What technology are many firms now starting to use to fill the Risk Response Gap?

What is the importance of responding to recon and unwanted activity?

You can’t respond to what you can’t detect. And sometimes even responding to what you DO discover is an issue.

The Risk Response Gap is that gap in time where something doesn’t look right, but you aren’t sure enough to respond. Here is an example:

I was hired to “recover” a priceless gem from a busy, well-protected house. Armed guards, dogs, and gates. The works. I poked around from afar to determine any probable entry methods. I decided that breaching the front door or a window was too much effort and risky.

If someone kicks the door in, they don’t belong there. Obvious.

The location had staff and people in and out, so I made a couple of fake gas company phone calls and gained entry as a natural gas repairman. One of the many helpful people told the guards to expect me. Once in, I got the complete layout of the house, all the defenses, communications, and where they kept the gem I wanted.

After poking around a little too much, the staff detected I may not be who I said I was. No one could validate me, so I took a nap next to the boiler for a few hours and they seemed to forget I was there. I set off some smoke alarms, and in the confusion, I took what I wanted, then left with a smile. About 15 minutes later they determined I was an intruder and that they had been breached. A day or so later they learned I had taken the gem.

Far too late. The damage was done.

Change the word house to business, and you get what happens in most breaches on a corporate level. Sound familiar? Trick a user to gain entry (phish etc.), move laterally, lie dormant, cause a ruckus, exfiltrate in the confusion.

Bad-guy 101.

Why? They had plenty of protection and actually did detect me, so what was the failure here?

Answer: The response was too slow. There were indicators that I did not belong, but they were not put together quickly enough to isolate me. Because I could still be a false positive, I gained a lot of time.

Usually, we like automated action; you jump the gate, and the dog automatically eats you. Walk through the gates and the guards automatically detain you. Once you have a trusted foothold past the guards and dogs, you can pretty much just hang out as much as you want… just like malware on a laptop. You see, entry is a given, you will always gain access… you send 1000 phish emails, and someone will let you in. There is always a hole… Hey Stuxnet, you air-gapped?

Detection accuracy becomes key to making a timely response.

Imagine the same scenario as above. In the house, there was a room marked “Gem Collection.” When you go into this room, the door closes behind you, and there is no way out and certainly no gems. You are captured simply for being curious. No other staff has business in there, so it catches thieving staffers too. In an ideal scenario, there are more fake rooms than real rooms and many objects a thief would be interested in that a worker will just pass by. These traps are known as “Deception.”

Deception technology provides accuracy which allows security to be automated.

Without deception, I can quickly and easily leverage native Windows tools to map an entire infrastructure and systematically go after objects nearly undetected until I get what I want, in almost every environment.

With deception, I am detected almost immediately.

Not all deception is created equal. “Honeypots” and “honey grids” are easy to sift through or recognize. The fake must be indistinguishable from real business components. If I want to go after SQL Servers, Exchange servers, file servers, and even individual user accounts, I should probably have Deception on all of those objects… Javelin does precisely this.
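What makes a decoy touch actionable is that nobody has legitimate business with the decoy, so the response rule needs no scoring or corroboration. The following is an added example, not code from the original post or from any vendor product: it parses a few constructed key=value access log lines, flags any use of a decoy account or decoy host, and records an (assumed, hypothetical) isolation action for the source host, while leaving real assets touched by real users alone.

```python
"""Deception-driven automatic response over constructed sample events.

Added example, not code from the original post or any vendor product.
The decoy names, the log line format and the isolation action are all
assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed decoy inventory. Nobody has legitimate business with these,
# so any touch is a high-confidence indicator (the "Gem Collection" room).
DECOY_ACCOUNTS = {"svc_backup_admin", "finance_share_ro"}
DECOY_HOSTS = {"sql-fin-02", "exch-dr-01", "fs-legal-03"}

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Response:
    alerts: list = field(default_factory=list)
    isolated_hosts: set = field(default_factory=set)


def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value' access log line into a dict."""
    return dict(_KV.findall(line))


def is_decoy_touch(ev: dict) -> bool:
    """True when the event uses a decoy account or targets a decoy host."""
    return ev.get("user") in DECOY_ACCOUNTS or ev.get("target") in DECOY_HOSTS


def respond(lines: list) -> Response:
    """Act on the first decoy touch from a source host; no scoring needed."""
    resp = Response()
    for line in lines:
        ev = parse_line(line)
        if not is_decoy_touch(ev):
            continue  # real assets touched by real users: leave them alone
        src = ev.get("src", "unknown")
        resp.alerts.append(f"{ev.get('ts')} decoy touch: {src} {ev.get('user')} "
                           f"-> {ev.get('target')} ({ev.get('action')})")
        resp.isolated_hosts.add(src)  # hypothetical: call the NAC/EDR isolate API here
    return resp


# Constructed sample log: a normal share open, then the same workstation
# probing a decoy SQL host, then a decoy account used from another host.
SAMPLE_LOG = [
    "ts=2024-05-01T10:02:11Z src=ws-042 user=jsmith target=fs-hr-01 action=smb_open",
    "ts=2024-05-01T10:02:15Z src=ws-042 user=jsmith target=sql-fin-02 action=smb_open",
    "ts=2024-05-01T10:03:40Z src=ws-117 user=svc_backup_admin target=dc-01 action=logon",
]

if __name__ == "__main__":
    r = respond(SAMPLE_LOG)
    print("\n".join(r.alerts))
    print("isolated:", sorted(r.isolated_hosts))
```

Running it on the constructed log isolates ws-042 and ws-117 and raises two alerts; the legitimate fs-hr-01 access produces nothing.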

So instead of one house there are three, instead of 30 rooms in each there are 300, instead of 1 gem there are 49 fakes right next to it… touch one of the fakes along the way and you are captured immediately.

If you haven’t explored it yet, look into deception as immediate response protection.