Name: Deceptions Everywhere
Company: illusive networks
Description: Illusive's Deceptions Everywhere® technology covers the entire network – physical or virtual.
Price: $60 per user per year subject.
Illusive's Deceptions Everywhere® technology covers the entire network – physical or virtual – across all endpoints and servers. It functions with the network, application and data layers, allowing a completely realistic deception infrastructure. All decoys and supporting “honey” elements are generated automatically. Because they are AI-driven to maintain consistency with the real network, illusive's deceptions appear realistic and authentic to attackers. When an attacker attempts to use the decoy data, illusive detects and alerts, providing real-time contextual forensics from the source host. This enables informed incident response.
We especially liked the product's unique Attacker View. This shows the target graphically, along with the actions of the attacker from the attacker's perspective and the routes that an attacker might take to get to his targets. In addition, illusive has implemented explicit responses against attacks on wire transfer systems (Wire Transfer Guard) and ransomware attacks (Advanced Ransomware Guard). These specialized functions not only protect against the specific types of attacks, they also provide substantial forensic data in the event of an attack.
The system is agentless and uses the existing infrastructure to deploy. Using its Deception Management System (DMS), it deploys using AI to meld the deceptive devices with the actual network. That includes operating at the network level to create links to non-existent devices. Along those lines, the tool provides email deception wherein it mimics the email credentials, formats and users in the enterprise.
illusive breaks its elements down into what it calls deception families, such as browsers, scripts, network, mail, files and recents, to name a few of the fourteen families we saw on the system we examined. We also saw 27 deceptive servers and 19 deceptive user names. Still, it deployed 83 deceptions and protected a couple of real servers.
Generally, we found that illusive provides all the functionality that we look for in a deception network. Especially impressive is its ability to mimic the actual network as it adds deception. However, not only is only the deception net – not the real network – visible to the attacker, the deception net is also not visible to normal users. This is important because we do not want legitimate users getting buried along with real data in the deception net.
Typical deployment is two servers – either physical or virtual Windows 2008 R2 – one for the management server and one for the trap. It can integrate with SIEMs, such as ArcSight and Splunk, using the CEF/syslog protocol. To address APT attacks, illusive works with Cisco's ISE and pxGrid. Integration with CyberArk provides privileged account management. Syncing with VirusTotal for malware information and Cisco Umbrella rounds out its several integrations. So, this is a deception tool that is well on its way to generalized integration with important third-party tools.
The web site is a good mix of marketing material and useful information. Support is offered at various levels up to attack risk analysis assistance. Pricing is reasonable. We found this a very substantial tool in the deception arena.
– Peter Stephenson, technology editor