One of the big things that many organizations lack today is visibility into their information security posture. Sure, they have vulnerability management and some have “false positive generators” (otherwise known as NIDS); some even have log analysis and event engines. But, with all of that technology, they are still very likely to miss insider attacks and attacks of a subtle nature.
I am continually amazed when organizations demo HoneyPoint technology and have their first real “AH HA” moment. Usually a bot-infected machine triggers a HoneyPoint during a scan (as with Conficker) or makes a login attempt against a decoy virtual machine. Occasionally, you see full-on attacks underway that get caught by the demo. For example, one unlucky client caught a scan against a POP3 HoneyPoint that turned out to be a brute force attempt using VALID logins and passwords. The HoneyPoint alerted, and they began an incident that led to the discovery of a compromised domain. The attackers had cracked the SAM and were using the key admin accounts to see what else they could get into. You can rest assured that client very quickly went from demo to customer.
Until organizations understand the value of putting forth bait to lure suspicious activity, it is hard for them to grasp that this is not just another source of noise. Until they get their heads wrapped around the idea that, since a resource is not real, any activity with it is by default suspicious at best and malicious at worst, they struggle to understand the leverage that HoneyPoint brings. But the bad news for attackers is that more and more are getting it. More IT managers are flipping on that light switch and stepping out of the “dark ages” of infosec and into the age of the HoneyPoint.
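To make the "any touch of a decoy is suspicious" principle concrete, here is a small decoy POP3 listener written for this post. It is a constructed illustration, not MicroSolved's HoneyPoint code, and the listen port (1100), the JSON alert format and the severity labels are assumptions. The decoy never authenticates anyone; it answers just enough POP3 to take a login attempt, raises a "suspicious" alert on any connection or command, escalates to "malicious" when credentials are presented (which is what the POP3 brute-force case above would have produced), and records only a fingerprint of the password so the alert log cannot itself become a credential leak.

```python
"""Minimal HoneyPoint-style decoy POP3 listener (constructed example, not
MicroSolved's HoneyPoint code). Any interaction with the decoy is treated as
suspicious; presenting credentials is treated as malicious. The port, alert
fields and severity labels are assumptions made for this illustration."""
import hashlib
import json
import socketserver
from datetime import datetime, timezone

LISTEN_ADDR = ("127.0.0.1", 1100)   # assumed; a production decoy would sit on 110


def _alert(src_ip, event, severity, **extra):
    """Build one alert record; every record carries timestamp, sensor and source."""
    rec = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "sensor": "decoy-pop3",
        "src_ip": src_ip,
        "event": event,
        "severity": severity,
    }
    rec.update(extra)
    return rec


def classify_line(src_ip, line):
    """Map one client command to (alert-or-None, wire reply).

    Nothing a client sends is legitimate, so USER and any unknown command are
    logged as suspicious and PASS as malicious. Passwords are never stored in
    clear: only their length and a truncated SHA-256 fingerprint are kept."""
    parts = line.strip().split(None, 1)
    cmd = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    if cmd == "USER":
        return _alert(src_ip, "user", "suspicious", username=arg), b"+OK\r\n"
    if cmd == "PASS":
        fp = hashlib.sha256(arg.encode()).hexdigest()[:16]
        return (_alert(src_ip, "pass", "malicious", pw_len=len(arg), pw_fp=fp),
                b"-ERR auth failed\r\n")
    if cmd == "QUIT":
        return None, b"+OK bye\r\n"
    if cmd == "":
        return None, b"-ERR\r\n"
    return _alert(src_ip, "other", "suspicious", command=cmd), b"-ERR unsupported\r\n"


def simulate_session(src_ip, lines):
    """Run the decoy's logic over a list of received lines without a socket.
    Returns (alerts, replies); the first alert is always the connect event,
    because merely connecting to a resource that should not exist is a signal."""
    alerts = [_alert(src_ip, "connect", "suspicious")]
    replies = []
    for line in lines:
        alert, reply = classify_line(src_ip, line)
        if alert:
            alerts.append(alert)
        replies.append(reply)
        if line.strip().upper() == "QUIT":
            break
    return alerts, replies


class DecoyHandler(socketserver.StreamRequestHandler):
    """Speaks just enough POP3 to take a login attempt and emits one JSON
    alert line per event to stdout (swap for syslog/SIEM forwarding in practice)."""
    def handle(self):
        src_ip = self.client_address[0]
        print(json.dumps(_alert(src_ip, "connect", "suspicious")))
        self.wfile.write(b"+OK POP3 server ready\r\n")
        while True:
            raw = self.rfile.readline(512)      # cap line length; never trust input
            if not raw:
                break
            line = raw.decode("latin-1")
            alert, reply = classify_line(src_ip, line)
            if alert:
                print(json.dumps(alert))
            self.wfile.write(reply)
            if line.strip().upper() == "QUIT":
                break


def serve_forever():
    """Run the decoy on LISTEN_ADDR until interrupted."""
    with socketserver.ThreadingTCPServer(LISTEN_ADDR, DecoyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve_forever()
```

Run it and connect with a mail client or a plain TCP client to see the alert stream; the alerts carry no payload the attacker could later recover, only who touched the decoy, when, and what they tried.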
What can I say? Once security folks think differently about the problems, the game changes for the better. The time for threat-centric security has arrived. Things will never be the same again…