Actionable intelligence and active breach detection
Active breach detection and cyber deception are not only emerging product types, they also come at a time when breach activity never has been worse, says Peter Stephenson
Peter Stephenson, technology editor
This issue, we take a look at active breach detection and cyber deception. This group is changing the way we do security. It is in many regards the embodiment of “actionable intelligence.”
What fascinated us about this group is the creativity that developers are using to trap and analyse breach activity. Back in the day, we thought of honey-stuff as neat research tools and not much good for security. That has changed...and changed a lot. These are not your parents' honeynets. These are better than good for security and they're not bad for research.
The idea behind deception tools is that they make the intruder think they are an important part of the network. In some cases that absolutely is true. However, the protections deployed as part of the deceptions are rigorous and the actual assets never are in real danger. The active breach detection tools typically make use of some sort of behavioural profiling during an attack. Drawing on known attack patterns, these solutions look at user behaviour and decide whether or not the user is doing what they do typically. If not, the tools take some sort of action. The behaviour analysis can span events ranging from unverified through suspicious to breached. Usually, to make decisions, these tools focus on endpoints and the behaviour of actors and the position in the kill chain (or a variant). This is a case of “We know the bad guys are in. What we need to stop is their malicious activity until we can get rid of them.”
These types of tools are the future of security. Can we dump the firewalls, IPSs and anti-malware gateways? Probably not yet. But as time – and this emerging technology – matures, perhaps.
– Peter Stephenson, technology editor