Video: 10 Minute IT Jams - Who is Attivo Networks?
Australian and New Zealand organisations are facing increasingly complex cybersecurity threats. But a new approach, described as "turning the tables on the attacker", is offering hope to IT and security managers stretched thin by mounting risks.
Jim Cook, Regional Director for Australia and New Zealand at US-based Attivo Networks, is forthright about the current landscape: "We're dealing with quite a knotty problem that most IT managers at the moment are struggling with, and security managers, which is what do you do after an attack has got through your perimeter defences?" he said.
According to Cook, traditional security measures are not enough on their own. "Depending on what bit of research you read, the average dwell time at the moment is somewhere between a few weeks to a few months; attackers are inside the network for that long," he explained.
Attivo Networks, a vendor specialising in threat detection, is championing a different methodology it calls deception technology. The company's solution aims to reduce this dwell time dramatically, to hours or even minutes. "The way that we do that is by seeding the different attack paths that an attacker might use with this set of decoy bits of information," Cook said. "We kind of think of it as turning the tables on the attacker."
The technique involves distributing fake documents, credentials, servers and PC endpoints across a network. When an attacker interacts with any of these decoys, the defence team is alerted without the attacker realising. "If they touch any of the decoy bits of information that we've seeded throughout the network… then they get detected. And if they continue their attack, if they use that information, then the defence team knows that they have been attacked – but the attacker doesn't know they've been detected," Cook explained.
This shift gives defenders the advantage, enabling them to observe the attacker at work. "Because they're in our decoy network, the defence team sees absolutely everything that the attacker is doing… what malware they're using, what files they're dropping, where they're trying to go, what they're trying to get to," he said.
For smaller organisations, the benefits are especially pronounced. Many operate with only one or two security staff responsible for hundreds or even thousands of devices. "They don't really have time to mess around with the volume of data that's available to them. They need to know when there's an attack and they need to know how to deal with it so… we only really create an alert when there is an attack," Cook said.
Crucially, Attivo's system integrates with leading security vendors, automating responses and simplifying the process even for those with limited expertise or resources. "If we detect an attack, we can send a command to… quarantine the machine or to, you name your firewall vendor, we can create an IP address block rule. So really simplifying the way that a small company deals with an attack that they haven't ever had to deal with previously," he added.
Large enterprises with dedicated security teams benefit from the "really rich information that only deception technology can provide", Cook said. "They want to keep the attacker in the decoy network for as long as possible and really understand what it is they're trying to do and how they're trying to do it," he explained, adding that believability of the decoy environment is essential.
Cook pointed out that attackers typically gain initial access through phishing or compromised endpoints. From there, they probe network systems like Active Directory for vulnerabilities. Attivo's technology aims to disrupt this activity by feeding decoy data at every step. "We allow that query to occur but we feed decoy information into that query, so the attacker does get a beautiful view of the network but it's not the real one – it's the deceptive one," he said.
Even if an attacker attempts to use credentials scraped from endpoint memory – a common tactic – some will be fake, leading intruders straight into the decoy environment. The technology covers a range of behaviours, including so-called "living off the land" strategies where attackers move laterally through shared drives and network resources.
"It's quite common as well to live off the land to try and see where you can get to… so we connect some decoy shared drives to that system. Again, we try and make it so any kind of observation of the network is going to lead to a detection event and it's going to then turn the tables and make it an easier play for the defensive team," said Cook.
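To make the detection principle behind the decoy credentials and decoy shares concrete, here is an added example that is not Attivo Networks' code or part of the original article. It assumes a hypothetical set of decoy account names seeded into Active Directory and endpoint memory, and a constructed, simplified logon-event format (timestamp, Windows event ID, account, source host). Because a decoy account is never used legitimately, any authentication attempt with it is treated as an attack signal; everything else produces no alert, which is the low-volume, high-fidelity alerting the article describes for small teams.

```python
"""Decoy-credential (honeytoken) detection over logon events.

Added example, not Attivo Networks' code. Decoy accounts seeded into AD and
endpoint memory are never used legitimately, so any authentication attempt
with one of them is, by construction, an attack signal. Account names, the
log format and the sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Hypothetical decoy accounts seeded into AD and endpoint memory (constructed).
DECOY_ACCOUNTS = frozenset({"svc_backup_old", "adm_helpdesk2", "sql_reporting"})

# Windows security event IDs: 4624 = logon succeeded, 4625 = logon failed.
LOGON_EVENT_IDS = {4624, 4625}

# Constructed, simplified event lines: <timestamp> <event id> <account> <source host>
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 4624 jsmith WS-0412
2024-05-01T09:12:10Z 4625 svc_backup_old WS-0412
2024-05-01T09:12:11Z 4624 adm_helpdesk2 WS-0412
2024-05-01T09:15:40Z 4624 mbrown WS-0199
2024-05-01T09:16:02Z 4672 mbrown WS-0199
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    event_id: int
    account: str
    source_host: str


def parse_events(text):
    """Yield (timestamp, event_id, account, host) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, account, host = m.groups()
            yield ts, int(eid), account, host


def detect_decoy_use(text, decoy_accounts=DECOY_ACCOUNTS):
    """Return one Alert per logon attempt that uses a decoy account.

    Both successful (4624) and failed (4625) logons count: a failed attempt
    with a decoy account still proves someone harvested the decoy credential.
    Non-logon events and real accounts produce no alert at all.
    """
    return [
        Alert(ts, eid, account, host)
        for ts, eid, account, host in parse_events(text)
        if eid in LOGON_EVENT_IDS and account.lower() in decoy_accounts
    ]


def hosts_to_quarantine(alerts):
    """Deduplicated source hosts to isolate, for handing to an EDR or firewall integration."""
    return sorted({a.source_host for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT decoy account {a.account!r} used from {a.source_host} "
              f"at {a.timestamp} (event {a.event_id})")
    print("quarantine:", hosts_to_quarantine(found))
```

In a real deployment the decoy list would be generated and rotated by the deception platform rather than hard-coded, and the quarantine list would be passed to the EDR or firewall integration the article mentions; the point here is only that the detection rule itself needs no tuning, because legitimate traffic never touches a decoy.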
Recent improvements to Attivo's suite include the release of ADSecure, which further enhances the decoy environment in Active Directory, and new integrations "every week or every couple of weeks" with other security platforms. "We don't want to be an additional layer, an additional screen that our SOC needs to look at. We want to be a fully integrated part of their existing system," Cook said.
Looking ahead, the company is guided by two main principles: thinking like an attacker, and listening to customer feedback. According to Cook, "The deception space is still reasonably new so there's always improvements that can be made based on the customer feedback we have. We're very lucky in that we do have hundreds of customers around the world… so it really is a bit of an arms race, I think, where we're constantly trying to work out what the next attack vector is going to be and create a set of information that's going to fit right into that and keep the attackers confused."
Cost-effectiveness is also front of mind. "One of the things we hear a lot is, particularly in Australia, one of the main issues that SOC managers and CSOs have is burnout of their staff because there's just so much information available. How do you know where to focus? If we can reduce the cost to defend and, of course, respond and create a better ROI for our customers then that keeps everybody happy and keeps us on the forefront of what's happening as well," Cook said.
He added that further automation and more seamless integration are key aims for the future. "We do that by lowering the operational overhead and maintaining the fidelity of the alerts that we produce… and by creating more and more automation – making use of our own systems to simplify deployment and response," Cook said.
For organisations interested in deploying such technology, Cook recommends going through specialist systems integrators in Australia and New Zealand, particularly those with deep security expertise. "Because the tech's quite new to Australia I've found that the most value can be added by using systems integrators who have deep technical specialism in security," he said.
"It really is a bit of an arms race," Cook concluded.