More Deception in the Cloud Makes Detection Less Cloudy
By: Carolyn Crandall
This week, Attivo Networks® announced the release of an enhanced version of the ThreatDefend™ Deception and Response Platform that includes cloud data center detection support for Microsoft® Azure. This capability builds on the existing ThreatDefend support for Amazon Web Services (AWS) and OpenStack®.
The door is now open and the detection outlook is clearer for Azure users who adopt deception-based detection technology through the Attivo ThreatDefend platform. Azure is rapidly gaining adoption, as evidenced in Microsoft’s fiscal year 2017 Q4 report, which cited 97 percent year-over-year revenue growth for Azure, and industry analysts remain confident that the Azure user base will continue to grow at a torrid pace.
Enterprises in a wide range of industries are turning to cloud data centers and cloud applications to reap the benefits of on-demand, scalable infrastructure. A recent survey of more than 2,000 cloud security professionals found that 72 percent of organizations store sensitive data in the cloud. However, the benefits of a cloud infrastructure bring a unique set of security challenges that IT teams continue to struggle to address. In addition to the already daunting challenges of “traditional” networks, cloud infrastructures are especially inviting targets for attackers because enormous amounts of data are now stored in the cloud. Indeed, these security threats, combined with a dearth of security professionals who have the cybersecurity skillsets needed to address them, are the principal reason 49 percent of businesses are delaying deployment of cloud architectures, according to a recent Forbes article.
The ThreatDefend platform provides highly efficient deception decoys and lures that deceive an attacker into engaging. Once the attacker engages, the deception environment captures and records the lateral movement of threats within the data center, provides evidence-based alerts, and delivers the forensic reporting required to promptly shut threats down. This approach is recognized for its efficiency in detecting attacker lateral movement compared with attempting to monitor or analyze all traffic, which is typically prohibitive in both cost and operational effort.
Attivo has also announced the new ThreatDirect™ solution, created for remote and branch offices (ROBOs) and microsegmented networks. ROBOs can act as a backdoor to the enterprise’s central network and often don’t share the same physical security infrastructure as the central network, such as 24-hour security guards and badge-scan building access. Attivo addresses these gaps by closing this back door with the new ThreatDirect virtualized deception technology. With the ThreatDirect solution, organizations can deploy deception in their ROBO environment without the need to install a local BOTsink™ deception server. The ThreatDirect solution instead uses a VM forwarder that automatically forwards suspicious activity to a central BOTsink deception server for attack analysis. This approach provides significant savings on deployment and security team staffing costs. Additionally, organizations can deploy the ThreatDirect virtual scaling solution in environments where a full BOTsink deployment is not feasible, such as in all the subnets of a heavily segmented network.
The ThreatDirect solution is also designed to give Managed Security Service Providers (MSSPs) an additional capability to offer Deception as a Service. By deploying a BOTsink solution in the cloud or housing one in their data center, an MSSP can run engagement servers on its own infrastructure while monitoring alerts in its security operations center (SOC). MSSPs can deploy ThreatDirect instances to their subscribers’ networks and can handle all the configuration, monitoring, analysis, and response to alerts. Subscribers who may not be able to deploy a standalone BOTsink solution can gain all the benefits outlined above, while having policies configured specifically for them.