ThreatMatrix: Deception-Based Threat Detection and Continuous Response Platform
9 out of 10 companies have shared that they have been breached in the last three years with 59% stating that at least one of these attacks resulted in physical damage.
Attackers are currently getting backdoor access into networks and are able to remain undetected for an average of 6+ months.
Worse yet, 4 out of 5 breaches are discovered by external parties rather than by internal security systems.
The bottom line: traditional approaches to preventing the advanced cyber attacker are failing, and breaches are occurring daily.
Prevention security solutions alone are no longer seen as a reliable line of defense against cyber attacks.
With a growing number of cyber attacks, organizations are aggressively adopting deception detection technologies to provide real-time alerts of threats, improved incident response, and to mitigate the risks associated with data and employee credential exfiltration.
The Attivo ThreatMatrix Platform, designed for high-interaction deception, provides a distributed deception and decoy solution that is designed to deceive, detect, and defend against BOT, Advanced Persistent Threat (APT), stolen credential, and ransomware attacks.
(Hear from founder, Marc Feghali. Courtesy of Attivo Networks, the OpenStack Foundation and YouTube)
The ThreatMatrix Platform is composed of Attivo BOTsink engagement servers, decoys, and deceptions, the Multi-Correlation Detection Engine (MCDE), the ThreatStrike endpoint deception suite, and the Attivo Central Manager (ACM), which together create a comprehensive early detection and continuous threat management defense against cyber threats.
The Attivo Deception Platform provides real-time threat detection and accelerated incident response to support the Internet of Things (IoT) ecosystem.
Gartner forecasts that "6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015" [1], bringing a whole new set of cybersecurity risks and the need for real-time attack detection.
IoT systems are network connected devices that collect and exchange data, allowing enterprises to increase efficiency and productivity.
IoT networks bring in a diverse range of connected devices and can introduce multiple points of vulnerability into the network.
High availability and safety are important attributes of IoT deployments, and downtime of IoT sensors or networks can cause significant damage to an organization and, in some cases, to public safety.
Just a few of the security challenges these devices bring include a dramatic increase in unauthorized access, weak encryption, targeted attacks exploiting vulnerabilities in vendor software, and weak passwords, among many others.
Once inside the network, attackers can use stolen credentials or move laterally to gain illegitimate access to company assets and information.
Rich IoT targets include PACS (Picture Archiving and Communication System) servers, which store critical patient data such as X-rays and other digital images, payment gateways for credit card processing, and other data gathering and aggregation frameworks.
The Attivo Networks Deception Platform is designed to detect cyber attackers regardless of whether the attack is a targeted, stolen credential, ransomware, or insider threat.
Customers can configure the Attivo Deception Platform to look identical to IoT systems based on XMPP, CoAP, MQTT, HL7 and DICOM-based PACS servers in their networks.
The Attivo BOTsink® engagement servers and decoys can then be customized to appear as production IoT sensors and servers, deceiving attackers into thinking they are authentic.
By engaging with decoys and not with production devices, the attacker reveals themselves and can be quarantined and studied for detailed forensics that can be used for remediation and future prevention.
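To make the engagement-based detection described above concrete, here is an added example (not Attivo's code) of the packet-handling core of an MQTT decoy broker: it parses an MQTT 3.1.1 CONNECT packet and turns any connection into an alert carrying the attack details, because a decoy has no legitimate clients. The sample packet, the `decoy_alert` function and the field names are constructed for this illustration; a real decoy would feed bytes from a listening socket into `decoy_alert`.

```python
import struct

def _decode_remaining_length(data, pos):
    """MQTT variable-length integer: up to 4 bytes, 7 data bits each."""
    value, multiplier = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")

def _read_string(data, pos):
    """MQTT length-prefixed UTF-8 string (2-byte big-endian length)."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode("utf-8", "replace"), pos + length

def parse_mqtt_connect(packet):
    """Return the fields of an MQTT 3.1.1 CONNECT packet, or None if it is not one."""
    if len(packet) < 2 or packet[0] >> 4 != 1:   # control packet type 1 = CONNECT
        return None
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos < remaining:             # truncated packet
        return None
    name, pos = _read_string(packet, pos)         # protocol name, "MQTT"
    level, flags = packet[pos], packet[pos + 1]
    (keepalive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_string(packet, pos)
    info = {"protocol": name, "level": level, "keepalive": keepalive, "client_id": client_id}
    if flags & 0x04:                              # Will flag: skip will topic and message
        _, pos = _read_string(packet, pos)
        _, pos = _read_string(packet, pos)
    if flags & 0x80:                              # username flag
        info["username"], pos = _read_string(packet, pos)
    info["password_supplied"] = bool(flags & 0x40)   # record presence only, never the secret
    return info

def decoy_alert(src_ip, packet):
    """Engagement-based alert: nothing legitimate talks to the decoy, so any CONNECT is an event."""
    fields = parse_mqtt_connect(packet)
    if fields is None:
        return {"severity": "medium", "src_ip": src_ip, "summary": "non-MQTT bytes sent to MQTT decoy"}
    return {"severity": "high", "src_ip": src_ip, "summary": "MQTT CONNECT to decoy broker", **fields}

# Constructed sample: CONNECT from client "sensor-01" with username "admin", a password, keepalive 60.
SAMPLE_CONNECT = bytes.fromhex("10" "22" "00044d515454" "04" "c2" "003c"
                               "000973656e736f722d3031" "000561646d696e" "000470617373")
```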
“With the growing number of IoT devices in production networks, even minor security issues can turn into significant problems.
This new surge of IoT devices will be a cyber attacker’s playground, with the introduction of new data exchange mechanisms and traditional security infrastructure being ill-equipped to prevent threat actors from using these devices as an onramp to their network,” said Tushar Kothari, CEO of Attivo Networks.
“Given the inability to run anti-virus or apply typical prevention measures, deception will play a critical role in the early threat detection and response to IoT cyberattacks.”
According to Gartner analysts Ray Wagner, Earl Perkins, Greg Young, Anmol Singh and Lawrence Orans in their December 2015 report Predicts 2016: Security for the Internet of Things, “Discovery, provisioning, authentication and data protection will account for 50% of all security spend for IoT through 2020… by year-end 2018, over 50% of IoT device manufacturers will remain unable to address product threats emanating from weak authentication practices.”
The Attivo ThreatMatrix deception platform changes the paradigm with early detection of attackers that have bypassed prevention systems.
This early detection system provides real-time detection of attacker reconnaissance and lateral movement, considerably reducing dwell time.
Time to respond is also dramatically reduced, since the ThreatMatrix BOTsink correlation engine analyzes attacks, provides forensic reporting, and allows automated response actions, negating an attacker’s ability to complete ransomware, stolen credential or other advanced malware attacks.
The ThreatMatrix deception solution is designed for efficiency and frictionless deployment.
- The solution is not in-line, so it doesn’t require process changes or network redesign to install. Organizations can be up and running deception in under an hour and can make their entire network a ubiquitous trap for cyber attackers.
- Attivo deception is exceptionally comprehensive and authentic, running real operating systems and with full golden image customization to the production environment. Dynamic deception techniques and sophisticated deception lures deceive an attacker into engaging regardless of whether the threat vector is a zero day, stolen credential, ransomware, MiTM or insider attack.
- The platform seamlessly scales to support user networks, datacenters, cloud, ICS-SCADA and IoT environments, and provides a centralized threat management console.
- Detection is based on deception rather than database lookup or pattern matching, eliminating the need to cull through logs and deal with false-positive alerts. Attivo alerts are engagement-based and substantiated with attack details, which simplifies incident response and negates the need for additional resources to operate the solution and respond to an incident.
- Attivo provides its own sandboxing technology that analyzes and provides forensic reporting of each attack. Full TTP information, infected IP addresses, signatures and other attack details required to isolate and block an attacker are immediately provided, dramatically accelerating incident response and automating response actions with firewalls, NACs and SIEMs, per an organization’s preference. Customers regularly cite the time savings of the ThreatMatrix analysis engine, which automates the analysis and reporting of advanced malware and suspicious phishing emails.
- ThreatPath™ attack prevention reporting provides continuous visibility into a company’s vulnerabilities and weak links by highlighting attack path risks based on misconfigurations or credentials on non-designated computers, by showing the infected endpoints, and automating trouble ticket requests for systems needing remediation.
- Deception is a game changer in both its high efficacy and in efficiency to operate and most impressively at a cost that doesn’t break the bank.
We recommend Attivo as the award winner of the Incident Detection and Prevention category based on the solution’s proven performance in accurately and efficiently detecting and responding to today’s most advanced cyber attackers.
Attivo Networks® is the leader in dynamic deception technology for the real-time detection, analysis and forensics of cyber-attacks.
The Attivo Deception Platform provides inside-the-network threat detection for user networks, data centers, clouds, and ICS-SCADA environments.