Reduction of Attack and Detection

Real-time Threat Detection for the Prevention of Data Exfiltration

Despite the many techniques tried and the heavy investment made to protect valuable company information, the number of breaches and incidents of exfiltrated data continues to grow at a staggering rate. The average time to discover a breach is well over 4 months, and an estimated 1 in 5 notifications of compromise come from outside the company. Whether the attack comes from a malicious hacker, an employee or a third-party contractor, it is prudent to add in-network threat detection as a required layer of security defense that provides real-time notification of intruders.

Unlike intrusion detection and monitoring systems, which rely on known attack patterns and signatures, an active deception solution uses decoys to lure attackers into engaging with deception servers rather than company servers. With active deception, BOTs and APTs moving laterally within a network are detected in real time. Additionally, since there is no legitimate reason for anyone to engage with a deception server, the moment a threat actor engages, they are detected and trapped. Whether the attack vector is reconnaissance or stolen credentials, the Attivo BOTsink platform authentically lures attackers to engage by using real operating systems, full network services and, if desired, a company's golden image.
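The detection principle in the paragraph above, that any connection to a decoy is by definition suspicious, is small enough to show in working code. The listener below is an added illustration written for this page; it is not Attivo code and does not reflect how BOTsink is built. It binds a decoy port, treats every client that connects as an engagement, grades the engagement by what the client sends first (an empty probe reads as reconnaissance, a protocol banner as an attempted use of the service), and emits an alert record. The decoy names, the scanner allow-list address and the banner heuristic are constructed assumptions for the example.

```python
"""Minimal decoy listener: every connection is a candidate intrusion alert.
Added example for this page; not Attivo's or BOTsink's code."""
import json
import socket
from datetime import datetime, timezone

# Constructed allow-list (hypothetical address): the only legitimate source of
# decoy traffic is your own authorised vulnerability scanner. Suppressing it
# keeps the "no noisy alerts" property of a decoy intact.
AUTHORISED_SCANNERS = {"10.0.0.5"}


def classify_engagement(decoy_name, src_ip, first_bytes):
    """Turn one decoy connection into an alert dict, or None if allow-listed."""
    if src_ip in AUTHORISED_SCANNERS:
        return None
    banner = first_bytes.decode("ascii", errors="replace").strip()
    # Heuristic (an assumption for this example): no payload = port scan /
    # reconnaissance; an SSH client banner = someone trying to log in.
    if not banner:
        stage, severity = "recon", "medium"
    elif banner.startswith("SSH-"):
        stage, severity = "credential-attempt", "high"
    else:
        stage, severity = "engagement", "high"
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "decoy": decoy_name,
        "src_ip": src_ip,
        "stage": stage,
        "severity": severity,
        "banner": banner[:64],
    }


class DecoyListener:
    """Bind a decoy TCP port; serve_one() accepts one client and returns its alert."""

    def __init__(self, name, host="127.0.0.1", port=0):
        self.name = name
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 = let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.alerts = []

    def serve_one(self, timeout=2.0):
        self.sock.settimeout(timeout)
        conn, (src_ip, _) = self.sock.accept()
        with conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(256)  # first bytes only; the decoy never answers
            except socket.timeout:
                data = b""
        alert = classify_engagement(self.name, src_ip, data)
        if alert is not None:
            self.alerts.append(alert)
        return alert

    def close(self):
        self.sock.close()


def simulate_client(port, payload, host="127.0.0.1"):
    """Constructed test traffic: connect to the decoy, send payload, disconnect."""
    with socket.create_connection((host, port)) as client:
        if payload:
            client.sendall(payload)


if __name__ == "__main__":
    decoy = DecoyListener("ssh-decoy")
    simulate_client(decoy.port, b"SSH-2.0-OpenSSH_8.9\r\n")  # constructed banner
    print(json.dumps(decoy.serve_one(), indent=2))
    decoy.close()
```

Run stand-alone, the script connects to its own decoy from the same process and prints the resulting alert as JSON. The design point is that no signature or hash lookup is involved: the decision is made on the fact of the connection itself, which is why the allow-list of your own scanners is the only tuning a decoy needs.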

Attivo Real-Time Data Center East-West Traffic Threat Detection


Unlike some solutions that attempt deception through emulation, Attivo active deception creates an environment in which attackers cannot tell the difference between a BOTsink server and a company's production server. Additional luring technology placed on endpoints and servers attracts BOTs and APTs to engage with the BOTsink first, giving organizations the advance notice needed to shut down an attack before damage is done. Detecting zero-day attacks is a critical part of promptly detecting and remediating BOTs and APTs. As threat actors move deeper into the network, their movements and methods become harder to detect, especially when they use Windows features and tools that IT administrators rely on every day. Once administrative privileges are gained, threat actors' activities can go undetected and often become untraceable. It is not uncommon for a breach to go undiscovered for several months, and as a recent Ponemon survey revealed, these breaches are more often discovered by luck than by a systematic approach.

Many organizations remain challenged by the complexity and cost of securing data centers due to heavy computation, complexity of integration, and the need for monitoring of all traffic. The BOTsink solution provides a unique and cost-effective alternative that is not inline, does not require heavy compute power, and is not reliant on monitoring or database lookup of hashes, IP Addresses, Domain Names and URLs. For these reasons, many large organizations and Government agencies have turned to Attivo for a real-time, scalable threat detection solution for their large data centers and cloud operations.

2014 Ponemon Study: A Year of Mega Breaches (1,798 Participants)

When was the breach discovered?

  20%  Unable to determine
  15%  More than two years after incident
  36%  Within two years of incident
  21%  Within one year of incident
  16%  Within six months after incident
   5%  Within three months after incident
   3%  Within one month after incident
   2%  Within one week after incident

How was the breach detected?

  46%  Accidental discovery
  42%  Detection through automated monitoring
  23%  Notification by partner or other third party
  19%  Audit or assessment
  12%  Loss prevention tool such as DLP
  10%  Use of forensic methods and tools
   6%  Consumer or customer complaint
   3%  Legal filing or complaint
   2%  Other

Whether the motivation is an additional line of defense around your most valuable company assets or the need to know about intrusions and data breaches in real time, Attivo active deception solutions provide the ability to accurately and quickly identify infected clients, including sleeper and time-triggered agents. Alerts are generated only on real engagement with a BOT or APT, which means no false positives and no noisy alerts to distract you from promptly following up on the real threat actors within your network.