If ever there was a need for new ideas in IT security, the time is now. All one has to do is mention hacking victims like Target, Home Depot, Sony and the IRS, and the images come wincingly to mind.
It’s pretty obvious that passwords, firewalls and private networks simply aren’t going to cut it anymore. It’s all too easy for even a semi-sophisticated cyber-criminal to scan for passwords and find back doors into Shangri-Las of personal and business data that sooner or later amount to illicit money in his bank account.
Well, truth be told, there are some new ideas coming that may finally cut the bad guys off at the pass before they can do significant damage. Most of these initiatives involve proactive schemes that use analytics to predict what might happen in a data breach, assess risk and either warn the stakeholder, halt the action in progress, or both. Others are more data-centric, guarding individual items within a store and sending out alarms if anything is moved by someone who shouldn’t be doing any moving.
Four-year-old startup Attivo Networks of Fremont, Calif. is one of those new-gen thought leaders, bringing its own approach to security in a sector called honeynets. A honeynet is a network of decoy systems (honeypots) that appear vulnerable or valuable but carry no production workload; its purpose is to invite attack so that an intruder's activities and methods can be observed and the resulting intelligence used to harden the real network.
How a Honeynet Works
Honeynets draw the attacker in, record his methods, hook him on data that looks valuable, then slam the door and hold him in quarantine inside the decoy environment. Attivo is a self-contained, on-premises-only installation that works throughout a network.
Attivo Networks is getting so much attention lately that it may soon become known as Honeynets R Us. The company, which has only been shipping product since mid-2014, nonetheless has a list of marquee-type clients in the financial services, health care and IT industries.
Attivo landed an $8 million venture capital influx from Bain Capital Ventures last April to add to an original $8 million from an angel investor.
“In just the last few years, we’re seeing the market now coming to us, whereas they realize that just doing prevention by itself is not enough,” CEO Tushar Kothari, a 25-year veteran of IT business and financial management, told eWEEK. “They now know that they need to detect a breach before it can do significant damage. In the last 12 months we’ve seen the headlines indicating the issues created by those breaches and the damage done to those companies.”
Most conventional solutions are not efficient enough to detect those breaches quickly. “In most cases, it takes six months-plus to find out that they’ve been breached,” Kothari said.
Attivo Gaining a Following
Attivo is not exactly a household name in the Silicon Valley — or elsewhere, for that matter — but it is gaining a track record. As one might imagine, it has a number of customers who would rather not let the world know that they are using a honeynet package.
Honeypots and honeynets aren't new, but the network-wide way Attivo Networks deploys them, combined with some patented components, is a distinctive approach.
Here’s how Attivo Networks works inside an IT network:
–Lures bots and advanced persistent threats (APTs) that are scanning for or targeting valuable corporate assets into "attacking" Attivo's high-value, self-sustaining honeynet;
–Detects and identifies bot and APT infections that already exist inside the network;
–Isolates bot and APT activity, including sleeper and timer-triggered agents, before it damages network assets;
–Raises alerts on validated bot and APT threats, with the intelligence needed to take immediate action; and
–Provides full forensics on each attack, to help extract signatures and determine tactics, techniques and procedures across the malware lifecycle.
How Attivo Networks is Raising the Bar on Honeynet Security
Multiple Linux, Windows Versions in the Trap
Attivo can turn off servers, routers or other devices as needed when they are compromised, Kothari said. The software uses three versions of Linux, three versions of Windows, and runs a list of services on them to provide the honeynet.
“Once a device is infected (in an exploit), then it will look for services and servers it was designed to exploit. We take some unused IP addresses in every subnet, and present ourselves multiple times across networks and across every device as a very attractive target,” Kothari said.
“Essentially we have a full platter of cheese with all the different varieties; underneath it is a very sophisticated technology that comes pre-positioned. Then we watch and see if somebody comes and bites it.”
When an attacker does bite, he doesn't know what hit him: from his vantage point a decoy looks like any other host on the subnet, so nothing tells him that the connection he just made is itself the alarm.
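The mechanism Kothari describes above, unused addresses in each subnet turned into decoys and any connection to them treated as an alert, is simple enough to show in code. The following is an added example written for this article, not Attivo's software: it picks decoy addresses from the unused part of each subnet, runs constructed flow records (the shape loosely follows a NetFlow or Zeek conn log) through a detector, and ranks the sources that touched decoys. The detector needs no signature, which is what makes the approach work against attacks nobody has seen before. One assumption is added that the article does not mention: authorized vulnerability and inventory scanners also sweep unused addresses, so the example keeps an allowlist of those sources; without it they would appear as attackers. Subnets, addresses and flows are all made up for the demonstration.

```python
"""Decoy-touch detector: report any host that connects to an address that
should never receive legitimate traffic.  Added example; not Attivo's code."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed; fields mimic a NetFlow/Zeek conn entry)."""
    ts: int
    src: str
    dst: str
    dport: int


def plan_decoys(subnet: str, in_use: set[str], per_subnet: int = 3) -> list[str]:
    """Return `per_subnet` unused host addresses in `subnet` to host decoys.

    .hosts() already skips the network and broadcast addresses; anything in
    `in_use` (DHCP leases, static assignments) is skipped too, so a decoy never
    collides with a production host.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    picked: list[str] = []
    for host in net.hosts():
        if str(host) in in_use:
            continue
        picked.append(str(host))
        if len(picked) == per_subnet:
            break
    return picked


def detect(flows, decoys: set[str], authorized_scanners: set[str]) -> dict[str, list[tuple[str, int]]]:
    """Map each source that touched a decoy to the sorted (dst, dport) pairs it hit.

    No signature is consulted: a decoy has no legitimate clients, so any
    connection to it is evidence of scanning or lateral movement.  The one
    expected class of touches, authorized scanners, is allowlisted (an
    assumption of this example); every other source is reported.
    """
    touches: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.dst in decoys and f.src not in authorized_scanners:
            touches[f.src].add((f.dst, f.dport))
    return {src: sorted(t) for src, t in touches.items()}


def rank(alerts: dict[str, list[tuple[str, int]]]) -> list[tuple[str, int]]:
    """Order alerting sources by how many distinct decoy targets they hit.

    A host that sweeps several decoys on several ports looks like an active
    scan and belongs at the top of the analyst's queue.
    """
    return sorted(((src, len(t)) for src, t in alerts.items()), key=lambda x: (-x[1], x[0]))


# ---- constructed sample environment -------------------------------------
IN_USE = {"10.1.0.1", "10.1.0.10", "10.1.0.11", "10.2.0.1", "10.2.0.20"}
DECOYS = set(plan_decoys("10.1.0.0/24", IN_USE)) | set(plan_decoys("10.2.0.0/24", IN_USE))
AUTHORIZED_SCANNERS = {"10.0.0.5"}  # hypothetical vulnerability scanner

SAMPLE_FLOWS = [
    Flow(1, "10.1.0.10", "10.1.0.11", 445),   # real host to real host: normal
    Flow(2, "10.1.0.11", "10.1.0.2", 445),    # compromised host probing a decoy
    Flow(3, "10.1.0.11", "10.1.0.3", 445),
    Flow(4, "10.1.0.11", "10.1.0.3", 22),
    Flow(5, "10.1.0.11", "10.2.0.4", 3389),   # and across subnets
    Flow(6, "10.0.0.5", "10.1.0.2", 22),      # authorized scanner: suppressed
    Flow(7, "10.2.0.20", "10.2.0.2", 80),     # single touch, still reported
]


if __name__ == "__main__":
    alerts = detect(SAMPLE_FLOWS, DECOYS, AUTHORIZED_SCANNERS)
    for src, count in rank(alerts):
        print(f"{src}: touched {count} decoy target(s): {alerts[src]}")
```

The ranking step is where a real deployment would feed its response path (isolate the host, as the article says Attivo can do); the detection itself is just set membership on the destination address, which is why the approach carries no signature database to keep current.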
Kothari said Attivo protects systems against zero-day exploits. A zero-day vulnerability is a hole in software that the vendor does not yet know about, so no patch exists for it; an attack that exploits such a hole before the vendor learns of it and ships a fix is called a zero-day attack, and signature-based defenses cannot recognize it because nothing about it has been seen before.
Stops Zero-Day Exploits
“We are ideal for zero-day attacks because we are not relying on any prior knowledge of the attack. All we are doing is watching our own servers to see who’s attacking us, so we don’t need any signature or anything else to compare,” Kothari said. “So there are no false positives.”
Kothari, who joined the company in 2013, said that Attivo installs and works well with existing security infrastructure and does not interfere with network operations. It can be deployed either on a physical commodity server appliance or as a virtual appliance, he said.
Along with Kothari, the Attivo team includes serial entrepreneur and Executive Vice-President Mano Murthy, and Srikant Vissamsetti, senior vice president of engineering.
Earlier this year, Attivo landed a well-known Silicon Valley name in Enrique Salem, former president and CEO of Symantec, for its board of directors. Salem is managing director of Bain Capital Ventures.