Improving and Upgrading Soc With Deception Technology

On August 18, 2020

Role of an SOC Team:

The Security Operations Center (SOC) is primarily responsible for anticipating and minimizing attacks on the organization’s network. It is a facility that houses an information security team in charge of continuously monitoring and analyzing the security posture of an organization, and it is the integration of people, processes and technology. An ideal SOC team should be able to detect an attack even as it happens, take quick action, contain it and reduce the impact on the organization.

Deception has been used by SOC strategists for many years to catch a hacker even as he infiltrates a network. He is led to believe that he has access to critical information and is kept occupied until the threat passes. Due to advances in technology, decoys have reduced the need for human intervention.

How do decoys work?

The aim of deception technology in cyber security is to prevent any significant damage being done by a cybercriminal who has managed to infiltrate a network. The technology operates by generating traps or decoys that mimic legitimate technology assets across the infrastructure. Such decoys can run in the context of a virtual or physical operating system and are built to trick the cybercriminal into believing they have found a way to escalate privileges and steal credentials. The trap is rigged to alert the centralized deception server of an intrusion. It further records which decoy was touched and the attack vectors that the hacker used.

Who constitutes the SOC team?

The SOC team is a closely knit workforce comprising security analysts, engineers, and supervisors. They work alongside incident response teams to continually monitor the network in order to address security concerns as soon as they arise. The SOC team is responsible for monitoring the endpoints, databases, websites, etc. in order to detect a breach. It is also responsible for accurately detecting, evaluating, defending against, resolving and documenting possible security incidents.

How does Deception Technology strengthen the SOC?

Deception Technology makes use of highly automated response systems. It has evolved from basic static detection to a proactive model. It has provided the SOC with state-of-the-art security systems and a host of other features, as detailed below:

1. Enables Active Defense: Deception is an ‘active defense’ tactic aimed at rendering the network hostile to attackers and transferring the cost of staying undetected onto them. As noted above, static security monitoring fails in the face of evolving attacker strategies, which is a huge advantage for the hacker, who can live in the network for months undetected.

Deception, however, is not based on static use-cases. By targeting the human intent behind an attack, as opposed to the devices, vulnerabilities or tactics being used, defenses based on deception will remain effective regardless of what the bad guys do in the future. This means the modern SOC can remain agile and adaptable to emerging threats without waiting to see them first. Threat hunters and incident responders may also use deception to lay traps, both to locate the bad actor and to stop an ongoing incident from spreading.

2. Low False Positives: Even with considerable tuning, it is incredibly difficult to strike the balance between too many warnings and missing actual events while keeping operations running smoothly. Reducing the number of false positives is crucial for the SOC team so that it can focus more on real threats than imaginary ones. Deception technology has exceptionally low false positives because no one should ever communicate with a decoy, decoy credential, or decoy file system. Any interaction is worth studying, and can even trigger an orchestrated response. This lets the SOC reduce its warnings to the ones that represent real and actual threats.
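The low-false-positive property described above, and the decoy-alerting flow from the "How do decoys work?" section, in a small worked example. This is added illustration code, not from the original article or any product: it assumes a set of planted decoy (honeytoken) account names, a constructed sshd-style auth log, and models the central deception server as an in-memory alert list.

```python
"""Honeytoken detector: flag any use of planted decoy credentials.

Added example (not from the original article). Assumes a constructed
sshd-style auth log and a planted set of decoy account names; the
central 'deception server' is modelled as the returned alert list.
"""
import re
from dataclasses import dataclass

# Constructed: decoy accounts that exist only as bait. No legitimate
# person or process should ever authenticate with them.
DECOY_ACCOUNTS = {"svc-backup-admin", "finance-share", "oracle-dba"}

# Constructed sshd-style log lines; the decoy hits are the signal.
SAMPLE_LOG = """\
Aug 18 10:01:02 host1 sshd[2210]: Accepted publickey for alice from 10.0.5.12 port 51522 ssh2
Aug 18 10:03:44 host1 sshd[2231]: Failed password for svc-backup-admin from 10.0.9.77 port 40122 ssh2
Aug 18 10:03:46 host1 sshd[2231]: Failed password for svc-backup-admin from 10.0.9.77 port 40122 ssh2
Aug 18 10:04:10 host1 sshd[2240]: Failed password for invalid user test from 10.0.9.77 port 40130 ssh2
Aug 18 10:05:01 host1 sshd[2252]: Accepted password for finance-share from 10.0.9.77 port 40140 ssh2
Aug 18 10:06:30 host1 sshd[2260]: Accepted publickey for bob from 10.0.5.13 port 51530 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    host: str
    decoy: str    # which decoy was touched
    src: str      # where the interaction came from
    vector: str   # "Accepted" or "Failed": did the bait credential "work"?


def detect_decoy_use(log_text: str) -> list:
    """Every line that references a decoy account becomes an alert.

    Unlike a generic brute-force rule there is no threshold to tune:
    a single touch of a decoy is already actionable.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["user"] in DECOY_ACCOUNTS:
            alerts.append(DecoyAlert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts


def sources_to_contain(alerts) -> set:
    """Source addresses that touched any decoy: candidates for automated containment."""
    return {a.src for a in alerts}
```

Note that the failed attempt against the non-decoy user `test` produces no alert: only decoy interactions are treated as signal, which is what keeps the rule's false-positive rate near zero.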

3. Planned Response: As the data or information at stake is huge in terms of money or sensitivity, a fast and immediate response is of vital importance. Once an attack is detected, the response must be reliable even without validation by a human; otherwise a false positive could lead to disruption of the business. An ideal deception system ensures an appropriate response, identifies compromised data, and removes the threat without any effect on that data, all without the need for human intervention.

4. Detect Insider Threats: Although security teams have traditionally concentrated more on external threats, it is much harder to tackle an attacker with legitimate access. Such attackers also have extensive knowledge of the protection mechanisms in place and can tailor their malicious activity to appear entirely innocent. Usually these insiders are after the records of senior staff, probe systems they are not authorised to access, and try to copy data of a sensitive nature.

The decoys are placed in such a manner that only a handful of trusted employees are aware of their existence; they are usually invisible to normal users. This also acts as a deterrent to internal workers against casual theft or excessive curiosity.

5. “Assumed Breach” Approach: There was a time when defenders could split their network neatly into trusted and untrusted parts. Unfortunately, networks are more complicated than ever and, for the most part, adversaries are ahead. Therefore, the industry has adopted an “assumed breach” defensive strategy. This strategy shifts defenders from attempting to plug every weakness to baselining their environment and testing for compromise in progress. It relies on a good baseline and reliable telemetry, which ensures automatic transmission of data from endpoints to the receiving stations. This traps even the most sophisticated hackers residing inside the network. Deception works on the same tactic of assuming that a breach has already occurred: it engages the intruder and relays their presence to the security teams.

Deception is an integral component of the SOC and is a game changer. Even as hackers have become more aggressive and intrusive, the adversarial nature of deception technology makes certain that defenders stay a step ahead.

Even big organizations like the Reserve Bank of India (ReBIT) use an advanced Deception Technology supported SOC framework.