Don’t Be a Sitting Duck

Posted on December 12, 2016

As children growing up in New Jersey, we were taught extensively about the state’s significance in the Revolutionary War. One thing that always stood out to me was the battlefield culture of the Europeans. Both sides would line up in an orderly (some would say gentlemanly) fashion and simply fire at each other until each line of defense was wiped out. It made little sense, and ultimately, one of the tactics that helped the colonies was not to play by the rules of the English. If you’ve watched Mel Gibson in “The Patriot”, this is well depicted as his character changed the rules and refused to be a “sitting duck”.

The key in that example was the Colonies refusing to play sitting duck and going on the offensive. In similar fashion, and over 240 years later, organizations are very much “sitting ducks”.

Organizations today are predictable and regulated, work off publicly available industry security standards and, for the most part, are static in their security defenses. Today’s attacker uses this predictability against them. Attackers know the rules organizations follow intimately, understand their defense practices, and gain the advantage because they are not required to follow any rules when launching their attack campaigns. Organizations, and their protected/sensitive data, are sitting ducks without any ability to respond or launch countermeasures.

This article will explore the challenges in the current environment and introduce ways that Deception Technology can put the odds back in the good guys’ favor.

The Current Environment of Security In Relation to Hackers

Static in Nature

Most companies follow the same protocol in setting up their environments. There are Active Directories, End Users, Routers, Switches, Firewalls, etc. Hackers know this and, once they’ve gotten past the best defenses, are easily able to navigate as they feel right at home.

Risk & Compliance Standards Driving Action

As our country has become increasingly regulated, keeping up with the necessary protocols to simply exist per the law has become a huge challenge for security teams and companies in general.

Reactionary Environment

The process of IT Security is essentially the same as watching a “Tom & Jerry” episode. The mouse (the hacker) runs around the house (your corporate environment) and your security team (the cat) chases them. It’s really that simple.

Solutions Available To Both Sides

Did your team attend RSA or BlackHat this year? They probably learned about the latest technologies available to defend against the bad guys. They may have even scheduled meetings with the sales teams and attended demos. Guess what? The bad guys attend those same conferences and they’re buying those same defenses. Once they reverse-engineer them, they learn how to get through.

Overwhelmed Security Teams

While InfoSec is the fastest growing segment of almost any organization’s IT staff, seemingly every organization that I speak to tells me that they are overwhelmed in managing their protocols, users, reacting to events/breaches, and purchasing yet more solutions to keep the cycle progressing in the same pattern.

Mobility & BYOD Environments

Security teams used to just worry about the company-issued desktops and laptops of their end users. The increase in mobile devices and tablets, coupled with application-driven smartphones, has presented increasingly complex environments (and new, unseen endpoints) that security teams often cannot effectively protect.

Your Opponent Has Time and Automation in Their Favor

Professional criminals have patience and persistence on their side. Targeted attacks are automated and eventually evade the best defenses. As we all know, eventually they will get through.

Sophistication of the Criminals Has Increased Exponentially

Criminals are no longer just mischievous or looking to exploit corporate data: the occurrence of Ransomware attacks is up significantly, and it is a significant source of revenue to criminal organizations.

The Bad Guy Might Actually Be On Your Payroll

Like the famous 1978 Lufthansa Heist, made famous in the movie “Goodfellas”, many breaches are inside jobs. It’s both disheartening and extremely difficult to guard against.

No-Win Situation for CISOs

The top Major League Baseball batters make in excess of $15mm a year to hit over .300, while a CISO is at risk of being fired for achieving 99.9999999% success. A single breach can result in an otherwise very adept and forward-thinking CISO’s termination.

A CISO currently has a thankless job in a reactionary environment with odds favoring the opposition/professional criminals.

So what can be done to mitigate the risk of breaches and data theft and put the odds back in your favor? The answer lies in Deception.

Deception: The Great Equalizer

We’ve established that bad guys will spend an inordinate amount of time to penetrate your defenses, and will eventually get through. Once they’re in, they easily know their way around your corporate environment because everything seems the same.

Deception is the result of reverse-engineering the hacker’s mindset and finding a solution that prevents the hacker from being successful. It provides the following benefits to corporations:

No Longer a Sitting Target:

Organizations that deploy deception place deceptive, or false, data and assets into their environment that force the hacker to make decisions using bad information. By “poisoning” the information available to the attacker, we significantly alter the odds in favor of the organization rather than the attacker. The deceptive approach is different from traditional honeypot technologies that serve as decoys and depend on the hacker finding the decoy. In contrast, Deception technology does not require decoy systems. Deception uses current business assets and deploys deceptive data to every endpoint. Deception takes the fight to the attacker as opposed to trying to guide them to a specific decoy system. The effectiveness and manageability of this approach is significantly better. But perhaps the greatest advantage is identifying intrusions in real time and on the source machine, often as early as the patient zero host.

Instant Breach Alerting & Remediation

Once deception is deployed, an alert tells the security team if unauthorized access has occurred, shows the source of the breach, and allows the team to shut down the intrusion immediately. Compare this to the typical time it takes an organization to discover a breach in its network (180 days, and usually accompanied by a visit from the FBI).
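The two sections above describe the mechanism in prose: deceptive data is seeded on every endpoint, and any use of it produces an alert naming the source host. The following is an added illustration, not the article’s or any vendor’s code; the honeytoken inventory, the log line format and the sample log lines are all constructed for the example.

```python
# Honeytoken alerting: raise an alert the moment planted deception data is touched.
# Added example (constructed inventory, hypothetical log format, constructed log lines).
import re
from dataclasses import dataclass

# Constructed inventory of deceptive data seeded on every endpoint. No legitimate
# user or process ever references these names, so any touch is a high-fidelity signal.
HONEYTOKENS = {
    "svc_backup_admin": "decoy domain account left in cached credentials",
    "fin-share-2016": "decoy file share name left in mapped-drive history",
}

# Hypothetical log format: "<timestamp> <host> <event> user=<user> target=<target>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) user=(?P<user>\S+) target=(?P<target>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    source_host: str  # endpoint where the lure was used: the patient-zero candidate
    token: str
    event: str
    reason: str

def scan_log(lines):
    """Return one Alert per log line that uses a honeytoken as its user or target."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        user, target = m["user"], m["target"]
        hit = user if user in HONEYTOKENS else target if target in HONEYTOKENS else None
        if hit is not None:
            alerts.append(Alert(m["ts"], m["host"], hit, m["event"], HONEYTOKENS[hit]))
    return alerts

# Constructed sample: one legitimate logon, one lure logon, one lure share access, one bad line.
SAMPLE_LOG = [
    "2016-12-12T09:01:02Z WS-017 logon user=jsmith target=WS-017",
    "2016-12-12T09:03:40Z WS-042 logon user=svc_backup_admin target=DC01",
    "2016-12-12T09:04:11Z WS-042 smb_connect user=jsmith target=fin-share-2016",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a.ts} source={a.source_host} token={a.token} ({a.event}): {a.reason}")
```

Both alerts point at WS-042, which is the host an incident responder would isolate first; legitimate activity never touches a lure, so the monitor has nothing to tune.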

Your Rogue Employee is Now Easily Identified

The biggest challenge to CISOs is their personnel. An ill-intentioned employee determined to gain access to valuable corporate data is difficult to detect, and very little can be done to prevent it. Deception provides a key tool in instantly identifying unauthorized internal access and provides the safeguard currently lacking in your environment today.

No Strain on the Network

Network people and Security people are like oil and water. Network engineers want open borders and Security engineers want to build a wall, for lack of a better analogy. Deception provides no strain on the network whatsoever, so this is one technology that your security team can implement that will not result in conflicts between the two groups. More importantly, it will not affect the performance of your critical applications.

It Will Keep You Employed

As mentioned previously, very intelligent and capable heads of InfoSec lose their jobs over being 99.99999% successful. Deception puts the odds of immediate breach discovery and remediation in your favor. There is simply nothing in the market today that evens the odds the way this technology does.

So how does your organization find a Deception Solution, and how do you find budget for this when you may have already submitted budget for 2017?

What Solutions Exist Today?

While this is a relatively new sector (Gartner has not yet created a “Magic Quadrant” for it), there are some mature solutions in the space. Like you, as a salesperson’s IT target, I am approached by various solution providers and have spent time reviewing providers in this space. As you may have gathered, it is my intention to gain an audience with you to share the solutions available in the market, share my knowledge of the sector and help you make an educated decision on which solution best fits your particular organization’s need.

Pricing varies based on provider: some price by the endpoint while others price based upon VLAN. The cost is relatively minor compared to the cost of a breach.

Finding Budget:

I recently finalized a deal with a regulatory body for one of the nation’s critical sectors. They did not initially have budget for the solution but recognized the importance and created funding. This sentiment has been fairly well exhibited by the majority of companies that have evaluated the solution.

Some companies, however, operate by a hard-line annual budget. In these particular cases, I’ve seen companies allocate funds intended for endpoint security towards Deception, as this does fall into that area (technically).

Another way to find budget is to simply look at the “Goodwill” section of the balance sheet. If your company does not have a “breach remediation” budget, there is no “goodwill” better than preventing a data breach. The cost of breach remediation, such as hiring Mandiant, can run in the millions and cost you and your staff your jobs. Deception is a proactive approach instead.

Find the Time

In InfoSec, there is more fire-drill activity than in most sectors, but that should not prevent a head of Cyber from taking the time to learn and evaluate the very tools that will keep the enterprise going. Too many times, cancellations of meetings and demos have resulted later in breaches and job losses (Home Depot, anyone?).

Final Thoughts

The technology of Deception is not new in theory, but it is relatively new in practice. Proper safeguards of the traditional variety, coupled with Deception, can help any organization use simple math and probability to put the odds in its favor.

About the Author:

Eric Blaier is the founder of Integrated Business Services, Inc., an Atlanta-based IT & Security consulting firm established in 2001. He has held sales and sales management roles for such companies as Allnet, Teleglobe, ATT and Equinix, and his firm partners with the leading cloud, security and network providers in the marketplace to maximize the efficiency, safety and productivity of his clients.
He can be reached at eric@integratedbusinessservices.net or www.integratedbusinessservices.net