This article is fifth in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of how deception fits into information risk management strategies and how organizations can answer C-level ROI questions for justifying deception.
Cyber risk management and deception
Perhaps the most foundational objective for any enterprise cyber security team is the proper management of risk. Too often, teams get caught up in the day-to-day operational issues of cyber security – and they tend to forget that their goal is risk management of cyber-related issues. This requires balancing security protections with the cost and effort required to prevent, detect, or respond to an incident.
This view of risk management as a driver for security protections helps senior leaders place cyber security into more familiar business contexts. Managers and executives understand risk, so when they can integrate unfamiliar concerns about hacking, malware, and exploits into more familiar and well-known risk models, then they become more comfortable with the security team’s operational, funding, staffing, and investment requirements.
Deception technology, it turns out, is a protection method that is best viewed in the context of risk management. That is, when enterprise teams decide to deploy deceptive assets, the goal should be to cost-effectively reduce cyber risk to the organization. This is an important view, because it reinforces the point that the best cyber security controls are never designed to remove all risk, but rather to reduce the likelihood and/or negative consequences of a breach.
C-Level ROI considerations
The development of meaningful return-on-investment (ROI) metrics for cyber security has been an elusive goal for many years. This is true for any type of security control, simply because one cannot measure what does not happen. The good news, however, is that methods do exist for demonstrating ROI in the context of familiar metrics for security, and deception technology plays an important role in the optimization of these quantifications:
- Vulnerability Metrics – Every security team keeps track of relevant vulnerabilities, often using penetration testing or bug bounty resources. Including deception will help to identify vulnerabilities during internal or external testing, and for more advanced deception platforms, in advance of testers finding them. This can improve metrics for vulnerabilities by identifying them sooner or discovering them on non-operational assets.
- Budget Metrics – The workflow automation available in advanced deception platforms helps to reduce the need for staff, budget, and capital in active cyber defense. This is one of the most important metrics of all, since it demonstrates the ability to manage risk without the need for continually increasing funding, though this capability is not present in all deception platforms.
- Incident Response Times – The cycle times for incident response can be lengthy, often because determination of adversary tactics and root cause of issues can be particularly difficult. Deception plays a role in reducing the time to understand adversary behavior, and thus create better root cause analyses.
Improving response times with deception
As shown in the figure above, a major advantage of deception is its inherent support for defensive forensics and adversary tactical observation. Rather than having to plan, initiate, and execute on separate forensic and attack analysis processes, deception technology includes direct support for these activities as part of the overall process. In fact, as soon as an intruder engages with the deceptive trap, forensic observation has already begun.
At the senior or board-level, ROI is estimated based on broad, high-level, business issues; for middle management, ROI tends to combine strategic and tactical considerations; and at the working level, ROI is almost always tactical. Deception technology is useful at each of these levels, because its forensic and response value is immediately evident to executives, managers, and operators – even ones without backgrounds in cyber security.
Strategies for justifying deception
When security teams are making their case to justify investments, in addition to ROI, they must make trade-off decisions between different security solutions. That is, security solutions can be functional measures such as firewalls and encryption; they can be procedural controls such as improved system and security administration processes; and then can be policy controls such as more severe consequences for bad actors who are caught violating security rules.
Deception technology is particularly attractive as an overall control for cyber security because it supports all three of these control areas. Deception platforms are clearly functional, since they involve actual computing and networking capability embedded into a target network without impacting production operations; but deception also includes support for better forensic and analytic procedures, as well as offered basis for improving enterprise security policies.
The bottom line for cyber security teams is that all three strategies – functional, procedural, and policy-oriented – are supported in any deception platform ROI case. This is good news, because it will help enterprise security managers convince upper management and decision-makers that deception is not only an attractive means for reducing cyber risk, but it has now evolved into an essential control.
Enabling business functions with deception
In the end, the greatest return on investment for any enterprise cyber security initiative is mission success. In a commercial context, success involves business and financial objectives; in a government context, success can involve strategic or tactical objectives, often with safety or life-critical implications. Viewing cyber security in this manner allows one to emphasize enablement rather than blocking of business activity.
Deception technology plays a critical role in this ROI-driven enablement because the risks that are reduced and mitigated through solutions, such as the Attivo Networks ThreatDefend platform, are often significant and mission-affecting. To that end, we hope the reader will consider the use of deception technology, if they are not already doing so, and that an emphasis on deception will optimize security ROI and the chances for mission success.