Behind the Mask with Aflac’s Director of Security Operations and Threat Management
Attivo Networks – Behind the Mask (Blog) Interview with:
DJ Goldsworthy, Director, Security Operations and Threat Management, Aflac
Why did you choose to use deception?
<DJ> While a defense-in-depth strategy can provide a strong level of resiliency against advanced threats, the unknown cannot always be accounted for in traditional controls or even some of the more modern analytics/machine learning based solutions. I wanted a solution that didn’t depend on a signature or an algorithm to be right to be able to detect an attacker. Deception offered such a capability. It is an elegant solution that is attack methodology agnostic, and as far as I can tell 100% accurate from a false-negative standpoint. I consider it an insurance policy for the unknown.
How do you use deception in your security program?
<DJ> We incorporate it as one of our critical layers in our holistic security program. In many ways, it acts as the first line of defense (early detection) and last line of defense (can detect what nothing else can).
What process did you use to evaluate deception solutions?
<DJ> We conducted a full-blown on-premises POC with 3 different solution providers. We created a long list of requirements broken out by “must haves” and “nice to haves” and scored each provider using our stringent success criteria.
How do you gain access to budget and overcome objections to make deception a priority over another project?
<DJ> We used analogies to get buy-in to the concept. The analogy was pretty simple, really. We described protecting precious jewelry in a house. In a traditional security model, you might have door locks, an alarm system, security cameras and a safe for the jewelry. This is probably enough security to stop teenagers and low-level criminals from getting at the jewels.
But what if you have a sophisticated burglar that knows how to evade these controls?
<DJ> With deception, it would be like adding fake doors that lead to nowhere but sound alarms if they are opened, and, if they get to the safe room, there are dozens of safes that all look alike and touching the wrong one would set off an alarm and lock you in the room. Which scenario makes you feel like you are more equipped to protect the jewels? That sold our leadership on the concept of deception. They are pretty visionary anyway, so it didn’t take much selling, but that painted the clear picture for them to understand the value.
What types of attacks have you found in scope for deception?
<DJ> Anything from external intrusion attempts to insiders running unauthorized scanning software or trying to access systems that they had no authorization to access.
What effort and resources are required to deploy, manage, and operate your deception deployment?
<DJ> The solution is really quite eloquent and easy to deploy and manage. We allocate about ¼ of an FTE on average to manage the lifecycle of the technology, keep architectures up to date and implement the latest features and functionality.
What favorite feature do you like to use from the Attivo deception solution?
<DJ> We are pretty jazzed about the auto provisioning component for campaign development. It makes implementing new decoy systems an absolute breeze, reducing the already low TCO of the solution.
What is your favorite detection or case study of Attivo Deception so far?
<DJ> We caught our penetration tester in the first 15 minutes when he tried to hack a decoy system. He spent an hour trying to exploit the system while we watched and had a good laugh at his expense. We were impressed with the level of detail Attivo’s reconnaissance was able to provide us during his engagement with the decoy system.
Where do you see the future of deception heading?
<DJ> I see behavioral analytics working to lure intruders through dynamic content derived from interoperability between the SIEM/analytics system and the deception technology. For example, if the SIEM flags a system or user as high-risk, the deception technology could receive that information and start attempting to lure that user or system to decoys by putting them in an isolated environment with mostly decoys to increase the probability that their lateral movement attempts would be detected.
What words of wisdom can you offer to someone heading down this path?
<DJ> Do it, and do it all the way. Embrace the technology and deploy it fully across your environment.