Published: August 1, 2019
Deception Technology:
A strategic imperative for Detection and Response
Why is deception technology important?
The IT security industry has paralleled the traditional approach for defending physical assets by building perimeter defenses. Walls, moats, doors, locks, identification and inspection have found their digital equivalents in the cyber arena. However, increasing mobile connectivity with 5G and the proliferation of cloud services and IoT, coupled with the rapid pace of change in the information security industry, have made it clear that companies cannot depend on perimeter defenses and traditional IT security concepts alone.
More than 40,000 security incidents, including 2,013 confirmed data breaches, studied in Verizon’s latest analysis of the global security landscape only confirm the gravity of the situation. Verizon’s 2019 Data Breach Investigations Report reveals that intruders are often active within the enterprise for 100 to 250 days before they are detected, often by a third party. Clearly, defense mechanisms that address the post-intrusion part of the kill chain are needed, so that detection and response are quicker.
Accurate deception detection has been a challenge…until now
Detecting bad activity amidst a sea of good activity at scale―with low false positives―is a very challenging task. Security Operations Centers (SOCs) are already inundated with incidents. Sending more signals to process is not a desirable solution. There must be a better way than chasing and analyzing every packet and file to find the bad guy! It’s been said that many difficult challenges are best solved when they are addressed backward. Can you invert the problem and have the malicious behavior announce itself by utilizing deception security?
In the physical world, using motion sensors inside buildings solves the problem. These catch successful penetrations of our perimeter defenses, not by identifying a specific malicious behavior, but by identifying that activity occurred in a place it should not have. Such motion sensors are needed for digital environments. And deception technology does just that by detecting activity where it should not occur, namely on any of a broad range of deception assets clandestinely managed throughout a network: fake hosts (decoys), fake data (honey data), bread crumbs that lead an attacker to another fake asset, and more. Because no legitimate process ever references these assets, a single touch is a high-fidelity signal rather than one more event to triage. Deception security turns the tables on the adversary by misleading them into revealing themselves.
Nature (flora, fauna) has used deception very effectively for millions of years for survival and self-preservation. More recently in the cyber realm, cyber criminals have been using deception and deceit to disguise their malware, hacking and phishing activities. Turnabout is fair play, is it not? Especially when it is effective.
How deception detection came to be
The first successful use of deception detection technology in IT security was by Cliff Stoll, when he used honey pots—a system set up as a decoy to detect, deflect or study hacking attempts—to trap German intruders (who were in collusion with Russians). Since then, deception detection technologies (usually in the form of honeypots) have been used extensively to ensnare threats on the public internet.
However, until recently, deception detection had not gained much traction outside of limited deployments and research projects. These first-generation deception technologies were simply not designed to work in modern, highly distributed corporate networks. Fast forward to today, and many technologies such as micro-services, software-defined networking and artificial intelligence have been leveraged to make deception a viable, cost-effective solution at scale, even in distributed cloud and complex IoT settings. Furthermore, deception security has been successfully used to detect entrenched adversaries inside sophisticated, well-managed networks within days or weeks, dramatically shortening the mean time to detect an incident (time-to-detection).
Deception security can support a variety of use cases crucial to cybersecurity:
- Detect lateral movement of adversaries post-intrusion, or even malicious insiders
- Improve SOC efficiency by using deception to validate suspected incidents
- Improve incident response and threat hunting teams’ effectiveness by providing detailed forensics captured by observing adversary behavior in the “deception network”
- Perform rapid assessment of the health of a network prior to a merger or acquisition
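The "motion sensor" logic described above, and the lateral-movement and SOC-validation use cases in this list, can be illustrated with a small detector. This is an added example, not Verizon's or any vendor's code; the decoy inventory, the log line formats and the addresses are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of deception assets (hypothetical names and addresses).
# Nothing legitimate ever references them, so any touch is a high-fidelity alert.
DECOY_HOSTS = {"10.20.30.40": "decoy-fileserver"}          # fake host
HONEY_CREDENTIALS = {"svc_backup_legacy"}                  # planted credential (bread crumb)
HONEY_FILES = {"\\\\fs01\\finance\\payroll_2019_FINAL.xlsx"}  # honey data

@dataclass(frozen=True)
class Alert:
    kind: str      # which deception asset was touched
    source: str    # host (or user@host) that touched it
    evidence: str  # the raw log line, preserved for incident responders

# Constructed log formats (hypothetical, not any product's real format):
#   "AUTH user=<u> src=<ip> dst=<ip> result=<ok|fail>"
#   "FILE user=<u> src=<ip> path=<p> op=<read|write>"
#   "NET src=<ip> dst=<ip> dport=<n>"
_KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    kind, _, rest = line.partition(" ")
    return kind, dict(_KV.findall(rest))

def check_line(line):
    """Return an Alert if the line touches any deception asset, else None."""
    _, f = parse(line)
    src = f.get("src", "?")
    if f.get("dst") in DECOY_HOSTS:                 # traffic to a decoy host
        return Alert("decoy-host:" + DECOY_HOSTS[f["dst"]], src, line)
    if f.get("user") in HONEY_CREDENTIALS:          # someone used a planted credential
        return Alert("honey-credential:" + f["user"], src, line)
    if f.get("path") in HONEY_FILES:                # honey document opened
        return Alert("honey-file", f"{f.get('user', '?')}@{src}", line)
    return None

def scan(lines):
    return [a for a in (check_line(l) for l in lines) if a]

def sources_by_alert_count(alerts):
    """One source touching several decoys is the lateral-movement pattern."""
    return Counter(a.source for a in alerts)

SAMPLE_LOG = [  # constructed sample input
    "AUTH user=alice src=10.20.1.15 dst=10.20.1.5 result=ok",
    "NET src=10.20.1.77 dst=10.20.30.40 dport=445",
    "AUTH user=svc_backup_legacy src=10.20.1.77 dst=10.20.1.5 result=fail",
    "FILE user=bob src=10.20.1.15 path=\\\\fs01\\finance\\payroll_2019_FINAL.xlsx op=read",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts from four lines with no behavioral classification at all; `sources_by_alert_count` then shows 10.20.1.77 touching two different deception assets, which is the pattern a responder would pivot on.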
Good end-to-end cybersecurity requires a balanced approach to identify, protect, detect, respond and recover. Verizon’s security solutions address cyber resiliency across your entire enterprise by helping you to:
- Enhance your visibility of risk. Know your internal risks and external threats.
- Protect the attack surface. Protect critical infrastructure, assets and data everywhere.
- Detect and respond to attacks faster. Respond quickly and efficiently to breaches.
- Reduce impact and quickly restore operations. Shrink time from compromise to containment.
Deception technologies have always been interesting for the most advanced security architects and engineers. Now that they are being embraced by more security practitioners, this represents an important strategic imperative for organizations of all sizes and industries who need to detect and respond to attacks faster.
Learn more about how we can help you detect and respond to attacks faster and how Verizon and our partners can help you leverage deception security in order to protect your business against cyber threats.