Authored by: Carolyn Crandall, Chief Deception Officer, Attivo Networks

The value of deception technology is no secret among cybersecurity professionals. Unfortunately, they are often not in charge of making budget decisions, which means the ability to financially justify a new security technology’s cost to the CFO and others is critical. Can they clearly explain the value? Will it save money in other ways? How reliable is this technology, really? Before making a decision, security teams almost certainly need to answer these questions. Fortunately, quantifying the value and cost savings associated with deception technology is not as difficult as it may seem. In this blog, I will lay out the facts demonstrating the ROI and cost savings associated with deception and concealment technology.
Reducing Dwell Time
A recent survey conducted by Enterprise Management Associates found that the respondents most familiar with deception technology reduced their average dwell time (the amount of time an attacker spends undetected within the network) to an all-time low of fewer than six days. Compared to industry average figures, which range from 56 days to over 200 days depending on the study, this reflects a 90-97% reduction in dwell time. The amount of time an attacker has inside the network correlates directly with the cost of a breach and with the operational cost of remediation.
The cost of a data breach can be astronomical. IBM’s Cost of a Data Breach Report 2020 puts the average cost of a data breach at $3.86 million worldwide, rising to $8.64 million for organizations in the US. The use of deception-based solutions has resulted in cost-of-breach savings of as much as 51%, or an average of $75 per record compromised. This figure stems from the savings associated with reduced dwell time and the reduced impact of the overall breach, as breaches with a longer gestation period tend to be more severe. Given the pervasiveness of ransomware attacks, and as a means to demonstrate savings, Attivo has also created a ransomware savings tool that calculates the cost of a ransomware attack based on either the ransom payment or the cost of restoring operations. Simply request a demo of the tool to see how it works.
Recent research conducted by Deceptive Defense, Inc. highlights the savings in SOC operations. Cyber deception can reduce SOC inefficiencies by as much as 32% (or $22,747 per SOC analyst per year), based on high-fidelity alerts substantiated with information such as TTPs and IOCs, and on the ability to gather forensics that shorten attack investigation and response time. Deception solutions that automate attack analysis, correlate events, and provide built-in native integrations can further reduce incident response time, since those integrations allow isolation, blocking, and threat hunting to be automated. Attivo Networks provides over 40 native integrations with major endpoint, firewall, SIEM, and SOAR platforms, which it can leverage for this automation. Attivo customers that use the automated attack analysis and response automations have commonly cited a 12X-15X reduction in the time it takes them to investigate and remediate an incident.
Insider Threat Detection
Cyber deception can be a particularly valuable tool for insider threat detection. Its ability to non-intrusively detect policy violations as well as nefarious activities sets it apart from other solutions. A recent Enterprise Management Associates (EMA) study recognized deception as the most efficient security control for detecting insider threats. What investigation teams like most about using cyber deception for incident response is that any engagement with a decoy or deception asset is by definition unauthorized activity, so the incident is substantiated then and there. This can eliminate hours, days, or even weeks of time that would typically be spent confirming that an attack pattern exists or that the actions taken were truly an incident.
Augmenting Deception with Concealment
Most of the research associated with demonstrating the value and savings of deception technology focuses on the ability to quickly detect the attacker using lures or decoy traps that reveal the attacker’s presence when they attempt to engage. However, one can generate additional savings by augmenting deception technology with concealment technologies.
Concealment and denial technologies work differently: instead of interwoven decoys and lures spread throughout the network attempting to detect and snare the attacker, denial solutions center on attack prevention. They operate by hiding and denying access to real objects on the network. For example, security teams could apply concealment technology around Active Directory. When an attacker attempts to query Active Directory, the technology intercepts the query and feeds the attacker fake information. It will also immediately raise an alert to defenders, and should the attacker attempt to use any of this fake information, it will divert them into a decoy environment. Because the attacker will be unaware that they are in a decoy environment, they will attempt to carry out their attack, as usual, revealing their methods and attack strategies to defenders.
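As an added illustration of the Active Directory concealment pattern described above (example code written for this post, not Attivo's product or a description of its internals), the following Python models the three steps: a membership query for a sensitive group is answered with constructed decoy principals, the query itself raises an alert, and any later logon that uses a decoy name is flagged and redirected to a decoy target. The decoy names, the auth-log line format, the hosts, and the sample log are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed decoy accounts served in place of real privileged principals.
# They exist nowhere in the real directory, so any later use of one is an
# attacker acting on the fake data (hypothetical names).
DECOY_ADMINS = ["svc_backup_adm", "da_helpdesk2", "sql_maint_adm"]
DECOY_TARGET = "decoy-dc01.corp.example"  # hypothetical decoy environment
SENSITIVE_GROUPS = {"domain admins", "enterprise admins"}

# Constructed auth-log format: "<ts> LOGON user=<name> src=<ip> target=<host>"
LOGON_RE = re.compile(r"^(\S+) LOGON user=(\S+) src=(\S+) target=(\S+)$")

# Constructed sample log; line 2 uses a decoy principal, line 3 is malformed.
SAMPLE_LOG = [
    "2021-04-05T10:13:22Z LOGON user=bob src=10.0.5.20 target=fs01",
    "2021-04-05T10:14:01Z LOGON user=da_helpdesk2 src=10.0.5.17 target=dc01",
    "not a logon record",
    "2021-04-05T10:14:40Z LOGON user=administrator src=10.0.5.17 target=dc01",
]


@dataclass
class ConcealmentLayer:
    real_groups: dict                            # group name -> real members
    served: dict = field(default_factory=dict)   # decoy name -> host it was served to
    alerts: list = field(default_factory=list)

    def handle_group_query(self, src_host, group):
        """Intercept a membership query: sensitive groups get decoys, others pass through."""
        key = group.lower()
        if key in SENSITIVE_GROUPS:
            for name in DECOY_ADMINS:
                self.served[name] = src_host
            # The query itself is worth an immediate alert; real members stay hidden.
            self.alerts.append(f"sensitive-query group={group} src={src_host}")
            return list(DECOY_ADMINS)
        return list(self.real_groups.get(key, []))

    def inspect_logon(self, line):
        """Classify one auth-log line: divert decoy-credential use, allow the rest."""
        m = LOGON_RE.match(line)
        if not m:
            return ("ignore", None)              # not a logon record
        ts, user, src, target = m.groups()
        if user in DECOY_ADMINS:
            self.alerts.append(f"decoy-use user={user} src={src} target={target} "
                               f"served_to={self.served.get(user, 'unknown')} at={ts}")
            return ("divert", DECOY_TARGET)
        return ("allow", target)                 # real principals follow the normal path


def triage(layer, log_lines):
    """Run log lines through the layer; return the 1-based numbers of diverted lines."""
    return [i for i, line in enumerate(log_lines, 1)
            if layer.inspect_logon(line)[0] == "divert"]
```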
Concealment technologies are also capable of hiding the data and file systems that attackers are after. Using concealment and denial tactics, defenders can hide files, folders, network and cloud shares, and removable drives so the attacker will not find or alter the data they are seeking. Put simply, attackers cannot steal, encrypt, or otherwise tamper with data if they cannot find it. Denying an attacker any traction as they seek to conduct a ransomware attack? That’s priceless.
Deception and Concealment Combine to Provide Incredible Value
At a time when a layered defense is so critical, justifying the value of any single security control is always a challenge. As security professionals, CFOs, and other key decision-makers recognize, there is no such thing as a silver bullet or a one-size-fits-all solution. But deception and concealment technology can provide real, tangible, bottom-line benefits to organizations that choose to use them. Hopefully, this piece has offered some useful context. I also encourage you to look into the MITRE ATT&CK® and Shield frameworks, both of which demonstrate a boost in performance and detection coverage with Attivo solutions deployed. In ATT&CK-based testing, Attivo solutions boosted EDR detection performance by an average of 42%, which in itself is a tangible demonstration of their benefits.
Feedback is always welcome, and Attivo is eager to hear about other metrics that security professionals have found helpful when it comes to justifying the value and ROI of deception and concealment technology.