By: Joseph Tso, CISSP, CISM
Data breaches are a very common occurrence in today’s world. Criminal organizations are making millions of dollars on stolen business and personal data. Exfiltration is typically carried out from an endpoint. All security incidents will involve an endpoint being compromised: the hacker infiltrates an endpoint, runs a command and control operation, and takes over the endpoint. Companies address this problem by acquiring an endpoint solution to detect and interrupt the attack and capture forensic evidence of it. This is the preferred method to detect and prevent hackers from taking over an endpoint. Now that you know this, let me teach you how an endpoint solution works.
Endpoint Security Solutions
There are many forms of endpoint security, such as DLP, antivirus/anti-malware, application control, and IPS/IDS/firewalls. Next-generation endpoint solutions that detect malicious activities and rogue processes are becoming the norm when it comes to security controls that prevent endpoint takeovers. Hackers trying to initiate, or who have successfully established, command and control will follow a pattern that these solutions recognize. As a result, the endpoint solution will attempt to kill the sessions once detected and capture the forensic evidence of the attack. The assumption is that these attacks are predictable and will follow a pattern. After all, hacking methods have been established for a long time, and there is enough data out there to suggest a pattern can be detected, correlated, and analyzed. If that is the case, then endpoint solutions should be your last line of defense.
Defense in Depth with Deception Technology
The last line of defense doesn’t work; it has never worked. There are two things we need to consider. First, hacking methodology will continue to evolve and bypass these endpoint solutions. Second, security controls such as endpoint security products can be costly for larger organizations; these organizations will traditionally take a risk-based approach and protect only critical assets, leaving non-critical assets unprotected. If there are holes in the defense, they leave an opening for hackers to infiltrate these unprotected assets. There is no such thing as the last line of defense. To successfully reduce the threat vectors and risks, we need to apply defense in depth. Layering security controls on top of security controls is not a new methodology, but it works.

Deception technology, as defined by Gartner, is a defense in depth solution that can be used to augment endpoint security. When an endpoint solution fails and the hacker has successfully taken command of the endpoint, the hacker’s next step is to seek out new targets, especially ones with critical assets. Deception technology like TrapX Security allows you to deploy deception systems onto subnets to keep your critical assets safe, lure the hackers into the deception environment, and trap them. Deception solutions are also more cost effective, as you don’t need to cover all the endpoints; they just need to be strategically placed into the infrastructure. Solutions like the TrapX DeceptionGrid can improve your detection ability by alerting your SOC or security team that it has caught and trapped someone within its deception system. It is another alerting mechanism for when your endpoints do not catch the intruder. Remember, solutions like TrapX are not your last line of defense. They are not meant to replace a SIEM, DLP, endpoint security, or SOC monitoring. Deception technology is another line of defense for when your main security products fail.
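The alerting property described above rests on one idea: a decoy has no legitimate users, so any connection to it is a high-confidence signal. The following is an added example of that triage logic, not code from TrapX or from the author. The decoy inventory, the connection-event format, the sample events and the severity thresholds are all constructed assumptions for illustration; a real deployment would feed these alerts to the SIEM or SOC as the text describes.

```python
"""Decoy-interaction triage: turn connection events against decoys into SOC alerts.

Added example, not TrapX code. The decoy inventory, event schema, sample
events and severity rules below are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    """One network connection attempt (assumed schema, e.g. from flow logs)."""
    ts: float       # epoch seconds
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed decoy inventory: addresses no legitimate process should ever contact.
DECOYS = {
    "10.0.1.50": "decoy-file-server",
    "10.0.1.51": "decoy-database",
}


def triage(events, decoys=DECOYS):
    """Group decoy touches by source host and rate them.

    Any touch of a decoy is at least 'high'. A source that sweeps several
    decoys or several ports looks like lateral-movement scanning and is
    rated 'critical' (threshold chosen for illustration).
    Returns alerts sorted by first contact time.
    """
    touched = defaultdict(lambda: {"decoys": set(), "ports": set(), "first_seen": None})
    for e in events:
        if e.dst_ip not in decoys:
            continue                      # ordinary traffic is not the decoy's concern
        rec = touched[e.src_ip]
        rec["decoys"].add(decoys[e.dst_ip])
        rec["ports"].add(e.dst_port)
        if rec["first_seen"] is None or e.ts < rec["first_seen"]:
            rec["first_seen"] = e.ts

    alerts = []
    for src, rec in touched.items():
        severity = "critical" if len(rec["decoys"]) > 1 or len(rec["ports"]) > 3 else "high"
        alerts.append({
            "src_ip": src,
            "severity": severity,
            "decoys": sorted(rec["decoys"]),
            "ports": sorted(rec["ports"]),
            "first_seen": rec["first_seen"],
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


def format_alert(alert):
    """Render an alert as a single syslog-style line for a SIEM (assumed format)."""
    return (f"DECEPTION severity={alert['severity']} src={alert['src_ip']} "
            f"decoys={','.join(alert['decoys'])} ports={','.join(map(str, alert['ports']))}")


# Constructed sample events: one host probing a single decoy, another sweeping both.
SAMPLE_EVENTS = [
    ConnEvent(1000.0, "10.0.2.20", "10.0.1.10", 443),   # normal traffic, not a decoy
    ConnEvent(1001.0, "10.0.2.20", "10.0.1.50", 445),   # single SMB touch of one decoy
    ConnEvent(1002.0, "10.0.3.77", "10.0.1.50", 22),
    ConnEvent(1002.5, "10.0.3.77", "10.0.1.50", 445),
    ConnEvent(1003.0, "10.0.3.77", "10.0.1.51", 1433),
    ConnEvent(1003.5, "10.0.3.77", "10.0.1.51", 3306),
]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(format_alert(a))
```

Because decoys carry no production traffic, this logic has no allow-list to maintain and no behavioural baseline to tune, which is why the single-touch case can be rated high immediately; the compromised endpoint that the paragraph describes is identified by its source address the moment it probes a decoy.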
The difference from endpoint security solutions is that when a hacker falls into a TrapX trap, they will not be getting out: they are contained and trapped while your critical systems stay safe and secure. TrapX is your safety line when all other security products have failed.
If you want to augment and improve your endpoint defense against hackers, TrapX DeceptionGrid is the product you need in your environment.
Joseph Tso is a cybersecurity professional with over 20 years of information technology field experience, with a focus on creating and managing cybersecurity programs. His expertise includes cyber/IT risk management, data governance, security governance, incident response, and privacy management. Joseph has worked in a broad range of industries such as finance/insurance, e-commerce, entertainment, fashion, and aerospace. Joseph has extensive knowledge of cyber law and regulations, including but not limited to the NYS DFS Cybersecurity Regulations, EU GDPR, and HIPAA, and has experience with cybersecurity frameworks such as NIST, COBIT, and ISO 27001. Joseph has participated in speaking panels discussing cyber regulations. Joseph holds professional certifications including CISSP, CISM, ITIL Foundation, Six Sigma Green Belt, and ACE: AccessData Certified Examiner for Forensics. Joseph Tso is a Summa Cum Laude graduate of Pace University with a B.S. in Computer Forensics and expects to receive his Master of Science in Information Security and Assurance, sponsored by NSA/DHS, from Embry-Riddle Aeronautical University in 2018.