TopSpin Security’s DECOYnet Uses Deception to Defend Networks

Many IT security professionals have come to rely on perimeter defense technologies in an effort to prevent attacks. However, as demonstrated by continual corporate data breaches, traditional security measures even when properly implemented, have come up short, attacks undetected and critical data exposed. Simply put, how can the IT department protect business assets if hackers are able to penetrate perimeter defenses undetected? Herzliya, Israel based TopSpin Security aims to solve that security problem with its DECOYnet platform that is that is designed to protect resources using a different ideology, one of deception. DECOYnet incorporates advanced forensics with extensive traffic gathering capabilities to assist administrators to camouflage their subnets from intruders. DECOYnet uses technology that valid resources, while directing attackers to decoy resources and traps.

The dashboard shows summary information about various types of activity detected in DECOYnet. The top part of the window shows a graph view of all the incidents, decoy activity, amount of uploads and network activity (suspicious, but not yet over the threshold) detected in the platform. Red dots on the graph represent infected assets.

By hovering over the various data points presented on the graph, security personnel can drill down into specific assets and gain more insight about ongoing attacks or suspicious activity.

The Asset window provides users with the full profile of an infected machine, including the operating system, external data links, connected assets, browsers, which system and protocols the asset connects with and more.

The Incidents window displays all the relevant incident-related information. Incidents in DECOYnet represent a collection of events, where each event is based on some type of activity in the network, such as accessing or attempting to access a decoy and the command and control communication. Incidents can be shown in order of severity or time of occurrence.

The Communications Channels window displays information about the communication that go out of the organization to the Internet. These include anti-virus updates, Windows updates, FTP, Utorrents, shadow IT tools and so on. The channels are color coded as per the level of risk they pose to the organization.

The Networking Servers window displays information about the servers accessed from inside the organization. Each circle represents a different type of server. The size of each displayed circle indicates its associated server’s popularity. The larger the circle the more heavily that server is used in the organization.

Using the Internal Traffic window, security administrators can map the traffic going to and from servers. The information is presented in a graphical representation of all the servers within the network and the assets that are accessing those servers.

The table in this slide shows all assets that have uploaded in the system. The graph at the top of the window shows the total uploads and downloads since system installation. Users can hover over a specific day in the graph to display details for the uploads that occurred that day.

Using the Assets tab on the Environment window allows administrators to zoom in on decoys and mini-traps by double-clicking any icon on the Assets table. The deception coverage view at the bottom of the page shows exactly how the deception layer is spread out across the network.

DECOYnet’s Adaptive Deception functionality can be easily configured and deployed via the Subnets tab on the Environment window. Enabling adaptive deception on a subnet is done using an intuitive wizard. This wizard defines an entire decoy network and the Mini-Traps the point to it on any subnet. Once enabled, DECOYnet will automatically adjust the deception layer to changing network conditions.