Enterprises are increasingly turning to deception tools to improve response time and provide more effective solutions. While providers may have different approaches, and open source options may differ in terms of both breadth and depth of the coverage they offer, you can access some universal applications for detection and response. Try these five action steps:
Use correlation and alerting to optimize the security operations center. One of the valuable benefits that deception technology offers is the generation of refined alerts and results. Because deception tech is intended to lure an attacker, only legitimate alerts should turn up and there should be few or no false positives. For most solutions, security operations center teams are able to prioritize alerts, allowing them to more efficiently process investigations for faster resolution.
Utilize use cases and playbooks for insider threats. Deception and response technology can not only detect outside attackers, but can also identify insiders. Insiders are seeking out access to valuable data, and that searching by itself will likely lead the deception tools to detect the activity. Your security team may build a playbook that is focused specifically on insider threats, which is often difficult for enterprises because of entrapment or privacy issues.
Employ automated response techniques. A powerful feature that comes with deception and response solutions is the option to automate actions and responses. This can be done with the tools or through an integrated approach with another solution, such as automated incident response that generates “breadcrumbs” for enticing attackers. It may also be able to automate the capture of evidence or indicators that identify the attacker.
Develop a set of intel for tactics. The best threat intel will come from within your own organization, and deception and response technology can facilitate the creation of a reliable set of intel. Attacker toolkits, file indicators attached to malware, ports that are opened, network traffic patterns, and more can be identified through decoy environments and documented for comparison in other areas of the IT environment.
Minimize your response time. With its quick detection of attacks, deception and response technology can limit the amount of time an attacker has access to your systems. You can minimize dwell time, or the amount of time an attacker is lurking in your systems while planning attacks or executing them. With deception solutions, you can shift dwell time to a shorter or longer period, depending on your need to gather information about the attacker.
Deception and response technology is changing the approach of security teams to allow them to be more offensive against attackers, rather than only have defensive measures at their disposal.
To learn more about leveraging the best security solutions for your enterprise, contact us at eXemplify.