MSPs looking to spot malicious insiders trying to move laterally through a network and reduce attacker dwell time while solving for false positives should consider deception technology, says Attivo Networks CTO Tony Cole. The side benefit? A stronger relationship based on innovative use of tech.

“A layered deception service across a customer’s enterprise is innovative and provides enormous value by quickly detecting malicious actors inside the wire and therefore, shrinking the attackers’ dwell time,” says Cole.

Today’s deception decoys aren’t your father’s honeypots: They are realistic enough to fool attackers and may be deployed at scale in cloud-based data stores, on endpoints, even in IoT networks and point-of-sale systems.

Besides Attivo, MSPs can look to Fidelis Cybersecurity, TrapX, vArmour and a number of other deception specialists. For those looking to partner up to deliver deception tech, Cymmetria offers its technology as a service, as does Kudelski Security as part of its managed security services and managed detection and response offerings.

The draw is a market that Technavio expects to grow to $1.4 billion by 2021. An even more upbeat report by Market Research Engine says sales will exceed $2 billion by 2021, accelerating at a CAGR of 15 percent. The concept of deception tech came into mainstream use in 2015 and has been gaining traction since; MSPs serving government or financial services firms that don’t have an offering are behind.

As to what to look for in detection tech, decoys – whether fake credentials, encryption keys, documents or network drives – must be realistic for the customer’s business and hardened so they can’t be tampered with. The ability to automatically and dynamically scatter decoys like breadcrumbs across the network is key to spotting attempted lateral movement, and an MSP must be able to monitor and control them from a central location. If a decoy document is exfiltrated, look for the ability to track where it ends up; that sort of counterintelligence functionality may help identify the data attackers are seeking.

Cole, who uses the Twitter handle @nohackn, is a U.S. Army veteran and comes to Attivo from roles at FireEye, McAfee and Symantec. He sits on the boards of Silent Circle and the (ISC)² and serves on the NASA Advisory Council.

Channel Futures: For those who are unfamiliar with your company, please give us your version of your CEO’s elevator pitch.

Tony Cole: Cyberattacks continue to occur at an unrelenting pace as sophisticated attackers continue to find ways to penetrate perimeter defenses. CISOs now understand that an exclusive focus on prevention technologies is a flawed strategy since breaches will inevitably continue.

Tony Cole

Tony Cole

A balanced strategy on prevention and detection – where organizations incorporate deception as a major component of detection as a layer to shorten dwell times, the amount of time an intruder has undetected access to a corporate network – is the key to minimizing the impact from the eventual breach. This deception layer is a major component of an active defense strategy, which is not solely based on stopping attacks, but instead provides an equal emphasis on detecting and neutralizing attacks in real-time. The Attivo Networks ThreatDefend platform uniquely provides visibility throughout the attack life cycle, detects activity overlooked by traditional security controls, and accelerates incident response with automated attack analysis and incident handling.

CF: What in your opinion is the technical “special sauce” selling point for MSPs?

TC: Any MSP in today’s market must be differentiated from their counterparts and must continuously drive value for their customers. A comforting and frequent touch to the customer on what they’re doing for them is key to customer retention.

Innovation is the other crucial component: Show how your organization is continuously monitoring what’s going on in the world in cyberattacks, and demonstrate how new technologies can detect and counter those attacks to keep your customers as safe as possible. An MSP contract is really a journey that you must be on together with your customer to solidify and deepen the partnership. 

CF: How many MSPs are using your product or service? Do you work directly with end customers, or are you exclusive to channel?

TC: We are in discussions with a number of MSPs globally that wish to deploy our technology to help protect their customers. Several are already under contract and are working out their service.

CF: Who are your main competitors, and what makes your offering better from a technology perspective?

TC: We do have competitors, although they approach this challenge from a different and often more limiting perspective. Attivo has been recognized by analysts, and innovation awards have been earned by the company for its superior deception technology, and our customers agree with us after testing our offerings against others’.

We use a comprehensive deception layer across the entire enterprise covering deception on endpoints, networks and in the cloud. Deceptions provide device decoys, credentials, application and data deceptions for computers, servers, medical devices, IIOT, IOT, SCADA, POS, SWIFT and infrastructure systems. Customers can achieve mirror-match authenticity by loading their golden images onto the decoys and can authenticate credential deceptions with Active Directory-integrated verifications.

It’s a very comprehensive model that covers detection of attacker reconnaissance, lateral movement, credential theft, ransomware, insider threats, man-in-the-middle attacks and even provides attack path assessments. Attivo was an early entrant in the deception segment, and our technology is mature, proven, scalable and can be delivered via the cloud, on premises as an appliance or in a virtual infrastructure. Attivo competitors tend to be focused on either the network or the endpoint level, which provides an incomplete view inside the customer’s world and less comprehensive ability to detect threats of all methods.

CF: When you talk to an MSP partner, what is their biggest technical challenge today that’s NOT addressed by your product, and what’s your advice?

TC: Attivo is focused on the early in-network detection of attackers, not on perimeter defenses. The downside is that enterprises typically will not be able to remove or replace existing infrastructure, and they will need to establish a new manual or automated process flow to share detection data. Our advice to MSPs, since this is a new security control being incorporated into the stack, is to help their clients align each device to its value during the phases of an attack, and optimize deployments accordingly. 

Attivo recommends that MSPs leverage a comprehensive set of native integrations for most of the major prevention vendors to simplify the task of information sharing and to automate incident response. By activating integrations and fully automating response actions for many alerts, MSPs can help their enterprise clients improve the effectiveness of their in-network threat detection and response capabilities.  

CF: Say a potential attacker trips an alarm by trying to exfiltrate a decoy file from a customer network. What level of security expertise would a partner need on staff to respond effectively? Is this a specialized skill set, and does Attivo offer consultative expertise and certifications/training? 

TC: It would be standard incident-response procedures based on their current practices and policies. The expertise already exists in most security teams and MSPs for this type of response, if they already do incident response. Our team does provide training for our customers and partners to ensure they understand our products, the value they provide and the critical information on adversaries they can extract from alerts.

CF: What’s your favorite customer success story shared by an MSP, where tech you developed solved a business problem or enabled a new product, for example?

TC: We partnered with an MSP that talked about the adversary having long dwell times inside many of their customers’ enterprises. The technology stack did not focus on detection and instead was structured to try and stop all breaches.; therefore, it was failing on the more sophisticated attacks. Our solution gives them the ability to slow, confuse, deter and quickly identify an attacker inside any of their customers’ enterprises.

CF: How did you come to the CTO role?

TC: I first became interested in honeypots in the late 1990s while still in the military and joined Recourse Technologies, the first commercial honeypot company, when I retired. We were acquired by Symantec just months after I joined, and Symantec didn’t do much with the technology. I moved into running global government consulting for Symantec and then McAfee for several years.

Five years ago, I moved to FireEye as their global government CTO, and late last year I had decided it was time do something new. Late last fall, I was talking to an old friend and he asked me if I had looked at deception. I spent a few months talking to companies that had deployed this technology, and clearly Attivo Networks was leading the pack in detections and in customer satisfaction.

Soon after, I met Tushar Kothari, our CEO, and the board. They decided I would be a good fit and we were off to the races.

CF: What didn’t we ask that you’d like MSPs to know?

TC: Attivo is making significant progress in closing the detection gap and reducing dwell time; however, not all detection – or for that matter, deception technology – is created equal. Today, analysts sitting inside a security operations center generally suffer from alert fatigue, driven from best-of-breed products that generate tons of alerts that are mostly false-positives.

When Attivo issues an alert, it indicates that someone has touched something inside our deceptive layer. That’s bad. It’s either a malicious actor that broke in, an insider threat, a policy violation or a misconfiguration that must be fixed. It’s that straightforward. It works exceptionally well across all attack surfaces and for all attack methods, which is why it’s really taking off as a new solution that dramatically shrinks attacker dwell time and accelerates remediation.