Greetings from Acalvio! We are joining the fight to keep our enterprises safe from malicious activity. While the problem is old, our approach is new and innovative.. read on!
The IT industry has paralleled our traditional approach for defending physical assets – build perimeter defenses. Walls, moats, doors, locks, identification, etc. are the motivation for the perimeter defenses that the security industry has spent its energy on. Lately, the advent of ubiquitous mobile connectivity, proliferation of cloud services, advent of IoT, and the quickening pace of IT change has made it clear that we cannot entirely depend on perimeter defenses.
Furthermore, if any of the recent highly publicized security breaches are any indication, malicious activity is rampant. Studies tell us intruders are often active within the enterprise for as much as 200 days before they successfully exfiltrate data. Clearly we need a defense mechanism that takes into account the fact that malicious activity has already breached the perimeter.
Well, in the physical world, we solve this by using motion sensors inside our buildings. These catch successful penetrations of our perimeter defenses.
We need Motion Sensors for our digital environments – to protect IT, IoT and so on.
How do we build that?
A natural instinct is to try to look for anomalies within the IT environment. Accomplishing this is a herculean task – we need to collect lots of event and log data, establish what is normal, and then what is left must be abnormal. Doing this at scale, with low false positives, is a very challenging task. The best efforts here can only yield a set of exceptions – potentially lots of them – and someone has to work through each of these to find the true anomalies. The effort it takes to sift through these “potential” alerts makes the exercise a rather futile one, and one quickly reaches the point of diminishing returns. Security Operations Centers are already inundated with signals. Sending more signals to process is not the most desirable solution.
There must be a better way! Can we invert the problem? Can we have the anomaly announce itself?
Well fortunately, there is a way. Deception. Nature (flora, fauna) has used deception very effectively for millions of years for survival and self-preservation. And humans have used it in warfare for thousands of years – since the days of Sun Tzu.
The first successful use of Deception in IT security that made an impression on me was by Cliff Stoll, an incredibly brilliant computer scientist at Lawrence Livermore National Lab, Berkeley in 1986, where Stoll used honey pots to trap Russian intruders. This has been depicted in dramatic detail in his book, Cuckoo’s Egg. Since then, Deception (usually in the form of honeypots) has been used extensively to ensnare threats on the public internet.
However, for corporate IT departments, Deception has seen application mainly in labs, and science experiments, and has not seen the light of the day in production scale deployments. Why is this?
Simply put, the first generation of deception technologies – which we call Deception 1.0 – were simply not designed for success in the corporate network. Before the technology could be ready for widespread use, some key problems needed to be solved:
1. Automation – DevOps for Deception
Traditionally, the entire task of setting up, maintaining, and interpreting the results of honeypots fell on the administrator. No tools existed to automate these complex tasks.
2. Authentic or forget it
One of the age-old dictums is for spies to be able to blend into the territory they serve for them to be effective. The same is true here, decoys or deceptions need to be authentic and need to blend very naturally.
3. Staleness is the enemy of Deception.
One thing we need to remember – attackers have no penalty for retrying. We can count on them doing that. The consequence of this is that, over several attempts, attackers can map out all the Deceptions that are hosted within an enterprise. If they aren’t changing, from then on the Deceptions are relics – they will be avoided.
4. Scale and Density are critical
The historic difficulties deploying deceptions means they are normally deployed in small numbers, limiting their effectiveness.
To summarize, Deception 1.0 solutions established the potential. In order for them to be effective in Enterprise scale deployments, it needs to address the above systemic areas. This is precisely what we at Acalvio are doing with our Deception 2.0 solution.
Calvio in Latin means Deception. At Acalvio, we are focused at delivering Active Deception solutions to address the needs of Advanced Threat Defense.
We are excited to be launching innovative products based on patented technologies that can deliver timely and effective detection, are cost effective, and can be deployed at DevOps scale.
I would like to thank you for your interest in Acalvio. Check back here, where I will keep you briefed of key developments on our front.
Ram, co-founder, CEO