they have a CISO? Do they have a 24×7 SOC? Can they do basic alert triage, or threat hunting?” He said that a good ballpark figure for the target customer would be an organization with at least seven security professionals on staff.
The core value proposition of this type of service is to work in concert with preventative measures aimed at stopping threats from getting onto the network, tracking threats down once they do get through. Red Cloak TDR is designed to do this with a minimum of the false-positive alerts that waste SOC staff’s time.
“Ideally you prevent things from happening in the first place,” Falkenhagen said. “TDR is a fallback. The faster you can contain the threat, the better off you will be. You can literally be locked out in an hour with ransomware. Time matters.
“In this area there are a lot of point products, around endpoint, network, orchestration and response,” Falkenhagen continued. “Without correlating data from each of these sources, it’s hard to make sense of what you are seeing. We wanted a more coordinated and integrated approach to use our advanced analytics, and automate those actions. The software sets out to do this.”
Falkenhagen indicated that this software includes some genuinely new capabilities.
“As attacks become more sophisticated, the means of detecting them has to change,” he said. “The industry has used a rule-based correlation of events – patterns, streams and other indicators of compromise. Now we have to combine that with machine learning and more advanced analytics. This is something that UEBA [user and entity behavior analytics] has been doing for a while, and we haven’t been that robust there. But UEBA is a very noisy space. It can create a lot of alerts. We’ve built in capabilities applying machine learning to the alert paradigm itself to improve the signal-to-noise ratio. Only when we have real confidence do we bubble it up to the user.”
Secureworks has not yet quantified this reduction of alerts to a specific order of magnitude, but Falkenhagen said that the beta reports indicate that it will be strong.
“We have several beta customers who have told us that it is an order of magnitude less than what they dealt with in the past,” he said.
Another enhancement is on the investigative front.
“We have had a bifurcated experience with our managed security offerings in that the customers see something very different from what we do,” Falkenhagen said. “That made it hard to work hand in hand with our analytics. We have changed that, and have built out an investigative workbench to let customer analysts collaborate directly. We have also added a premier support model, where the customer can use our most senior analysts as an expert resource.”
More Red Cloak SaaS offerings will follow, Falkenhagen said, although for the moment what they are remains shrouded in mystery.
“There’s nothing that we can say publicly just yet,” Falkenhagen said. “We will bring out additional software on the same model to tackle other major challenges.”
For Secureworks’ partner channel, the opportunity here out of the gate will be limited.
“We plan on starting with primarily a direct model, but we are having discussions with a couple of large VARs about reselling the software, and we have plans to let more regional service providers deliver services on top of this,” Falkenhagen indicated. “There are still a lot of customers that will need services, and we will introduce service wrappers on top of this.”
The more significant partner angle for the moment will be with Secureworks’ strategic vendor partners.
“This is a big partner play for us because there are a lot of security vendors out there and we see those as a data source for telemetry or as an actuation source,” Falkenhagen said. “Coming out of the gate, this is not a huge channel play, but it is a big partner play.”