Deception in its various embodiments is becoming a critical part of organizations' security infrastructure. According to Gartner, the need for better detection and response is creating new opportunities for security stack automation, integration, consolidation and orchestration while also driving the emergence of new segments like deception.
These trends make deception and automated detection and response (ADR) a natural match.
The main goals of deception are to:
Following the compromise of assets in an organization, attackers begin their reconnaissance phase. They search the affected assets for valuable information and for clues about where the data they want lives in the environment. They look across endpoints, networks and other devices as they try to move laterally through the environment. The deception layer intervenes in this reconnaissance phase: it lures and deceives the attackers and detects their activity very early in the kill chain, before damage is done to the organization and before the attackers reach their objective. Because no legitimate user or process has a reason to touch a decoy, any interaction with one is a high-fidelity signal that can trigger an immediate response.
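To make the detection-and-response side of this concrete, here is an added example written for this page; it is not code from the original article or from any vendor product. It assumes a constructed decoy inventory (the hypothetical addresses 10.1.0.250 and 10.2.0.250, and a planted account named svc_backup_legacy), a simplified one-line event format, and an escalation rule of its own choosing: every decoy touch is an alert, and a source that touches two distinct decoys within five minutes is isolated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed decoy inventory (hypothetical addresses and account name).
# These hosts have no production role, so nothing legitimate should reach them.
DECOY_HOSTS = {"10.1.0.250": "decoy-fs01", "10.2.0.250": "decoy-web01"}
DECOY_ACCOUNTS = {"svc_backup_legacy"}  # planted credential, never used by anyone real

# Escalation policy chosen for this example (an assumption, not from the article).
WINDOW = timedelta(minutes=5)
ISOLATE_AFTER = 2  # distinct decoy targets touched by one source inside WINDOW

# Constructed sample events (not a real log): "ts src dst kind detail",
# where kind is "flow" (detail = service) or "auth" (detail = account).
SAMPLE_EVENTS = [
    "2024-03-01T09:00:01 10.1.0.11 10.1.0.12 flow smb",
    "2024-03-01T09:00:05 10.1.0.11 10.1.0.250 flow smb",
    "2024-03-01T09:00:06 10.1.0.11 10.2.0.250 flow http",
    "2024-03-01T09:00:09 10.1.0.11 10.1.0.20 auth svc_backup_legacy",
    "2024-03-01T09:05:00 10.2.0.5 10.2.0.6 flow ssh",
]


def parse_event(line):
    """Split one event line into its fields; timestamps are ISO 8601."""
    ts, src, dst, kind, detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "kind": kind, "detail": detail}


def decoy_touch(ev):
    """Describe how the event interacts with deception, or return None."""
    if ev["dst"] in DECOY_HOSTS:
        return f"{ev['kind']}:{ev['detail']} to {DECOY_HOSTS[ev['dst']]}"
    if ev["kind"] == "auth" and ev["detail"] in DECOY_ACCOUNTS:
        return f"use of planted credential {ev['detail']} against {ev['dst']}"
    return None


def detect(lines):
    """Walk events in time order. Every decoy touch becomes an alert; a source
    that touches ISOLATE_AFTER distinct decoy targets within WINDOW gets one
    isolate_host action (the automated response step)."""
    touches = defaultdict(list)  # src -> [(ts, decoy target)]
    isolated = set()
    alerts, actions = [], []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        what = decoy_touch(ev)
        if what is None:
            continue
        alerts.append((ev["src"], what))
        target = ev["dst"] if ev["dst"] in DECOY_HOSTS else ev["detail"]
        history = touches[ev["src"]]
        history.append((ev["ts"], target))
        recent = {t for ts, t in history if ev["ts"] - ts <= WINDOW}
        if len(recent) >= ISOLATE_AFTER and ev["src"] not in isolated:
            isolated.add(ev["src"])
            actions.append({"action": "isolate_host", "host": ev["src"]})
    return alerts, actions


if __name__ == "__main__":
    found_alerts, found_actions = detect(SAMPLE_EVENTS)
    for src, what in found_alerts:
        print(f"ALERT  {src}: {what}")
    for act in found_actions:
        print(f"ACTION {act['action']} {act['host']}")
```

The point of the design is that no suppression or baselining is needed: a decoy touch is alerted on unconditionally, and the only tuning is how aggressively the response escalates. In the sample, the source 10.1.0.11 reaches two decoys one second apart and is isolated before it gets to use the planted credential.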
Deception has clear advantages when done properly:
Automation of Deception Deployment and Maintenance
Deploying deception technology raises several challenges that must be handled. These include:
Key considerations for configuring and maintaining an effective deception network are listed below. Every organization implementing deception faces these considerations and challenges. Only an integrated ADR + Deception solution deals with them effectively:
The right methodology for dealing with these challenges is to deploy and maintain deception, in its various embodiments, automatically. No other approach overcomes the list above.
Knowing the environment and having visibility into it are crucial to setting up deception. In many cases the security team does not have all the relevant information about the environment, especially since the environment is constantly changing.
Automated Environment Visibility & Analysis
The first step is to automatically identify and profile the networks, assets, applications and other parameters of the environment.
The core of deception management is analyzing the profiled information and applying different criteria to define deception layers that match the organization's resources. Decoys built to mirror what actually lives on a subnet, the same operating systems and applications, are the ones an attacker cannot tell apart from production assets, and so the ones that effectively thwart and confuse them.
Automated Decoy Creation
The solution then automatically builds the deception components, selects the right network locations for them and distributes them across the network, preferably with minimal resources: a single appliance should be able to host multiple decoys on different subnets, running different operating systems and applications.
As the organization's network and resources change, the solution keeps identifying and profiling them and adapts the deception to match. A decoy whose profile no longer matches anything real on its subnet stops being convincing, so stale decoys need to be retired or re-profiled as readily as new ones are added.
The deployment process described above gives the security team considerable visibility into the environment, supporting hunting and forensic work. As part of the visualization, the solution shows administrators how the deception layers cover and match the organization's resources: what resources the organization has and how well the deployed deception covers them. This matters for assessing how well the deception already deployed fits the organization and what remains to be done to complete the deployment.
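The profiling, matching and coverage-assessment steps above, as an added example written for this page (it is not code from the original article or from any product it describes). It assumes a constructed asset inventory and decoy list in a simple dict form, a fixed list of subnets, a profile defined as an (operating system, service) pair, and that the highest addresses in each subnet are free for new decoys.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample inventory (not real hosts): the kind of result that
# automated identification and profiling of the environment would produce.
ASSETS = [
    {"ip": "10.1.0.11", "os": "Windows Server 2019", "services": ["smb", "rdp"]},
    {"ip": "10.1.0.12", "os": "Windows Server 2019", "services": ["smb", "rdp"]},
    {"ip": "10.1.0.20", "os": "Windows Server 2019", "services": ["mssql"]},
    {"ip": "10.2.0.5", "os": "Ubuntu 22.04", "services": ["ssh", "http"]},
    {"ip": "10.2.0.6", "os": "Ubuntu 22.04", "services": ["ssh"]},
    {"ip": "10.3.0.7", "os": "Debian 12", "services": ["ssh", "postgres"]},
]
SUBNETS = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]

# Decoys already deployed (constructed). The second one mirrors a profile
# that no real host in its subnet has, so it is unconvincing and stale.
DECOYS = [
    {"ip": "10.1.0.250", "os": "Windows Server 2019", "services": ["smb", "rdp"]},
    {"ip": "10.3.0.250", "os": "Windows Server 2019", "services": ["smb"]},
]


def _by_subnet(hosts, subnets):
    """Yield (subnet, host) for each host, using the first listed subnet containing it."""
    nets = [ip_network(s) for s in subnets]
    for h in hosts:
        addr = ip_address(h["ip"])
        for n in nets:
            if addr in n:
                yield str(n), h
                break


def profile_environment(assets, subnets):
    """Count real (os, service) profiles per subnet: what reconnaissance would see there."""
    profile = {s: defaultdict(int) for s in subnets}
    for net, a in _by_subnet(assets, subnets):
        for svc in a["services"]:
            profile[net][(a["os"], svc)] += 1
    return profile


def coverage_report(profile, decoys, subnets):
    """Per subnet: fraction of real profiles mirrored by a decoy, real profiles
    with no decoy (gaps), and decoy profiles that match nothing real (stale)."""
    deployed = {s: set() for s in subnets}
    for net, d in _by_subnet(decoys, subnets):
        for svc in d["services"]:
            deployed[net].add((d["os"], svc))
    report = {}
    for net in subnets:
        real = set(profile[net])
        covered = real & deployed[net]
        report[net] = {
            "coverage": len(covered) / len(real) if real else 1.0,
            "gaps": sorted(real - deployed[net]),
            "stale": sorted(deployed[net] - real),
        }
    return report


def plan_decoys(profile, report):
    """Propose one decoy per (subnet, OS) that has gaps, exposing the missing
    services most common on real hosts first. Addresses come from the top of
    the subnet, which this example assumes to be free (an assumption)."""
    plan = {}
    for net, r in report.items():
        by_os = defaultdict(list)
        for os_name, svc in r["gaps"]:
            by_os[os_name].append(svc)
        proposals = []
        for i, os_name in enumerate(sorted(by_os)):
            svcs = sorted(by_os[os_name], key=lambda s: (-profile[net][(os_name, s)], s))
            ip = str(list(ip_network(net).hosts())[-1 - i])
            proposals.append({"ip": ip, "os": os_name, "services": svcs})
        if proposals:
            plan[net] = proposals
    return plan


if __name__ == "__main__":
    prof = profile_environment(ASSETS, SUBNETS)
    rep = coverage_report(prof, DECOYS, SUBNETS)
    for net, r in rep.items():
        print(f"{net}: coverage {r['coverage']:.0%}, gaps {r['gaps']}, stale {r['stale']}")
    for net, proposals in plan_decoys(prof, rep).items():
        print(f"deploy in {net}: {proposals}")
```

Re-running the same three functions on each fresh inventory is what "constantly continuing the identification and profiling" amounts to: the report shows which subnets the deployed deception already fits, the gap list drives new decoys, and the stale list flags decoys that should be retired because the real environment moved on.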
Taking the automated approach to deception deployment and maintenance ensures that the organization's resources are used efficiently and effectively, raising the organization's level of security maturity.