Improving Effectiveness And Efficiency With Deception-Based Active Defense Technology
By Nicole Bucala and Paul Kivikink, Illusive Networks
During the pandemic, when cybersecurity risk has hit a new high, security operations are becoming even more costly and complicated to run effectively. In addition, it’s notoriously difficult to measure the return on investment across a complex suite of advanced threat detection products. Effective use of these products depends on a team of skilled security analysts, who are hard to find and not cheap to staff.
Analysts spend much of their time sorting through high volumes of alerts, which leads to long detection and response times or key alerts on attacker behavior being missed. In addition, traditional anomaly-based detection and response solutions usually cost a company from five to seven figures annually to procure, plus time and effort to operationalize and integrate them with other tools, and ongoing maintenance and support.
Solving The Cost Challenge
There are several solutions to the high cost and complexity of a SOC. One is through vendor consolidation that results in fewer solutions with better automation and efficiency. Several great bundled SOC solutions are available, such as Microsoft 365 E5 security, that many organizations are adopting for most of their fundamental threat monitoring needs.
A second solution is to leverage an external offering like a managed security service provider (MSSP) or Managed Detection and Response (MDR), which is becoming increasingly popular. Gartner observed a 44% growth in end users’ inquiries into MDR over the past twelve months.
A third option is to procure more effective tools at lower price points that require fewer resources to manage and use. “Does that even exist?” you might wonder. Thanks to recent innovations, this is where a deterministic alerting platform can change the game. A deterministic alert is one that is certain; you know for sure there is a bad actor or that something else is wrong that needs immediate remediation. Instead of trying to find a needle in the haystack, these platforms provide precision in their alerts so that defenders are right 100% of the time.
Platforms of this kind reduce attack surface risk, leverage endpoint-based deceptions to stop attacker movement in hybrid-cloud environments, and offer high-fidelity detection characterized by minimal daily alerts with nearly zero false positives. If they have an agentless approach, they can be used across the broadest of scale – from hundreds to millions of endpoints.
This latter approach particularly benefits MSSPs/MDR providers. These providers are under pressure to detect attacks on their customers without delay, to operate with agility, and at the lowest cost possible. With deterministic versus anomaly-based detection, these providers can innovate better by consolidating their security tools to focus on those that provide the highest value and most reliable alerts – and are easily managed by a light MSSP staff regardless of the customer’s actual size.
Benefits Of Deterministic Alerting
Deterministic alerting offers significant benefits, including:
- Ease of use: Alerts are certain and accompanied by real-time and historical host forensics. They don’t require an advanced analyst to make sense of a bunch of different anomalies.
- Rapid deployment: An agentless solution deploys in as little time as one to three days.
- Lower total cost of ownership: With very low maintenance requirements, no hardware requirement, and low staffing requirements, these can operate at a fraction of the cost of a SIEM or NDR solution.
- Automated response: Integrations with EDR, SIEM and SOAR can leverage deterministic deception-based triggers to automate responses such as host quarantines or other incident response playbooks.
- Business context for prioritization: MSSPs and their customers need solutions that present critical information clearly. Deterministic deception platforms that shrink the attack surface and label high-value assets keep security teams focused on what’s important.
- Coverage of the whole environment: Few solutions cover complete hybrid cloud environments, but a variety of decoy types can create lures that stop attacker movement toward both on-premises and cloud-based assets.
- Catch creative attacks: Deterministic threat detection products based on deceptive approaches, or Active Defense, are known to be exceptional at catching even very creative attacks. For example, consider a bank employee who was reading and copying deceptive Microsoft Office files, thinking they were real and contained lucrative trade secrets. The deterministic platform issued an alert accordingly to catch the insider.
- Endpoint-based deception: Endpoint-based deceptive campaigns customize a deceptive story within a customer's network specific to that customer's data and assets. If done properly, a deterministic solution will be silent for weeks, only alerting when an attacker trips up.
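As an added illustration of the deterministic alerting, host forensics and automated-response ideas described above (example code written for this page, not code from the article or from Illusive Networks), the script below keeps a registry of planted decoy artifacts, runs constructed sample host audit events through it, and raises an alert only when a decoy is touched. The decoy paths, hostnames, event format and response playbook are all assumptions.

```python
# Added example: deterministic deception-based alerting over constructed audit events.
# Decoy registry, hostnames, paths, event format and playbook are assumptions for illustration.
from dataclasses import dataclass, field

# Planted decoy artifacts: any interaction with one of these is a deterministic trigger.
# Paths are hypothetical; a real deployment would tailor them to the customer's environment.
DECOYS = {
    r"\\fileserver\finance\Q3_acquisition_targets.xlsx": {"type": "office_file", "story": "finance"},
    r"C:\Users\svc_backup\.aws\credentials": {"type": "honeytoken_cred", "story": "cloud"},
}

# Response playbook keyed on decoy type (SOAR-style automation; mapping is an assumption).
PLAYBOOK = {"office_file": "escalate_insider_review", "honeytoken_cred": "quarantine_host"}

@dataclass
class Alert:
    host: str
    user: str
    artifact: str
    decoy_type: str
    story: str
    actions: list = field(default_factory=list)  # forensic trail of (timestamp, action)

def evaluate(events):
    """Return deterministic alerts: one per (host, user, decoy); real-asset access stays silent."""
    alerts = {}
    for ev in events:
        path = ev["path"]
        if path not in DECOYS:  # benign access to a real asset: no alert, no noise
            continue
        key = (ev["host"], ev["user"], path)
        if key not in alerts:
            meta = DECOYS[path]
            alerts[key] = Alert(ev["host"], ev["user"], path, meta["type"], meta["story"])
        alerts[key].actions.append((ev["ts"], ev["action"]))
    return list(alerts.values())

def response_for(alert):
    """Pick the automated response for an alert; unknown decoy types fall back to manual triage."""
    return PLAYBOOK.get(alert.decoy_type, "manual_triage")

# Constructed sample events: one read of a real file, then an insider reading and copying a decoy.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:02:11", "host": "WS-0412", "user": "jdoe", "action": "read",
     "path": r"\\fileserver\finance\Q3_budget.xlsx"},
    {"ts": "2021-03-01T09:05:40", "host": "WS-0412", "user": "jdoe", "action": "read",
     "path": r"\\fileserver\finance\Q3_acquisition_targets.xlsx"},
    {"ts": "2021-03-01T09:06:02", "host": "WS-0412", "user": "jdoe", "action": "copy",
     "path": r"\\fileserver\finance\Q3_acquisition_targets.xlsx"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"ALERT host={a.host} user={a.user} decoy={a.decoy_type} "
              f"actions={a.actions} response={response_for(a)}")
```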
Effective, Affordable Security
Customers are increasingly relying on security partners to help them solve complex issues. MSSPs are no exception, and today they have the opportunity to offer their customers a deterministic, deception-based lateral threat management platform as a key element of their overall security strategy. Most importantly, alerts from these tools always mean something important: It’s often found that when deception-based solutions catch an attacker, other anomaly detection tools also generated some noise, but their alerts weren’t eye-catching enough to warrant an analyst’s close attention. That’s why deception technologies often catch attackers that have been lurking for months to years, and customers say of deception tools that they are “the only product we have that truly, if it raises its hand about something, you need to go look at it.”
About The Authors
Nicole Bucala has a proven track record of bringing innovations to the market within the security industry. Nicole comes to Illusive from RSA Security where she was head of strategic business development and technology alliances. During her tenure at RSA, she built out the strategic partnership team and achieved annual triple-digit partnership revenue growth through closing a variety of inventive partnership deals. Before that, she led RSA NetWitness Platform Strategy & Operations, where she was responsible for strategic planning, corporate development, and business operations. Before RSA, Nicole founded and served as CEO and president of MIFCOR, an early-stage biotechnology startup developing novel therapies intended to reduce tissue damage associated with heart attacks, acute kidney injury, and other indications. Earlier in her career, she served the U.S. government, where she managed complex operations covering military science & technology and counterterrorism issues. Nicole received her MBA from Harvard Business School, her S.M. from Georgetown University, and her S.B. from MIT.
Paul Kivikink is director of strategic business development at Illusive Networks and is focused on building and growing relationships with innovative technology partners to help address customer security challenges. Paul brings 20 years of cybersecurity experience across a broad range of threat detection & response technologies and roles including business development, sales engineering, and SOC analyst. Paul is also a frequent speaker for business and technical audiences, fostering awareness of innovative technologies, infosec threats and trends, and industry best practices.