According to the 2024 Gartner® Reference Architecture Brief: Network Security report, “Network security underpins connectivity across the extended enterprise, encompassing public cloud, private cloud and on-premises. This brief provides guidance for security and risk management technical professionals on implementing networks securely.”1
Figure 1: Reference Architecture for Network Security
The reference architecture shown in Figure 1 above, as part of the Gartner® “Reference Architecture Brief: Network Security”, consists of eight core components linked by typical logical network flows: enterprise network security, enterprise edge security, secure access service edge (SASE), security service edge (SSE), DDoS mitigation, transmission security, cloud network security, and network security processes.
Deception technology in the network security reference architecture
As the Gartner® report indicates, “Deception is deployed to monitor and respond to a network intrusion. In particular, deception technology detects lateral movement, as the attacker moves from a compromised endpoint toward a deceptive network artifact.”1
Acalvio’s analysis and opinion on network security and the role of deception technology
The traditional network architecture consisted of an on-premises enterprise network, with the computing infrastructure all hosted on-premises and protected by a perimeter firewall. The increased adoption of cloud computing and multi-cloud, SaaS services for applications, remote work, and the adoption of branch and remote offices has resulted in a redefinition of the enterprise network.
Network security evolution: moving beyond prevention
Network security was traditionally focused on breach prevention through perimeter-based defense. The expanded network boundary provides an increased attack surface that can be exploited by threat actors. Adversaries have multiple pathways to gain a foothold in the organization and perform lateral movement.
With the increased attack surface, network security has evolved to combine prevention with threat detection and response for a layered defense approach to protect the network.
Each component plays a unique role. Enterprise network security, for example, concentrates on on-premises and private cloud deployments. Key tools comprise intrusion prevention systems (IPS), network detection and response (NDR), network access control (NAC), and network packet brokers. The overarching goal is to arm your network with robust security detection and protection capabilities.
Enterprise edge security is equally critical. It focuses on curtailing unauthorized network ingress while keeping an iron grip on egress from secure enterprise networks. This is achieved by strategically deploying enterprise network firewalls, virtual private networks (VPNs), remote desktop gateways, and secure web gateways.
The roles of both SASE and SSE are also highlighted. SASE combines network and security capabilities, supporting secure access for branch offices, remote workers, and on-premises scenarios. SSE, residing within SASE, facilitates secure web and cloud access, streamlining complex security tasks through a single vendor management platform.
DDoS mitigation and transmission security, on the other hand, protect against external threats. The former shields organizations from devastating DDoS attacks, while the latter prioritizes secure data transmission over untrusted networks.
Cloud network security mirrors the components of network security within IaaS and PaaS cloud environments. Combined with network security processes, such as risk assessment or DDoS emergency response planning, organizations can segment and control cloud networks effectively.
Architectural principle: apply defense in depth to network controls
The defense-in-depth approach to cybersecurity combines prevention-based controls with a set of detection layers. Controls such as micro-segmentation, NAC, and firewalls are focused on prevention, while intrusion prevention systems (IPS) and network detection and response (NDR) are focused on threat detection. These detection layers rely on signatures or known patterns, so their coverage is limited to known threats.
Adversaries are leveraging sophisticated and stealthy offensive techniques to bypass prevention and traditional forms of detection and perform lateral movement. These include using valid credentials for lateral movement, stealthy and difficult-to-detect living-off-the-land (LotL) techniques, hijacking existing connection pathways, evolving threats, and zero-days.
The network security reference architecture outlines deception as a core detection layer that expands detection coverage and eliminates the blind spots associated with traditional forms of detection. Defense teams deploy network decoys that present targets to the adversary, and plant baits on production assets that steer the adversary toward those decoys. Because deceptions play no part in legitimate workflows, any interaction with them is a high-fidelity indicator of malicious activity. A carefully crafted deception overlay provides a set of deceptive targets that enable early detection of adversary lateral movement. Defense teams gain visibility into current and evolving threats, enabling response actions that stop attack propagation and protect the network.
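The detection logic behind that "any touch of a decoy is a signal" property, as an added illustration that is not Acalvio's or Gartner's code: a constructed decoy inventory and honey account are matched against a few constructed flow and authentication log lines, and every hit is attributed back to the source endpoint, which is the likely compromised foothold.

```python
# Added example (illustrative, not vendor code): flag any contact with a decoy
# or any use of a bait credential, then group hits by source host.
# The inventory, account name and log lines below are all constructed.
import re
from collections import defaultdict

# Constructed deception inventory. Decoys serve no production workflow,
# so a flow to them needs no signature to be worth an alert.
DECOY_HOSTS = {"10.0.5.50": "decoy-fileserver", "10.0.5.51": "decoy-db"}
HONEY_ACCOUNTS = {"svc_backup_legacy"}  # bait credential planted on endpoints

# Constructed log lines: firewall flow records plus authentication events.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z FLOW src=10.0.1.20 dst=10.0.1.30 dport=445 action=allow",
    "2024-03-01T10:02:15Z FLOW src=10.0.1.20 dst=10.0.5.50 dport=445 action=allow",
    "2024-03-01T10:02:16Z AUTH user=svc_backup_legacy src=10.0.1.20 dst=10.0.5.51 result=failure",
    "2024-03-01T10:03:00Z FLOW src=10.0.1.40 dst=10.0.1.30 dport=443 action=allow",
]

FLOW_RE = re.compile(r"^(?P<ts>\S+) FLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"^(?P<ts>\S+) AUTH user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def detect_decoy_touches(lines):
    """Return one alert per flow to a decoy or per use of a honey account."""
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m and m["dst"] in DECOY_HOSTS:
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "reason": f"connection to {DECOY_HOSTS[m['dst']]} port {m['dport']}"})
            continue
        m = AUTH_RE.match(line)
        if m and m["user"] in HONEY_ACCOUNTS:
            alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "reason": f"honey account {m['user']} used"})
    return alerts


def suspected_lateral_movers(alerts):
    """Group alert reasons by source host; that host is the probable foothold."""
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert["src"]].append(alert["reason"])
    return dict(by_src)


if __name__ == "__main__":
    for src, reasons in suspected_lateral_movers(detect_decoy_touches(SAMPLE_LOGS)).items():
        print(f"ALERT source={src}: " + "; ".join(reasons))
```

Traffic between production hosts (10.0.1.20 to 10.0.1.30 here) produces nothing, which is the point: the decoy layer adds signal without a signature for the adversary's technique.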
Architectural principle: design Zero Trust into your network
The network security reference architecture has the architectural principle of designing the network on the principles of Zero Trust.
Zero Trust rests on three guiding principles: least-privilege access; never trust, always verify; and assume breach.
SASE, SSE, and prevention-based controls such as micro-segmentation and NAC implement the first two principles: granting least-privilege access and continuously verifying it.
The assume breach principle means the organization must assume that an adversary already has a foothold in the environment and must deploy controls to detect and respond to that threat. Deception is a foundational control for the assume breach principle, enabling early and precise detection of network threats.
Network security remains an indispensable part of any cybersecurity strategy. Cyber deception has emerged as a powerful weapon, enhancing any network security framework. It’s a breakthrough reflected in Acalvio’s ShadowPlex solution. Through the deployment of realistic decoys and deceptive tactics, organizations can divert attackers and gather critical threat intelligence, enhancing their overall security posture.
For more information on ShadowPlex deception for network security, schedule a demo.
1 Gartner, Reference Architecture Brief: Network Security, by Richard Bartley, 19 February 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.