We’re all tired of hearing about these uncertain times and the “new normal,” and that tedium can make it easier to let one’s security guard down. But it’s important to remember that amid all this uncertainty, the one thing we unfortunately can count on is that cyber risk continues to rise, and companies of all sizes must combat it affordably.
The problem, of course, is that security operations are becoming ever more costly and complicated to run effectively. It is also notoriously difficult to measure the return on investment across a complex suite of advanced threat detection products. Using those products effectively depends on a team of skilled security analysts, who are hard to find and expensive to staff. Analysts can spend much of their time sorting through high volumes of alerts, which leads to long detection and response times, or to real incidents getting lost entirely in the noise. On top of their complexity and heavy staffing requirements, these traditional detection and response solutions typically cost a company five to seven figures annually to procure, plus the time and effort to operationalize them and integrate them with existing security operations center (SOC) tools, not to mention ongoing maintenance and support.
There are a couple of ways to solve the dual problem of too much complexity and too much expense in the SOC. One is vendor consolidation: fewer solutions with better automation and efficiency. For example, there are several strong bundled SOC offerings, such as Microsoft 365 E5 Security, that many organizations are moving towards for most of their fundamental threat monitoring needs. Cisco SecureX is another Extended Detection and Response (XDR) platform that brings together insights across Cisco’s wide array of security products. A second way is to leverage Managed Detection and Response (MDR), which is becoming increasingly popular: Gartner observed 44% growth in end-user inquiries about MDR over the past twelve months.
The third way is to invest in more effective tools that require fewer resources to manage and use. This is where a deterministic alerting platform can change the game. A deterministic alert is one that is certain: it fires on an action that no legitimate user or process should ever take, such as opening a planted decoy file or trying a planted decoy credential, so when it fires you know there is an attacker, or something else gone awry, that definitely needs remediation. Instead of sifting every signal for a needle in the haystack, these platforms raise only alerts whose trigger condition is unambiguous, so every alert defenders receive is worth acting on. This approach particularly benefits smaller businesses that need agility: it removes the need to sort through alerts, to hire costly security analysts, and to invest in AI/ML technology in an attempt to make the alerts manageable. As a result, many small businesses are able to consolidate their security tools without a SOC (or even without a SIEM) and deploy a more precise set of effective tools that can be run by a small security staff, or even by IT professionals without specific security expertise.
These platforms work in three ways: shrinking the real attack surface by discovering and remediating the conditions that enable lateral movement (cached credentials, saved connections and excess privileges sitting on endpoints); creating the illusion of an expanded attack surface with deceptive campaigns, so that an attacker who has landed on an endpoint sees planted credentials, connections and files that lead nowhere real; and using agentless endpoint forensics to investigate efficiently once a decoy is touched. Together these give simplified, automated lateral threat risk reduction, high-fidelity detection, and lightweight response built around a handful of daily alerts with near-zero false positives. An agentless approach lets them scale from hundreds to hundreds of thousands of endpoints and be managed by IT or security staff regardless of business size.
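Attack surface risk discovery in the sense used above amounts to mapping where credentials sit on endpoints and which hosts they confer privilege over, then finding the chains an attacker could follow from a foothold to a high-value asset. The following Python example, added here and not code from Illusive Networks or from the original article, does that over a constructed inventory (the host names, account names and cached-credential data are invented): a breadth-first search from an entry host to a target, and a check for which single credential, if it stopped being cached on endpoints, would cut every path. The remediation side of the discovery step is exactly that second function.

```python
"""Lateral-movement path discovery over a constructed host/credential inventory.

Added example (not Illusive's code). Hosts, accounts and cached credentials
below are invented; substitute an inventory pulled from endpoints and AD.
"""
from collections import deque

# Which credentials an attacker could harvest on each host (interactive
# sessions, saved RDP credentials, service account tokens).
CACHED_CREDS = {
    "WS-101": {"alice", "helpdesk_svc"},
    "WS-102": {"bob", "helpdesk_svc"},
    "APP-01": {"helpdesk_svc", "app_admin"},
    "DB-01": {"app_admin"},
    "FIN-DB": {"dba"},
}

# Which hosts each credential can administer (and therefore log in to and
# harvest from next).
ADMIN_ON = {
    "alice": {"WS-101"},
    "bob": {"WS-102"},
    "helpdesk_svc": {"WS-101", "WS-102", "APP-01"},
    "app_admin": {"APP-01", "DB-01", "FIN-DB"},
    "dba": {"FIN-DB"},
}


def attack_path(entry, target, cached=CACHED_CREDS, admin_on=ADMIN_ON):
    """Shortest chain of (from_host, credential, to_host) hops, or None.

    Breadth-first search over hosts: from a host the attacker controls, every
    cached credential opens every host that credential administers.
    """
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        host = queue.popleft()
        if host == target:
            break
        for cred in sorted(cached.get(host, ())):
            for nxt in sorted(admin_on.get(cred, ())):
                if nxt not in parent:
                    parent[nxt] = (host, cred)
                    queue.append(nxt)
    if target not in parent:
        return None
    hops, cur = [], target
    while parent[cur] is not None:
        prev, cred = parent[cur]
        hops.append((prev, cred, cur))
        cur = prev
    return list(reversed(hops))


def choke_points(entries, target, cached=CACHED_CREDS, admin_on=ADMIN_ON):
    """Credentials whose removal from every cache cuts all paths to target.

    Each such credential is a remediation candidate: stop the account from
    leaving credentials on endpoints (deny interactive logon, clear saved
    sessions) and the whole class of attack paths disappears.
    """
    cut = []
    for cred in admin_on:
        trimmed = {h: creds - {cred} for h, creds in cached.items()}
        if all(attack_path(e, target, trimmed, admin_on) is None for e in entries):
            cut.append(cred)
    return cut


if __name__ == "__main__":
    for hop in attack_path("WS-101", "FIN-DB"):
        print("%s --[%s]--> %s" % hop)
    print("choke points:", choke_points(["WS-101", "WS-102"], "FIN-DB"))
```

On this inventory both workstations reach the finance database in two hops through the helpdesk account's cached credential and then the application administrator's, and those two accounts are the only choke points: clearing either one from endpoint caches removes every path, which is a far cheaper fix than re-architecting the network.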
Here are some of the most significant benefits that deterministic alerting can offer the mid-market:
- Quick deployment in the environment of choice, be it on-premises, cloud or hybrid: Companies can deploy a simple, agentless lateral threat management solution in as short a time as 1-3 days.
- Ease of use: Agentless endpoint forensics, triggered by deterministic deception alerts, give lightweight response capabilities usable at any skill level, from the expert SOC analyst to an IT professional without specialized cyber analysis skills.
- Low manpower requirements: For companies without dedicated security resources, it’s vital to select solutions that don’t require full-time analysts, that produce exceptionally low volumes of alerts, and that present critical information clearly. Attack surface management and deterministic alerting keep smaller companies focused immediately on what matters: which high-value assets are luring attackers, and which privileged users an attacker seeking important data is likely to target.
- Overall lower total cost of ownership: With no hardware requirement, few operator requirements, and very low maintenance, a deterministic, deception-based lateral threat management platform can come in at a fraction of the cost of a SIEM or NDR solution.
- Highly effective and no noise: Endpoint-based deceptive campaigns plant a deceptive story inside a customer’s network that is specific to that customer’s data and assets. Done properly, a deterministic solution is silent for weeks and only alerts when an attacker trips over a decoy. The one place noise can creep in is legitimate processes that read every file regardless of relevance (backup agents, antivirus scanners, indexers), which have to be excluded from the trigger condition when the decoys are placed. Deception-based deterministic products are exceptional at catching very creative attacks (as well as not so crafty ones). One example: an insider threat, an employee of a bank, who was reading and copying deceptive Microsoft Office files in the belief that they contained lucrative trade secrets. The files had been placed where normal user activity never touches them but where an attacker taking a quieter, more thorough approach would find them enticing; the insider did not know they were fake, and the deterministic platform issued an alert accordingly.
- Total environment coverage: As many commercial customers shift to the cloud, or have built cloud-native from the start, being able to detect and protect high-value cloud assets is critical. Using attack surface management risk discovery, we commonly see organizations that unknowingly have user identities with drastically different access privileges in their cloud and on-premises infrastructure; an identity that is an ordinary user in one environment and an administrator in the other is exactly the kind of path an attacker looks for.
- Automated response: Broad ecosystem integrations with endpoint management and SOC solutions let high-fidelity detections feed directly into existing security response workflows. Integrations with EDR, SIEM and SOAR can use deterministic deception-based triggers to automate responses such as host quarantine or other incident response playbooks; because the trigger is unambiguous, the playbook can act without a human first confirming the alert.
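To make the deterministic trigger and the automated response concrete, and to cover both the decoy-file anecdote under "Highly effective and no noise" and the "Automated response" item above, here is a Python example, added here and not taken from the original article or from any vendor product, that runs decoy-access detection over a constructed batch of file-read audit events and maps each alert to playbook actions. The decoy paths, host and user names, event records, the benign-process allow-list and the action names ("quarantine_host" and so on) are all invented placeholders; a real integration would substitute the SOAR's own actions and pull events from the EDR or SIEM.

```python
"""Deterministic decoy-access alerting mapped to response actions.

Added example (not code from the article or any vendor). Decoy paths, hosts,
users, audit events, the allow-list and the action names are all invented.
"""

# Decoys planted where no normal workflow reads them, with a plausible-looking
# but fake payload. Reading one is, by construction, an unexpected act.
DECOYS = {
    r"C:\Users\alice\Documents\archive\acquisition_targets_2019.xlsx": "finance-lure",
    r"\\fileshare\finance$\old\board_minutes_draft.docx": "finance-lure",
    r"C:\inetpub\backup\db_credentials.txt": "credential-lure",
}

# Processes that legitimately read every file (backup agent, AV engine).
# Excluding them at placement time is what keeps the detector silent.
BENIGN_PROCESSES = {"backupagent.exe", "msmpeng.exe"}


def norm_path(path):
    """Windows paths are case-insensitive; normalize before matching."""
    return path.replace("/", "\\").lower()


DECOY_INDEX = {norm_path(p): tag for p, tag in DECOYS.items()}

# Constructed file-read audit events, loosely shaped like forwarded Windows
# 4663 records. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:01:00Z", "host": "WS-101", "user": "alice",
     "process": "WINWORD.EXE", "path": r"C:\Users\alice\Documents\Q3_report.docx"},
    {"ts": "2021-03-01T23:00:00Z", "host": "WS-101", "user": "SYSTEM",
     "process": "BackupAgent.exe",
     "path": r"C:\Users\alice\Documents\archive\acquisition_targets_2019.xlsx"},
    {"ts": "2021-03-02T02:14:00Z", "host": "WS-101", "user": "jdoe",
     "process": "powershell.exe",
     "path": r"C:\Users\alice\Documents\archive\acquisition_targets_2019.xlsx"},
    {"ts": "2021-03-02T02:14:05Z", "host": "WS-101", "user": "jdoe",  # repeat read
     "process": "powershell.exe",
     "path": r"C:\Users\alice\Documents\archive\acquisition_targets_2019.xlsx"},
    {"ts": "2021-03-02T03:00:00Z", "host": "APP-01", "user": "SYSTEM",
     "process": "MsMpEng.exe", "path": r"C:\inetpub\backup\db_credentials.txt"},
    {"ts": "2021-03-02T03:41:00Z", "host": "APP-01", "user": "svc_web",
     "process": "cmd.exe", "path": r"C:\inetpub\backup\DB_CREDENTIALS.TXT"},
    {"ts": "2021-03-02T10:05:00Z", "host": "WS-102", "user": "bob",
     "process": "explorer.exe",
     "path": r"\\fileshare\finance$\old\board_minutes_draft.docx"},
]


def detect(events, index=DECOY_INDEX, benign=BENIGN_PROCESSES):
    """One alert per (host, user, decoy). No scores, no thresholds, no tuning."""
    seen, alerts = set(), []
    for e in events:
        path = norm_path(e["path"])
        tag = index.get(path)
        if tag is None:
            continue                        # ordinary file: never inspected
        if e["process"].lower() in benign:
            continue                        # allow-listed sweeper: expected
        key = (e["host"], e["user"], path)
        if key in seen:
            continue                        # repeated reads collapse into one
        seen.add(key)
        alerts.append({"first_seen": e["ts"], "host": e["host"], "user": e["user"],
                       "process": e["process"], "decoy": tag, "path": e["path"]})
    return alerts


def response_plan(alert):
    """Playbook steps an EDR/SOAR integration would run for one alert.

    Action names are placeholders for whatever the SOAR actually exposes.
    """
    actions = [("quarantine_host", alert["host"]),
               ("collect_forensics", alert["host"])]
    if alert["decoy"] == "credential-lure":
        # The planted credentials are fake, but whoever read them will try
        # them next; logon attempts with the decoy account confirm the intent.
        actions.append(("watch_decoy_account_logons", alert["path"]))
    return actions


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["first_seen"], a["host"], a["user"], a["process"], "->", a["decoy"])
        print("   ", response_plan(a))
```

Seven events produce three alerts: the PowerShell read of the finance lure, the command-shell read of the credential lure (matched despite the different letter case), and the share-drive read by an interactive user, which is the insider scenario described above. The backup and antivirus reads of the same files never surface, and the repeated read by the same user on the same host collapses into one alert, so the analyst sees one line per intrusion rather than a stream.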
For businesses looking to invest in their first security solution, a deterministic, deception-based lateral threat management platform covers key use cases found in more complex products without the costly overhead and without adding to the ever-present cyber security skills gap. MITRE’s Shield knowledge base, released in 2020, catalogs decoy credentials, decoy files and related deception techniques among its active defense tactics. With deterministic alerts, business teams can count on seeing a return on their investment and relief for their security budgets.
Nicole Bucala is the vice president of business development, at Illusive Networks and has a proven track record of bringing innovations to the market within the security industry.
Paul Kivikink is Director of Strategic Business Development at Illusive Networks, and is focused on building & growing relationships with innovative technology partners to help address customer security challenges.
Decoy stock photo by Ralph Eshelman/Shutterstock