How honeypots can help stop data breaches (with related video)
Local government agencies face a disproportionately higher threat of data breaches due to a combination of factors: limited IT budgets, large amounts of sensitive personal information stored online, public-facing websites and terminals, and lower-paid staff with access to these systems. Public utilities add a further exposure, since they must also deal with largely insecure industrial control systems.
While government IT departments often incorporate security products like anti-malware, intrusion detection systems (IDS) and firewalls to reduce the data breach threat, these have certain limitations which can lead to security gaps.
One security tool that’s long been used to fill these gaps is the “honeypot” — but it’s been largely overlooked by local governments. A honeypot is a decoy network node, software application or device that exists purely to be attacked by hackers and malware. Because it has no legitimate users, the honeypot solves several key problems for government IT teams:
• Early-Warning System – Honeypots can spot new malware that evades detection by anti-virus/anti-malware scanners, as well as “zero-day” exploits that bypass other security measures. They also catch sophisticated hackers that would otherwise avoid detection for months or years.
• Spots Insider Threats – Malicious activity by rogue employees or compromised internal accounts can be harder to spot by traditional cybersecurity methods, as the “insider threat” is done behind the firewall, via the agency’s own IP address, and it uses legitimate account credentials. A honeypot, however, can identify this early on, since any activity on the fake network is a red flag.
• Confuses Attackers – Honeypots can also slow down an intruder who’s already on your network by distracting him/her with decoys and fake data.
• Streamlines Security Alerts – Most cybersecurity tools issue a lot of low-priority alerts and false alarms. Honeypots cut through the noise as they only issue alerts about attackers and malware that are actively trying to infiltrate the organization’s network.
• Inexpensive – There are a number of open source and cheap commercial honeypot tools available, so deploying a honeypot is low-cost.
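As an added illustration of the “any activity on the decoy is a red flag” and “cut through the noise” points above (example code written for this page, not part of the original article or the Modern Honey Network project), the Python below takes a constructed honeypot connection log, collapses it into one alert per source, and marks hits that originate from the agency’s own address range as insider activity. The log format, the agency network range and the list of ICS decoy ports are assumptions.

```python
import ipaddress

# Constructed sample of decoy-host connection records (not real honeypot output).
# One line per connection attempt: timestamp, source IP, destination port.
SAMPLE_LOG = """\
2014-06-02T08:13:05Z 203.0.113.45 22
2014-06-02T08:13:06Z 203.0.113.45 22
2014-06-02T08:13:07Z 203.0.113.45 23
2014-06-02T09:41:10Z 10.20.5.77 445
2014-06-02T09:41:12Z 10.20.5.77 3389
2014-06-02T11:02:44Z 198.51.100.9 502
"""

# Hypothetical agency address space: anything from here touching the decoy is an insider event.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed ICS decoy ports; 502 is Modbus/TCP, the usual port for a SCADA-style decoy.
ICS_PORTS = {502}


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, ip_address, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((ts, ipaddress.ip_address(src), int(port)))
    return events


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def build_alerts(events):
    """One alert per source. There is no scoring threshold: a decoy has no legitimate
    traffic, so every contact is actionable and the only grading is insider vs. external
    and whether ICS decoy ports were probed."""
    by_src = {}
    for ts, src, port in events:
        rec = by_src.setdefault(src, {"first_seen": ts, "hits": 0, "ports": set()})
        rec["hits"] += 1
        rec["ports"].add(port)
    alerts = []
    for src, rec in by_src.items():
        insider = is_internal(src)
        alerts.append({
            "source": str(src), "first_seen": rec["first_seen"], "hits": rec["hits"],
            "ports": sorted(rec["ports"]), "insider": insider,
            "severity": "critical" if insider else "high",
            "ics_probe": bool(rec["ports"] & ICS_PORTS),
        })
    return alerts
```

Six raw connection records become three alerts, and the internal source is the only one rated critical.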
One drawback, however, is that deploying honeypots can be technically challenging unless the IT team is highly skilled. To make this easier, we recently released a new open source tool called Modern Honey Network. The tool automates the process of setting up and maintaining a honeypot, so that any organization, regardless of technical skill or size, can run its own network of honeypots (whether that means one, two, tens or hundreds of sensors). It also includes support for industrial control system networks.
While honeypots should never be used in place of traditional security measures like firewalls, anti-malware and IDS, they are an essential component for any comprehensive data breach protection plan.
About the author:
Greg Martin is founder/CTO of ThreatStream, a Google Ventures-backed cyber threat intelligence startup that serves the defense, tech, critical infrastructure and financial industries. The company is based in Redwood City, Calif. Martin is a former technical advisor to the FBI, Secret Service and NASA.
This video briefly describes ThreatStream’s security platform, which is called Optic.