When a security incident is detected in the data center, time is of the essence. The longer it takes to respond to an incident, the greater the potential damage. Yet even with the best planning, incident response is often slowed by uncertainty, due largely to the high volume of security alerts analysts have to deal with.
Security teams are hard pressed to distinguish genuine threats from false positives, making it difficult to prioritize incidents for investigation. Despite improvements in machine data collection and analysis from data center systems, manually sifting through reams of data logs to identify breaches and analyze their impact remains laborious and time-intensive. To compound the delay in responses, over-matched security teams often have to bring in third-party investigators, which means more time and expense.
Part of the incident response challenge is that organizations continue to place a greater emphasis on breach prevention than detection and response. As a recent Gartner report, “Competitive Landscape: Distributed Deception Platforms, 2016” points out, “Security defenses such as signature-based intrusion prevention systems, malware sandboxes, and firewalls are continuously and purposely being evaded by informed attackers and their attack toolkits…So security practitioners must always find new creative ways to detect attackers to block or isolate their activities and move the attacker quickly away from sensitive systems, applications and services wherever possible.”
Distributed deception technology for the data center has the potential to tilt the playing field in favor of the security team, not only by accelerating incident response times but also by improving the effectiveness of security measures to combat breaches. Deception has been employed in various forms for some time, but the technology has advanced significantly, becoming both more sophisticated and easier to deploy and manage.
Gartner defines distributed deception platforms (DDPs) as “centrally managed systems that provide organizations with the ability to distribute, administer and manage an entire deceptive environment and its related architectural elements. For example, decoy (faked) workstations, servers, infrastructure, devices, applications, services, protocols or data elements are used as lures to entice, engage and detect an attacker using deception as a core theme.” In contrast to traditional stand-alone honeypot solutions, distributed decoys do not lie in wait as bait for attackers, but rather seek them out, engage them interactively, and ensnare them in traps from which they can neither escape nor detect that they have been caught.
Turning the tables
Distributed deception denies the attacker the advantage of “dwell time,” meaning the length of time a data breach is allowed to go about its business before being detected. In an advanced distributed deception scenario, the attacker is caught red-handed the moment it makes its first move. This requires technology capable of monitoring all lateral movement within the data center for any possible indication of a breach. Any unsuccessful connection attempt to a data center system is deemed suspicious, and decoys automatically reroute the suspect into an isolated deception environment for immediate investigation.
This triggers an automated, real-time analysis to clearly confirm whether the incident is an active breach. If so, the attacker is effectively neutralized in an isolated deception environment, but allowed to progress, unaware that its behavior is being observed and analyzed in-depth. The analysis deconstructs the attack method, tools and credentials used, as well as systems targeted and any malicious files uploaded. The net result is the security team not only receives detailed forensic information on a confirmed attack, but also a summary based on automatic analysis that is easy to understand and act upon.
Compared to traditional analysis methods that rely on the collection of machine data, distributed deception casts a wider net for incidents that warrant investigation. The advantage of this approach is that it yields far fewer false positives because of higher fidelity breach recognition. This relieves security teams of a huge investigative burden, enabling them to quickly prioritize incidents that require immediate response based on severity – a process that would otherwise require hours of human analysis using conventional tools and techniques, with little assurance of success.
Once a breach has been contained, positively identified and analyzed, deception can trigger an automatic mitigation response, using the attack footprint generated during the analysis to scan the network for systems that have been compromised. The security team can then quickly ascertain the scope of the attack and initiate remediation measures.
Keeping it real
There are a number of security solutions available today that incorporate deception in one form or another, with varying degrees of effectiveness. Deception only works if the attacker is genuinely deceived. Today’s sophisticated black hats are well aware of the array of defenses being deployed against them, and are less and less fooled by system emulation. The more advanced solutions on the market today lure attackers with real machines, real services and real IP addresses, making it difficult if not impossible for attackers to recognize the ruse.
Against a relentless wave of increasingly sophisticated attacks on data centers and cloud operations, next-generation deception technology offers a viable solution that can help security teams regain the upper hand. Often strapped for staff and resources, security teams can employ deception to greatly expand their investigative and analytical capacity, prioritize incidents with greater accuracy, and automate mitigation measures – thereby reducing the impact of “dwell time” and accelerating incident response with greater efficacy.