How to build a better cybersecurity defense with deception technologies

This new cybersecurity defense mechanism proactively protects organizations and prevents attacks.


When you hear the phrase "deception technology" you may think of the attacker's toolkit: passwords stolen through social engineering, phishing emails, malicious pop-ups, bogus websites, and the like. In fact, deception technology is a defensive control. It plants decoy systems, credentials, and data that no legitimate user or process has any reason to touch, so any interaction with them is a high-confidence sign of an intruder; it protects organizations rather than exploiting them.

I discussed the topic of deception technologies with Tushar Kothari, CEO, Attivo Networks, a cybersecurity defense organization.


Scott Matteson: What exactly is deception technology? How does it close major gaps in cybersecurity detection?

Tushar Kothari: With emerging attack surfaces and increasing attacker sophistication, traditional security controls have proven they are no longer sufficient to prevent all attackers from getting in. As a result, some of the biggest challenges facing security teams today include greater dwell times, slow remediation times, and the shortage of high-skilled staff. 

Deception technology addresses these key challenges with early and accurate detection coupled with automation to accelerate incident response. The solution tricks threat actors into revealing their presence with authentic, high-interaction decoys that blend seamlessly into the production environment. As soon as an attacker attempts to scan the network, steal credentials, or move laterally, the deception platform raises a high-fidelity alert, reducing dwell times. From there, defenders can remediate or safely let the attack play out and collect company-specific threat intelligence to strengthen their defenses. 

Deception platforms can provide automated repeatable playbooks for a consistent response process, helping alleviate personnel or skill shortages. Altogether, these features shift the balance of power into the defender's hands and dramatically reduce the time it takes to detect and respond to attackers.
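The mechanism Kothari describes above (decoys and planted credentials that nothing legitimate ever touches, so any interaction with them is a high-fidelity alert) can be shown in a few lines of detection logic. The block below is an added illustration written for this article, not Attivo's code or any vendor's product; the honey accounts, decoy addresses, simplified log format and log lines are all constructed for the example. It also includes the conventional "alert on every failed login" rule for comparison, to show why a decoy hit carries almost no false-positive noise while the generic rule fires on an ordinary typo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed for this example: honey accounts planted in the directory and
# decoy hosts that answer on the network but serve no real purpose. Nothing
# legitimate authenticates as these accounts or connects to these addresses,
# which is what makes a hit on them a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr"}
DECOY_HOSTS = {"10.20.30.201", "10.20.30.202"}

# Simplified log format assumed for the example (not a real vendor format).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str     # "decoy_credential_use" or "decoy_host_contact"
    src: str      # address the attacker is operating from
    detail: str


def detect_deception_hits(lines):
    """Return one Alert per interaction with a decoy; all other traffic is ignored."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            # Any use of a planted credential, successful or not, is an attacker.
            if m["user"] in DECOY_ACCOUNTS:
                alerts.append(Alert(m["ts"], "decoy_credential_use", m["src"],
                                    f"{m['result']} login as {m['user']}"))
            continue
        m = CONN_RE.match(line)
        # A connection to a decoy host means scanning or lateral movement.
        if m and m["dst"] in DECOY_HOSTS:
            alerts.append(Alert(m["ts"], "decoy_host_contact", m["src"],
                                f"connection to {m['dst']}:{m['dport']}"))
    return alerts


def failed_login_rule(lines):
    """Baseline for comparison: the classic 'alert on every failed login' rule.
    It returns the usernames it would flag, including legitimate typos."""
    return [m["user"] for m in map(AUTH_RE.match, lines)
            if m and m["result"] == "failure"]


def attacker_timeline(alerts):
    """Group decoy hits by source so the attacker's path is visible as intelligence."""
    timeline = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        timeline[a.src].append((a.ts, a.kind, a.detail))
    return dict(timeline)


# Constructed sample log: one real user with a typo, then an intruder on
# 10.1.1.77 who scans two decoy hosts and tries a planted credential.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z auth failure user=jsmith src=10.1.1.15",
    "2024-05-01T08:00:05Z auth success user=jsmith src=10.1.1.15",
    "2024-05-01T08:02:10Z conn src=10.1.1.15 dst=10.20.30.10 dport=443",
    "2024-05-01T09:14:02Z conn src=10.1.1.77 dst=10.20.30.201 dport=445",
    "2024-05-01T09:14:03Z conn src=10.1.1.77 dst=10.20.30.202 dport=3389",
    "2024-05-01T09:16:40Z auth failure user=svc_backup_legacy src=10.1.1.77",
    "2024-05-01T09:16:41Z auth success user=svc_backup_legacy src=10.1.1.77",
]

if __name__ == "__main__":
    hits = detect_deception_hits(SAMPLE_LOG)
    for a in hits:
        print(f"{a.ts} {a.kind:22} src={a.src} {a.detail}")
    print("baseline failed-login rule would flag:", failed_login_rule(SAMPLE_LOG))
    print("attacker timeline:", attacker_timeline(hits))
```

On the sample log the decoy rules produce four alerts, all from 10.1.1.77, and nothing for the real user, while the baseline failed-login rule flags both jsmith (a typo) and the decoy account. The grouped timeline is the "company-specific intelligence" the answer refers to: it records which decoys the intruder touched, in what order, and from where, which is what an incident responder needs to scope the foothold.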

Current challenges

Scott Matteson: What are the current challenges with deception technologies?

Tushar Kothari: A common misconception we hear about deception technology is that it is challenging to deploy and manage. This issue may have been true with older deception technologies like traditional honeypots and honeynets, but today's commercial deception technology comes with features that make for efficient implementation and operations. 

While deception technology of old could take weeks to set up and deploy, machine learning makes deployment simple by proposing decoys and deceptive credentials that match the production environment. 

Organizations can deploy a modern deception platform in less than one hour and easily configure it to suit their needs while leveraging a central dashboard for easy management and streamlined operations. The flexibility offered by modern deception technology arms organizations of all sizes to build a proactive defense. 


How to be more proactive

Scott Matteson: Regarding the evolution of cybersecurity strategies – how can we be more proactive in our "perimeter-less" society?

Tushar Kothari: One way to be more proactive is to assume the attacker will get in, and plan a defensive strategy that leverages the entire network to detect them early, while gathering adversary intelligence to better defend against future attacks. In the perimeter-less society that we find ourselves in, with the rapid adoption of cloud infrastructure and ubiquitous global access, traditional security can't scale to keep up with where organizations now operate. 

Add to this the growing number of connected devices such as Internet of Things (IoT), and security teams now struggle to cover the organization's expanded attack surface. Defenders can no longer rely on traditional solutions that attackers have proven they can regularly bypass and should focus instead on a proactive defense that leverages fast and accurate detection coupled with rapid response and relevant intelligence.

Bad actors have far too much time to plan and execute their attacks while remaining undetected. Breakout time averages 4.5 hours, underscoring the importance of detecting an adversary quickly. 

Conversely, even when defenders successfully disrupt attacks, they often gather little useful data to remediate the attack fully and protect themselves should the attacker return. This lack of adversary intelligence makes it very difficult (if not impossible) to verify that defenders have removed the attacker's foothold within the network or prepare for subsequent attacks. 

Organizations must detect threats early, react quickly, and collect the company-specific intelligence needed to defend themselves. As in the physical world of offense and defense, understanding adversaries is critical for any organization to prevent and counter their potential actions.

Scott Matteson: Can you highlight the importance of tool consolidation and high-fidelity alerts to prevent alert fatigue?

Tushar Kothari: One of the universal truths of our industry is that as the scope and complexity of cyberattacks and risks continuously increase, new solutions appear that promise to address them. The challenge for CISOs is that they must figure out ways to get these technologies to work with their existing security infrastructure. Adding to this difficulty is the massive volume of log data noise that security teams must sift through to find actual security incidents, leading to alert fatigue as analysts deal with false positives. These issues increase operational complexity and exacerbate resource shortages with personnel, time, and effort.

Choosing tools that integrate well together and can automate response processes helps simplify operational complexity and reduces the difficulties that workforce constraints put on a security organization. Adopting a security solution such as deception technology that cuts through the noise with actionable alerts reduces analyst alert fatigue by only alerting on confirmed attacker engagement.  


What's keeping admins up at night?

Scott Matteson: What's keeping admins up at night and how should they address these challenges?

Tushar Kothari: As mentioned earlier, the traditional concept of the perimeter has disintegrated, creating a swathe of new areas susceptible to attack. Even knowing what is in the network becomes a challenge, as devices proliferate throughout the environment. Whether it is a smart thermostat, a networked video device, or a personal phone, the sheer number of devices propagating throughout the network makes the security admin's job harder. They no longer have the visibility they need to account for every device in the environment, let alone defend them. Adding controls that may cover gaps but add excessively to the workload overburdens the admin with little benefit.

Admins must focus on implementing solutions that allow them to see more, know more, and act more quickly to defend against an attack. Instrumentation can help, with tools that detect attacks already in progress, react to them automatically, or gather expansive data sets to analyze and make defenses better. Network visibility leads to awareness of where attackers can go, where they can move, and where they can hide. Increasing reaction speed by reducing alert noise and automating response actions reduces their workload and increases efficiency.

Gathering relevant attack data means better defense against future attacks, reducing their burden even further. Implementing these capabilities can help admins focus on what matters and sleep better at night. 
