Whether it’s the rise in encrypted attacks, hands-on-keyboard threats, human-operated ransomware, or, for that matter, successful breaches, we don’t need to throw more doom and gloom statistics to tell you what you probably already know – the prevalent castle-and-moat approach to network security is a failing endeavor.
Many analogies come to mind – “fighting with one hand tied behind your back”, “bailing water while plugging holes in the boat” – but the simplest way to understand this failure is that in a world with accelerating digital transformation, cloud adoption, and globally distributed workforces, the hub and spoke network has come to a breaking point.
Global leaders like Siemens, Genpact, and Ciena have adopted a Zero Trust architecture to drive secure digital transformation, improve productivity, lower cost, reduce cyber risk, and offset the disadvantages of a legacy hub-and-spoke network.
Zero trust is a fundamentally different approach to cyberthreat protection that helps organizations cope with today’s top security challenges.
Let’s take a look at some of the challenges that are making traditional security approaches a game of whack-a-mole and accelerating the shift to Zero Trust.
Extended attack surface
Gone are the days when you drew a perimeter and assumed that everything inside was good and everything outside was bad. The network now extends to branches, remote offices, factories, employee homes, and the cloud. Cloud firewalls further extend your network to locations where they’re spun up. Everything that’s exposed to the internet becomes an attack surface. An expanded attack surface makes it easier for attackers to find and compromise you.
Identity is the centerpiece of security. With credentials being actively stolen using phishing attacks and from the dark web, identity compromise is a key challenge. Once attackers assume a trusted identity, they get the same access to IT assets that the identity they have compromised has. Given that modern networks are extremely complex and provide limited visibility, attackers can move laterally and find high-value targets to exploit.
Big data proliferation
Traditional security operations run on big data. The premise is simple – Place sensors across the environment (NTA, NDR, EDR, antivirus, and UEBA) collect everything and use AI/ML to find evil, pass this evil on to human analysts to rule out false positives and investigate the serious threats, and finally, leverage orchestration and automation to contain the threats. This sounds good in theory but in practice, 56% of security alerts are false positives, there’s a dearth of skilled analysts, and automation has fallen short of its promise due to a lack of high-confidence alerts to orchestrate response on top of.
Zero Trust is a necessary strategy to address these security challenges. A key principle of zero trust is assuming breach, and therefore implementing least-privilege access along with continuous monitoring and authentication to stop attackers and mitigate damages.
For a security architecture built on the ‘assumed breach’ philosophy, Deception is the most pragmatic and effective approach to threat detection.
It works by planting decoys resembling legitimate IT assets in your environments to intercept advanced attackers when they attempt to use stolen credentials, compromise users, or move laterally once inside the network.
Decoys can be fake documents, credentials, and application lures on endpoints. You can also have decoy workstations. In the server zone, you can add decoy servers and applications. You can even add decoy users and computers to your active directory. And in the DMZ, you can create decoys of internet-facing applications like VPN and internet apps that need to be remotely accessed.
When attackers access any of these decoy resources, a silent alarm alerts the security team to adversary presence. The SOC can then use the telemetry to study adversary behavior, hunt for threats across the network, or cut off access.
Deception as a threat detection approach addresses all the key security challenges that organizations deal with today. Let’s take a look at how.
How Deception helps
Extended attack surface
Decoys can be placed across the environment – at the perimeter, on endpoints, inside the network, on the cloud, and in the active directory.
They don’t have any operational impact and provide extended visibility and threat detection capabilities.
When an attacker breaks into your environment, they have no idea what's real and what's fake.
Your decoys turn into tripwires that alert you to adversary presence and enable you to cut them off before they can cause damage.
Use of decoy credentials or stolen credentials to access decoy applications alerts you to compromised identity and diverts attackers away from their targets.
Big data proliferation
No legitimate user is aware that decoys exist in the environment and they are planted strategically in places where only adversaries go snooping.
Since no one is supposed to touch the decoys, any interaction with them is a high-confidence indicator of a breach.
Deception alerts, therefore, have an intrinsic low false-positive property. Security teams can leverage these low false positive, high-confidence alerts to correlate threat activity in other parts of the network and automate containment.
The Zero Trust journey comprises several steps – Making apps invisible to the internet, using segmentation to securely connect users directly to public or private apps without exposing unnecessary data, and improving protections with security tools like deception, browser isolation, and traffic inspection.
Zscaler has built deception into our Zero Trust Exchange to secure this journey.
You could be in the initial phases working through a VPN replacement project, implementing segmentation, or towards the end of total transformation – irrespective of the stage, Zscaler Deception can secure and accelerate this journey by enabling you in three key cyberthreat protection areas:
Detect compromised devices
Zscaler Deception plants lures on endpoints in the form of decoy passwords, cookies, browser sessions, and files. These lures point to decoy applications. This does two things – alert the security team to compromised devices (both on and off network) and divert the attackers away from their targets by pointing them to decoys. It acts as an added layer of defense for a network that extends beyond the office.
Identify stolen credentials
Use of stolen credentials to compromise users is a key challenge for security teams. Zscaler Deception creates decoys of internet-facing infrastructure. These could be VPN portals or other remotely accessible services that adversaries tend to go after. When attackers scope out these public-facing assets to find targets and try to use stolen credentials to gain access, they are instantly detected without false positives.
Detect lateral movement
Whether you’re still on the old hub-and-spoke network, making a transition, or have fully embraced the Zero Trust architecture, there will always be some residual exposure from legacy systems and low visibility areas that attackers might leverage to compromise you. Once inside, they move laterally and escalate privileges. Zscaler Deception plants application decoys that mimic servers, databases, and other internal applications that are frequently targeted during lateral movement. Having internal decoys de-risks your attack surface and detects serious threats that have bypassed existing security measures.
If you look at any ransomware attack, it is executed as a series of steps called the kill chain. The attacker starts by exploiting the perimeter to find exposed applications. Then they get inside and scan the active directory to find privileged targets. Then they use stolen credentials to move laterally. And finally, when they are in a good position, they detonate the ransomware and encrypt the data. With deception, we place decoys at every stage of the kill chain. In other words, deception defenses are mapped to the attack steps. This creates an opportunity to detect and disrupt the ransomware attack at every stage. We have several examples where Zscaler Deception was able to detect ransomware attacks before they could encrypt data.
How it works
Deception is being embraced as part of a holistic zero trust strategy by forward-leaning security teams that understand that traditional cyberthreat protection measures are inadequate when it comes to defending against serious threats like human-operated ransomware, hand-on-keyboard adversaries, supply chain attacks, and advanced nation-state attackers.
MITRE has launched a new framework called Engage to help defenders operationalize deception defense programs. As ATT&CK helps security teams study attack techniques, Engage is a knowledge base of approaches and techniques that defenders can use to actively defend against advanced attacks. The MITRE Engage framework will accelerate the adoption of deception for threat detection and active defense. Zscaler Deception already delivers 99% of the capabilities covered in MITRE Engage and is seamlessly integrated into the Zscaler Zero Trust Exchange.
“The appeal of deception is how it turns the tables on would-be attackers. Security teams don’t have to hunt for network threats, rather the bad actors are lured to decoys, dramatically slowing their progression in order for security teams to quarantine the threats. While the ultimate answer is to migrate to a Zero Trust architecture thus eliminating the risk of network access, deception is founded on the similar concept of trusting nothing and assumes that the network is already breached. This offers organizations a pragmatic path to Zero Trust and provides a simple, yet effective way for them to identify and remove attackers who may already be expanding laterally while compromising resources on the corporate network.”
– Jay Chaudhry, CEO, Chairman, and Founder at Zscaler
Whether you’re just starting your Zero Trust journey or are already a Zscaler customer, learn more about Zscaler Deception and contact us to understand how you can leverage this new capability to accelerate and secure your shift to Zero Trust.