
Hiding in Plain Sight: How to Operationalize Deception for Security Teams

Posted by Acalvio on Apr 6, 2017 1:07:28 AM

Honeypots.

Just those three syllables are enough to cause instant nausea in a cyber security professional. Why? Honeypots are hard to operationalize into an effective, easy-to-use and consistent defense. But times are changing with the proliferation of deception technologies (Gartner tracked 16 vendors in a September 2016 report). Can deception be easily rolled into a cyber security defense?

The problem so far has been properly operationalizing deception. Implementing it is a lot of work. Today’s deception approaches, like camouflage in the physical world, rely on consistent surroundings for concealment. When soldiers wear camouflage for snow, the desert or a forest and the surroundings remain constant, you’re fine. But ascend from the forest to a snowy mountaintop and, unless you can rapidly change, you’re exposed. Every IT environment constantly changes. If deception can’t adapt like a chameleon, it’s useless. That’s Deception 1.0.

Enterprises need something that morphs. Modern deception must update dynamically with the environment being protected. For example, can your deception technology detect and recognize that you just updated a Linux installation? That’s Deception 2.0.

That’s the defense philosophy behind Deception 2.0. But the question is: how do security teams make deception deployable and effective? It has to be easy. And we mean dirt effing simple. A no-brainer, easy as pie or any other appropriate idiom. A recent report found that enterprises average 17,000 malware alerts per week, so it’s a safe bet that alert number 17,001 won’t be investigated. In such an environment, deception must be operationalized quickly, easily and with tremendous impact. How would that look? It should meet several key business, technical and usability criteria.

Technically, one should learn from the mistakes of many of today’s security vendors who have built products with long deployments and complex configurations. Deception tools must be able to:

  • Hide in plain sight. For a Deception Solution, this tops the list. How does this work? A deception technology needs to have some machine learning to understand and conform to your ever-evolving organization. By implication, this also means deception should be autonomous—the tool runs on its own, no tuning required.
  • Deploy within minutes: The tool deploys easily and is then left to understand your environment. Once installed, the deception tool provides a list of recommendations within just a few hours. The UI says here’s what you should do.
  • Integrate with other security tools: Most security teams have their favorite tools of choice. At a minimum, a deception tool quickly integrates into your ecosystem.

From a usability perspective, security tools should:

  • Fit into your current workflow. Rather than do health checks every morning in a separate UI, an alert from a deception system should go into whatever event monitoring tool you’ve got deployed.
  • Enhance productivity. Deception, with its attack visibility, can help tune, for example, Splunk logs and reduce alerts. At the end of the day, you have a secondary, more reliable tool to understand if something is true or false, reducing alert fatigue. This also means accelerated investigations with improved breach response and visibility as well as augmenting the ROI from other security tools.

Lastly, and most importantly, does the deception tool help the business? It should have clear, quantifiable impact that allows the security team to stand in front of the CEO and say, “here’s how we reduced risk.”

  • Stops data/IP loss. The name of the game—enough said.
  • Reduces time to discovery. We all know the stats: dwell times are long, often starting around the Mesozoic Era. As security professionals, compressing this time is critical for many reasons. For example, you have a better idea of who did it. What were they after? What did an employee click on?
  • Improves executive awareness and understanding. With security in headlines almost daily, C-levels often ask, “Are we safe from [insert name of whatever spooky attack group a vendor’s marketing geek came up with]?” You want to respond, “Yes, and here’s how we kept them out. Also, we are aware of their attack methods and what they’re hoping to do.” In other words, the tool should help show that your team has its act together.

Deception, if done properly, can be a transformational shift in security strategy. By duping attackers and decreasing the attack surface, more of a burden of effort shifts back to the attacker. To succeed, deception efforts need to be inexpensive and usable by any enterprise, large or small, well staffed or under staffed. Today, many Deception 1.0 technologies are on premise and focus on large, well-established companies. But deception should become foundational, a cornerstone of everyone’s security strategy. If anyone tells you that an expensive, professional services heavy deployment is required—don’t be deceived.


Topics: deception, honey pots, detection, multistage attack