CommVault Systems Inc.

07/15/2024 | News release | Distributed by Public on 07/15/2024 07:39

Attackers Overstay Their Welcome

The average dwell time - an attacker's time in your environment before detection or executing their attack - is 204 days. For nearly seven months, attackers move around stealthily, discovering valuable data, understanding your infrastructure and backup environments, and planting back doors that give them persistent access to your organization even if you find and block them.

Data protection requires shortening the time they have to tinker in your environment. This is the goal of most detection technologies that exist today. The problem, of course, is that most detection mechanisms generate far too many alerts on benign activity, that is, false positives. This leads to wasted time and effort looking into things that are simply business as usual. It also causes major burnout for cybersecurity personnel who need to be at their best when combating real cyber threats.

Combat alert fatigue by improving alert fidelity

Cyber analysts will agree that uncovering the needle in a haystack and thwarting an attacker is a real adrenaline booster. It's why many people get into cyber investigations to begin with. Conversely, if you ask any analyst about the worst part of their job, it's often responding to alerts that lead down rabbit holes to nowhere.

A good way to improve your security posture and employee morale is to invest in technologies that reduce tedious, rote tasks and stop your teams from chasing ghosts.

But tuning detection tools to find the signal in the noise is tricky. You don't want to throw out true alerts with false positives, but you also don't want your analysts to investigate alerts that aren't real. So, finding a better signal is key.

Plant decoys in strategic places to trap attackers

A good way to get that better signal is to use deception technologies. These technologies employ decoy assets in your environment that are never seen by legitimate users. Since decoys and traps are invisible to real, authorized users, when interactions occur with these decoys, Threatwise automatically issues high-confidence, high-fidelity alerts that indicate the presence of a malicious actor.

This significantly cuts down on the noise from traditional security tools, allowing security personnel to focus on real threats. It minimizes the chance that Dave from accounting causes an alert by accidentally clicking on something he shouldn't and increases the confidence that an alert was triggered by something that shouldn't be there. These alerts can be seen in Commvault® Cloud and fed automatically to SIEM, SOAR, and other alert management tools to integrate seamlessly into your security operations workflows.

Where should you place traps? Near critical data

The kinds of traps and decoys you deploy in your environment should (1) look like they belong there, and (2) mimic things that an attacker would find appealing. To do both, you need to place the decoys near the data you want to protect and deploy enough of them that an attacker is far more likely to interact with a trap than with the real data.
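The sizing argument above, as an added worked example that is not Commvault's or Threatwise's own code: it models an attacker who examines a handful of assets picked at random from a mix of real assets and decoys, computes the probability that at least one decoy is touched (which, since legitimate users never touch decoys, is the moment a high-fidelity alert fires), and sizes the decoy count for a target detection probability. The uniform-random exploration model and the asset counts are assumptions.

```python
from math import comb
import random


def p_decoy_touched(real_assets: int, decoys: int, touches: int) -> float:
    """Probability that an attacker examining `touches` distinct assets, drawn
    uniformly without replacement from real_assets + decoys, hits at least one
    decoy. P(no decoy in k draws) = C(R, k) / C(R + D, k), so detection is
    1 minus that ratio."""
    total = real_assets + decoys
    if touches <= 0 or total == 0:
        return 0.0
    touches = min(touches, total)  # cannot examine more assets than exist
    return 1.0 - comb(real_assets, touches) / comb(total, touches)


def decoys_needed(real_assets: int, touches: int, target: float) -> int:
    """Smallest decoy count whose detection probability reaches `target`.
    target must be below 1.0: certainty is unreachable while touches <= real."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    d = 0
    while p_decoy_touched(real_assets, d, touches) < target:
        d += 1
    return d


def simulate(real_assets: int, decoys: int, touches: int,
             trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: fraction of random explorations
    that touch a decoy. Constructed asset pool, fixed seed for reproducibility."""
    rng = random.Random(seed)
    pool = ["real"] * real_assets + ["decoy"] * decoys
    k = min(touches, len(pool))
    hits = sum("decoy" in rng.sample(pool, k) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Assumed environment: 100 real assets near critical data, attacker
    # probes 5 of them before committing to a target.
    for d in (10, 50, 100):
        print(f"{d:>3} decoys -> P(detect) = {p_decoy_touched(100, d, 5):.3f} "
              f"(simulated {simulate(100, d, 5):.3f})")
    print("decoys for 90% detection:", decoys_needed(100, 5, 0.9))
```

Because any decoy interaction is an alert with no benign explanation, the curve shows how the "deploy enough of them" advice turns into a concrete count for a given environment.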

Historically, it's been difficult to spin up enough decoys in your environment to effectively dupe attackers. But today, technologies like Threatwise can easily scale and deploy dozens or hundreds of decoys from a single system, increasing your odds of detecting the threat actor.

Add to that Threatwise Advisor, our intelligent assistant that takes into account the data you have in your environment and automatically recommends where and how many decoys you should place across your infrastructure. This makes it simple to deploy and manage, requiring far less maintenance than traditional deception technologies.

Strategically deploying decoys and traps near your most critical data improves your security posture. Using a system that already understands your data and its criticality allows for intelligent recommendations for placement that will yield the best results.

Get deep insight into an attacker's tactics, techniques, and procedures

An added benefit of using Threatwise deception technologies and decoys to detect threats is that the decoys also gather threat intelligence on how an attacker operates.

You can trick attackers into thinking they've gained access by deploying real but innocuous decoy assets, complete with login screens and similar details. This allows you to monitor their behavior and gather valuable intel, such as the credentials they use or test. Early visibility helps you identify and respond to threats much faster, potentially before any damage is done.

Deploying deception technology as part of your proactive defensive measures yields better security. The technology can be tailored to reflect your organization's specific architecture, infrastructure, and risks. It can also be deployed across a wide range of environments, including areas that traditional security tools might miss. This helps to eliminate blind spots in your defenses.

If you'd like to learn more about cyber deception, reach out to our sales team and we'd be glad to show you how it works, or start your own trial today.