Deception oversight: common problem across the board

Existing security strategies remain focused on perimeter security, anti-virus and intrusion detection solutions

By Ray Kafity, VP, META at Attivo Networks. Published December 4, 2017

The new wave of cyber-attacks does appear to be unstoppable. Early this year, approximately 15 government agencies and private institutions in the Kingdom of Saudi Arabia were attacked by the Shamoon virus. This was soon followed by a tidal wave of Wannacry and Petya ransomware attacks – although, the Middle East largely escaped unscathed.

However, the existing security strategies at many companies in the region remain focused on perimeter security, anti-virus and intrusion detection solutions. While these solutions are important, to minimise the opportunity for advanced persistent threats (APTs) and BOTs to penetrate and harm a network, IT and security teams must think of an adaptive security approach that includes both prevention and detection technologies. Many have adopted a multi-tier prevention strategy, but these strategies have proven decreasingly effective as new generations of malware increase in sophistication. IT and security teams need new approaches to get back ahead of the curve.

While networks remain vulnerable, enterprises continue to spend handsomely to protect them. IDC research states that organisations are expected to spend $101.6 billion by 2020 on security-related hardware, software, and services. Additionally, Gartner states that by 2018, 10% of all enterprise organisations will have adopted deception technologies into their security solutions.

Enter decoy and deception technologies

Enterprises today are taking a page out of the attacker’s handbook and turning to deception to trap attackers.  While the concept of deception is not new, today’s deception-based technologies are abandoning the focus on known attack patterns and turning to advanced luring techniques and deception servers to entice an attacker away from critical information.  These solutions use endpoint and distributed engagement “lures” placed strategically throughout the network to actively attract an attacker.  They provide real-time detection and the forensics required to identify the infected device and to block, quarantine, and remediate against attacks. These technologies are easy and non-disruptive to deploy and provide a central management console for threat intelligence aggregation and reporting.  Deception platforms are also extremely scalable with support for user networks and datacenters across private, public and hybrid clouds and they can detect both reconnaissance and stolen credential attacks.

What is a CISO to do?

Against this backdrop, the CISO, other C-level officers, and the board of directors must engage in a continuing balancing act between the cost of information security and the potential risks.

Directors, in particular, continue to live in the shadow of yesterday’s Enron, Worldcom, and Global Crossing scandals, among others. 

Security is one of the four areas of a typical audit.  Security compliance includes ensuring corporate controls are in place to prevent breaches and deploying solutions that address incidents that do occur. 

Despite this, CISOs often have a difficult time gaining support for information security investment from the board.  Although information security is essential to corporate compliance with existing laws and regulations, directors are often required to focus less on ensuring “best security” in favour of “good enough” security.  The lack of a clear definition of “best security” is largely responsible for this thinking. 

However, in today’s environment, what was previously viewed as good enough is no longer able to keep up with today’s advanced and insider threats. Three important messages that CISOs should communicate to their boards to demonstrate the importance of focusing on information security, and on deception technologies in particular, are:

- Information security is a significant corporate risk. It is nearly impossible to conduct any facet of a business today without a computer. As a result, the information that resides in an enterprise’s networks is the lifeblood of the business and, if not protected, could result in financial damages and a negative impact on the company’s brand. This makes information security a critical business issue. Any security strategy that does not include an adaptive security plan with in-network detection, to detect attacks that have bypassed prevention solutions, will result in a network breach sooner or later, if it hasn’t occurred already.

- Information security is now required, and disclosure is no longer solely at a company’s discretion. Between existing laws, insurance mandates, industry regulations, and shareholder demands, robust information security is now a corporate requirement.

- Deception technologies are the new frontier in cybersecurity defence. These technologies are a “must have” component for executing optimal defence-in-depth security strategies that not only prevent attacks but also provide the real-time detection and forensics required to avoid a security breach.

So what does your management and board need to know?

To help your management team and board gain the knowledge adequate to make informed decisions, below are several questions they should be able to ask and answer:

- Is there a defence-in-depth strategy in place, and does it include protection at the six critical layers of the security “stack”?

  - Policies, procedures, and awareness – Protection via data classification, password strength, code reviews and usage policies

  - Perimeter – Protection via firewalls, denial of service prevention, and message parsing and validation

  - Internal network – Protection via transport layer security, such as encryption, and user identification and authentication

  - Host/OS – Protection through OS patches and desktop anti-malware

  - Application – Protection through protocols such as single sign-on (SSO) and identity propagation

  - Data – Protection through database security (online storage and backup), content security, information rights management, and message-level security

- Does the defence include dynamic deception? Dynamic deception lures attackers into traps, provides forensics to study attacks, and shuts attacks down, allowing IT and security teams to put remediation strategies in place.

- Are the deception technologies based on real-time operating systems? The key to effective deception is creating an authentic decoy. Real-time operating systems provide better authenticity than the alternative, emulation, because they run genuine licensed software loaded on the engagement server.

- Are the deception technologies frictionless, i.e., non-disruptive to deploy and manage? Deception solutions should integrate easily with existing security infrastructure and provide real-time threat detection.

- Do the deception technologies offer threat intelligence? When a BOT or APT is engaged, the solution should run full forensics to capture the methods and intent of the hacker.

- Do the deception technologies reduce false positives? False positives sap the resources of the IT and security team by forcing them to research threats that turn out to be fake. Deception solutions will not deliver false positives since they only produce alerts after actual engagement.
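To make the engagement-only alerting and the reconnaissance and stolen-credential detection described above concrete, here is an added illustration (not Attivo’s code or product logic): it scans constructed connection and authentication log lines, treats any contact with a decoy as an alert, escalates a source that touches several decoys as reconnaissance, and flags any login with a planted honey credential. The decoy addresses, honey account names and log format are assumptions.

```python
"""Added example (not Attivo's code): turn decoy 'engagement' events into
alerts. Legitimate users have no reason to touch a decoy, so any contact
is alertable; several decoys from one source suggests reconnaissance, and
a login with a planted (honey) credential suggests credential theft.
Decoy addresses, honey accounts and the log format are assumptions."""
from collections import defaultdict

DECOY_HOSTS = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}      # assumed decoy IPs
HONEY_ACCOUNTS = {"svc_backup_old", "dbadmin_tmp"}         # assumed planted creds
RECON_THRESHOLD = 3   # distinct decoys touched by one source => reconnaissance

# Constructed sample log: "<ts> <type> src=<ip> dst=<ip> [user=<name>]"
SAMPLE_LOG = """\
1512345600 conn src=10.0.1.15 dst=10.0.1.50
1512345601 conn src=10.0.1.40 dst=10.0.5.20
1512345602 conn src=10.0.1.40 dst=10.0.5.21
1512345603 conn src=10.0.1.40 dst=10.0.5.22
1512345604 auth src=10.0.1.77 dst=10.0.2.9 user=svc_backup_old
1512345605 auth src=10.0.1.15 dst=10.0.2.9 user=alice
"""

def parse_line(line):
    """Split one log line into a dict of its timestamp, type and key=value fields."""
    ts, kind, *fields = line.split()
    ev = {"ts": int(ts), "type": kind}
    ev.update(f.split("=", 1) for f in fields)
    return ev

def analyse(log_text):
    """Return a list of (severity, source_ip, detail) alerts derived from the log."""
    alerts, decoys_seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Any contact with a decoy is an engagement: no production host should reach it.
        if ev.get("dst") in DECOY_HOSTS:
            decoys_seen[ev["src"]].add(ev["dst"])
            alerts.append(("high", ev["src"], f"engaged decoy {ev['dst']}"))
            # Touching several distinct decoys looks like a network sweep.
            if len(decoys_seen[ev["src"]]) == RECON_THRESHOLD:
                alerts.append(("critical", ev["src"], "reconnaissance: multiple decoys"))
        # Honey credentials are never used legitimately, so any use means they were stolen.
        if ev["type"] == "auth" and ev.get("user") in HONEY_ACCOUNTS:
            alerts.append(("critical", ev["src"], f"honey credential used: {ev['user']}"))
    return alerts
```

Running `analyse(SAMPLE_LOG)` yields three engagement alerts plus a reconnaissance alert for 10.0.1.40 and one honey-credential alert for 10.0.1.77; the ordinary traffic from 10.0.1.15 produces nothing.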


The threat of cyber-attacks has reputational as well as revenue implications.  It will become increasingly likely that consumers and companies will avoid purchasing products and services that gain a reputation for failing to protect critical data.

Protecting an organisation’s reputation as well as its financial condition is a core responsibility of management and their boards of directors. Information security based on a defence-in-depth strategy is the cornerstone of protecting critical data, and decoy and deception technologies are an essential component of this defence in depth.

CISOs can acquire the budget and resources they need by educating, updating, and encouraging senior management and directors to learn about security within their organisations.
