High Accuracy, Low-Noise Breach Detection

Breach Detection is the core Deception use case. Security teams must assume that adversaries will penetrate even the most sophisticated defenses, necessitating post-breach detection. Numerous standards specifically call for detection controls, including at least three from NIST alone: The Cybersecurity Framework, SP 800-171B, and SP 800-160.

Breach Detection is challenging however, for several possible reasons:

  • The wide range of attacker methodologies (TTPs)
  • The lack of a solid baseline of “normal” in the environment
  • Lack of sufficient well-qualified staff
  • Silos between tools and teams

Advanced Deception solutions for breach detection represent the culmination of years of development, beginning with honeypots decades ago and now leveraging AI/ML for ease of deployment and scale. At the highest level, the concept is a simple one:

  • Deploy fake assets (decoys, breadcrumbs, and baits) in the internal network that attackers will find attractive
  • If an attacker engages with such assets, create an alert to be investigated

The advantages of this approach to breach detection are clear

  • Low Risk – Completely independent of production assets; no agents or in-line appliances
  • Low False Positives – If someone engages with a deception asset, it can’t be for legitimate business purposes and is therefore likely an intruder

Acalvio ShadowPlex Advanced Deception builds on this concept and takes it to the level required to handle today’s threats across the hybrid cloud:

  • Pervasive Detection – Assets are deployed to attract, detect, and misdirect the adversary at each kill chain step during the attack
  • Low False Positives – If someone engages with a deception asset, it can’t be for legitimate business purposes and is therefore likely an intruder
  • A rich mix of assets types to blend into any environment and address the wide variety of attacker TTPs.
  • Cloud hosted and managed for scale, cost control and ease of operations
  • Automated deployment that adapts to the environment for higher credibility
  • Simultaneous support for additional use cases: Visibility, Attack Forensics and Obfuscation

ShadowPlex enables organizations large and small to implement high-fidelity, low-risk breach detection without a major commitment of budget or staff.

“This strategy recognizes that despite the best protection measures implemented by organizations, the APT may find ways to breach those primary boundary defenses and deploy malicious code within a defender’s system. When this situation occurs, organizations must have access to additional safeguards and countermeasures to confuse, deceive, mislead, and impede the adversary—that is, taking away the adversary’s tactical advantage and protecting and preserving the organization’s critical programs and high value assets.”

NIST 800-171B

Next Steps

Explore our patented technologies to enable Active Defense in your enterprise.