Using deception as a threat detection solution would seem to be a no-brainer: It can detect malware at multiple points in the kill chain, with no false positives and no modifications or impact to production systems. Everyone must be doing it, you would think. However, the reality is that deception isn’t widely deployed at all. So what’s the issue, and what’s being done about it?
The problem with most deception solutions boils down to one thing: Operational reality. In order to be effective, deception needs to be easy to deploy at scale and constantly tuned to be credible. Sure, you can throw a few honeypots around, but you’ll lack coverage in most of your network. Just as bad, unless each honeypot is configured to blend in with the surrounding environment, and morphs as the environment changes, it will stick out like a sore thumb. That requires administration time and attention you just don’t have. Think you can improve things by deploying breadcrumbs that lead to the honeypots? Great, now you’re responsible for placing artifacts on production systems and making sure nothing goes wrong. Thanks but no thanks! I think by now you get the idea – there are just too many challenges to make it realistic for almost all organizations.
We at Acalvio would be the first to admit that there are solutions out there that go part way towards solving these issues, for example achieving scale through large numbers of simple decoys. However, this is like going from a two-wheeled car to a three-wheeled car: There’s progress, but it’s still not viable in any production situation.
The good news is that we listened to the market when we architected our Deception 2.0 solution, ShadowPlex. We focused on both the necessary credibility to deceive the attacker, and capabilities required to operationalize at scale:
- Automation: ShadowPlex automates pretty much everything: Discovery, deployment, scale-up, and authenticity (read on for more on that). This means that with very little effort, you can deploy it broadly and with credibility, and immediately get high integrity events (i.e. no false positives) rolling up to your SIEM.
- Dynamic Authenticity: ShadowPlex not only configures deception to blend in with each environment to appear credible, it also dynamically modifies the deception based on changes in the environment. Becoming stale kills effective deception, and trying to stay credible manually is a non-starter.
- Scale and Coverage: To be able to scale without breaking the bank, we support large volumes of low interaction decoys. And since no one wants to implement a solution that can’t cover most or all of their environment, we support all the typical operating systems, and the ability to deploy in traditional, public, and private clouds.
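To make the "high integrity events" point concrete, here is an added example (not Acalvio's code, and not part of the original post) of a minimal low-interaction decoy: a TCP listener that presents a constructed SSH-style banner, records whatever first touches it, and emits a structured JSON record of the kind you would forward to a SIEM. The service label, banner string, field names and the `probe_decoy` helper are all assumptions made for the example; the point it demonstrates is that because no legitimate client should ever connect to a decoy, every accepted connection is an alert-grade event with no tuning required.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed example: a minimal low-interaction decoy listener.
# Nothing legitimate should ever connect to it, so every accepted
# connection is a high-integrity event worth forwarding to a SIEM.

DECOY_SERVICE = "decoy-ssh"                # hypothetical label for the service we imitate
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"  # constructed banner, chosen to look plausible


def make_event(peer, port, first_bytes, service=DECOY_SERVICE):
    """Build the structured record that would be shipped to the SIEM (field names are assumed)."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": "decoy",
        "service": service,
        "severity": "high",  # any touch of a decoy is suspicious by design
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "first_bytes": first_bytes[:64].hex(),  # what the client sent after the banner
    }


class DecoyListener:
    """Accepts connections, hands out the banner, captures the first bytes, records an event."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # port 0 lets the OS pick a free one
        self.events = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        self.sock.settimeout(0.2)  # poll so the loop can notice a stop request
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(DECOY_BANNER)
                    data = conn.recv(256)
                except (socket.timeout, OSError):
                    data = b""
            event = make_event(peer, self.port, data)
            self.events.append(event)
            print(json.dumps(event))  # stand-in for forwarding to the SIEM

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe_decoy(port, payload=b"SSH-2.0-client\r\n", host="127.0.0.1"):
    """Simulate a client touching the decoy so the example runs offline; returns the banner seen."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    listener = DecoyListener().start()
    probe_decoy(listener.port)
    listener.stop()
    print(f"{len(listener.events)} decoy event(s) recorded")
```

Running the script starts the decoy on a free localhost port, touches it once with the constructed probe, and prints the single JSON event. In a real deployment the `print` would be replaced by syslog or an HTTP forwarder, and the credibility problem the post describes is exactly the part this toy skips: a fixed banner on a port nobody else uses is easy to spot, which is why the automation and dynamic authenticity points above matter.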
Deception 1.0 was the two- and three-wheeled cars: Interesting, but not practical. Like any 1.0 offering, you probably don’t want your job depending on it. Acalvio ShadowPlex is the first example of Deception 2.0 – a powerful combination of DevOps, Distributed Deception, Machine Learning and Cloud capability. We took a great concept and made it operationally viable and cost effective for any size organization. So it’s finally time to take the keys and take it for a test drive. We think you’ll like what you see.