Product Group Tests
Emerging products: Active breach detection
Not only are these clearly emerging product types, they also come at a time when breach activity never has been worse.
Full Group Summary
It is fitting, we suppose, that we should start 2016 with an emerging products section that highlights breach detection and cyber deception. Not only are these clearly emerging product types, they also come at a time when breach activity never has been worse. SecurityIntelligence.com tells us that as of 1 September 2015, there had been 533 breaches and that 140 million records were exposed. With stats such as those it is not surprising that organisations in general and CISOs in particular are eager for something to staunch the blood-letting. The tools we examine this month may well be candidates for achieving that task.
The deception tools - bred of the emerging deception technology (and it actually is an entirely new area of technology, already replete with patents) - are the inheritors of such legendary efforts as the Honeynet Project. This activity has - and still is - teaching us a great deal about the adversary. While every one of the deception vendors we spoke with denied that they were honeynets in the traditional sense (and we agree) the all acknowledge the honeypot legacy to a greater or lesser degree.
On occasion, technology editor Peter Stephenson and his team at the SC Lab address emerging technologies and markets. The purpose is to look at segments in the information assurance space that represent new technologies, needs and capabilities. In those emerging areas there always are new entries and old pros that want to expand into the space. We will be looking at both - and bringing you the companies and products that we believe will shape the future.
So it probably behooves us to take a shallow dive into honeypots so we can see what this new generation of technology is all about. Traditionally we used honey pots and honeynets to entice hackers or malware so that we could analyse behaviour. Even in the early days of threat analysis researchers knew that behaviour rather than signatures of files would be the future of attack detection. For that purpose there were - and, really, still are - two kinds of honeypots: low and high interaction.
Low interaction honeypots just sit and listen. They are highly instrumented but they really do very little in the way of interacting with the attacker. High interaction honeypots, on the other hand, interact with the attacker, enticing him to do things that will lead to profiling the attack or the malware. Every one of the deception tools we looked at were - to the extent that they are honeypots at all - very high interaction. If you are looking at deception technology be sure that you see high interaction. We no longer are interested just in research with these tools... now we use them for hard-core security.
In a perfect world deception technology would be all that we would need to protect the enterprise. That day may yet come but we are a far cry from it today. So in order to make threat intelligence - and that, really, is what these tools are all about - truly actionable, the tools themselves need to take some protective action or they need to pass what they've learned on to a SIEM or firewall, for example.
The nice thing about deception technology is that it is not completely reactive. Certainly they look at events after they have begun to happen, but they sidetrack the attacker into a safe environment for analysis and that keeps the attacker out of the "real stuff" that he or she is looking for. As experienced threat hunters and DFIR experts well know, the clue is lateral - some call it "east-west" movement within the network. That is not normal behaviour in most cases and it raises alarms when it happens. Lateral movement, though, is just one of the behavioural indicators these tools use.
If deception technology is interesting, active breach detection may be more so, if for nothing else than its diversity. Within some parameters deception technology sorts some fairly consistent techniques, although their implementation may differ significantly from product to product. Active breach detection products do not display that consistency.
Active breach detection, like deception technology, often depends on next generation computational and analytical techniques. There the similarities, in most cases, end. Some active breach detection tools watch for bad behaviour on the endpoints. Some mix several techniques - heavily forensic - to watch overall behaviour on the network. Some follow the kill chain and look for activity that matches one of the links in the chain. Whatever the specific technique, one thing is surprisingly constant: they all watch behaviour on the network very closely, doing deep packet inspection when necessary and watching for attack patterns that are familiar in one form or another.
These patterns are not the same as pattern matching, of course. Rather they are akin to watching pro football game and picking out the subparts of various plays to analyse their purposes. In the chess game of cyber-security today, a football game doesn't even come close but the paradigm certainly is worth consideration as you look through these new generation products.
For obvious reasons we will be a bit vague about how these tools work so we recommend that if one or more catches your eye, take a deeper dive with the vendor.