This month, we take a look at a fascinating emerging products group: active breach detection and cyber deception. This is pretty typical of the next-generation products that we've been seeing. However, there are some interesting observations that we can make. This group is changing the way we do security. It is in many regards the embodiment of “actionable intelligence.”
Much of what we have for you this month is reminiscent – or appears reminiscent – of honeypots and honeynets (one product even has a honeyuser – lots of jokes we could make about that one, but you can be sure that when the bad guys encounter one it's no laughing matter for them).
What fascinated us about this group is the creativity that developers are using to trap and analyze breach activity. Back in the day, we thought of honey-stuff as neat research tools and not much good for security. That has changed...and changed a lot. These are not your parents' honeynets. These are better than good for security and they're not bad for research either.
The idea behind deception tools is that they make the intruder believe the decoy is an important part of the network. And, as you will see, in some cases that absolutely is true. However, the protections deployed as part of the deceptions are rigorous and the actual assets never are in real danger.
The active breach detection tools typically make use of some sort of behavioral profiling during an attack. Drawing on known attack patterns, these solutions look at user behavior and decide whether the user is doing what they typically do. If not, the tools take some sort of action. The behavior analysis can span events ranging from unverified through suspicious to breached. Usually, to make decisions these tools focus on endpoints, the behavior of actors – human or malware – and the actor's position in the kill chain (or a variant of it). This is a case of “We know the bad guys are in. What we need to stop is their malicious activity until we can get rid of them.”
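To make the two ideas above concrete (the decoy “honeyuser” account and the staged behavioral profiling that escalates an actor from unverified through suspicious to breached), here is a small illustration written for this column introduction. It is not code from any of the products reviewed this month; the account names, hosts, baseline and event log are all constructed for the example, and the scoring thresholds are an arbitrary assumption chosen to show the escalation.

```python
"""Toy active-breach-detection pass (added illustration, not vendor code).

Two signals are combined:
  1. Any use of a decoy 'honey user' account is treated as high confidence.
  2. Each real user's endpoint activity is scored against a per-user
     baseline; the score maps onto the stages the column names:
     unverified -> suspicious -> breached.
All names, hosts and events below are constructed for the example.
"""

# Decoy account that no legitimate process should ever use (constructed name).
HONEY_USERS = {"svc_backup_admin"}

# Constructed baseline: the hosts and actions each real user normally touches.
BASELINE = {
    "alice": {"hosts": {"ws-alice"}, "actions": {"logon", "file_read"}},
    "bob": {"hosts": {"ws-bob", "fileserver1"},
            "actions": {"logon", "file_read", "file_write"}},
}

# Constructed endpoint events as (user, host, action) tuples.
EVENTS = [
    ("alice", "ws-alice", "logon"),
    ("alice", "ws-alice", "file_read"),
    ("alice", "dc01", "logon"),               # host outside alice's baseline
    ("alice", "dc01", "credential_dump"),     # host and action outside baseline
    ("bob", "fileserver1", "file_write"),     # fully within bob's baseline
    ("svc_backup_admin", "dc01", "logon"),    # decoy account touched
]

STAGE_ORDER = {"unverified": 0, "suspicious": 1, "breached": 2}


def score_event(user, host, action):
    """Deviation from baseline: +1 for an unknown host, +2 for an unknown action.

    An account with no baseline at all is scored as maximally anomalous.
    (Thresholds are an assumption for the example, not a product setting.)
    """
    base = BASELINE.get(user)
    if base is None:
        return 3
    score = 0
    if host not in base["hosts"]:
        score += 1
    if action not in base["actions"]:
        score += 2
    return score


def classify(user, host, action):
    """Map one event to a stage: decoy use is breached outright; otherwise
    score 0 stays unverified, 1-2 is suspicious, 3 or more is breached."""
    if user in HONEY_USERS:
        return "breached"
    score = score_event(user, host, action)
    if score == 0:
        return "unverified"
    if score < 3:
        return "suspicious"
    return "breached"


def assess(events):
    """Return the worst stage reached per actor across the event stream.

    This is the 'they are already in' view: the question is not whether an
    actor got in, but how far along the kill chain their behavior places them.
    """
    worst = {}
    for user, host, action in events:
        stage = classify(user, host, action)
        current = worst.get(user, "unverified")
        if STAGE_ORDER[stage] > STAGE_ORDER[current]:
            worst[user] = stage
        else:
            worst.setdefault(user, current)
    return worst


if __name__ == "__main__":
    for user, host, action in EVENTS:
        print(f"{user:18} {host:12} {action:16} -> {classify(user, host, action)}")
    print("worst stage per actor:", assess(EVENTS))
```

Note that alice never triggers the decoy; she is escalated purely by drift from her own baseline, first to suspicious (a new host) and then to breached (a new host plus an action she has never performed), while bob's write to a file server he normally uses stays unverified. The decoy account collapses the whole staging to breached on first touch, which is exactly why a honeyuser is such a cheap, high-signal tripwire.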
Overall, this was one of the most informative months we have had in a long time. These types of tools are the future of security. They work on that “already in the system” premise rather than focusing on keeping the intruders out. There are lots of traditional tools that attempt that and, as we now know, with varying degrees of success. Can we dump the firewalls, IPSs and anti-malware gateways? Probably not yet. But as time – and this emerging technology – matures, perhaps. Remember the old premise of defense-in-depth? Having any single line of defense is not going to solve our security and breach problems. At least not yet.
Don't forget to join me on The Threat Hunter Blog. You can find it in the middle column of the landing page on SCMagazine.com.