Great discussion with Rick Moy, CMO of Acalvio, about their distributed deception platform and their philosophy of catching the hacker in the act versus preventing attacks. The platform can be applied to machines, applications, kiosks, and source code repositories alike.
According to Jez Humble, author of Continuous Delivery, DevOps is "building, managing, and operating rapidly changing resilient systems at scale." Enterprise-scale deception requires a DevOps approach to configuring, deploying, and managing deceptions.
A DevOps approach makes it possible to dynamically create and manage deceptions based on the devices present in the smart home and on developing threat profiles. If an exploit is known to compromise cameras with factory default settings, the platform projects similar decoy cameras into the smart home to detect whether malware has entered the home network.
Leveraging a DevOps approach, Deception 2.0 security can quickly deploy relevant additional deceptions around an alert to intelligently lure the attacker away from production assets. "Attackers know what they are looking for. We use data science so fake systems can blend in with real systems," explained Rick.
Each threat vector has an appropriate mix of fake machines that can be evolved from lightweight emulation facades to high interaction deceptions based on what the attacker is doing. A distributed deception platform is always adjusting the balance between a large number of lightweight honeypots and high interaction honeypots to confuse and ensnare the attacker.
Without a distributed deception platform, it takes anywhere from 150 to 240 days to find an attacker in the network, and 87 percent of attacks require lateral movement to be successful. The distributed deception platform puts up tripwires so the attacker self-identifies and also leaves a trail of where he or she has been. The platform can then deliver a short list of highly qualified security exploits, so the security team's time is spent where known attackers are rather than sorting through false positives.
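To make the tripwire-and-escalation idea concrete, here is an added example (my own illustration, not Acalvio's code) of the control logic a deception platform runs: decoy interaction events are grouped into a per-source trail, sources that show lateral movement across decoys or use factory default credentials are escalated from lightweight facades to a high-interaction decoy placed near the latest alert, and single-touch scanners drop out of the qualified list. The event records, decoy names and the `LATERAL_THRESHOLD` value are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed decoy-interaction events (not real telemetry): one record per
# touch of a decoy, as the deception platform would receive them.
EVENTS = [
    {"src": "10.0.5.23", "decoy": "cam-01", "tier": "facade", "action": "login_default_creds"},
    {"src": "10.0.5.23", "decoy": "cam-02", "tier": "facade", "action": "port_scan"},
    {"src": "10.0.5.23", "decoy": "git-decoy", "tier": "facade", "action": "clone"},
    {"src": "10.0.7.4", "decoy": "cam-03", "tier": "facade", "action": "port_scan"},
]

LATERAL_THRESHOLD = 2  # distinct decoys touched by one source before escalation (assumed value)


@dataclass
class Trail:
    decoys: list = field(default_factory=list)   # order in which decoys were touched
    actions: list = field(default_factory=list)  # what was done on each touch


def build_trails(events):
    """Group decoy interactions per source so the attacker leaves a readable trail."""
    trails = defaultdict(Trail)
    for e in events:
        t = trails[e["src"]]
        if e["decoy"] not in t.decoys:
            t.decoys.append(e["decoy"])
        t.actions.append(e["action"])
    return dict(trails)


def escalation_plan(trails):
    """Decide which sources get a high-interaction decoy deployed around the alert.

    A source that touched several decoys (lateral movement) or logged in with
    factory default credentials is qualified; everything else stays on cheap facades.
    """
    plan = {}
    for src, t in trails.items():
        lateral = len(t.decoys) >= LATERAL_THRESHOLD
        default_creds = "login_default_creds" in t.actions
        if lateral or default_creds:
            plan[src] = {"escalate_to": "high_interaction", "near": t.decoys[-1], "trail": list(t.decoys)}
    return plan


def qualified_alerts(events):
    """Short list of sources ranked by trail length; single-touch scanners drop out."""
    plan = escalation_plan(build_trails(events))
    return sorted(plan, key=lambda s: -len(plan[s]["trail"]))
```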
Enterprises can use a distributed deception platform for protecting IP, source code repositories, developers' operating systems, and applications. They typically start with a segment of the network with a proof of concept and then scale throughout the entire network and ultimately the infrastructure.
According to Rick, the future of distributed deception is using artificial intelligence (AI) and data science for an easy, accurate, and automated response. Acalvio already integrates with Splunk's adaptive response framework and will ultimately enable developers to build deceptions into applications with an add-on library feature in a REST API.