One of the unfortunate realities of network security is that it is largely reactive. To be fair, organizations are adept at testing and ensuring that known holes and vulnerabilities are shored up and that systems and devices are kept current and optimized to prevent a successful attack.
Tough perimeter security and mandatory personnel training help to keep a network safe. Despite these efforts, attackers have a firm advantage in that they get practically an unlimited number of attempts to penetrate a network, and all it takes is one instance of security failing for an attack to be successful. Deflecting attackers is like a game of whack-a-mole, where the mole gets to decide the rules and devise the tactics.
Attackers have novelty and innovation on their side: they can use or invent whatever they need to get into a network. Most data breaches result from an attacker compromising a client computing device or user account, and there are thousands of ways to accomplish this, from spear phishing and social engineering to web-based exploits, even ones delivered from legitimate sites.
Today, organizations have to accept that motivated attackers will find a way in. The real challenge becomes finding an attacker early in what is typically a long process. Once inside a network, attackers need to understand what assets exist and where they are located. They also need to expand their control and establish a way to get to key assets without being detected.
Progressive organizations have adopted, or are planning to adopt, various means of traffic monitoring to uncover signs of attackers. Industry analyst firms such as Gartner, Forrester and Enterprise Strategy Group have both followed and led the evolution of these approaches: they have advanced requirements and perspectives on intrusion detection and intrusion prevention while leading the thinking around the new or updated categories of user behavioral analytics and network traffic analysis.
Deception sensors, sometimes called honeypots, are technologies that exploit the fact that attackers do not have precise knowledge of the assets and resources inside an enterprise. With deception sensors, a company can create decoy assets or resources that no legitimate user or process should ever access. These decoys are designed to attract would-be attackers by appearing to be real assets with real value.
The decoys can be used to identify possible attacks and to observe attack tactics. Typical examples are fake assets including servers, desktops or even user accounts. Virtualization makes it easy to deploy virtualized decoys on an organization’s network, including public cloud instances. Because they are created virtually, they are easy to deploy in any location. Virtualization also makes them safe, because it is easy to restore the sensor into a clean state so that an attacker cannot gain or harm anything.
New deception sensors are aiding the quest to outmaneuver attackers. The goal is to catch an attacker in their tracks, determine who they are and where they are from, and stop them immediately. In this way, the deception sensors serve as a sort of internal tripwire to alert a security team to the presence of a network intruder. Think of them as an internal burglar alarm, separate from the one protecting perimeter doors and windows.
Deception sensors are virtualized, isolated resources on the network designed to lure attackers by appearing both real and vulnerable. They can alert to the presence of an attacker and also provide insight into the latest techniques attackers are using, which better informs security teams, lets them be less reactive and helps them keep pace with attackers.
Challenges to deception technology are generally threefold. First, the decoy needs to be convincing enough to be indistinguishable from real resources; attackers have a knack for discerning fake, simulated resources. Second, the sensors must achieve a high level of fidelity. False positives and “boy crying wolf” problems completely undermine the effectiveness of this technology; the deception sensors must clearly point to an attack rather than lead already-overworked security professionals on a wild goose chase. Third, enough sensors should be deployed, or if only a few are deployed, they should be deployed in the right places. Otherwise, attackers may never come across them.
Fortunately, the latest advances in deception technology have largely solved these issues. With containerization and virtualization technologies, these systems are now relatively easy to deploy and manage. They are also more feasible and affordable to deploy in greater numbers across both data centers and campus networks. In addition, some solutions can log all local activities by an attacker on a compromised sensor to a centralized data lake as evidence and for attacker behavior analysis. Some solutions even utilize advanced analytics like machine learning on this big data to give security professionals high-fidelity alerts.
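As an added example that is not part of the article, the following Python sketch shows the tripwire principle described above: because no legitimate user or process should ever touch a decoy, a single access is an alert, and the only exclusion needed for fidelity is the set of sanctioned sources (such as a vulnerability scanner) that are known to sweep the whole network. The decoy addresses, the decoy account name, the scanner address and the log line format are all constructed for the example.

```python
"""Decoy-access detection over constructed log lines (added example, not from the article)."""
import re
from dataclasses import dataclass

# Constructed decoy inventory: hypothetical decoy hosts and one decoy user account.
DECOY_HOSTS = {"10.20.0.50", "10.20.0.51"}
DECOY_ACCOUNTS = {"svc-backup-legacy"}
# Sanctioned sources expected to touch decoys (e.g. the vulnerability scanner); anything else alerts.
SANCTIONED_SOURCES = {"10.0.9.9"}

# Constructed log formats: one for network flows, one for authentication events.
FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    source: str
    decoy: str
    detail: str

def detect(lines):
    """Return one Alert per log line that touches a decoy from a non-sanctioned source."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m and m["dst"] in DECOY_HOSTS and m["src"] not in SANCTIONED_SOURCES:
            alerts.append(Alert(m["ts"], m["src"], m["dst"], f"connection to decoy port {m['dport']}"))
            continue
        m = AUTH_RE.match(line)
        if m and m["user"] in DECOY_ACCOUNTS and m["src"] not in SANCTIONED_SOURCES:
            alerts.append(Alert(m["ts"], m["src"], m["user"], f"decoy account login attempt ({m['result']})"))
    return alerts

def first_contact(alerts):
    """Earliest alert per source address: the moment the tripwire fired, useful for triage ordering."""
    seen = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        seen.setdefault(a.source, a)
    return seen

SAMPLE_LOGS = [  # constructed sample input
    "2020-05-13T10:00:01Z flow src=10.0.9.9 dst=10.20.0.50 dport=445",                # sanctioned scanner: no alert
    "2020-05-13T10:00:05Z flow src=10.20.1.17 dst=10.20.0.12 dport=443",              # real server: no alert
    "2020-05-13T10:01:10Z flow src=10.20.1.17 dst=10.20.0.50 dport=445",              # decoy host touched: alert
    "2020-05-13T10:01:12Z auth user=svc-backup-legacy src=10.20.1.17 result=failure", # decoy account used: alert
    "2020-05-13T10:02:00Z flow src=10.20.1.33 dst=10.20.0.51 dport=22",               # second source: alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```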
Deception technology does not necessarily replace any existing solution; rather, it adds value alongside them. Organizations still need to maintain strong perimeter security, and where the staff and technical ability exist, it is valuable to have other technologies that can alert to the presence of attackers. The notions of defense in depth and a multifaceted approach are now more important than ever. Based on the cybersecurity framework from NIST, enterprises should invest to identify, protect against, respond to and recover from attacks. These investments should include:
• User and vulnerability management.
• Tight access control, such as a segmentation firewall policy and user privilege control.
• Educating and training all employees.
• Deploying advanced detection for endpoint, network and cloud.
• Automating incident response with security orchestration, automation and response (SOAR).
• Establishing a proper incident response workflow for attacks.
But the value of new deception technology should not be underestimated. Having an easy, accurate system to find attackers early makes network security proactive rather than primarily reactive. Instead of waiting until attackers establish a record of new tactics and techniques, and then waiting for new means to keep them in check, deception technology enables security teams to find attacks as they happen and immediately curtail them.
Moving From Passive To Aggressive In Stopping Network Attackers - Forbes
May 13, 2020 at 06:20PM