{"id":2031,"date":"2017-04-06T19:22:09","date_gmt":"2017-04-07T02:22:09","guid":{"rendered":"https:\/\/new.acalvio.com\/?p=2031"},"modified":"2017-04-06T19:22:09","modified_gmt":"2017-04-07T02:22:09","slug":"hiding-in-plain-sight-how-to-operationalize-deception-for-security-teams","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2017\/04\/06\/hiding-in-plain-sight-how-to-operationalize-deception-for-security-teams\/","title":{"rendered":"Hiding in Plain Sight: How to Operationalize Deception for Security Teams"},"content":{"rendered":"<p><strong>Honeypots.<\/strong><br \/>\nJust those three syllables are enough to cause instant nausea in a cyber security professional. Why? Honeypots are hard to operationalize into an effective, easy-to-use and consistent defense. But times are changing with the proliferation of deception technologies (Gartner tracked 16 vendors in a September 2016 <a href=\"https:\/\/www.gartner.com\/doc\/3096017\/emerging-technology-analysis-deception-techniques\">report<\/a>). Can deception be easily rolled into a cyber security defense?<br \/>\nThe problem so far has been properly operationalizing deception. Implementing it is a lot of work. Today's deception approaches, like camouflage in the physical world, rely on consistent surroundings for concealment. When soldiers wear camouflage for snow, the desert or a forest, and the surroundings remain constant, they're fine. But ascend from the forest to a snowy mountaintop and, unless you can rapidly change, you're exposed. Every IT environment constantly changes. If deception can't adapt like a chameleon, it's useless. That's Deception 1.0.<br \/>\nEnterprises need something that morphs. Modern deception must update dynamically with the environment being protected. For example, can your deception technology detect and recognize that you just updated a Linux installation? 
That's Deception 2.0.<br \/>\nThat's the defense philosophy behind Deception 2.0. But the question is: how do security teams make deception deployable and effective? It has to be easy. And we mean dirt effing simple. A no-brainer, easy as pie or any other appropriate <a href=\"http:\/\/idioms.thefreedictionary.com\/easy\">idiom<\/a>. A recent <a href=\"http:\/\/www.ponemon.org\/blog\/the-cost-of-malware-containment\">report<\/a> found that enterprises average 17,000 malware alerts per week, so it's a safe bet that alert number 17,001 won't be investigated. In such an environment, deception must be operationalized quickly, easily and with tremendous impact. How would that look? It should meet several key business, technical and usability criteria.<br \/>\nTechnically, one should learn from the mistakes of the many security vendors who have built products with long deployments and complex configurations. Deception tools must be able to:<\/p>\n<ul>\n<li><strong>Hide in plain sight.<\/strong> For a deception solution, this tops the list. How does this work? A deception technology needs some machine learning to understand and conform to your ever-evolving organization. By implication, this also means deception should be autonomous: the tool runs on its own, no tuning required.<\/li>\n<li><strong>Deploy within minutes<\/strong>: The tool is deployed easily and then left to learn your environment. Once installed, the deception tool provides a list of recommendations within just a few hours. The UI says, here's what you should do.<\/li>\n<li><strong>Integrate with other security tools<\/strong>: Most security teams have their favorite tools of choice. At a minimum, a deception tool should integrate quickly into your ecosystem.<\/li>\n<\/ul>\n<p>From a usability perspective, security tools should:<\/p>\n<ul>\n<li><strong>Fit into your current workflow<\/strong>. 
Rather than doing health checks every morning in a separate UI, an alert from a deception system should go into whatever event monitoring tool you've already deployed.<\/li>\n<li><strong>Enhance productivity<\/strong>. Deception, with its attack visibility, can help tune, for example, Splunk logs and reduce alerts. At the end of the day, you have a secondary, more reliable tool to understand whether an alert is true or false, reducing alert fatigue. This also means accelerated investigations with improved breach response and visibility, as well as an improved ROI from other security tools.<\/li>\n<\/ul>\n<p>Lastly, and most importantly, does the deception tool help the business? It should have a clear, quantifiable impact that allows the security team to stand in front of the CEO and say, \"here's how we reduced risk.\"<\/p>\n<ul>\n<li><strong>Stop data\/IP loss.<\/strong> The name of the game; enough said.<\/li>\n<li><strong>Reduce time to discovery<\/strong>. We all know the stats: dwell times are long, often seeming to start around the Mesozoic Era. As security professionals, compressing this time is critical for many reasons. For example, you have a better idea of who did it. What were they after? What did an employee click on?<\/li>\n<li><strong>Improve executive awareness and understanding<\/strong>. With security in the headlines almost daily, C-levels often ask, \"Are we safe from [<em>insert name of whatever spooky attack group a vendor's marketing geek came up with<\/em>]?\" You want to respond, \"Yes, and here's how we kept them out. Also, we're aware of their attack methods and what they're hoping to do.\" In other words, the tool should help show that your team has its act together.<\/li>\n<\/ul>\n<p>Deception, if done properly, can be a transformational shift in security strategy. 
By duping attackers and decreasing the attack surface, more of the burden of effort shifts back to the attacker. To succeed, deception efforts need to be inexpensive and usable by any enterprise, large or small, well staffed or understaffed. Today, many Deception 1.0 technologies are on premise and focus on large, well-established companies. But deception should become foundational, a cornerstone of everyone's security strategy. If anyone tells you that an expensive, professional-services-heavy deployment is required, don't be deceived.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Honeypots. Just those three syllables are enough to cause instant nausea in a cyber security professional. Why? Honeypots are hard to operationalize into an effective, easy-to-use and consistent defense. But times are changing with the proliferation of deception technologies (Gartner tracked 16 vendors in a September 2016 report). 
Can deception be easily rolled [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2031"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=2031"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2031\/revisions"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=2031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=2031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=2031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}