
Emre Kulali Vice President of Business Development · 2019-09-18 · Gartner Report -“Improve...

Date post: 25-Jun-2020
Page 1: Emre Kulali Vice President of Business Development · 2019-09-18 · Gartner Report -“Improve Your Threat Detection Function With Deception Technologies” [ID G00382589, 27 March

Copyright 2019. Acalvio Technologies Inc. Proprietary & Confidential 1

Emre Kulali
Vice President of Business Development

Critical Acclaim!

About Us

Seasoned, Proven team with deep experience in security, start-up, profitable growth, innovation and shareholder value creation.

25 issued patents, 15 pending

Dave Markel
• ex-CTO, Mandiant
• Co-founder, CEO, Expel.io

Dr. Taher El Gamal
• Security CTO, Salesforce
• Inventor SSL
• Founder, Securify
• Chief Scientist, Netscape

Dr. Gerhard Eschelbeck
• VP – Security, Google
• CTO, Sophos
• CTO, Webroot

Prof Eugene Spafford
• Prof – Purdue Univ
• Co-inventor TripWire

Prof Dawn Song
• Professor – UC Berkeley
• MacArthur Fellow
• Founder, Ensighta (acquired by FireEye)

Academic Advisors

Industry Advisors

Investors

Team

Izak Mutlu
• ex-CISO, Salesforce, Silicon Graphics, Solectron

Connected World poses new security challenges

Intelligent EDGE

DATACENTER CLOUD: Public & Private

ENTERPRISE

Attacks & Breaches Keep Growing

Source: Verizon DBIR 2018

Attackers will penetrate perimeter defenses. (And there will always be Insider Threats.)

Today it takes >100 days to detect the attacker! (Too late!)

SOCs are burdened with false positives and skill shortages

While Dwell Time is in Months

Attackers are Getting In

Old Detection Techniques are not Effective

Anomaly Based

Signature Based

Generate too many False Positives and False Negatives

It is an asymmetric battle

We have to be right all the time

The attacker has to be right only once!

We are getting deceived all the time!

DEFENDERS CHALLENGE

Deception Changes the Game

Unique Deception Benefits
• Total Visibility
• High Fidelity, Low Volume Alerts
• Only True Signature-less Detection
• Capture Current TTPs of Your Attacker
• Misinformation Increases Cost & Risk for the Attacker

Pretend Inferiority and ENCOURAGE HIS IGNORANCE

– Sun Tzu

Gartner’s Top 10 Technologies for Information Security for 2018

1. Cloud Workload Protection Platforms

2. Remote Browser

3. Deception

4. Endpoint Detection and Response

5. Network Traffic Analysis

6. Managed Detection and Response

7. ….

https://www.gartner.com/newsroom/id/3744917

Managed detection and response (MDR) providers deliver services for buyers looking to improve their threat detection, incident response and continuous-monitoring capabilities, but don't have the expertise or resources to do it on their own. Demand from the small or midsize business (SMB) and small-enterprise space has been particularly strong, as MDR services hit a "sweet spot" with these organizations, due to their lack of investment in threat detection capabilities.

Deception technologies are defined by the use of deceits, decoys and/or tricks designed to thwart, or throw off, an attacker's cognitive processes, disrupt an attacker's automation tools, delay an attacker's activities or detect an attack. By using deception technology behind the enterprise firewall, enterprises can better detect attackers that have penetrated their defenses with a high level of confidence in the events detected. Deception technology implementations now span multiple layers within the stack, including endpoint, network, application and data.

Gartner on Deception

Gartner Report - “Improve Your Threat Detection Function With Deception Technologies” [ID G00382589, 27 March 2019]

“Security and risk management leaders looking for tools to build or expand their threat detection and response function should include deception tools in their stack. These tools are enterprise-ready and fully capable of delivering on five key use cases discussed in this document”.

A Closer Look at Deception

He Who is Prudent and LIES IN WAIT FOR AN ENEMY WHO IS NOT, Will be Victorious

– Sun Tzu

Deception in Nature

VENUS FLY TRAP

BUFF TIP MOTH

ANGLER FISH

RYE

DEAD NETTLE

Deception in Warfare

SECRET OPERATIONS are Essential in War; Upon Them the Army Relies to Make its Every Move

– Sun Tzu

Feigned retreat

Fictional units

Strategic envelopment

Smoke screens

Trojan horse

History of Deception Technology

Honeypots (Early 2000’s)
• Static honeypots
• Mostly low-interaction elements
• Lacking density and authenticity
• Expensive to manage

1st Generation Deception (Recent years)
• Limited automation
• Uses brute force deception
• Limited integration with IT tools
• Rules-based approach

Enterprise Deception (Today)
• Distributed decoys
• Self-learning & adaptive
• Vast Deception Fabric
• AI driven

Deception is NOT just Honeypots

Start with Multiple Decoy Types

Low Interaction

• Network services and applications

• Attacker cannot login

• Often done via emulation leading to lower quality decoys

• Can deploy many decoys

High Interaction

• Real VM Hosts, Applications, Database Servers, Shares

• Attacker can login – full interaction higher quality decoys

• Can only deploy Few Decoys

Add Lures to make Decoys Attractive

Deliberately place Lures
1. Vulnerabilities in OS, Application, Protocols
2. Weak configurations and permissions
3. Fake Service Accounts

Lead Attacks to Decoys

Breadcrumbs extend Deception to existing devices

Many uses for Breadcrumbs
• Act as Micro-sensors
• Give mis/information
• Give booby trapped tools

Key Requirements:
1. Need deployment Automation and Intelligence
2. Need to be kept fresh and unique
3. Avoid Accidental Alerts by Users
4. Agentless

Blend Deception into Neighborhood

Need believable Deceptions

Hard to blend manually if there are 100s of VLANs

Need Automated and continuous Blending of deceptions
• Networks can change
• Adversary behavior will change
• Threats will change

Keep Deception Dynamic

Static Deceptions
• Hardly changes
• Easy to fingerprint & avoid

Dynamic Deceptions
• Always auto-changing
• Hard to predict or identify

Shape-Shifting Mimic Octopus

Industrialize Deception

Industrialization requires TWO key ingredients.

1. Enterprise Scale
• Ability to deploy thousands of deceptions
• Across multiple physical locations

2. Ease of Use
• In both configuring and managing thousands of deceptions
• Automation, Automation, Automation

Finally - DO NO HARM

Deception must not introduce new risk into the environment.

A decoy cannot become a base for Pivot Attacks
• High Interaction decoys provide shell access to the attacker to gather TTPs
• Decoys may have intentional vulnerabilities to attract attacks
• Decoys may not be updated as frequently as enterprise hosts

Attack containment should be designed into the deception fabric
• Attacker will have privileged credentials to the decoy
• Ad-hoc containment approaches can always be compromised

The Ideal Deception Solution

Rich Palette of Deceptions

DECOYS: Add to Network
• Servers
• Workstations
• Applications
• Database Servers
• Printers
• Custom Images
• Network Services

BREADCRUMBS: Lead to Decoys
• Registry entries
• Files and Folders
• Memory Credentials
• Browser History
• Mapped Drive
• Credential Store

BAITS: Tripwires
• Files and Folders
• Beaconing Docs
• Database Rows
• DNS records
• Processes
• Directory browsing
• Content

LURES: Make Deceptions Attractive
• Vulnerabilities
• Mis-configurations
• Default/Weak credentials
• Weak Permission
• Registration in Catalogs like AD
• Entity names

Autonomous Deception

• Scale
• Efficacy
• Ease of use/mgt
• Cost Effective
• Automation & Intelligence
• Architected For Cloud

Patented Architecture: Deception Farms®

[Diagram labels: Threat Analysis Engine, AI Engines, Sensor, Enterprise Network (On-premises), Cloud VPC, Software Tunnels, SDN Fabric, Projections, Acalvio Deception Farm]

Scale – Supports Geographically Distributed & Hybrid Networks

• Central Management & Monitoring of Deceptions

• Decoys are dynamically Projected onto subnets

• Distributed Deceptions across multi-Cloud & on-premises network

• Automatically change Decoy count and façade on central ADC

• Enterprise scale

• Low TCO

• Resource efficient

Fluid Deception: Scale AND Depth

[Diagram labels: Attack, Sensor, Enterprise Network (On-premises), Projected Deceptions, Software Tunnel, SDN Fabric, Acalvio Deception Farm, Low Interaction Deceptions, High Interaction Deceptions]

Deception Playbooks

Separate Design of Deception from Deployment of Deception.

Design Deception Playbook

Autonomous Deployment & Management of Deception

Authentic Deception : Reflections Technology

Effective – Authentic Deception

Unique Decoy Targets
Projected into real network (hundreds or thousands)

Patented method of projecting false apparent hosts onto a network, while preserving fully authentic virtual machines for high interaction.

Adaptive Reflection Fabric
Creates One:Many Relationship
Low Processing Requirements

• SQL Database
• IIS Web Server
• Active Directory
• Exchange Server
• File Share Services
• DNS Services

Authentic Virtual Machine
Single Instance
One Set: OS / App Licenses

Integrations Woven into the Fabric

Acalvio stands alone

[Chart: axes "Completeness of Deception" and "Scale"; labels Deception 2.0, Deception 1.0, BrandX, BrandY]

Success Story

Strategic Partnerships

• Verizon offering a new service “Deception as a Service” powered by Acalvio

• Verizon projects 100+ wins in 18 months

Google + Acalvio will make a joint presentation @ Next 2019 in Tokyo

“See your Nemesis: The vital role of Deception Technology in Cloud Security”

Google strategic partnership
• Google will resell Acalvio

The goal is to include Acalvio deception as a first party experience while interacting with the GCP console. The vision is a simple purchasing experience with highly automated management and deployment. Customers should receive notification and a recommendation when they do not have deception coverage...

• Acalvio and Honeywell Partner to Protect Industrial Control Systems and Critical Infrastructure

“Ensuring the security of our customers’ critical assets (plants, machinery, control systems, processes, intellectual property, etc.) is an important imperative. We are very excited to partner with Acalvio to enhance its award-winning Deception Platform to support CyberDefense capabilities for ICS and IOT assets” Honeywell.

“Increasingly, our enterprise customers want to detect malicious activity with precision and speed. Acalvio ShadowPlex is the most innovative solution in the Deception space. Combining our security expertise with Acalvio’s award winning ShadowPlex platform offers customers a highly efficient and cost-effective solution to thwart advanced attackers.”

World’s Largest Deployment at Broadcom

• ShadowPlex deployed since Jan 2018
• Global deployment: US, UK, Germany, Japan, China, Malaysia, Singapore, India, Israel, South Korea
• Data Center, DMZ and End User networks
• Proven efficacy, scale, ease of management and cost effectiveness

10 countries

12 datacenters

80 enterprise sites

Acalvio Benefits

• East-West visibility for the very first time

• Detection efficacy: “zero day” attacks, Ransomware, APTs, vulnerabilities due to mis-configuration

• Precision in response

• Low IT overhead

Enterprise-wide Deployment at Eide Bailly

• ShadowPlex deployed since Jan 2018
• US wide deployment: 14 States
• Data Center and End User networks
• Proven efficacy, scale, ease of management and cost effectiveness

USA: 14 States

32 Offices

Top 10 CPA firm in USA
Founded in 1917

Fortune 500 Company
Founded in 1961

CyberSource Data – July 2019 – Analyst Report

ShadowPlex Summary

• Award winning NextGen Deception solution
• Innovative Patented Solution
• Largest Global Deception Deployment
• World Class partnerships to ensure Customer Success

Acalvio provides Advanced Threat Defense (ATD) solutions to detect, engage and respond to malicious activity inside the perimeter. The solutions are anchored on patented innovations in Deception and Data Science. This enables a DevOps approach to ATD, enabling ease of deployment, monitoring and management. Acalvio enriches its threat intelligence by data obtained from internal and partner ecosystems, enabling customers to benefit from defense in depth, reduce false positives, and derive actionable intelligence for remediation.

Thank you.

Emre [email protected]
+1 (408) 807-4529
