Protect Assets With Deceptive Honeypot Techniques

Thanks to Eric Schlesinger, Senior Vice President and Chief Information Security Officer at Polaris Alpha for sharing his thoughts on the current state of security.

Q: What are the keys to a successful security strategy given the ever-changing cybersecurity landscape?

A: We can no longer employ traditional security practices and hope for the best. We must have multiple layers of security - firewalls, IDS, IPS, etc. to limit our exposure. Something will always get through our network. Nothing can block everything. The new frontier is deception technology. Implement more innovative ideas to monitor lateral movement. Set bait and spring the trap on anomalous behavior. Stop as much as you can and be prepared to observe the rest.

Q: What are the most significant changes to the cybersecurity landscape?

A: Ransomware variants are getting through more easily. We need more end-user education. Ransomware is morphing into ransomworms that move laterally. There are more bots inside the network being stealthy and moving slowly. Create lures that look for behavior. See who's looking at what and if they should be. Be more collaborative to observe threats, redirect, and stop them. Learn from and use artificial intelligence (AI) and machine learning (ML) to detect bad behavior.

Q: What are examples of successful use cases where you have helped your clients?

A: We provide education for small and medium-sized enterprises. End users are still clicking on links and this is how malware gets into networks. We provide cost-effective traps in the network - inline and visible. We will put this on the D or E drive of slow commodity hardware and fill it with billions of one-KB files. This stonewalls the ransomware and alerts security professionals that someone is poking around where they should not be. This protects assets with deceptive honeypot technologies and gives security professionals time to think rather than just react. It eliminates stress and allows security teams to do forensics on new threats and variants.
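The decoy-drive idea above (a folder of small bait files that nothing legitimate should ever touch) can be reduced to a simple integrity canary. The following is an added example written for this page, not code from the interviewee or from Polaris Alpha: it seeds a directory with one-KB decoy files, records their hashes in a manifest, and reports any decoy that was modified, renamed or deleted. The file names, the manifest name and the `simulate_ransomware` helper (which stands in for an encrypt-and-rename pass so the check can be exercised offline) are all assumptions for the demonstration.

```python
"""Decoy-folder canary for ransomware detection.
Added example for illustration; not the interviewee's product. The bait
file names, manifest name and the ransomware simulation are constructed."""
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = ".canary_manifest.json"   # assumed name for the hash record


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def new_decoy_root():
    """Fresh scratch directory standing in for the D: or E: drive."""
    return tempfile.mkdtemp(prefix="decoy_")


def seed_decoys(root, count=100, size=1024):
    """Create `count` files of `size` bytes under `root` and record each
    file's SHA-256 in a manifest. Names starting with '00_' sort before
    real data, on the assumption that a ransomware walking the directory
    alphabetically hits the bait first."""
    os.makedirs(root, exist_ok=True)
    manifest = {}
    for i in range(count):
        name = f"00_invoice_{i:06d}.docx"          # bait name, constructed
        body = (f"decoy document {i}\n" * size)[:size].encode()
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
        manifest[name] = _sha256(os.path.join(root, name))
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f)
    return manifest


def check_decoys(root):
    """Compare the folder against the manifest. Any non-empty list is an
    alert: no legitimate process has a reason to touch a decoy folder."""
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    present = {n for n in os.listdir(root) if n != MANIFEST_NAME}
    modified = [n for n in manifest
                if n in present and _sha256(os.path.join(root, n)) != manifest[n]]
    missing = sorted(set(manifest) - present)
    unexpected = sorted(present - set(manifest))   # e.g. renamed *.locked copies
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def is_compromised(report):
    return any(report.values())


def simulate_ransomware(root):
    """Constructed stand-in for an encryptor: overwrite the first decoy in
    place and rename the second one with a new extension. Returns the two
    original names so a caller can check the report against them."""
    names = sorted(n for n in os.listdir(root) if n != MANIFEST_NAME)[:2]
    with open(os.path.join(root, names[0]), "wb") as f:
        f.write(os.urandom(1024))
    os.rename(os.path.join(root, names[1]), os.path.join(root, names[1] + ".locked"))
    return names


if __name__ == "__main__":
    root = new_decoy_root()
    seed_decoys(root, count=20)
    print("clean:", check_decoys(root))
    simulate_ransomware(root)
    print("after tampering:", check_decoys(root))
```

Run `check_decoys` from a scheduled task or a file-system watcher rather than once; the point of the bait is that the first touch raises the alarm while the encryptor is still grinding through thousands of tiny files. Hash verification is cheap here because every decoy is one KB.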

Q: What are the most common hurdles you see affecting the organizations with which you work?

A: It depends on the audience. Most security groups don't admit the weakness in their infrastructure since that's what they're charged with protecting. We try to establish a trusted advisory role. We get push-back on the financials when a company is already spending hundreds of thousands of dollars on security and is being asked to spend more. Others pretend they will not get hacked. We educate versus sell and work to build allies. We will sell our solutions and then services around those solutions.

Q: What's the future of security from your perspective?

A: A larger community sharing data, stories about what happened and how they stopped it, the tools used, crowdsourcing. Take steps towards more innovative approaches. Look at deception to track, see, watch, and catch. Most attackers will lie dormant for 180 days before they will attempt to exfiltrate data. Using ML is the next frontier to look for anomalies, lure traffic in, and observe when something seems different.

Q: What skills do developers need to be more proficient in building secure apps?

A: Work with security practitioners to know more about normal bugs. Become familiar with deception technology and begin putting honeypots in your code to catch people moving laterally in your network. Create tables or rows in databases that say "passwords." Create areas in your code that look like a hard-coded password. Be familiar with how to build deceptions into your code.

Q: What else do we need to consider with regards to security?

A: Developers are in the same category as everyone else. Every technology, JavaScript library, and code has a flaw. Stay up-to-date on best practices and patch flaws when they are discovered. Create a new flaw and share how to fix it. Think about how to create lures for hackers. Transparency and open communication are the keys to defending against hackers as it's easier for things to be infiltrated and the bots are slower moving once they're inside the network.