LIFARS recently interviewed Mike Fabrico, Sales Director, TrapX Security of the US East Coast. In this three-part interview, we discussed deception technology and why this approach to cybersecurity is growing in popularity amongst the largest companies in the world. TrapX Security currently leads the market, as it pioneered the idea of deception technology back in 2010. In addition, TrapX frequently releases new reports, case studies and whitepapers about how it repeatedly stops attacks for the largest companies in the world.
Below is part III of this interview series:
LIFARS: “Does deception work to protect my internet of things (IOT) devices?”
Mike: “Internet of things (IoT) devices are particularly vulnerable to attacker tools propagating through the network. Many IoT devices may have older, embedded operating systems which are closed and not accessible to your IT teams. These unpatched operating systems are highly vulnerable to attackers’ malware tools and can be used as a foothold for the establishment of an attacker’s “backdoor.” Additionally, most endpoint security and other internal cyber defense tools do not install on, nor protect, IoT devices. The security operations center team has no visibility of an attacker’s presence within these devices. Deception greatly enhances visibility. Deception traps will find lateral attacker movement to or from IoT devices. Almost any way an attacker moves within the network, they will trigger a deception network trap. This makes deception a leading cyber defense technology to secure IoT and connected devices.”
LIFARS: “What is the architecture of deception technology today?”
Mike: “Wow, that’s a great question; I will answer you in detail.
In the past few years, the deception market has evolved from managed honeypots using virtualization towards a full stack architecture: integrated platforms that include all of the deception techniques available and support the best practices in deployment that make these techniques successful. A full stack architecture would include:
- Tokens/lures that entice attackers to traps or fake IT resources. These lures would be scattered within your real IT resources and then lead the attackers to the deception traps in your network. Nothing is more tempting to an attacker than fake credentials and passwords.
- A disguise of fake network traffic between the traps to distract and confuse attackers in the earliest phase of their reconnaissance within your networks.
- Medium interaction or emulated traps that enable a broad diversity of fake assets to be deployed easily, and at the lowest cost. Emulations exist for medical devices, automated teller machines, industrial control system components, switches, workstations and much more, by industry vertical, as a comprehensive packaged set.
- Full interaction traps or full operating system traps (fullOS) enable the deepest attacker engagement and diversion. They are relatively the most expensive to deploy, so it is ideal if the emulated traps can extend, perhaps by proxy, to these fullOS traps.
Most of the vendors within the industry offer one and sometimes two of these capabilities. I can confidently say that TrapX Security is the only vendor on the market that can offer all of these phases and that all three work effectively and seamlessly together.”
LIFARS: “Last question for you Mike: what is the value, and what are the expected benefits, that enhance situational awareness and visibility of attackers that have already penetrated our network?”
Mike: “Alright, most existing security products do not detect advanced malware or malicious activity in the network. Attackers can work around most standard defense-in-depth products. Deception provides situational awareness of internal networks not provided by other cyber defenses and can save the customer potentially millions of dollars in losses.
Uniquely, we detect midpoint lateral movement by malware or a human attacker in real time, which is unseen by other cyber defenses. TrapX monitors and protects these areas.
Reduce time to breach detection/dwell time: deception technology detects the movement of advanced adversaries almost immediately. We dramatically reduce the time to breach detection for the most sophisticated zero-day events, advanced persistent threats (APTs) and other attackers. The time to breach detection is often many months, during which significant damage will be done.
In fact, per the Ponemon Institute report in 2017, the average time to breach detection in 2017 was 191 days (6.5 months!) – this is completely unacceptable!
Uniquely, deception can detect the movement of sophisticated attackers much faster, often within the hour, and substantially reduces the time of breach detection.
This, in turn, reduces the potential for financial loss and impact to business operations.
Reduce false positives and help with SOC team operations: existing security products generate too many alerts. Either the filter is set too low and there are many extraneous alerts, or the filter is set too high and critical events are missed. We decisively identify attackers. Just one touch of our traps and they are caught. We generate almost no false positives – only highly accurate and actionable alerts. They are touching a trap and clearly, they should not be doing so. This is recognized as an absolute violation – not probabilistic or subjective. This increases effectiveness and efficiency in the security operations center, saves both time and money, and reduces alert fatigue. Deception generates a small number of highly accurate and actionable alerts. Important events are not missed or ignored by your SOC team.”
In summary, we learned a lot of valuable lessons about deception technology and about how TrapX prevents attacks for its many customers.
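To make the "one touch of a trap is an alert" rule from the last answer concrete, here is an added illustration in Python (not TrapX code and not part of the interview): it treats any connection to a decoy address or any use of a planted fake credential, the lures and emulated traps from the architecture answer, as a deterministic alert, and measures how long after the first logged event the first alert fires. All addresses, usernames and log lines are constructed for this example.

```python
"""Deception-style detection over constructed log lines.

Any interaction with a decoy asset or a planted honeytoken credential is a
deterministic, high-confidence alert: no legitimate workflow should ever touch
them, so there is no threshold to tune and no probabilistic scoring.
"""
from datetime import datetime

# Constructed decoy inventory (hypothetical values, not a real deployment).
DECOY_HOSTS = {"10.20.5.44", "10.20.5.45"}             # emulated trap addresses
HONEYTOKEN_USERS = {"svc_backup_legacy", "admin_ops"}  # planted fake credentials

# Constructed sample log lines: "<timestamp> <event> src=<ip> dst=<ip> user=<name>"
SAMPLE_LOGS = [
    "2024-03-01T09:00:05 conn src=10.20.1.10 dst=10.20.1.20 user=alice",
    "2024-03-01T09:00:12 auth src=10.20.1.10 dst=10.20.1.20 user=alice",
    "2024-03-01T09:01:30 conn src=10.20.1.77 dst=10.20.5.44 user=-",
    "2024-03-01T09:02:02 auth src=10.20.1.77 dst=10.20.1.20 user=svc_backup_legacy",
    "2024-03-01T09:03:40 conn src=10.20.1.10 dst=10.20.1.21 user=alice",
]


def parse_line(line):
    """Split one log line into a dict of fields with a parsed timestamp."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def detect(lines, decoy_hosts=DECOY_HOSTS, honeytokens=HONEYTOKEN_USERS):
    """Return one alert per log line that touches a decoy host or a honeytoken."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reasons = []
        if ev["dst"] in decoy_hosts:          # traffic to a trap
            reasons.append("decoy_host:" + ev["dst"])
        if ev["user"] in honeytokens:         # use of a lure credential
            reasons.append("honeytoken:" + ev["user"])
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return alerts


def attacker_sources(alerts):
    """Distinct source addresses that touched a trap: the hosts to investigate."""
    return sorted({a["src"] for a in alerts})


def seconds_to_first_alert(lines, alerts):
    """Dwell-time proxy: seconds from the first logged event to the first alert."""
    first = parse_line(lines[0])["ts"]
    return (min(a["ts"] for a in alerts) - first).total_seconds() if alerts else None
```

Real legitimate traffic never appears in the alert list because alice only touches production hosts; only the host that reached a trap and replayed the fake credential is flagged.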