Is next-generation deception technology "a nice-to-have or a must-have"? A March 7, 2018, panel on the topic leaned decisively in the direction of "must-have." Moderated by Rick Moy (CEO EdgeNext), the panel included Andy Nallappan (CIO, Broadcom), Richard Rushing (CISO, Motorola Mobility), Caleb Sima (Founder, Badkode Ventures), and Abe Smith (Director Enterprise Security, Cavium). They began by offering surprisingly full-throated endorsements of the technology.
Nallappan thought investment in deception technology was driven by the question, how do you know what you don't know? Protecting intellectual property has become critical for a companies of Broadcom's size, and his company' board is now interested in deception, especially for the help it offers post-breach.
Rushing said that Motorola Mobility began looking at deception about four years ago. "You used to recognize an attack because you stumbled across it," he said. "Deception can increase the stickiness for the adversary in ways that don't hurt us, but that trigger the alarms we need."
Smith said that, while most people think you should deploy deception after you reach a certain level of maturity, Cavium has found a great return on its early investment. "We've found that deception enabled us to detect attacks that had bypassed other defenses."
Sima likes deception because "it's one of the few things you can do that raises the attacker's costs. It makes them worry about their next steps." Smith seconded this: "Deception enabled us to invert the paradigm—the attacker now needs to be right at every step." He doesn't understand why deception wouldn't be the first thing you did in an enterprise. "It's a cheap man's monitoring: even if you have no visibility, you still have bad guys tripping alarms." Rushing agreed that deception often worked well in areas where you had limited visibility. "Don't think like an auditor (or like a 13-year-old with a scanner). Think like an attacker." He advised using a team of business leaders, operators, and engineers to ask the enterprise what's important. "And the answer can't be the proverbial 'everything'." Working through that question with an attacker's mindset is essential to deploying deception effectively. Set up a domain controller with a tempting name. "What's this," the attacker should say. "Let me go and look." Understand what the attacker is looking for and build around that. Nallappan advised iterating on the placement of your deception tools.
To Moy's question about whether deception could ameliorate the false alarm problem and the notorious lack of security personnel, Sima said that, while you will get false positives and false trips if you haven't thought about where to place your deceptive tripwires, on the whole deception reduced false positives. Smith wanted deception that could essentially run on autopilot, and seemed satisfied that he has. Another advantage Smith sees in deception is that he "now no longer needs to think about security by obscurity."
The hardest problem with deception, in Rushing's view, is the management of the nodes. "You have to plan, you have to do out-of-band work. And it's all virtual, so you have to decide, for example, if you'll patch the traps. So it is roll your own, but it should look like your real stuff." And when you see something tripped, you have to go back and analyze what happened.
There's also a role for deception in incident response. Moy observed that deception helps your incident response teams because you'll have your traps instrumented in ways that you probably won't have your production environment instrumented. And deception isn't just an alternative intrusion detection system. There are different ways in which it can be used. "In a primary sense it's about detection. You have a very high, true-positive fidelity. What you do with it varies. Some go with ping-and-shoot. Others engage and watch. It's up to the company deploying the deception to decide which way to go."
The panel's consensus conclusion from their disparate experience was that deception is an excellent way of getting detection at a low false positive rate, and that it's a defensive technology with a very attractive return-on-investment.