Deception Technology is the Highest Accuracy Security Control You Can Buy

According to the 2019 Cisco CISO Benchmark Study, “the accuracy of the tools used to determine which alerts should be investigated are not doing their jobs.” According to the report, “24.1% of the alerts that were investigated turn out to be legitimate,” down from 34% in their 2018 report.”

The Related Problem

The related problem, of course, is that the vast majority of security operations center (SOC) teams are buried in a continual barrage of alerts and most cannot investigate many of the alerts they flag as suspicious. The SOC team needs the information to make decisions about these alerts, which much of the time they do not have.

Which Alerts to Investigate?

How will we know which alerts to investigate? Which alerts represent active threats that need my immediate attention? A great variety of security controls may identify any specific behavior as malicious but with limited and varying accuracy. Data shows us today that security controls often fail to generate important alerts, generate many spurious alerts, or generate important alerts that are still missed by the SOC due to the overall deluge of alerts.

Signatures of Malware

Signature-based technologies identify known bad actors almost immediately and hence rarely identify advanced threats. Advanced threat attackers know that they must constantly change the signatures of malware they use, and so they use techniques such as repacking to in effect, create a new unknown hash or signature. They use freshly minted malware tools and related techniques to perhaps to gain a foothold, establish command and control to an IP address which threat intelligence has not identified as malicious.

Once this is done, carefully, these attackers move carefully through your networks, gaining administrator credentials, identifying resources, using standard tools you might expect to find in your network, creating new backdoors, and ultimately exfiltrating confidential information or diverting funds.

All of the detection techniques and the underlying math these security controls use, at some point, has to place code and the associated behavior either into a bucket that indicates varying degrees of suspicion, or eliminate them from further attention. Often there are too many in the bucket of suspicious behavior because security control technologies cannot identify them properly, or, because of how the security controls are configured.

Twenty Years Ago

About twenty years ago, enterprise search engine technology attempted to classify and cluster documents based upon Bayesian math and training sets. The automation was good and highly useful compared to generating rules-based data classification. However, the accuracy of these systems after using the sample data as training sets was often poor. Perhaps 5% or more of the new documents were incorrectly classified. This same Bayesian math and other closely related mathematical techniques, with a few tweaks, are used for some of the network threat analysis tools today.

Viewing this theoretically, if your technology sets move the boundary condition for being suspicious so you can make sure you find all possible attackers at very high probability, you end up including many good (or acceptable) behaviors and thereby will generate an unmanageable and extreme number of alerts. Similarly, if you loosen up the boundary conditions for not being suspicious similarly you will include many malicious actors that will, in turn, compromise your networks.

Acalvio’s ShadowPlex Deception Technology

Acalvio’s ShadowPlex Deception Technology, in sharp contrast, is the highest accuracy security control you can buy to identify advanced threats moving inside of your internal networks. Deception technology is not variable or conditional. It is not probabilistic. The detection is absolute and crystal clear. It is certain. No one should be touching any of the decoys that might be used. No one. You touch a decoy and you are caught. This sort of behavior is clearly malicious and represents the reconnaissance activity of a sophisticated attacker moving through the network.

In certain organizations, perhaps intelligence agencies, defense, military, nuclear facilities, and others where the highest levels of security and secrecy are required, often the placement of Deception Technology components is kept hidden from even highly trusted IT administration team and management. Historically, we have seen that the very rare false positive alerts generated come from these IT team members using scanning tools or probing the network, perhaps in practice, and then, of course, touching the Deception Technology in place. Even these instances are few, often counted on one hand, and easily investigated and resolved.

In summary, cyberattackers will penetrate your networks at some point. Once inside, these cyberattackers within your networks will move to perform reconnaissance, and identify key resources for compromise and theft. At almost every move or turn they make, Acalvio ShadowPlex will be in their path. Once they touch a deception decoy Acalvio will identify them at extreme certainty, and then generate alerts of the highest importance for your SOC team.