Apr 26, 2017 Friday Find: Acalvio’s Advanced Threat Defense
“You are in a maze of twisty little passages, all alike.”
That’s the phrase that kept running through my head as the folks from Acalvio prebriefed me on Deception 2.0, the second version of the company’s advanced threat defense technology. The basic premise behind the company’s software is to deploy a distributed network of low-impact honeypots that adapt automatically, tempting a would-be intruder with choice targets in multiple directions. Which way to go, in the face of so many tempting options? (Hence the phrase.)
The software presents attackers with a tasty buffet of (as the company describes it) “realistic and non-fingerprintable decoys, lures, baits and breadcrumbs,” including the user’s own custom apps and common off-the-shelf applications like PeopleSoft, Oracle, or SAP. The net effect is to present attackers with a delightfully realistic target-rich environment, and to use their responses to study the attackers closely.
And that brings me to another fundamentally interesting aspect of the company’s approach: the use of what it calls “adversary behavioral analytics.” That is, Deception 2.0 relies on various logs and feeds (including SIEMs such as Splunk) as well as the intruder’s real-time behavior to learn and understand the adversary. That’s a novel application of the concept of Behavioral Threat Analytics (BTA), which is more typically implemented to track user behavior to unearth anomalies that might represent the actions of attackers. (BTA vendors include folks like Bay Dynamics, Exabeam, and Splunk’s Caspida acquisition.) With Acalvio, threat analytics is applied to a known adversary, with the goal of learning more about the adversary and protecting the environment against him.
Those two components–low-impact virtual honeypots and adversary behavioral analytics–are interesting enough. But what also caught my attention is the fact that Acalvio says its solution can be deployed to protect assets on premises, in public clouds like Azure or AWS, or in combination. That’s critical for enterprise organizations, 82% of which have deployed at least some IaaS to date.
The biggest challenge I can see with an approach such as Acalvio’s is that it requires fairly significant security maturity on the part of the enterprise organization deploying it. To make effective use of the technology, a company should already have deployed tools like a SIEM, and should have a robust approach to incident analysis and response. It takes discipline to monitor an intruder’s actions in one’s environment, and solid adherence to best practices to ensure that resources aren’t unintentionally left vulnerable. Most companies are at level 0 (unprepared) or 1 (reactive) in Nemertes’ 2016/2017 Security Maturity Model, and these firms should focus on shoring up their deficiencies before deploying more advanced tools. For companies that score at the proactive (2) or anticipatory (3) level, the tool may be worth considering.
How well does the company live up to its claims? That answer will have to wait until I’ve talked to a few customers. But it’s an interesting approach, and one worth drawing to the attention of enterprise cybersecurity pros.