Well, hello and welcome to another KuppingerCole webinar. My name is Alexei Balaganski. I'm a Lead Analyst at KuppingerCole. And our topic for today is "Using deception for early and efficient threat detection". My guest, the guest speaker for this webinar is Wolfgang Halbartschlager, who is a sales engineer at Illusive Networks. And before we begin just a bit of shameless advertisement for KuppingerCole, we do offer a number of online events, similar to this webinars in technology, but in a bigger context and scale, if you will. So if you're interested in any of the topics listed on the slide, please do not hesitate to visit our website and register in advance. A few housekeeping words: you are muted centrally. So you don't have to worry about your sound settings. And we are making the recording of this webinar. It will be published on our website latest tomorrow, and everyone will get an email with a link.
Also, we will publish this slide decks of both speakers as well. You'll have questions and answers, session beans out of the webinar, but you are welcome to submit your questions at any time, you can use the questions box on the GoToWebinar control panel, which you probably see on the right side of your screen. Now, the agenda, what did they tell you now is typically structured into three parts. First, I will start with my part. I will be talking about the theoretical and high level aspects of modern threat detection technology and their challenges and how distributed deception can actually overcome those. Then I will handle what guard who will be providing you a deeper technical overview of the technology is planning to have a live demo of the solution and action. So stay tuned for that part. And then I mentioned earlier, we will have a Q&A session in the end, and without further ado, let's just start with the first slide.
Oops. Right? Third one, the world is connected are on this slide. I try to represent the way a typical or crudely represent the way a typical modern it infrastructure looks like for a sufficiently large enterprise. So you will not only have that customer mode, that network period, or surrounding your on premise corporate network, because your network extends into many, many places, including cloud or clouds, but manufacturing areas, regional offices, mobile workers, contractors, partners, anywhere. And of course you have data everywhere. You have connectivity everywhere and everywhere you have potential attack surfaces, which somehow have to be protected. But the traditional approach no longer works quite a few years ago. This has led to a quote unquote great paradigm shift in cybersecurity basically are the experts told, okay, we are no longer able to protect you the way we used to do it for decades earlier. So at least let's try to detect and identify every attack on your infrastructure as soon as possible. And just as an illustration I've placed or the screenshot of the famous MITRE attack framework, your best controls you that on a different stages of a cyber attack, you can only think about protective measures wherever it early in advance during the initial stages of that attack. Although the surge, you basically have you resort to reactive measures to try to detect an attack, identify what's going on. And of course, try to mitigate the losses.
And of course, this has led to a massive expand, explosive growth in different kinds of security detection tools. You have tools for network security analytics, you have tools for endpoint, security, analytics, operational technologies, mobile cloud, you name it. And basically if we overlay our first slide with some of those security tools, it will have lots of disjointed disconnected security tools deployed across your it landscape. And all of them typically report to a central repository of security information and event the scene in the security operation center. And of course you have a person or some persons security experts who are tasked to respond into those security detections. And unfortunately more often than not, they are extremely overwhelmed because they are getting way too many.
Okay, this slide I've listed a few general challenges. Like why, why, why those seem to have, and other traditional detection, security detection tools not work quite as well as we're expected to. Well, as I mentioned, first of all, in a sufficiently large company, they simply generate too many alerts. We are talking about millions of alerts daily. Even if you are a small company, if you only have a few hundreds, that's still way too many for a person to actually meaningfully respond to them. The, just understand what's going on a lot on those alerts are actually false positives. They're just statistical noise generated by log management platforms or machine learning assisted or statistical methods, which try to identify something which is not known in the malicious, but at least looks suspicious. Many of those cases are simply false. And of course, all those tools are focusing on defense and detection.
They are not aligned in thinking if you will, the way attackers operate in the anti hype, all those challenges I've listed on the slide. Yes, you have what a highest, not the lowest level or, and of course the events and the loads are, are generating, generating storage volume. You have to pay for, or you have too many false positives. You have very little automation and intelligence in terms of understanding, which is more important than the other one. And of course, even if you do detect a problem, and if you do manage to identify it in time, you still have to manually respond to those alerts. So you have to switch to a different console or type your IP address, for example, manually and look up what's going on there and how to lock it, for example.
So yeah, sometime ago there was even a motto slogan. If you build it, the scene is dead. Of course, the modern scene is by far more intelligent and more sophisticated than those first generation tools, but still there are people that are experts to believe that traditional detection approach, when you only deal with every single you catch Emery alert, and somehow you have to manage those volumes, they need some kind of a more reasonable replacement. And if you just step back and look at the cybersecurity of the whole on the left, are I F based in that most traditional five stages of our NIST cybersecurity framework, which basically tell you with Emery cyber attack, or at least Emory mitigation of cyber, they go through five stages. So we have to identify what's going on. You have to take some proactive measures. You have to detect the attack, you have to respond to it.
And finally you have to recover. And this would be not, of course we are not focusing on identification recovery, because it has not much to do with, I think itself, we are focusing on three aspects like immediately before an attack during the attack and after the attack. And or basically these are, I mean, after a tech has obviously respond during the tech is detect, but how should we call the stage before the tech? Like when you are not experiencing an attack yet, but you are doing something, not just a patient preempt, maybe hard-on something like that. There is no established term, but let's just say preempt, if you take another step back and look at the whole, or kind of idea, why are you actually protecting your it infrastructure from an attack in the end? It's all about security, your business data, your information, the digital data you have scattered across your own prem cloud, mobile and other environments on this slide, I've included the concept of information protection lifecycle.
This is a high-level or largely theoretical even academic content that KuppingerCole has come up with. Recently. My colleagues are currently developing and going down into details and developing some additional research to explain how each stage of the information protection life cycle is translated into specific tools and technologies and techniques. But it's really important to highlight that you start protecting your data, even before you acquire the data and you have to do it externally through the whole life cycle. And then you have to even think about it after you dispose it until you safely dispose of the data. And some other technologies which are involved are listed on the right side. So you obviously have to secure the data in place. So you have to encrypted, you have to control access to the data you have to detect what's going on around it. You have to contain the breaches, but the last but not least, you also have to bring about something which is called deception.
And this is really the thing we are going to be talking about in this webinar, because deception is something which not many people think about as the principle part of this life cycle. But the fact of the day is spent in some regards and some experts. It offers you a very substantial reduction of complexity and effort, or you need to invest into data protection for the three of them. That if you manage to distract an attacker away from your real data, for some kind of or tripe, the not only you actually keep your real data safe, but you provide your security analysts a much more deterministic security are using data to identify what's going on. What kind of want to take her you have in your network and how to isolate them as quickly as possible?
Well, this is another ongoing part of our information protection life cycle research that we had to kind of understand which tools, which although additionally, disjointed security tools are used at each stage of the IPLC life, the life cycle. And of course, when you're talking about the assumptions, the first thing which comes into mind are honeypots honeypots are by no means new. They have existed for decades, and the honeypot of horses are simulated it environment like a simulated sober or workstation or a printer. If you will, which imitates activities you typically see on a real system, at least on the networking level, or if you manage to lure the attacker to actually connect to a honeypot, you will always be one step ahead them, because you will know about them. You will see what they do, which tools are they using before they even get into your real system.
The biggest problem is honeypots they are complicated. They usually are not sophisticated enough to emulate the full breadth of our system functionalities. There's only focused on the very narrow aspect. Like for example, you're relate on a network connected printer. And of course, or if you have many it's extremely difficult to maintain, or the overview of what's going on across all of them, this is why the next logical step was a distributed deception. So the approach, I would probably call a honeypots on steroids, or if this is like a crude representation of your existing corporate network, where you have workstation servers storage and so on, or you leave a lot of traces on our systems or cached credentials or stored passwords, or like links to, or remote desktop possessions to your server and so on. So when the hacker gets access to an initial entrance entry point into your system, he will actively look for those breadcrumbs. And those breadcrumbs allow him instead of wandering through your network, blindly to target the next important system. And then the next one, and they will pay directly to your crown jewels on the right, if you below the database with Europe or financial information or customers. And so on, the question is how do you deal with it?
Well, deception allows you, or deception gives you, or three major distributor deception gives you three major advantages. First of all, you start thinking like the attacker, you no longer need to monitor all of your systems. You can identify which systems are crown jewel, which systems are the most likely to be breached and monitor only those primarily. And then of course you can deploy the lures on those credentials, which look like real ones, but actually lead you to a trip with different system, which will allow you to intercept the attacker and understand their behavior before they actually get to your crown jewels, largely achieved through automation, or you can deploy thousands of credentials with a single mouse click, and you can manage dozens or hundreds of those or decoy systems centrally, but kind of the best thing that any security event, any alert generated by the systems will be a hundred percent deterministic because you can, you always know that no legitimate user or whatever, touch those ecosystems. So any alert generated by that system is a hundred percent true. So you basically avoid false, false, positive, yeah.
And animation, if you will, of how those distributed deception system works, because they identify nos or insecure connections between systems and try to block them, obviously, by, for example, removing those cached credentials, okay. Then they deploy the traps and the trap can be just a simple or quake or configuration file for your remote desktop tool deployed on your normal workstation, which will go to the court system. Or it could be a fourth fake administrator administrator password. And of course, if someone tries to log in with a password, it will trigger an alert on the active directory. Saba is basically mean that the hacker or the hacker's job is now not as easy as before, because he is helplessly lost among the trees is lost. He is driven away from the crown jewels into a trap, and then he will stay letting your security expert to react as quickly as possible.
No, it sounds almost too good to be true. And in fact, I float some people honestly believe in the distributed exception replaces all that additional security or it doesn't. No, it's not that as the say, oh, it's not Eileen milk in the wooly pig. You can see on the screen, or it does not replace your endpoint protection detection system. It does not replace your network detection and response system. It doesn't imply that you no longer need privilege management or throne authentication. You still do, but it gives you two huge improvements. First of all, at least about design distributed official system integrates with all of those solutions and gives you a tool, single pane of glass with the military, into what's going on in your system, both from the point of view or security expert. And from the point of view of a potential attacker. And second, as I mentioned, it gives you this nice combination of statistical and deterministic approaches.
So on one hand, you can detect anything you want. If you really are looking for detection, every kind of a load, then you have enough mind power to understand, react to all of those. On the other hand, it will give you a hundred percent risk score to notice deterministic protections so that you can always start with an easy one. So yes, a disability assumption does not replace all those, but it compliments and improve all of those existing security tools. And this is my slide. My last slide for today with some key takes away to take away. So yeah, traditional perimeter security is no longer about us. It has been dead for decades and yet that's a great paradigm shift was not the silver bullet. Forensic analytics is hugely important, but it won't save you from the text because detecting everything just doesn't help. You have too many false positive. You have this treasured alert, fatigue where even the best security areas simply have no time to react. But even to read every alert, corrective hardware is still largely irrelevant, but you have to understand that the old school approach like firewalls and intrusion detection systems no longer work.
And here, this is where distributed the assumption gives it a hundred percent deterministic risk score. So you no longer have that probability from zero to a hundred percent. It's always either a zero or a hundred percent because it aligns with the way hackers operate, not the legitimate users and placed integration is the key. So yes, a deceiver deception system is great, but only if it operates in a court with all your existing security infrastructure. And with that, I guess we should give the stage to work on who will be diamond into a much more technical or review of their companies, disciplinary assumptions solution. It will actually show you how it works in real life.
Yeah. Welcome to our webinar. I will guide you through the presentation for illusive networks and it will also be a part of a real demo environment. So I'm really appreciate that you are joining the webinar. Yeah. My name is Wolfgang Halbartschlager. I'm the sales engineer for illusive networks for a year, but I will do it in the same way. I will switch off the camera now. So not to disturb the presentation screen. So let's jump into in what, what I will show today. So first of all, we will have a short slide like who is illusive networks. Then we will jump. As Alexei told you already, we should sync like in a taker. So we are jumping into the mindset of an attacker. Then we will talk about how Illusive can solve these issues, these problems, this attack detection, the active defense. And then we will jump into a product demo and into a short summary.
So first of all, Illusive is a teammate company founded from teammate, I guess, many of you know them already teammate also from Israel, from Tel Aviv ex-military guys. And yeah, we are a cyber security startup. You can see, we already have a lot of customers here at the top global largest financial pharma, legal retailers and different branches. For sure. Alexi mentioned already also integrations. We are just listing out some of them here in the partner slide. And some of them are also like investors into Illusive. We also got a lot of, of ours. Meanwhile, although we picked some of them here to show you that up.
So now let's jump directly into the engineering part. So put on your hoodie. If you have one and knowledge champion to the attacker mindset, so jumping into inside of an attack. So first of all, the first step is some end point got breached. So think about HR department, they clicked on a CV. There is a remote terminal opening up and someone breached your windows 10 system in your company. So that's one of the first basic steps. And then the next step is if you think about the taker and if you breached already the end point, the next step would be, what's trying to stop me here. So you will try to look at the protest list. You will try to find out which kind of agents are running in their system, which kind of security solutions are installed in that environment. And which kind of system is trying to stop me here.
If you identify, let's say EDR AB or whatever you have in place here, you will search for ways to bypass it because they take her always wants to stay below the detection level. So he wants to stay undetected. The next step is after he bypass already your security able to try to get as many information about the endpoint and all other end points around him. So what he's doing is he will try to use specific model there and trying to get browser credentials. He will try to get windows credential manager information. He will try to get cached connection and cache credential information because one of the reasons is if he just reuses old connection data that is just lying around in your network, he can also stay undetected. If we are talking about behavior monitoring. So how does it work? He will collect this kind of tools. And then he will just reuse old connections and credentials on the system and moving laterally or sideways in the network until he reached your critical. I said, your crown jewel. That's the way how an attacker is moving nowadays in such a metric.
Now we want to jump in and want to see which kind of steps Illusive is doing here to help you in these kinds of situations. So Alexa told you already, we have a protect detect and respond part and let's keep it like that. The protect will be our preempt. So this is called our model like ethics, surface manager or DSM in a short way. And what we are doing is we give you the few often attacker of your network. So we give you exactly the pathways, the credential and connection information, the cached ones that align around into your network. And we will look really deep into that. So we are not identifying everything. We are looking for the risky stuff. So we are identifying based on a rule set. We are identifying critical connections, stored connections to critical assets. For example, browser safe credentials, for example, SSH Prudentials file sealer, credentials, NG, remote RDP, and many, many others.
And also use our data stored on these machines, service users and so on. And we will identify everything that is higher privileged as a standard domain user per default. And we will also identify connections to your crown jewels. We have also mechanisms to automate crown jewels detection. So if you don't know all your crown jewels, let's give us the possibility to look into your network. And we can tell you where are your credentials? We can identify these kinds of risks and ultimated, there is an option to clean them. So we are cleaning and doing a cyber hygiene through your whole network. So every risky connection that is in there, and we will speak about some examples later on in the product demo can be deleted automatically.
After we have done the cyber hygiene, the attacker already has no really options, no useful options to move in your network. There are no high privileged user credentials anymore. There are no critical connections anymore. So the attacker is already shrinking. So what we are doing now is we are planting through the whole network. We are planting these objects. That's the orange circles that you can see. So based on that, what we have learned already from your network, from the attack of you, we are adopting these kinds of information, your password policy, your naming conventions. We are also learning from each endpoint. So that means if this is an endpoint with Google Chrome, we will plant Google Chrome deceptions. If the endpoint uses a Firefox, we will use Firefox C-sections. So this will adopt automatically. And now imagine that someone breached your network and he's trying to look around, he's gathering all these kinds of data, and for sure he will try to move and he will try to use some of the deceptive data.
This will generate an alert immediately. So that's the detection card and we are doing a real-time forensic. So if we detect someone uses a deceptive data, it could be a user, it could be a password. It could be a connection or whatever. We have something about set. Yeah. Over 70 deception techniques, different ones, for sure there are spreads through the whole network. So every endpoint, every machine will be a trap from, from a tech point of view. For sure. And now you can also see, we are generating a real-time forensic. We are generating including a timeline. So even you can go back in time and take a look what was happening the past seven days, the past 14 days or whatever the Easter, what was happening before the attack, what was happening before the detection happened?
Now let's jump into the product demo. So I will move now my Google Chrome into that screen. And now you can see my Google Chrome, and this is already the illusive networks, graphical user interface. So we can see here these pink lines and the dots. And this is a network with round about 5,000 machines that we can see here from the attacker point of view. For sure you can Sue in, you can focus on one of these points. You can see where the taker from which end point to which machines you can move. You just have to Hoover it with your mouse, or you can use the filter section. You can see different colors for different kinds of connections that we brought up. So this is a really, really great tool to get different view of your network. So let's jump a little bit more into deep.
Let's take a look as an attacker point of view into the network. So first of all, I want to show you that everything here is based on a rule set, we are automatically suggesting rules. So the system is learning from your network and we are suggesting rules. So you don't have to think about that. We are helping you here. If you want to change something in the rule set, this is also easy to do. So you just click on the edit button and you can see, we can do exceptions based on hosts, based on organizational units. We can do exceptions based on user groups based on users. And for sure, we can also control per rule, which type of things should be cleaned up automatically. And you can also set up a reporting. So if there is a new revelation, you can connect it to your seam.
You can connect it to your report against engine, these kinds of rules that is available for different categories. For sure. So now let's jump into these type of categories. So first seeing is here. You can see Asia privileged identities. So what we are doing here, we are mapping, let's say the relationship between the on-premise stuff and the cloud stuff. So let's assume you have a domain user on premise and this domain user has special permissions in your Asia active directory or Asia infrastructure. So maybe it's a deployment user, a developer user. So it's a standard on-premise domain user, but he can shut down startup delete and add machines in your Asia infrastructure. So this is a high critical user there, and now we are binding them together and we can share their relation and Verdi's user is spread in your on-prem environment too. So, you know exactly which critical and high critical, or high privileged users you have in your environment and Verde are spread it.
So for a hybrid option, this is a very, very useful stuff to know how this is related for a domain user credentials. For example, you can see there are different kinds of examples. The first line will show you that somebody's stored on computer 24 user credentials for user 2, 6, 7 in the windows credential manager for an RDP session. And if we take a look to the user, you can see it's a domain admin. So this is really a high, critical stuff. So as an attacker, if I land on that machine, I can just use that. I can just use the domain admin. You can also see, we can edit here to the cleaning queue manually, or we can also do it as promised in a scheduled way. So we are cleaning up your inbox and ultimately Kelly weekend, for sure do much more than the RDP stuff.
We can also look for AWS, see like credentials, browser history, process, save credentials, FTP stuff, database, right, truck drives local user admins, SSH. So you can see it's a long, long list already. And just to give you an example from a customer that I had some weeks, we found a local admin that was spread it for sure, for installation purpose software, for installation purpose, it was spread it to let's say 90% of all the mission. And for sure this is not really something bad, but they were not aware of that. This local admin is not just a standard domain user. It was a standard domain user with special privileges. So like role delegation, like a shadow admin. And he was, I was able to be a domain admin in two steps. So this was very critical. So in that case, if an attacker lands on one of their 90% of machines, they take our niche, just two steps to be a domain admin.
And they were not aware of, it was just some kind of misconfiguration. And we were really, really, after some hours of installing our software, we were able to show that up. Another point of view could be the crown jewel connection stuff. So the crown jewel connection stuff is focusing on the critical. I said, so you can see here the domain controller, for example, or we can also see Amazon web services stuff here. Let's filter on another few. You can see the has credentials column and it has credentials. Yes. Column is here. Then we can also somebody stored credentials for this critical assets. So here we can see computer 21 and computer 21 stored to this terminal server for Amazon, their credentials. The same, for example, if we look into the Chrome stuff. So also Google Chrome stored credentials on computer 55 users, 310, the stored credentials to Amazon web service.
So if I was from a technical point of view, if I can grab that, I can just use that and log in into your infrastructure, your cloud infrastructure, and not a point of view could be the local user administrators. So somehow maybe you'll have already a solution like labs, privileged, Xs management, CyberArk beyond trustee touchy or whatever. And this solution should take care of that. You have an automated password rollover for your unmanaged administrators. And we always see on the customer side that sometimes the password rollover is not really working or sometimes still there are unmanaged local admins that are even with managed with your pump solution. And just another example, it was another customer from my POC installations. We found a user, a local admin user on a very, very critical server. And this user had lost password set 2010. And we ask them the chief information security officer, like, okay, what's about this user because you know, it's a critical machine.
Last password set from the local admin was 2010. So I would maybe, I guess that user and password could be the same. And the guy told me, yeah, it's not used anymore. It's doesn't matter. And then I was clicking here and then I was able to show that this user was in the case of the customer locked in one day before, and now it turns out really critical. And by the way, username and password was the same. So yeah, sometimes it was done in 2010 and these times, so it was just a miss yeah. Misconfigured service user. So they changed this user for sure. They managed now the local admin with labs and they edit the service user standard domain user with local admin permissions and password rollover and all this kind of stuff for the machine and then the, all the salt. But also in that case, we were the only solution that were able to show it up.
On the other hand, we can also show you the shadow admin stuff. So for example, we have here users 3, 5, 3, and use a 3, 5, 3 is just a standard domain user, but still, as you can see on the right column, shortest distance, this user can take over a domain admin in one step and it can be done because this user had add member permission to the domain admin group. And this has happened for, for so many things. So w w we had another customer with HR department and the HR department, each HR guy had a software on his computer for new employees. So if a new employees entered the company, they get a picture to get the card, the smart card and all this kind of stuff. And they also just choose the department where this new employee will work. And then the software automatically adds the active directory user and put it into the right groups. So the service user for that software needs for sure to add member permissions. But now imagine it's an HR department and especially in HR, our department gets covered or taken over very easily. So even the taker glance, and one of the HR machines taking over the service user and then can be a domain admin in one step.
We also take a look to suspicious files. So we are taking a look for hashes for running processes on all this, on all the machines that are in the scope. And if the virus total score yeah. And show you the virus total score of that, because it could be that your antivirus one week ago was not able to detect it because it was not, it was not common already, but it could be that later on, it gets detected. So let's jump now into the next step. You can see here in the right side, the top crown chills , and we can see that it's reachable from 22 sources. So we can also show you the pathways. So let's, let's click on that. And now you can see the domain controller on the right side, that D C zero one, and I'm increasing the scope now. So now we can give you the few how in a taker can move in your network.
So in how many steps he can reach your critical asset. And now think about all the, all the violations that I was able to show you. Now, the safe RDP, credentials, the SSH credentials to task scheduler stuff. So everything that I was showing to you, we are cleaning them. So we can clean that up per click, or we can do that automatically. So we are doing the cyber hygiene in your network, and now you can see it's not reducing the risk already. It's also like the attacker has no option anymore to move sideways or laterally in your network. That means that with this cyber hygiene, all other security tools that you have in place already are getting much more effective because you're forcing the attacker to be more aggressive. The next step will be that I'm clicking on the deploy deception button to concede a progress bar and a bottom, right.
And if I switch to the deceptive view, now it looks like that. And for sure, I take, or has no idea what's deceptive. And what's real because in the way how we plant deceptions, it will be really, really, really authentic based on that, what we've learned for sure, if your SOC team or your incident response team wants to know which is deceptive and which now we can highlight it, and then you can see which deceptive connections are there. So from the incident response team, this is not an issue. They know exactly what's deceptive, and what's not only that take our point of view is like they had no idea what's happening here.
They had taken out, touches a deceptive or a deceptive user. And then we have the red blinking I couldn't hear. So it will generate an incident. And that means it will do automatically is source-based real time forensic from that source end point. And if we jump into that, let's click on some of the incidents we can see there was a share excess, and there was RDP access. So multiple events summarized in one incident. If I scroll down a little bit, we can see the triggering protests. We can see system information, which user profiles are there. We can see a desktop screenshot if you like to do the, to do so. It's an optional stuff. We can also get risk insights, protests, information. We can get common prompt history. We can get PowerShell history and all this crazy stuff, just with a click. So for your incident response team and the response part here, this will help you in a really fast way to reduce your incident response time, because this forensic is great to read.
It brings you up all the necessary things and even with a forensic timeline. So if you want to go back in time, you open up the timeline, it's UTC based for sure as it should be. And you can see here, the Sherry went and before we have to share the wind, I just scroll down a little bit. It's down, down downtown, and we can see the rest of comma X. We can see there is an email X, the email X's phoning home. We go back a little bit more. We can see here that the email XL phone home, and then there was a Mimikatz Mimikatz executable. We can also see there was a DNS ARA cord query. So we can really go into details and give you all the data that is necessary to do your incident response. And for sure you can connect it to your soar and to all of these stuff.
So switching back to the presentation. So what does this mean? This does mean, okay. We are reducing your attack surface, giving you the few of an attacker. We are planting deceptions fake data on the whole network. So it doesn't matter where the breach will happen. The attacker will be confronted with deceptions from the beginning, and for sure, we're collecting forensic information from the source based endpoint. And we are doing that with all this remote tools with the preempt detect respond. So we are covering the protect detect and respond surface here with the ethics surface manager, with the attack detection system, and for sure with our attack intelligence system. So that's from my side and I hope you enjoyed it. And I guess it's now time for some questions.
Well, thank you very much, indeed. Let's just quickly switch back to the Q and a session and Miami. This is exactly the time where we can share our webcams again, just to say hi to our audience. I'm not sure that we are here live to listen to your questions. And indeed, we already have a couple, let me just quickly turning them aloud for you will eat a peanut or that you can flood the system with both credentials and thereby extending the hackers might get to them rather than real credential, but what if they get to real credentials crossed?
For sure. It's, it's just a mathematical thing to be honest. So that's, that's one of the reasons why it's so important to do the attack surface few in the first step, so that we really can take the attacker view. And with that, we already can give you the attacker mindset so you can really decide, okay, this is how my network looks like from an attacker's perspective, then we are cleaning it from the real high privilege stuff. So we are cleaning it upfront and then we're adopting our deceptions. And then we are rolling out the deceptions. So it's not like flooding. It's really like if you know how your network looks like from a tech perspective, then you can really adopt to that. And then you can adopt the settings, the rules in our system, that it will really look authentic for the attacker. So we will not flooded in that way. We will really adopt to your network here.
Right? And I guess just kind of to reiterate the important that, although we are talking about deception today, your platform is actually not just doing the assumption alone. You'll have an important, but not the single purpose of it. And indeed this whole preemptive, how the mean aspect even alone without the deception part is extremely important. It's often overlooked. Right? Next question. And I guess it's the line for a while with my own impression of your presentation. To me, the most impressive part was that with a single click, you were able to deploy like 63,000 with those credentials, right? So how do you do that quickly? Do you what's the technology behind it?
So the technology behind this, like, as you can remember, the inside of the tech slide where I talked to Kate attacker is always trying to find out, what's trying to stop me and looking for agents. And I can tell you that the whole solution of Illusive is going agentless. So we are doing everything agent list, and now you think, oh, this sounds like magic, but it isn't, it's a very simple stuff. So we are pushing, let's say a small binary to the end points in the scope. And the binary will run for some seconds with very, very low CPU load. So it will not impact your infrastructure. And during the, yeah, it will run for some seconds. And during that, it will take a look for the risks. It will clean up the risk and it will plant deception. So all these three steps are done each and less with a small binary. And for sure, we have to do it on a scheduled way because the binary, after some seconds itself dissolving, so it will be removed. Yeah, it will remove itself. So we have to do it on a scheduled way. So we are pushing out, let's say this binary every X hours, depending on your network infrastructure and network topology, it's very easy and straightforward,
But isn't there a chance or maybe a slim one, but a hacker would actually notice you pushing that binary while he's already on the system.
So the cool stuff is that we are changing. So it's not exactly, let's say every X hours. It's also, it's always with a random timestamp. So the attacker knows, do not know upfront when the next deployment will be. For sure. And there is also, let's say no relation between the deployment and the deception. That's, that's the cool stuff about agent-less
Right. Okay. I've got another question. And it's a really head-scratcher because I've never thought about it myself, but from a legal perspective or is it really not a problem that you are forcing at tech to kind of act upon or the commercial you've placed yourself on basically you are acting a little zone provocateur as though I think they called it, or wouldn't that be a problem when the attacker is later, for example, being prosecuted for the section, because he did not actually do anything wrong because he was only hacking through your false credentials.
Yeah. He was taking sort of false credentials for sure, but we will get the forensic. So we can really, let's say with the forensic, you can even get data, how he was able to breach the end point for example, and what he was doing upfront. So I've never heard that question. So it's the first time to be honest. So I also was not thinking about that too deep, but still it's not only let's say that only for, yeah. Only if an attacker trying to move or using deceptive data, we will catch them for sure. And the forensic will help you and to see what other kinds of stuff that they can maybe try already on the end point and how he breached already and this forensic data, for sure. This is the necessary for the further incident investigation and response.
And I guess it also boils down to the kind of the ultimate question, what exactly is your security team's ultimate goal? Is it to catch or an attacker and bring them to justice or either to protect your crown jewels? If the letter then kind of legality is almost secondary, right? As long as you're not breaking the law yourself, or the only thing that matters is that you have prevented a data breach, right. If you're interested in their legal aspects and I guess yes. Place in the whole chain.
Yeah. It doesn't matter for us if it's like say an insider, if it's an external guy or whatever, is someone tries to get a data breach or to steal data, or let's say to connect to shares with critical data. And this year is let's say a deceptive share. We just give you the forensic and can tell you, okay, from that machine, this user account tried to access this and that. So we give her the forensic. And if you want to, let's say mitigate or current time to host, or if you want to view the attacker a little bit more, that's the decision of the customer,
Right? And I guess this also leads nicely into the next question, which if I may expand from my side a little bit, what about integrating this solution to other types of tools? Like the question you mentioned for, but I was caught about our seams or ticketing tools or forensic legal, old assumptions of how do you build your tool into the existing infrastructure? How does that work together?
Yeah. For soar, for example, there are already pre-defined playbooks for the different kinds of source solutions out there. We have many, many different API connection options, two different kinds of solutions. So integrating in your seam so that we can for sure lock everything in your same and also your scene can trigger our solution. So for example, you get an interesting incident and you want to have forensic and you like the forensic from illusive networks. So you want to have illusive networks doing the forensic for you. So your SIEM can trigger our solution. And we are doing the forensic for you. That's also an option. So we can integrate, let's say to keep it short, vice versa with many different kinds of options, if you're interested, which kind of Wenders we already integrated and how we can do that, for sure. We can do a separate session, just reach out to KuppingerCole or to us directly. And we will cover that in the session because that's too much here,
Right? The other interesting aspect, or to discuss sometime maybe with a customer or a one-on-one between the, because most vendors believe that they offer the best possible UI and the most comprehensive forensic capabilities, but arguably the users, the actual experts, they already have an environment where they want to keep all their forensics. Yeah. That will be over their existing tool, not the vendor's tool. So it's really critical in the bottom that this two-way integration is supported. Right. Next question, I guess it's a follow up for that legal one. So would you recommend disclosing the usage of deception technology in published security policies? Because I guess it's akin to a video surveillance, which you have to disclose within the EU, for example.
Yeah. It's kind of more, more stretchy question I would say. So it depends really on the customer strategy, how he wants to play with that. So there are different kinds of options. So for sure also take her meanwhile knows that there could be deceptions in place. So as for that, it's really important that if you choose a deception solution that this deception solution will be authentic. So even if the attacker let's say can imagine that there could be a deception solution in place or whatever, it's very, very important that the deception is really adopting to your network and looking at attentive because then the attacker still has no chance to bypass just to add here. We never lost the red team and we have done many of them. Meanwhile, and yeah, we never lost it. And if you want to try, stay in contact with us, contact us and I see
All right, next question. Do you, or sorry, does your offer, I mean, I assume that your forensic product include a service, even optional to identify the attack thoughts for GRC purpose, legal action and so on.
I didn't get it Alexei. I had an internet connection issue, I guess, from the line. It
That's your solution in incorporate a service option optional or not to identify as a tech source, I guess, do you provide some kind of additional human service if you will, on top of the technology to investigate further?
Yeah. So like managed service or something like that. So we, we are working together here with partners all over the world. So like resellers and they are doing, let's say managed service with illusive networks and they can for sure help you with incident response, but I just want to enter something else. All forensic is really, really easy to read. So our graphical user interface, as you were able to see the forensic gives you the ability without to jump really, really deep into it, to identify, is it the real risk? What's the reason behind and so on. So if you use our forensic, for sure, you can do much more on your own, but yeah. Managed services for sure.
Right. Next one. So if a hacker breaches your, to watch you gain access to all of the deception of deployed and, or other info given by the tool against it,
It, it, it never happened because yeah, if you, if you rethink, I told you already, we never lost the red team. And there are really, really a lot of red teams, what w what we did. And also some red teams, they tried really to focus on our solution, let's say, okay, we told them, okay, Illusive is in place. So be careful what you're doing. And to really also try to in Westgate, into our direction, into our software. Yeah. But no chance until now. So I would say,
Okay, so you, you do have some measures built in, but of course, to show them all would not be exactly the policy, but yeah. We have to show that you do have those. Yeah. Yeah. Okay. Do we have any more questions left? I think we have
One more.
I have to confess. I'm not entirely sure what it's supposed to ask, but, so what's the app update mechanism and policy. It's a call to discuss the update mechanism, that policy.
Is it mean for the software itself or does it mean for the deceptions and these kinds of stuff?
Well, maybe the original attending elaborate. You still have a minute left, but let's, let's talk about how do you update your solution when it's already deployed?
Yeah. So the software itself, the management software, for example, it's been upgraded, let's say in 10 or 15 minutes, double-clicking next, next, next. So that's very easy ongoing. And then for sure there are different components in the network and they can be centrally upgraded from the management server. So you just have to do it on one machine and the management server can upgrade all the others ultimately.
Okay, great. And I guess we have just reached the top of the hour and we don't have any more questions. So thank you very much for Ghana. Thank you very much to all of our attendees for sticking with us for a whole hour. Hope to see some of you in our future webinars, stay safe, stay healthy, and have a nice day.
Thank you. Bye-bye.
