Let's Talk SoC

Hunting the Unknown: Why Signature Detection Needs a Helping Hand

Episode Summary

Signature-based detection is great at what it knows, but it can leave your business open to new, emerging threats. As Director of Detection Research TJ Nelson explains, signature detection is the first locked door a cyber intruder encounters and allows security teams to concentrate on unknown threats. Learn more about the importance of this baseline level of protection – and why you also need more dynamic capabilities. Get the lowdown on the latest detection solutions, in particular the Secureworks Taegis cyber security platform.

Episode Transcription

Secureworks Interview with TJ Nelson

Sally : Hi everyone. And a very warm welcome to Let's Talk SoC, a special episode featuring signature-based threat models and whether we need to move beyond them. And to do exactly that and explore this subject area, I'm delighted to be joined now by TJ Nelson, who is Director of Detection Research at Secureworks. Welcome TJ!

TJ : Thanks for having me, Sally!

Sally : Oh, my absolute pleasure. And perhaps a great way to start this, find out a bit more about the person behind the tech, so to speak. Can you take us through your role at Secureworks, TJ? Just get to know you a little bit more.

TJ : Certainly. So I run the countermeasures team within the counter threat unit for Secureworks, and we're under the umbrella of detection research. And my team is responsible for creating and maintaining the detection logic that protects our customers within the Taegis platform. So, I like to say that we make the blinky lights happen in the portal, but in all actuality, there's a lot more to it. So, day to day, we are working with our customers to help them manage and balance the security context that they get through their various telemetry sources as well as the alerts that they need to respond to.

Sally : Fantastic. Great opportunity there. You're saying everything that's going on behind the scenes to make that invisible visible in this discussion, I think. And as part of that, as I intro'ed in the episode there really, for so much time now, many decades in fact, we've been using signatures, haven't we, to detect those known threats? Very much a standardized approach in the industry. What for you has changed the most in that particular statement?

TJ : Yeah, so every year attackers are developing more complex and nuanced attacks against their victims. And they're designed to fly under the radar and make it harder and harder to defend against. So, we're seeing cases where static signature detection just does not work. They're going to sidestep it. They're going to do things that will obviously work directly against those detections. And because of that, we need to move to more dynamic and resilient approaches towards detection.

Sally : I totally understand that. And again, I think for the audience out there at the moment as well, if you're not familiar with this, I think maybe let's give a metaphor as well. You know, what is a signature in this context? Maybe like the person's DNA would be a really good analogy for that. You know, it's…

TJ : Yes.

Sally : …unique to every single one of us, but you know, in a family environment, there'd be similar say indicators across these DNA patterns as well, just for everybody watching and listening if you're not familiar. And maybe TJ actually, as well, as part of that information, perhaps we could just briefly explore the differences say between a signature based approach to say anonymity or behavior or even heuristic. What are the key differences there for people to look out for?

TJ : Yeah, definitely. So, a signature-based approach is something that is very static. We call those atomic-type detections. It means that you are seeing something, and when you see that exact string, byte sequence, or log, you know that this event happened, and you're using that existence as an alert to say this is something that's malicious. As opposed to more dynamic detections, like a heuristic-based detection, which is basically looking at the patterns of behavior and stringing together multiple different factors in order to determine maliciousness. So, that's why, you know, that moving towards looking at multiple things and sort of correlating that, that's where the new detection frontier is.

Sally : Aw so, so true. And I have three S's around cybersecurity, kind of scope, scale and sophistication of all these different threats and they're converging, coming from new areas. Bad actors are coming together, so many different things to look out for. So having the approach that can respond and react to that dynamism of change is so, so important. So, I love that and getting that balance right, as you mentioned at the start too. So, we kind of briefly, I wanted to go on to kind of the role now of signature-based detection today. So, given what we've said so far, kind of how do you see the balance? Does it still have any place at all? Or should we be looking to replace this entirely now?

TJ : Well, Sally, much like with security systems, you probably don't want to leave your door unlocked, even if you have the best security system for your house. So, signatures allow us to have that strong baseline of detection to prevent straightforward attacks, leaving you with the resources to be able to focus on some of the more complex attacks. So, if you're able to cover the baseline, you can actually spend your resources actually trying to find out what things you're missing. And that's really the advantage of using signature-based detections today. Attackers will try to use the lowest form of an attack in order to be successful. So, ignoring the basics will just make their job easier and we're trying to up their cost so that they're more deterred and they'll think twice before trying to attack certain customer environments.

Sally : Absolutely. So, so true. Kind of increased their kind of the threshold to entry, so to speak, because it's come down in so many different respects. So, getting those foundations, that basic cyber hygiene, right? Absolutely critical. And signature-based detection is part of that. I think it's part of that kind of armory, so to speak, is really important there. And then building on top, as you were saying, there were those extra solutions. I've used the hands-on keyboard detector myself. Really, really impressed by that. And again, that use of ML, really aggregating different forms of evidence and sources from that endpoint telemetry over time, really impressed with how that worked.

TJ : Absolutely, definitely.

Sally : Fantastic. And so in terms of that, so in terms of moving beyond this now, those other layers of security, what would you say, where are we now, you know, from a Secureworks perspective, what are your kind of newer detection capabilities and how have they evolved? Maybe look at the last year or so as an example, given the speed of change here.

TJ : Awesome, yeah, so from the Secureworks side, we've introduced a bunch of new detection capabilities in the Taegis platform. So, we started looking a lot into the dynamic type detection solutions. And some of those come in the form of those ML-based analytic detectors, like the hands-on keyboard detector that you just talked about, and the Tactic Graphs. So, these detectors help us map malicious patterns of behavior that threat actors use. And instead of just trying to look for one thing, we're looking for tens, 20, 100 things happening in a sequence. And we're able to take that information and try to get that context in order to understand whether it's malicious or not. And the interesting part about it is that we're actually able to give a lot more context around why the attack is malicious because we're looking at the behavior. We're tying those things together. When you look at the hands-on keyboard detector, you're actually able to see the play-by-play of the attacker and see what their motives are and maybe some of their objectives, so that you can actually front-run some of your response and make sure that you're protecting your most valuable assets. And then with some of the analytic detectors, we're actually able to identify, understand, and profile the behaviors that we're seeing that are normal in your environment, so that when we see anomalous behaviors, we can hone in on those with more scrutiny and identify malicious behavior, even though they're so nuanced that they're really designed to fly under the radar. And if you just looked at it day to day, you might think it's normal activity, but that small change is really the devil in the details here. And so, our job is really to bolster some of those detections in order to protect our customers in that way.

Sally : I love that. It's that capacity to get granular, isn't it? You were really…

TJ : Yes.

Sally : …bringing to life there to get that most nuanced detail, to cut through the noise. Because again, I think that's another challenge here we see all the time with so much change and so much data to, frankly, and often, pressures on different departments at the moment as well, the ability to cut through that, get that right data for the right role, right agent, right time, and give you that agency to get ahead as you were talking about there and not be retrospective about these risks, actually proactively preempt them to a degree in terms of kind of bringing all these different signals together. So, I absolutely love that. Really, really, really important, I think. And in terms of some examples of this in action, again, I think for the audience, it'd be amazing to kind of explore maybe a couple of customer projects even where you've seen the benefits of this change in terms of supporting them and dealing with all these challenges today.

TJ : Yeah, definitely. So, our customers have the confidence of us being able to hold their information confidential. So, I won't go into too many details, but I'll talk about some general attacks that we see pretty often, and we're able to help our customers through. And so when attackers gain access into an environment via phishing or an initial entry vector, like a malware payload, they're immediately trying to orient themselves to find a way to get admin credentials. And usually, that's in the form of a poisoning attack where they're trying to act as a man in the middle, spoofing as an authoritative source, like a domain controller, and they're trying to trick systems into giving them the credentials so that they can go off and perform their other duties, the things that actually harm your environment. So, catching them at this stage is really important. And this spoofing is really hard to distinguish because it's designed to look legitimate and work just like the legitimate system would. So, understanding that malicious behavior and how it's tailored to work like that, we can use things like our analytic detectors to look at that activity in aggregate and distinguish whether it is anomalous behavior. It's only when you zoom out that you can actually see this activity and really hone in on it. And Taegis and some of our analytic detectors allow us to do that.

Sally : Fantastic. Love that example. And perhaps as a final thought as well, because I get asked about this a lot in terms of recommendations. So for organizations that are exploring this at the moment, whether you're an SME or right through to enterprise level as well, and particularly just thinking of this dynamism of change. Now, how would you, have you got some resources, for example, we could recommend in terms of places to look to help get ahead alongside the technology, just educational…

TJ : Yeah, definitely.

Sally : …resources as well. I often get asked for recommendations around that. So perhaps as a final thought. Perhaps we could focus there on perhaps the skills piece here and how we can support people from that point of view.

TJ : Definitely. So, we actually post a lot of blogs and documentation around the way that we do our detection. So, keep a lookout for the Secureworks blog. But then there's also groups like MITRE that have the ATT&CK framework, which will help you map out where your security gaps are, and you can actually hone in on the different things that are targeting those security gaps. So, that will really help you orient yourself from a protection standpoint. Looking at blog posts on some of those tools that are being used by actors and how they work is really another great way to do that. And then finally, really just talking with your security vendors and understanding how their platform is integrated into your environment. That is really your first line of defense, and you get a lot of information. The customers that give us the most diverse telemetry sets are always the best protected customers because we're able to look at multiple data sources and correlate those data sources in order to find that malicious, the slightly malicious activity that turns into the next big breach that you'll see in the news. So those are really the things that I would say to look into to really protect and learn more on how to protect your environments.

Sally : I love that. Thank you, TJ. I always like to end it on a tangible if you can, I think it's so, so important. And again, what better way to bring all these different elements together, as you just said really about getting ahead before you get to that breach of being in the news, all these different elements, all these foundations layer by layer, they give you that capacity to get ahead and the confidence as well to deal with this very dynamic space. So, thank you so much for sharing your expertise, TJ. Really, really valuable. Thank you for joining us today.

TJ : Absolutely. Thank you for your time.

Sally : Oh, my absolute pleasure. And to everyone watching and listening right now as well, thank you so much for your questions and your responses to Let's Talk SoC. We'll be back with another episode very soon. Thank you for joining us today.