Acalvio ShadowPlex Builds Deception Farms to Lure Attackers

Security firm releases its first generally available product release, providing a cloud-enabled platform for security deceptions that aim to trick and trap attackers.

security threats

Security firm Acalvio debuted its ShadowPlex deception technology platform on April 19, marking the first release of the company's platform.

Acalvio emerged from stealth in July 2016 with the promise of an new type of security defensive technology it called - fluid deception. The basic idea behind any deception technology is to provide some form of false front to trick attackers into thinking they are actually exploiting real users and infrastructure.

"The only way to have attackers announce themselves is to have some form of deception technology,"  Ram Varadarajan, CEO of Acalvio told eWEEK.  "If someone is attacking the decoy, then by definition, they are up to no good."

Since emerging from stealth last year, Varadarajan said that Acalvio has been working on how to effectively deliver deception technology in an efficient manner. As part of its development, Acalvio figured out how to deliver deception technology from the cloud, as a service. It's an approach that Varadarajan refers to as - deception farms.

"Deception farms technology allows us to project deceptions from the cloud in to networks," Varadarajan said. "So to the attacker, the deception looks like its on the local network, but it's really in the cloud."

From a deployment perspective, Acalvio's ShadowPlex technology installs a small agent on the customer's network that builds a secure tunnel and projects IP addresses on the local network that are not otherwise being used. The backend architecture behind ShadowPlex is a combination of virtual machines (VMs) and docker containers. Varadarajan said that VMs are used to mimic machines on network, while containers are used for applications and services. Acalvio uses an open-source Software Defined Networking (SDN) technology to help orchestrate the ShadowPlex offering.

A core element of the ShadowPlex platform is the Adversary Behavior Analytics (ABA) feature.  Varadarajan explained that ABA provides context into adversary behavior to look back and attempt to determine the attacker's path through the network. ABA helps to determine a root cause analysis for how an attack occurs.

"We take the facts we know, from the attacker's access into the decoy and then we go to the resident SIEM (Security Information and Event Manager) in a company and ask the right questions, to find out the bigger picture," Varadarajan said.

Varadarajan said that there is also a threat analysis engine in ShadowPlex that attempts to understand what is happening with a given attack. Over time the plan is to further enhance the threat analysis with additional capabilities and insights.

"Our whole plan is to detect, engage and respond," Varadarajan said. 

ShadowPlex can plug into various vendors security workflow platforms to help enable remediation, including Splunk's Adaptive Response program.

There are multiple vendors in the market today with deception technology including TrapX, Illusive and Attivo. Varadarajan sees his firm as differentiating in several areas including the cloud delivery and fluid deception model that scales as demands change.

"The objective is to make sure that the decoy response to the attack always looks authentic," Varadarajan said.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.