The cybersecurity game playing out in today's enterprises is turning out to be a classic spy story straight out of the Cold War era: spooks tunneling their way into enemy intelligence, foiled by sleuths trying to outsmart them.
Cybersecurity experts get the short end of the stick and are often found one step behind the bad guys. This is where deception technology makes the cut: it puts the good guys in control.
1. In what ways can deception technology outperform traditional cyber-security measures?
For the past 20 years, most active security control responses built into network security products have remained fairly constant, offering only a limited number of response actions, such as log, reject, drop and quarantine, with very little innovation or evolution beyond these simpler automated response concepts.
Although these responses are effective at both detecting and blocking individual attacker attempts, responses such as reject and drop are widely visible to a skilled adversary, especially advanced persistent threat actors. These types of responses allow an attacker to rapidly (or even immediately) identify when they are detected, and serve to inform the attacker that it must quickly adapt its attack strategy to continue to move forward. These basic defensive actions must evolve so that a strong hold against the attacker can be maintained and to increase the attacker's economic burden.
Deception solutions are emerging to play a greater role in the future of enterprise threat defense. Detection is often a prerequisite to higher-quality deceptions. However, deceit is beginning to be used in the enterprise to actively thwart or "black-hole" malware botnets, threat actors and suspicious connections.
2. What sort of hacker behavior has deception technology revealed?
Threat management teams utilize intelligence and orchestrated deceptions to divert attackers away from their sensitive assets. This tactic can enable threat management teams to assert more active control on an attacker and his activities throughout the enterprise environment, and allow organizations to track and share even greater intelligence on threat actors.
Ideally, upon detection, threat actors and their compromised systems or applications will be automatically isolated into a network deception zone, where they are provided with what is equivalent to a hall of mirrors, in which everything looks real, and everything looks fake.
The most critical reason to use deception is to delay an attacker and force him to spend more time, causing him economic harm while he tries to figure out what is real and what is not, and whether to proceed.
3. What's your take on the usage of 'honeypots' in nabbing cyber-criminals?
Use of deception through honeypot sensors as a detection measure has often been a security practitioner's dream, yet has been unattainable because the honeypot sensors of the past required too much administration, handholding and maintenance, and were mostly based on open-source code.