Most organizations implement relatively static and denial-based cybersecurity defenses. They deploy controls such as firewalls, anti-virus, and vulnerability management, and start monitoring for events. The problem is that attackers can repeatedly probe for weaknesses in these denial-based defenses, and then apply maximum pressure at the defender’s weak point. In addition, defense evasion measures for many of these security solutions are well-known and public. Determined attackers eventually find a way in – it has become a question of “when” and not “if”.
Active Defense is Complementary to Traditional
Cyber Defenses
Traditional cybersecurity defenses monitor all activity against regular assets and alert on suspicious activity – detected based on signatures or anomaly detection using probabilistic machine learning models. This results in a lot of false positives and also misses zero-day exploits.
- Generates a new stream of low volume and high-fidelity alerts, which adds to and extracts value from the alerts raised by other defenses
- Provides another layer of defense based on orthogonal detection methodology, complementary to the traditional cyber defenses
- Detects even zero-day exploits, since deception-based detection does not depend on whether the exploit has been seen before
Acalvio Active Defense Provides Dynamic Deception
Denial-based cybersecurity defenses are relatively same throughout the enterprise and even across enterprises. If an attacker manages to evade a specific defense, this monoculture helps attacker use the same strategy to evade that same defense everywhere else as well.
Acalvio Active Defense uses Artificial Intelligence to deploy relevant and blended deception, automatically customized to every endpoint and every subnet, even within the same enterprise. The deception is also automatically updated and kept fresh to match any changes in the network neighborhood. Even if an attacker identifies a deceptive asset, it does not provide any insight into the other deceptive assets anywhere else including in the same neighborhood, which makes deception-based cybersecurity very effective.
Active Defense Covers all Enterprise Assets
Active Defense covers all enterprise assets. ShadowPlex ships with 150+ built-in deception types and, more importantly, includes a framework to easily add additional deception types. The agentless architecture of Acalvio Active Defense Platform can protect all assets where EDR agents cannot be deployed and networks where NDR solutions cannot sit inline. Active Defense works extremely well for protecting OT / ICS networks as it is a low-risk solution that does not need any agents and does not impact the enterprise assets in any way.
Attackers also go after applications (for example, Log4Shell is an exploit typically against web applications). Active Defense is a great mechanism to defend from application threats, by providing new deceptive set of application targets for the attacker and by protecting the real applications by embedding deceptions in them.
Identity Security
Identity is always of interest to attackers, as demonstrated through the APT 29/SolarWinds exploits. Current Detect and Respond security solutions do not have built in awareness of Identity threats. Active Defense is a great security mechanism to detect identity compromise. ShadowPlex provides visibility into attack targets in identity repositories and endpoint identity caches and uses deception to detect and respond to identity compromises.
Analyst Recommendations
Recent reports from IDC, KuppingerCole and other technology analysts endorse the importance of cyber deception.
The Role of Deception Technology in IoT/OT Security
IDC Market Perspective, July 2022
“By design, distributed deception platforms have a far lower false positive rate than IDS/IPS, SIEMs, and some other tools, which can improve efficiency in SOCs”
Distributed Deception Platforms (DDPs)
KuppingerCole Leadership Compass, Sep 2021
Next Steps
Explore our patented technologies to enable Active Defense and Identity Protection in your enterprise.