Deceiving the Attackers: A Q&A with Carolyn Crandall of Attivo Networks

In the latest episode of the Early Adopter Research (EAR) Podcast, EAR’s Dan Woods spoke with Carolyn Crandall, the chief deception officer of Attivo Networks, while both were at the RSA 2019 Conference. Their conversation covered Woods’ three big cybersecurity questions for the year, and Crandall also explained the position of Attivo Networks in the cybersecurity landscape. This is an edited version of their discussion that can be heard on the podcast.

Woods: Can you explain your job and what Attivo Networks does?

Crandall:  I am the chief deception officer of Attivo. The neat thing about this is that the deception marketplace is one that needs a lot of education, and I spend a lot of my time helping evangelize for the technology and educate the market on why deception technology is of high value for better detection and better investigation and response to attacks.

How would you describe deception technology to a newcomer?

Deception technology, just like you use in military, law enforcement, sports, gambling—it is a way of outmaneuvering your adversary. The way we apply this in cyber deception is that we put a variety of network endpoint application data and database type deceptions into the network. And so what you’re doing is creating a minefield inside of the network so that as the attacker attempts to do reconnaissance, they attempt to harvest credentials, they attempt to steal data, you get a lot of insight. So first a very high fidelity alert, because we detect them as soon as they engage with the decoy or attempt to use a deception credential or lure. That alert makes it very actionable for the responder to respond. It’s unlike a lot of other technologies that are trying to pattern match or guess. The attacker gets tricked. They can’t tell real from fake and they get tricked into engaging and then we say someone is doing something they shouldn’t inside the network, whether it’s malicious activity or maybe it’s just a policy violation of an employee.

So if anybody touches a decoy you know that they’re a problematic actor or there’s some big mistake happening.

It’s typically either malicious, it’s a policy violation, or sometimes it’s even a system configuration issue that is causing engagement with our environment. But nonetheless, that would also be something that you would want to investigate immediately because it’s an exposure the attacker would exploit as well.

I have three questions about zero trust. With zero trust, the idea is that we no longer can assume that inside of our perimeters we have a zone of safety. And then even if we could assume that, we have people who are going to be moving outside of that zone of safety to access important systems from the public internet and they’re going to be accessing the systems inside of our infrastructure but also accessing systems in the cloud, and we want to make sure that when they do that everything is secure. If you look at where it started and Google’s thinking about this when they did the BeyondCore architecture for their own cybersecurity, they implemented protection using these ideas using a whole custom stack of technology. It’s impossible to actually buy that stack from any vendor. So what can you actually do as a normal CISO to react to the assumptions behind zero trust?

I boil it down to an “it depends” answer. I would roll back to every company should have a security framework. It could be something following a NIST or ISO or MITRE ATT&CK framework around their process and policies for security. By mapping what you currently do today, then you start to understand what you have in your security stack and some of the gaps and holes in your security stack. It’s very easy to say let’s have a zero trust model, but then as you said you go to try to put it into implementation and you realize that you probably don’t have the money or resources to do everything that needs to be done, especially all at once. By looking at your framework, mapping your risk models, mapping your tools, you’ll be able to get more insight into the things that you need. You mentioned cloud environments, or with IoT devices connected to the Internet, or taking extreme views of the world saying everything is either the cloud or the endpoint. How does that security framework change? Do you have the right controls, do you have the right detections for things that either bypass security controls when they don’t work the way they’re supposed to. By having as much of a zero trust model as you can have but then putting in other tools to detect when they don’t work or a check and balance to those systems, you allow people to operate the business at the speed they want to, without falling behind.

So you can imagine a world of unlimited controls in which you can really protect everything that could possibly be protected. And if you could make that work and still enable all business activity, that would be a great thing. But it’s unlikely that you’ll be able to do that without some custom implementation. So what you can do is use the framework that you have to create a perspective about the most important thing you can do.

Yes. In a typical security stack, there’s not a lot of checks and balances, and that’s what makes people hesitate. My normal processes and tools may or may not work as I take something like a medical device that was never meant to be connected to the internet and people want access to the information and data about themselves as well as the physicians and the doctors. So how do you change or alter your models? And it’s going to have you open up things where sometimes the innovation to do that is going to outpace the security models. Especially when you put in DevOps and you’ve got supply chains, whether they’re software or physical, or the chain itself, there are lots of things that can happen where you’ve perfected everything around it, and something that you’re not expecting puts a chink in the armor. That’s what the attacker is looking for.

It seems like we’ve been in this long progression of development of cybersecurity where the cybersecurity portfolio has grown and we never seem to get a smaller cybersecurity footprint. Now, our attack surface keeps growing as well. But at some point it seems rational that we would be able to have pruning, a reduction in complexity, number of vendors, and capabilities so that a smaller set of capabilities delivers the outcome that you’re interested in. But we just haven’t seen that. Why do you think that is?

You look on the floor here at RSA and there are over 700 different vendors that are all trying to pitch their solutions. How you consolidate that is a challenge because everybody does something differently. What people need to start thinking about is when their focus on the perimeter and prevention is good enough, and when they should start to balance their portfolio and say attackers can and will get into the network, so have we made the proper investments into detection and response capabilities. And then look at their tools and how well they share information and allow them to automate the processes and scale across different attack surfaces. You don’t want different systems for your user networks, your data centers, your cloud environment, and your remote offices. I definitely see a big focus on information sharing and more integration and as much as possible trying to get toward automation, with the hesitation that we don’t want to automate anything that we’re not fully confident in. Everybody shouldn’t be trying to have their own dashboards and complete resolution to the problem.

So how can you support the incident response analysis cycle in a seamless way? How can integrations make things simpler?

The thing to be careful about is to not squash the security innovation that you need, because a lot of times the reason you see so many small startups is that we’re solving problems that the big vendors haven’t solved. If you say I’m only going to go with this company’s infrastructure, you may find that you’re not getting the latest and greatest in technology innovation. It’s tough. I think that the smaller vendors need to think through how they incorporate into the bigger vendors’ technologies to try to make it seamless, and the CISOs and security teams need to keep a certain amount carved out for innovation. Don’t just expect it to come from the big vendors.

Let’s talk about cloud migration. What sort of cybersecurity belongs in the cloud because the bulk of cybersecurity spending is still on on-premise systems? And how can CISOs support the migration to the cloud in a way that preserves safety and also doesn’t create more complexity for the cybersecurity environment?

Almost every CISO that I talk to is either in the process or planning to move to the cloud in some way. If you want to stay competitive and get the economics and the flexibility of the cloud, you’re going to have to select things to move over to the cloud. On the security model, it is different. Segmenting what you put there and protecting your data is all very different. What I think people need to do is to look at it and say what is the architecture we’re going to use in the cloud? And whether you chose AWS or Google or Oracle, it doesn’t matter as much—they all have their own nomenclature for each. But the functions are very simple. Look at what those security risks are, and those different models and say, what if you’re looking at an environment with serverless technologies and dynamic environments where the things you were doing before aren’t going to work. And so you have to look at some different controls and processes. And you also need to have those checks and balances we talked about before such that even if your cloud provider is offering you security, you have checks and balance if their controls don’t work as they should.

It seems it would be a great benefit to most organizations if they invested in increasing their operational discipline and capabilities rather than buying yet another cybersecurity component. What I mean by that is CISOs should ask themselves how much more progress can we make in configuration management, patch management, asset inventory capabilities, and automation, so that we can express our intent of what we want our environment to do and have it automatically configured to do that. That provides a huge amount of cybersecurity benefits. Yet as much as that makes sense to everybody, it’s not something that’s easily put on the agenda. Why do you think it’s so hard to maintain a focus on improving and expanding operational discipline?

Changing operational processes and approaches to things is hard. It takes time and many times it’s a cross-functional activity which that additional collaboration can be complicated in many ways. Sometimes it may seem like the path of least resistance is throw more technology at it. I think taking a look at what framework you’re using, whether it’s one of the known ones like NIST or something you create on your own, is going to be very valuable for taking a look at both the processes and the tools that you have in order to see how these things work together and interrelate. I carve out a certain amount on my budget for just experimental things for let’s just try something new and different. But that’s a little different than what I’m doing in my core production area. I should have that as a plan that’s very controlled and is incorporated into a framework or a plan but still keep the innovation coming in. It is a balance, but I think if you start with that framework first, you’ll improve your processes, your purchases will make more sense of how they fit into that and hopefully you’ll have less inefficiency of the model or risk.

It seems really hard to create and maintain a culture of cybersecurity awareness. What have you seen the organizations that are really good at doing this do?

It’s hard. We’re human. We want to do the right things, we want to help people out and so we’re looking—as we’re looking at email and other things to try to do the right thing. In that quest people are going to make mistakes and so organizations need to continue to do a lot of the security training, do phishing testing runs to try to get people to fall for it. And I think people when they make mistakes learn and those mistakes are the best way for them to know, hey, now I was caught once, I’m not going to click on that email again or I’m going to be more aware of the environment. But it is a balance. There’s definitely ongoing continuous testing, management, education of people but there’s also the reality that we are all human and so we are going to make mistakes. Companies need to put the right checks and balances into place too knowing that is going to happen and people are not necessarily bad for making those mistakes.

I’ve run into a lot of CISOs who are frustrated because they’re being forced by their CEOs or CFOs to buy cybersecurity insurance. They don’t like the idea of buying it because it’s a very young insurance product, it doesn’t often have a clear set of benefits that it’s going to pay for, and there are many escape hatches for paying. Very few CISOs or CIOs or CTOs I’ve talked to have been successful in arguing against it. So how can we turn this discussion into something that is beneficial?

It’s the way that people look at it. We have a choice in an extended warranty whether we purchase it or not. Or we can look like car insurance. We all hate paying our premiums on insurance but when we have it, and it comes time when we need it, it’s a good thing we do have it. Nobody wants to pay for insurance, and there’s always carve outs and things that you’re going to have to address but I think that if you can put things in place where you understand your premiums and policies, you’ll understand if you’ll be more liable or maybe you get less liability by adhering to those things. It’s actually a pretty complex process of understanding what insurance, what company, what premium levels, what qualifications you need to have; but in the end I think it’s just like car insurance. You’re going to need to have it but not rely on it.