Page 31 - Cyber Defense eMagazine for September 2020

Upside: Many organizations are already doing this and can use decommissioned systems or Linux systems for simple IDPS functions.

Downside: Signature-based detection misses anything that has no signature yet, such as novel or modified tooling. In addition, organizations can have deployment issues, such as failing to have sufficient sensors to provide the required visibility.

Implementing network traffic analysis

This is where organizations collect network traffic (packet captures or flow records) and analyze it to look for potential threats.

Upside: Network traffic analysis is a dedicated function that has useful capabilities for internal threat detection and analysis.

Downside: This tends to be an inefficient method for many organizations. Storing and analyzing traffic at scale is expensive, tuning the analytics to the environment is a persistent challenge, and network segments without a sensor remain blind spots.


            Leveraging the deception approach

            Deception and data concealment technology is an emerging category of cybersecurity, with products that
            can prevent, detect, analyze, and defend against advanced attacks by hiding and denying access to data.
            Deception uses misdirections to lead attackers away from production assets, and a variety of decoys
            placed at the network and endpoint level to identify threats. The technology takes a proactive approach
            to security by aiming to deceive attackers, control their path, and then defeat them.

Upside: These tools do not rely on signatures, network traffic capture, or behavioral analysis. No traffic storage, log aggregation, or rule authoring is needed to raise the alert. Because no legitimate user or process has a reason to touch a decoy, an alert fires on engagement with it; this keeps false positives very low (not zero: an administrator or a misconfigured vulnerability scanner that touches a decoy will also trip it), and the engagement itself yields the source host, the tooling, and the attacker's actions as threat intelligence for actionable incident response.

These solutions can identify threats starting at the endpoint, targeting Active Directory, and through the network, as they attempt to move laterally and escalate privileges. From the network side, decoys can detect suspicious or malicious connection attempts from another internal host. From the endpoint, local deception functions can identify inbound or outbound connection attempts to non-existent ports and services as suspicious or malicious. This is important because an attacker who scans a host cannot reliably tell decoy ports and services from real ones, so fingerprinting the system and targeting its vulnerable services becomes unreliable, and the reconnaissance itself raises the alert.
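The endpoint-side mechanism described above, as an added example that is not code from the magazine or from any deception vendor: a decoy listener bound to a bait port that no real service uses, so any connection to it is an engagement worth alerting on. The bait port, the loopback address, the classification rules, and the simulated attacker are all assumptions made for the demonstration; the decoy sends nothing back, so a scanner gets no banner to fingerprint.

```python
"""Endpoint decoy listener: alert on any engagement with a port that has no real service.

Added example, not code from the magazine or from any deception vendor. Assumptions:
the bait port is one no legitimate service listens on, so any connection to it is
an engagement worth alerting on, and the decoy answers with nothing so the attacker's
scanner cannot fingerprint a real service behind it.
"""
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Engagement:
    """One alert: who connected to the bait port and what they sent first."""
    src_ip: str
    src_port: int
    bait_port: int
    first_bytes: bytes   # first payload bytes, useful for attributing the tool


class DecoyListener:
    def __init__(self, bind_addr: str = "127.0.0.1", bait_port: int = 0) -> None:
        self.bind_addr = bind_addr
        self.bait_port = bait_port       # 0 lets the OS pick a free port (used by the demo)
        self.alerts: List[Engagement] = []
        self._sock: Optional[socket.socket] = None
        self._thread: Optional[threading.Thread] = None

    def start(self) -> int:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.bind_addr, self.bait_port))
        self.bait_port = self._sock.getsockname()[1]
        self._sock.listen(8)
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.bait_port

    def _serve(self) -> None:
        while True:
            try:
                conn, (ip, port) = self._sock.accept()
            except OSError:
                return                    # listening socket closed by stop()
            conn.settimeout(0.5)          # a silent connect-and-close still gets recorded
            try:
                data = conn.recv(256)     # b"" on EOF, i.e. the client closed without sending
            except (socket.timeout, OSError):
                data = b""
            finally:
                conn.close()              # never send a banner: nothing to fingerprint
            self.alerts.append(Engagement(ip, port, self.bait_port, data))

    def wait_for(self, count: int, timeout: float = 2.0) -> bool:
        """Block until `count` alerts exist or the timeout expires."""
        deadline = time.monotonic() + timeout
        while len(self.alerts) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return len(self.alerts) >= count

    def stop(self) -> None:
        if self._sock is not None:
            self._sock.close()
        if self._thread is not None:
            self._thread.join(timeout=2)


def classify(e: Engagement) -> str:
    """Coarse triage from the engagement alone; no signature database involved."""
    if not e.first_bytes:
        return "port-scan"                # TCP connect then close, typical of a scanner
    if e.first_bytes.startswith((b"GET ", b"HEAD ", b"POST ", b"OPTIONS ")):
        return "http-probe"               # a tool speaking HTTP at a port that has no web service
    return "unknown-probe"


def simulate_attacker(port: int, payload: bytes = b"") -> None:
    """Constructed attacker behaviour for the demo: connect, optionally send a probe, close."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        if payload:
            s.sendall(payload)


def run_demo() -> List[Tuple[str, str]]:
    """Start a decoy, hit it with a bare port scan and an HTTP probe, return triaged alerts."""
    decoy = DecoyListener()
    port = decoy.start()
    simulate_attacker(port)                                   # connect-and-close
    simulate_attacker(port, b"GET / HTTP/1.0\r\n\r\n")        # tool probing for a web service
    decoy.wait_for(2, timeout=3.0)
    decoy.stop()
    return sorted((e.src_ip, classify(e)) for e in decoy.alerts)


if __name__ == "__main__":
    for src, kind in run_demo():
        print(f"ALERT bait-port engagement from {src}: {kind}")
```

Two design points carry over to a real deployment. The decoy never responds, so an attacker's scanner sees an open port but cannot confirm what, if anything, is behind it, which is what makes fingerprinting unreliable. And the alert is produced from the engagement alone (source host, bait port, first bytes); forwarding that record to the SIEM gives the responder the pivot point without any packet capture or rule tuning.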

            Downside: Misperception may be the biggest challenge for this technology. There remains a limiting
            association with legacy honeypots, and some believe it is only for organizations with mature security
            operations. Not all deception technology providers offer products that can achieve all of the capabilities,
            and as such, cybersecurity teams will need to be careful in their solution selection.







            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.