Deception technology is no longer considered an overly complex cybersecurity solution designed only for the largest enterprises with infinite financial and operational resources. Deception is being adopted more broadly by companies of all sizes and industries and is now recognized as a mature, scalable and standard security control. CISOs know that they need to rationalize where their dollars are being spent, and they must invest wisely in proven technology that can deliver a reasonably quick and measurable ROI. With data breaches continuing to occur at unprecedented rates, it’s clear that a prevention-only defense is no longer sufficient for the modern enterprise. Threat actors are going to get access to corporate networks and the faster, more accurately and more efficiently attackers can be detected, the greater the likelihood they can be shut down before exfiltrating critical data.
Still, questions remain about deception technology's applicability to cyberdefense. There are many answers, but the most pertinent one is that it allows defenders to shrink adversary "dwell time" inside their own environment. Let's talk about deception for a moment before digging into how it can reduce dwell time.
Deception has been used for millennia to win major battles. There was the mythical Trojan horse packed full of soldiers who took over the city in the middle of the night after everyone was asleep. Alexander the Great used deception to beat Porus by tricking him into thinking he was not crossing a river when, in reality, he did cross it. Genghis Khan deceived his enemies into thinking he was retreating. Surprise! It was a trap. There are many other historical cases where deception was used to secure a victory in battle.
Beyond warfare, use of deception is also prevalent in most sports—teams build an offensive strategy to fool the other side into setting up in the wrong defensive scheme so they can get around them and score.
Today, midsize and large enterprises are connected to the internet from locations around the globe. CISOs mostly agree that they are frequently under attack, and they acknowledge that attackers will find a way into their networks. These battles, though, increasingly take place not on a battlefield or playing field but in the enterprise, which is essentially a CISO's home turf. Deception allows defenders to use that home-field advantage to slow, disrupt, deter and, most importantly, quickly identify the attacker inside the enterprise.
How a Deception Technology Playbook Works
Dwell time, the duration a threat actor has undetected access in a network until it's completely removed, remains a major security issue today. Time to discovery increased to 101 days in 2017 from 99 days in 2016 globally (FireEye/Mandiant's 2018 M-Trends report) and can be considerably longer in many regions. Clearly, adversaries are afforded too much time to move around inside the enterprise once they've breached it. Among the major home-field advantages that deception technology provides is that it enables the defender to quickly identify attackers or policy violations, close the detection gap and shrink dwell time by rapidly detecting the growing number of in-network threats that other security controls miss. By simplifying and automating processes, it also reduces the mean time to remediation, another critical benefit.
To accomplish all of this, deception must be highly authentic so the attacker cannot discern the difference between true production assets and deceptive assets. Additionally, distributed deception platforms should be flexible enough to deploy seamlessly across network, data center, cloud, endpoint, IoT, ICS/SCADA and POS environments. A well-structured deceptive layer can make this simple by deploying across the enterprise using machine learning and incorporating golden images to ensure maximum authenticity. It's also important to note that because the deceptive environment has no production value to employees, no legitimate user or process has a reason to touch it, so security teams know that every alert based on deception engagement indicates a real threat or vulnerability. Once an alert is raised, security analysts can either remediate the threat or monitor the adversary and collect intelligence based on their activity.
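The detection logic behind that last point is simple enough to show concretely. The following added example (not code from the original article or from any deception vendor) keeps an inventory of decoy hosts and a honey-credential, scans constructed connection-log lines, and raises an alert on any touch of a decoy, since no production activity should ever reach one. It also measures the dwell time that deception cut short, counted from an assumed initial foothold to the first decoy-triggered alert. All addresses, account names and log lines are constructed for illustration.

```python
"""Decoy-touch detector: any interaction with a decoy asset or honey-credential
is treated as a high-confidence alert because decoys have no production value.
Added example; hostnames, IPs, accounts and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed decoy inventory. In practice this is exported from the
# deception platform; nothing legitimate should ever connect here.
DECOY_ASSETS = {
    "10.0.5.23": "decoy-fileserver (golden-image clone)",
    "10.0.5.24": "decoy-db (golden-image clone)",
}
# Constructed honey-credential seeded in the directory; it is never used by
# real jobs, so any authentication attempt with it is suspicious.
DECOY_ACCOUNTS = {"svc_backup_legacy"}

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> [user=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: user=(?P<user>\S+))?$"
)


@dataclass
class Alert:
    ts: datetime
    src: str        # the internal host that touched the decoy (pivot point)
    reason: str


def detect(lines):
    """Return one Alert per log line that engages a decoy host or account."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts = datetime.fromisoformat(m["ts"])
        if m["dst"] in DECOY_ASSETS:
            alerts.append(Alert(ts, m["src"],
                                f"connection to {DECOY_ASSETS[m['dst']]}"))
        elif m["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ts, m["src"],
                                f"use of honey-credential {m['user']}"))
    return alerts


def dwell_time(alerts, intrusion_start):
    """Elapsed time from an assumed initial foothold to the first decoy alert.

    Returns None when no decoy was engaged (nothing to measure)."""
    if not alerts:
        return None
    return min(a.ts for a in alerts) - intrusion_start


# Constructed sample: two ordinary connections, then lateral movement that
# lands on a decoy file server and tries the honey-credential against LDAP.
SAMPLE_LOGS = [
    "2024-03-01T08:00:00 src=10.0.1.10 dst=10.0.2.5 dport=445",
    "2024-03-01T08:02:10 src=10.0.1.10 dst=10.0.2.6 dport=443",
    "2024-03-01T09:15:42 src=10.0.1.10 dst=10.0.5.23 dport=445",
    "2024-03-01T09:16:05 src=10.0.1.10 dst=10.0.2.7 dport=389 user=svc_backup_legacy",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a.ts.isoformat(), a.src, a.reason)
    # Assumed foothold time for the constructed scenario.
    print("dwell time until first decoy alert:",
          dwell_time(found, datetime(2024, 3, 1, 8, 0)))
```

The two ordinary connections produce nothing; the decoy touch and the honey-credential use each produce an alert naming the pivoting host, which is exactly the "every alert is real" property the paragraph describes. In a deployment the inventory would come from the deception platform and the log lines from a SIEM, and the `src` field is what an analyst would use to decide whether to remediate immediately or keep watching the adversary.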
Organizations should leverage their home-field advantage and use their intelligence to apply offensive countermeasures to stay one step ahead of the attacker. Often, threat deception technology is perceived as something you would want to do last rather than early on. Yet, whether you have sophisticated or straightforward security controls, identifying threats inside the network as quickly as possible is critical. Over-reliance on a perimeter defense has left too many companies in dangerous situations. Instead, detect early and build a better defense for the future, all on your own terms.