How Deception Technology Fits into the New Model for Endpoint Defense
Written by: Mike Parkin, Product Marketing Engineer

Fernando Montenegro, a senior analyst from 451 Research, was recently on one of our technology partner’s web presentations, where they talked about redefining endpoint security. The focus was on how to secure it, with an emphasis on Endpoint Detection and Response (EDR). Fernando broke the attack cycle into four parts from the defender’s perspective: Prevention, Protection, Detection, and Response. Then he took it further, putting the first two phases in the context of an Endpoint Protection Platform (EPP) and the remaining two in the context of EDR. These defense concepts live well inside what has been considered the conventional perimeter but are still relevant in security models that embrace the “fuzzy edge” of a “perimeterless” security concept. In this new realm, organizations are preparing for users’ need for mobility and for migrations to the cloud, in which borders are less clear.
We’ve discussed how deception technology fits into the endpoint security model before, publishing blog posts on the subject, and a white paper is coming out next week. Splitting endpoint solutions between EPP and EDR presents a different way to look at endpoint defenses. With this in mind, I want to look at some other points Fernando brought up and how deception technology addresses those concerns.
Along with the attack cycle view, the webinar highlighted a mix of concerns. These included competing user and business demands, and attack trends, both in terms of techniques and in how attackers have started to approach their final target by coming in through the supply chain and compromising intermediaries first rather than engaging in a direct attack. Some very high-profile breaches used either the supply chain or connected vendors to get in, highlighting this growing issue.
Some of the other concerns Fernando pointed out were common to both users and the business, the first of them being ease of use. From the Attivo perspective, ease of use is built in. For end users, whether they are folks using laptops for their day-to-day work or sysadmins keeping everything running smoothly, Attivo’s deception technology couldn’t be easier to use. It is completely transparent. There are no endpoint agents consuming resources or items in the system tray popping up and asking for attention. From their point of view, they have no visibility into the deceptions. In fact, they probably won’t realize the endpoint deception exists, which is kind of the point. There is literally no interaction between the end user and the deception technology protecting them. What could be easier to use?
To the security admin who puts the technology into production, the deployment is largely automated and lets them deploy deception across the endpoints and the network with only a few clicks. This ease of use extends to the incident response team’s view, where they get a consolidated interface to receive validated, engagement-based alerts and can then leverage the built-in integration with third-party security systems, including our integration with leading endpoint security vendors, to automate the response. They are adding a layer of defense that is efficient, effective, and makes their life easier.
Another concern brought up from the business perspective was how rapidly environments are changing and how complex they can get in light of cloud migrations, M&A activity, wildly heterogeneous environments, and the constant demands of user mobility. Where there used to be a solid and well-defined perimeter, we now have a fuzzy edge that’s constantly reshaping itself, making the infosec team’s life harder. Add increasingly sophisticated attacks leveraging zero-day exploits and custom malware, and a target surface that can now include an organization’s supply chain, possibly two or three layers deep, and it’s easy to see what keeps the security people up at night.
Redefining how an organization views endpoint protection can be useful for evaluating where it stands now and where it needs to go, but it doesn’t functionally change anything: the attack surface and threat landscape will still evolve dynamically, and attackers will still find new ways to breach their targets.
Modifying the definitions also doesn’t change the fact that deception technology is effective against attackers across both the endpoints and the environment as a whole. Even as they develop new tactics and tools, deception adds an element of uncertainty that makes their life considerably more difficult. Deception technology serves as a force multiplier that makes the organization’s defenses more efficient and more effective, shifting the balance of power back to the defenders, now and in the future.