By Brett James, Director, Transformation Strategy at Zscaler
In recent years, federal agencies have dramatically expanded remote work, edge computing deployments, and their use of cloud computing, and have continued other important government IT modernization efforts. These are all positive developments that help agencies meet their missions more effectively.
But they also come at a cost – an expanded cyberattack surface – and cyber attackers are taking advantage. For example, Microsoft’s Digital Defense Report showed that 46 percent of nation-state cyberattacks in one year were directed at the U.S. government.
Public trust is at risk, while the price tag of cyber breaches is rising. The IBM 2021 Cost of a Data Breach report found that data breaches became 10 percent more expensive in 2021, and the average cost of a breach in the public sector was $1.93 million. Moreover, the average time to detect and contain a breach was 287 days, driving up costs and increasing the danger.
With an increase in the number and severity of cyber threats, government agencies that rely on traditional detection technologies could be at a serious disadvantage.
Confronting the Growing Danger
Cyber attackers are using increasingly sophisticated methods that are difficult for government agencies to detect:
- Stealthy attacks: Advanced adversaries use purpose-built playbooks and an in-depth understanding of their target’s environment to get in and stay hidden. As a result, 91 percent of incidents do not generate a security alert, representing a threat to even well-defended and prepared agencies.
- Human operated: Traditional defenses are designed to detect malicious code, but 68 percent of attacks do not use malware. With ransomware, for example, an agency is not simply fighting a software program; the attack is directed by a person. Sophisticated adversaries use advanced tactics like legitimate credentials or built-in tools to bypass traditional defenses and challenge security teams’ limited resources to hunt for threats.
- Hiding in false positives: Most agency security operations default to compiling as much data as possible, collecting it in a security information and event management (SIEM) system, and then seeking evidence of an attack. The sheer volume of resulting data overloads security teams with alerts, 45 percent of which are false positives. Research shows 99 percent of security teams say excessive alert volumes are a problem. Frequently, big threats are flagged, but they are buried in all the noise.
Implementing Active Defense
Zero trust architectures directly connect authorized users to permitted applications and data, reducing the attack surface and lateral movement. But what happens when a bad actor slips through those defenses? How does your agency defend against insider threats and sophisticated nation-state and ransomware attacks?
In these situations, the best defense is active, making it nearly impossible for attackers to achieve their aims. This is the idea behind deception technology.
Deploying Honeypots
Deception technology provides a fake attack surface to intruders, to distract them from sensitive data or systems. This attack surface is composed of honeypots, or false assets, that set off an alarm when an attacker touches them. These decoys can be fake endpoints, files, services, databases, data, passwords, users, computers, user paths, OT, IoT and other resources that mimic production assets.
Deception technology can leverage cloud-based delivery and can be expanded to every possible identity system. Because nine out of 10 attacks involve an Active Directory infrastructure, creating fake, but attractive objects to monitor is a good place to start, followed by fake network attached resources.
Once an alert is triggered, defenders can track attackers’ movement in a secure, isolated environment, identify the assets the attackers are interested in, slow them down, and monitor their tactics, techniques, and procedures.
Deception technology provides:
- Pre-breach warnings: Perimeter decoys detect stealthy pre-breach activities that often go unnoticed.
- Lateral movement detection: Application decoys and endpoint lures intercept adversaries that have bypassed perimeter-based defenses and limit their ability to maneuver and find targets undetected.
- Defense against ransomware: Decoys in the cloud, network, endpoints, and Active Directory act as landmines to detect ransomware at every stage. Simply having decoys in your environment inhibits ransomware’s ability to spread by providing early warning.
- Real-time threat containment: The best deception technology integrates seamlessly with your ecosystem of third-party security tools such as security information and event management (SIEM), security orchestration, automation and response (SOAR), and other security operations center (SOC) solutions to shut down active attackers with automated rapid-response actions.
Integrating With Zero Trust
One of the most powerful approaches to cybersecurity integrates deception technology into a zero-trust system. No single security technique is 100 percent effective at stopping attackers; for maximum protection, multiple technologies must work together and share information.
While the core of zero trust does not include a threat detection component, incorporating deception technology into a zero-trust architecture adds a powerful capability. Deception decoys act as tripwires in a zero-trust environment, identifying compromised users or lateral movement across the network.
Conserving Time and Money
Deception technology is a very efficient form of threat detection that can save time and reduce costs for government agencies. Agency personnel can simply set up honeypots and wait, detecting advanced attacks without high operational overhead. Because legitimate users have no reason to touch fake assets, agencies drastically reduce the rate of false positives and add a powerful layer of threat detection across the enterprise.
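The mechanism described in the honeypot section above (decoys that alarm on touch and feed a SIEM/SOAR) and the false-positive point made here can be shown in a few dozen lines. The following is an added illustration written for this article, not Zscaler's product or code: it keeps a small inventory of decoy objects (a fake Active Directory account, a fake document on a file share, a fake RDP host), scans constructed log lines, raises a high-confidence alert only when a decoy is touched, counts decoy contacts per actor to surface lateral movement, and emits a JSON event a SIEM could ingest. All decoy names, hosts, log formats and event field names are assumptions made up for the example.

```python
"""Minimal decoy ("honeytoken") detector.

Added illustration for this article; not Zscaler's product or code. It models
the mechanism the text describes: decoy assets that no legitimate user has a
reason to touch, so any access to one is a high-confidence alert that can be
forwarded to a SIEM/SOAR pipeline. All decoy names, hosts and log formats
below are constructed for the example.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical decoy inventory, created alongside real assets so the decoys
# look like production objects. Nothing here corresponds to a real system.
DECOYS = {
    "ad_user": {"svc_backup_admin", "fin-db-sync"},       # fake AD accounts
    "file": {r"\\fs01\finance\payroll_2021.xlsx"},        # fake document
    "service": {("10.20.30.99", 3389)},                   # fake RDP host
}


@dataclass
class Alert:
    severity: str
    decoy_type: str
    decoy: str
    actor: str   # user or source host that touched the decoy
    raw: str     # the log line that triggered the alert


# Constructed log formats, one per event type (not any vendor's real format).
AUTH_RE = re.compile(r"^AUTH user=(\S+) src=(\S+) result=(\w+)$")
FILE_RE = re.compile(r"^FILE user=(\S+) path=(\S+) op=(\w+)$")
CONN_RE = re.compile(r"^CONN src=(\S+) dst=(\S+):(\d+)$")


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line records contact with a decoy, else None."""
    m = AUTH_RE.match(line)
    if m:
        user, src, _result = m.groups()
        # A decoy credential is never used legitimately, so success and
        # failure both mean it was harvested; alert on any attempt.
        if user in DECOYS["ad_user"]:
            return Alert("high", "ad_user", user, src, line)
        return None
    m = FILE_RE.match(line)
    if m:
        user, path, _op = m.groups()
        if path in DECOYS["file"]:
            return Alert("high", "file", path, user, line)
        return None
    m = CONN_RE.match(line)
    if m:
        src, dst, port = m.groups()
        if (dst, int(port)) in DECOYS["service"]:
            return Alert("high", "service", f"{dst}:{port}", src, line)
        return None
    return None  # unrecognised line: ignore rather than guess


def scan(lines: List[str]) -> List[Alert]:
    """Run every line through the decoy check; ordinary traffic yields nothing."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


def actors_touching_decoys(alerts: List[Alert]) -> Dict[str, int]:
    """Count decoy contacts per actor: one actor hitting several decoys is the
    lateral-movement pattern the article describes."""
    return dict(Counter(a.actor for a in alerts))


def to_siem_json(alert: Alert) -> str:
    """Serialise an alert as a JSON event a SIEM/SOAR could consume
    (field names are invented for this example)."""
    return json.dumps({
        "source": "deception",
        "severity": alert.severity,
        "decoy_type": alert.decoy_type,
        "decoy": alert.decoy,
        "actor": alert.actor,
        "evidence": alert.raw,
    })


# Constructed sample log lines: three ordinary events and three decoy contacts.
SAMPLE_LOGS = [
    "AUTH user=alice src=10.20.30.15 result=success",
    r"FILE user=alice path=\\fs01\finance\budget.xlsx op=read",
    "AUTH user=svc_backup_admin src=10.20.30.15 result=failure",
    r"FILE user=bob path=\\fs01\finance\payroll_2021.xlsx op=read",
    "CONN src=10.20.30.15 dst=10.20.30.99:3389",
    "CONN src=10.20.30.15 dst=10.20.30.50:443",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(to_siem_json(a))
    print(actors_touching_decoys(found))  # {'10.20.30.15': 2, 'bob': 1}
```

The three legitimate lines produce no output at all: the detector has no threshold to tune and no baseline to learn, which is why decoy alerts carry so little false-positive noise compared with a SIEM rule over ordinary activity. The per-actor count is what an analyst would pivot on next, since the same host touching a decoy credential and then a decoy service is the lateral-movement signal the article describes.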
About the Author
Brett is an IT infrastructure and security leader with 20 years’ experience spanning operations across six continents. Prior to joining Zscaler, Brett led Bechtel Corporation’s journey towards Zero Trust while directing multi-disciplinary teams across the globe. Brett’s career has evolved from help desk support, server and datacenter operations, through to leading regional and global teams with responsibilities across operations, engineering design and architecture disciplines. That wide experience gave him in-depth knowledge of a diverse range of technologies and disciplines plus the capability to direct teams who manage them.
Brett James is the Director, Transformation Strategy of Zscaler. He can be reached online at [email protected], LinkedIn and at our company website https://www.zscaler.com/.