Distributed Platform-Powered Deception Technology

At vArmour, we’ve spent a lot of time, effort, and energy these past few years building the world’s most effective application-aware microsegmentation solution: the innovative Distributed Security System (DSS). This system allows our customers to segment their workloads from each other, wherever they reside, with stateful Layer 7 awareness and fully automated policy controls. Doing so with an infrastructure-based approach, rather than an endpoint-based (agent) approach, was a more substantial engineering undertaking for vArmour, but it has resulted in an extremely powerful platform on which to layer additional security services and control them through the flexibility of advanced security policy. The first additional service to be added to our platform is our game-changing, patented Deception technology, for which we’ve won multiple awards (most recently, vArmour DSS Deception won Gold at the 2017 Global Excellence Awards® in Deception Based Security during RSA 2017).

What makes vArmour’s Deception technology unique is that it’s powered and enabled by a distributed platform architecture. This allows us to solve key problems that plague the traditional pure-play deception providers, such as:

  1. How do I get malicious traffic into my system?
  2. What do I do with them once they’re in there?
  3. How do I scale the solution to provide broad coverage?

1. How do I get malicious traffic into my system?

Traditional deception technologies typically take one of two approaches to this. They either build their technology as agents that reside on real endpoints, or they stick a box in the network (“One of your boxes would go right here in this rack. Let me show you the next location in which we’d install one of your boxes.” Love that show: Silicon Valley, S03E03, “Meinertzhagen’s Haversack”) and give it a bunch of unused IP addresses on which it hosts dummy services. Each of these approaches has significant flaws. The agent model competes and conflicts with other endpoint agents, relies on the system being protected to protect itself, and consumes resources on the workloads, while the box model relies on someone just stumbling across the system, or on a third-party flow processor with a “dumb policy” to redirect traffic.

vArmour is different. vArmour microsegments every single workload in the environment and wraps each with Layer 7 security policy. However, unlike a simple NGFW policy which might be limited to Permit or Deny actions, vArmour has another option: Redirect. This allows our customers to write security policy, which can be updated dynamically based on whichever triggers make the most sense, that redirects any traffic that matches the policy rules to vArmour DSS Deception.

Take a simple example: “I want my application servers to be able to talk to my databases over application type mysql, but if a database server reaches out to an application server or to another database server, instead of simply blocking, redirect that traffic to a Deception Point (DP) since that’s not a normal communication pattern.”

Here’s a more complex, but just as powerful, example: “My endpoint anti-malware solution saw server X pull down a file with a known bad MD5 hash. Set vArmour microsegmentation policy to redirect any traffic sourced from that server to the Deception Point, and quarantine based on the activity reported by Deception.”

Since vArmour controls the packet flow, vArmour determines where packets should go. To the attacker, it looks and feels just like he landed on his intended target machine, regardless of target IP address.

2. What do I do with them once they’re in there?

When an attacker lands on our Deception Point (DP), he sees a machine with the IP address of the machine he thought he was trying to hit. He can interact with it as if it were any machine hosting HTTP, HTTPS, SQL, SMB, FTP, Telnet, SSH, or a number of other services. vArmour DSS Deception captures and logs all interactions with the DP, including the download of pre-staged files, the upload and attempted execution of malware, attempts to encrypt the storage, attempts to spread malware laterally, as well as things like dictionary, password-file, or brute-force attacks. Since vArmour is also providing the microsegmentation and forwarding capability to get the traffic to Deception in the first place, if an asset is deemed compromised, it’s easily quarantined. vArmour is the only solution in the industry providing a full closed-loop intercept, deceive, and quarantine workflow via microsegmentation. Others may offer one or two of those steps but rely on other vendors for the missing ones.
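The redirect-driven policy engine from section 1 and the intercept-deceive-quarantine loop from section 2, as an added example that is not vArmour’s code: a toy microsegmentation policy engine with Permit, Deny, and Redirect actions, a constructed workload inventory, constructed Deception Point log lines, and a quarantine step that feeds DP observations back into policy as a new dynamic label. Every address, role label, rule name, log field, and threshold here is an assumption made for illustration.

```python
"""Added example, not vArmour's code: a toy microsegmentation policy engine
with Permit/Deny/Redirect actions and the closed loop the post describes
(intercept, deceive, quarantine). All roles, addresses, rule names and
Deception Point log lines are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, DENY, REDIRECT = "permit", "deny", "redirect"

# Hypothetical workload inventory: role labels stand in for the tags a real
# microsegmentation system attaches to each workload.
INVENTORY = {
    "10.1.0.10": "app", "10.1.0.11": "app",
    "10.2.0.20": "db", "10.2.0.21": "db",
}
DATACENTER = ip_network("10.0.0.0/8")
DECEPTION_POINT = "10.250.0.5"  # constructed DP address


@dataclass
class Flow:
    src: str
    dst: str
    app: str  # Layer 7 application id, e.g. "mysql" or "ssh"


@dataclass
class Rule:
    name: str
    src_role: Optional[str]  # None matches any role
    dst_role: Optional[str]
    app: Optional[str]       # None matches any application
    action: str


@dataclass
class Policy:
    rules: list
    quarantined: set = field(default_factory=set)

    def role(self, ip: str) -> str:
        """Quarantine is a dynamic label that overrides the static inventory;
        datacenter addresses with no workload count as unused space."""
        if ip in self.quarantined:
            return "quarantined"
        if ip in INVENTORY:
            return INVENTORY[ip]
        return "unused" if ip_address(ip) in DATACENTER else "external"

    def evaluate(self, flow: Flow) -> tuple:
        """First matching rule wins; default is deny. A redirect forwards to
        the DP but keeps flow.dst, the address the DP presents to the source."""
        src_role, dst_role = self.role(flow.src), self.role(flow.dst)
        for r in self.rules:
            if r.src_role not in (None, src_role) or r.dst_role not in (None, dst_role):
                continue
            if r.app not in (None, flow.app):
                continue
            target = DECEPTION_POINT if r.action == REDIRECT else flow.dst
            return r.action, target, r.name
        return DENY, flow.dst, "default-deny"


def build_policy() -> Policy:
    return Policy(rules=[
        # Dynamic trigger: anything sourced from a quarantined host goes to the DP.
        Rule("quarantined-to-dp", "quarantined", None, None, REDIRECT),
        # The post's simple example: app -> db over mysql is normal traffic ...
        Rule("app-to-db-mysql", "app", "db", "mysql", PERMIT),
        # ... but a database reaching out to anything is not, so deceive, don't drop.
        Rule("db-outbound-to-dp", "db", None, None, REDIRECT),
        # Unused datacenter address space all lands on the single DP.
        Rule("unused-space-to-dp", None, "unused", None, REDIRECT),
    ])


# Constructed DP interaction log: one key=value record per interaction.
DP_LOG = [
    "ts=2017-03-01T10:00:01 presented_as=10.3.0.7 src=10.1.0.10 svc=ssh event=auth_fail user=root",
    "ts=2017-03-01T10:00:02 presented_as=10.3.0.7 src=10.1.0.10 svc=ssh event=auth_fail user=admin",
    "ts=2017-03-01T10:00:03 presented_as=10.3.0.7 src=10.1.0.10 svc=ssh event=auth_fail user=oracle",
    "ts=2017-03-01T10:00:09 presented_as=10.3.0.7 src=10.1.0.10 svc=smb event=file_upload name=payload.bin",
    "ts=2017-03-01T10:05:00 presented_as=10.2.0.21 src=10.2.0.20 svc=mysql event=login user=replica",
]


def parse_dp_line(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split())


def quarantine_candidates(log_lines, auth_fail_threshold: int = 3) -> set:
    """Sources that upload a file to the DP or fail auth at least threshold times."""
    failures, flagged = {}, set()
    for rec in map(parse_dp_line, log_lines):
        if rec["event"] == "file_upload":
            flagged.add(rec["src"])
        elif rec["event"] == "auth_fail":
            failures[rec["src"]] = failures.get(rec["src"], 0) + 1
            if failures[rec["src"]] >= auth_fail_threshold:
                flagged.add(rec["src"])
    return flagged


def closed_loop(policy: Policy, log_lines) -> set:
    # Intercept -> deceive -> quarantine: DP observations become a policy change,
    # after which the quarantined-to-dp rule catches the host's next flow.
    hosts = quarantine_candidates(log_lines)
    policy.quarantined.update(hosts)
    return hosts
```

Run `build_policy()` and evaluate the app-to-db mysql flow before and after `closed_loop(policy, DP_LOG)`: the same flow goes from permit to redirect once the app server has been flagged by its DP interactions, while the unaffected app server keeps its permit. Rule order matters in this model, since the quarantine rule is listed first so that the dynamic label wins over the static allow.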

3. How do I scale the solution to provide broad coverage?

This is where the power of vArmour DSS really allows Deception to flex its muscle. A single vArmour Deception Point VM can cover *every IPv4 address* in existence whether it’s occupied or not, and it’s all controlled by policy and microsegmentation.

  • Want your Deception Point to look like your PCI database servers? No problem!
  • Want your Deception Point to look like your SWIFT gateways for anyone not authorized to access those assets? Go for it!
  • Want your Deception Point to be the destination for all of your unused datacenter IP addresses? No problem!
  • Want it to look like cows.com? That’d be weird, but OK!

While some products will assume chunks of unused IP space in the RFC 1918 ranges to mimic internal hosts, they don’t typically have the ability to assume the identity of real servers, since networks don’t really like that.

Bottom line: The ability to bring to bear all the logic and controls of an advanced policy engine to deception technology is a true differentiator, and allows our customers to transform deception technology from a science experiment (with limited scope and effectiveness) to an extremely impactful and simple tool for combating modern cyber threats through the power of microsegmentation and application layer controls in a single platform.

Additional information about vArmour DSS Deception can be found here:
