Contributed by Tony Cole, Chief Technology Officer, Attivo Networks
When the first automobile was manufactured, it wasn’t very safe.
Many drivers and passengers died because safety simply wasn’t a motivating factor in the design and creation of the automobile. Since then, a parade of features has been added to increase car safety. These initially included brakes and lap belts, then seatbelts, directional blinkers, headlights, taillights, brake lights, fog lights, and eventually advanced innovations like anti-lock brakes, traction control, airbags, lane keeper assists, auto braking, lidar, backup cameras, and front facing cameras.
Manufacturers didn’t just iterate on the same things. They improved the existing safety features and continued to innovate by adding new systems and features each decade. Why? Because even though cars are much safer, many people still die in car accidents each year. There are plenty of reasons: drivers make mistakes, people don’t obey rules, systems fail, Mother Nature throws us curveballs. When will we stop adding safety features to vehicles? Probably not in the foreseeable future—if ever. Not until we can protect everyone all the time. We will continue to innovate to try and save lives. It’s what humans do.
When the Internet was initially assembled, it was designed for communication and sharing. As with automobiles, safety simply wasn’t a consideration. No one knew that it would grow to what it is today. They couldn’t have predicted that it would become a fabric connecting all of society and a driver of the global economy.
Since no one had foreseen its potential for market penetration and global growth, protecting people and their data on the Internet wasn’t an initial priority. As attackers began to wreak havoc though via webpage compromises, distributed denial of service attacks, system compromises leading to data theft, data destruction and data integrity manipulation, preliminary safeguards were added to make the Internet a less dangerous place for businesses, consumers, and governments.
Unsurprisingly, it didn’t work. Anti-virus software was added to endpoints. Intrusion detection systems, firewalls, intrusion prevention systems, data leakage prevention systems, and much more were added at network perimeters across the enterprise. Yet intrusions continued, escalating in scope, severity, and number.
The reasons for the failure of these early measures are myriad, but one major issue is that most security vendors focused completely on preventative technology to stop breaches from happening rather than on detecting them once the adversary breached the network. We need to do both. The sophistication of attacks continues to grow as needed to accomplish attacker goals. Just as car safety advancements were critical to making our roads less dangerous, innovation must continue in cybersecurity. This means adopting a new perspective on the problem.
Let’s return to our car analogy. Remember all the innovative safety features added to reduce automobile accidents? They have certainly helped a lot, but accidents still happen frequently. Manufacturers understand this and address it by adding systems designed to help accident victims in today’s cars. Why? We know—and unfortunately accept—that they are going to happen, and we prepare for them. Some manufacturers have accident detection systems that close the windows, cinch up the seatbelts, brake the car automatically, deploy airbags on impact, call the authorities, and much more. Many municipalities even help save lives by monitoring high-traffic areas to enable quicker accident response.
In cybersecurity, it’s time to admit that system breaches are inevitable and innovative technologies must be more broadly applied to detect those breaches. If you can’t always stop the attacker (and you can’t), you need to detect them when they bypass preventative tools. Fast and reliable detection will help to ensure they aren’t successful in accomplishing their goals.
Today, deception technology is one of the more innovative tools that can help when the adversary infiltrates the enterprise. It sounds complex, but in reality, it’s a simple tactic to ensure the attacker is quickly detected and unsure of the environment. If we consider our car safety analogy, one innovation—fog lights—allowed drivers to see both the road and each other despite inclement weather. In internet safety, we’re doing the exact opposite: through deception, we’re literally creating a fog of confusion for the attacker to prevent them from understanding (or clearly seeing) the environment they’re wandering through. They have no fog lights. They can’t see, and they inevitably run into things we’ve placed in the network that immediately alert defenders of a breach. What makes it even more fun is that proper deception incorporates gold images as decoys. Even if the attacker had the cyber equivalent of fog lights, they would still hit things that immediately cause an alert. Even with increased visibility on the network around them, they still wouldn’t be able to tell production systems from decoys, real credentials from decoy credentials, real applications from decoy applications, or real data from decoy data.
We have a long road in front of us to make the internet completely safe. The truth is, we may never reach that destination. But by taking advantage of new technology and perspectives to mitigate breach impact and adopting an innovative approach to security, we can continue to make substantial and meaningful progress toward that goal.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
