This article is the fifth in a five-part series developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. It provides an overview of how deception fits into information risk management strategies and how organizations can answer C-level return-on-investment (ROI) questions when justifying deception.
Cyber risk management and deception
Perhaps the most foundational objective for any enterprise cyber security team is the proper management of risk. Too often, teams get caught up in the day-to-day operational issues of cyber security and forget that their actual goal is the management of cyber-related risk. This requires balancing the strength of security protections against the cost and effort required to prevent, detect, or respond to an incident.
This view of risk management as the driver for security protections helps senior leaders place cyber security into more familiar business contexts. Managers and executives understand risk, so when they can fold unfamiliar concerns about hacking, malware, and exploits into the risk models they already use, they become more comfortable with the security team’s operational, funding, staffing, and investment requirements.
Deception technology is a protection method that is best viewed in this risk management context. When an enterprise team decides to deploy deceptive assets, the goal should be to cost-effectively reduce cyber risk to the organization. This view is important because it reinforces the point that no cyber security control is designed to remove all risk; the best controls reduce the likelihood of a breach, its negative consequences, or both.
C-Level ROI considerations
Developing meaningful return-on-investment (ROI) metrics for cyber security has been an elusive goal for many years. This is true for any type of security control, simply because one cannot directly measure the incidents that a control prevented from happening. The good news is that methods do exist for demonstrating ROI in terms of familiar security metrics, and deception technology can improve several of them:
- Vulnerability Metrics – Every security team tracks relevant vulnerabilities, often through penetration testing or bug bounty programs. Including deception in the environment helps surface vulnerabilities during internal or external testing and, on more advanced deception platforms, can identify them before testers do. This improves vulnerability metrics by finding weaknesses sooner, or by observing them being probed on decoy assets rather than on production systems.
- Budget Metrics – The workflow automation available in advanced deception platforms reduces the staff, budget, and capital required for active cyber defense. This is one of the most important metrics of all, since it demonstrates the ability to manage risk without continually increasing funding. Note, however, that not every deception platform offers this automation, so it should be confirmed during product evaluation rather than assumed.
- Incident Response Times – Incident response cycle times can be lengthy, often because determining adversary tactics and the root cause of an incident is difficult. Because legitimate users have no reason to touch a decoy, activity against one is a high-fidelity record of what the adversary actually did, so deception reduces the time needed to understand adversary behavior and supports faster and more accurate root cause analysis.