As part of its defense against cybersecurity attacks, a pharmaceutical company is adding deception technology to its overall cybersecurity strategy.
Deception technology uses decoys, or traps, that mimic a network's actual IT assets. In its early days, deception technology required considerable manual labor and expertise to deploy, monitor and maintain. But, partly due to virtualization and automated deployment, the technology may be seeing renewed interest among healthcare organizations.
"We all know that there are a number of attacks that occur even in environments where they have multiple security controls deployed," said Mac McMillan, CEO and president of CynergisTek, a cybersecurity and information consulting firm.
"Unfortunately," he said, "we're not going to catch everything with solutions we have out there. We still need to think about security in depth, we still need to think of security as an integrated solution that starts at the endpoint and works its way back to the core. And [deception technology] is just another layer, another aspect of a security architecture that complements other security controls that an organization might have in place.
"Today, with the virtual solutions, especially with the [managed security service provider] variety where somebody is running it for you and reporting to you what they are seeing, I think it's making it much more accessible to a lot more organizations."
Taking a hands-on approach to cybersecurity
One organization taking advantage of the new breed of deception technology -- although with a very hands-on approach -- is St. Louis-based Mallinckrodt Pharmaceuticals. "The deception layer is just a piece of the overall security architecture," said Robert Jamieson, Mallinckrodt's chief information security officer. "No piece here is 100%."
"As defenders we have to have people directing machines, directing our technology to defend ourselves," Jamieson said. "So from an architectural standpoint, you have a deception layer that's built out that gives you the ability to deceive the attackers and also ensnare the attackers. So we put honeypots, honey directories, other types of objects inside there that makes the deception layer look active, look real, but also do things we want to do as far as ensnaring the attacker."
Jamieson, who said he operates a mature cybersecurity practice, uses deception technology "to reduce the amount of noise that gets into our actual environment and to gather intelligence on the people who are attacking us so we can think about how we would defend against them when they try another attack vector."
It's all about strategy, he said. "There are three attack vectors ... one is email, one is exploiting system vulnerabilities by external attackers, one is insiders. Those are the things we're defending against. What are the attackers coming after, how are they coming after us and how should we respond. So my practice is more offensive countermeasures than it is passive security."
Cybersecurity strategy focuses on attack vectors
Jamieson said he builds his cybersecurity defenses around the attack vectors. "Phishing emails aren't the problem," he said. "Six to 17% of the population will always click. You can't fire them all. Some of them may even be your CEOs. It's really about getting control of email."
Robert JamiesonCISO, Mallinckrodt Pharmaceutical
At Mallinckrodt, email flows through a strong filter. "And we don't allow OWA or connections directly to email clients that don't flow through our security architecture," Jamieson said. "And then we built our security architecture so that we can do something about the emails. So, for instance, if we have a hacker trying to get into the system through email we can shunt that to our SMTP server, which sits in our deception layer, and we can start responding back to that attacker with false messages -- but also harvest information about whose attacking you, why they're attacking and what they're doing."
In addition to email vulnerabilities, Jamieson said, "you have your unpatched or unknown vulnerabilities ... and there's all kinds of people that scan you. But there is no good reason to allow them to scan you. We shunt those scans to a VLAN that's separate from our architecture. And in the VLAN we have set up a deception layer that emulates our environment."
When an attacker scans the network, Jamieson said, "We can spoof back a response to them indicating that they've got to the site they were looking to get to." Inside the deception layer, an attacker will unknowingly find traps "that will slow them down, allowing us to find out more intelligence about them."
The intent of the deception layer, Jamieson said, is "to shunt out traffic so it won't hit our actual environment, which reduces the noise in our environment, and by that reduction in noise we can see the other attackers who are more clever. We can see them more easily and we can work with those attackers quicker and look at addressing them much faster."
Automation plus customization fits the need
Jamieson chose deception technology from Fidelis Cybersecurity for more than its automation and virtualization capability. "Fidelis does have some automation, but I don't believe in 100% automation, so it is a lot of configuration capability that we have," he said. "We chose Fidelis because they had this ability to create an image of our systems in our VLAN. They are a small company, so they are flexible and they listen to us when we talk about how each piece needs to be designed."
Regarding automated deployment of the deception technology, Doron Kolton, Fidelis Cybersecurity's deception CTO, said, "We look at the environment, we analyze the traffic and we use this information in order to automate the deployment of the deception. Let's say you have an organization with 50 different VLANs. You need to know what kind of system is on each VLAN, what services are used, what data is used. ... The only thing we need is the organization to provide us the relevant IP address and you have deception running on each one of the VLANs. This is something you couldn't do in the past."
But for Jamieson and his cybersecurity team, the work doesn't stop with initial deployment. "We have had Fidelis about a year -- so it's a work in progress," he said. "Don't think of it as a one and done. It's not something you deploy and it's done. ... It's never completed, it's never done. You're always working on making it better, more integrated, making it more effective, and as long as we have a cybersecurity practice, there's no end to that."
The adoption of deception technology by Mallinckrodt fits the trend that CynergisTek's McMillan sees. "Generally, the health systems that we've seen considering deployment of deception technologies," he said, "are the larger systems that have more sophisticated IT organizations, more sophisticated security groups. We haven't seen it in the smaller healthcare organizations and many of the midrange. But there is discussion around it."
But McMillan believes the use of deception technology by healthcare organizations shouldn't be ignored. "I have a very strong opinion," McMillan said, "that for most healthcare organizations, if you're going to engage in deploying deception, you ought to seriously consider going the virtual deception route, not trying to build your own honeypots and managing them."