I recently wandered around the RSA security conference in San Francisco, where the latest cybersecurity technologies were on display. And I came across the blue-bearded Chris Roberts, the chief security architect at Acalvio.
Roberts assumes that hackers will be able to break into just about any company. So his company makes software that allows security managers to detect the break-ins, monitor the activity of the hackers, and steer them into harmless containers for faux company information.
The hackers may not realize that they’re inside a “honey pot,” a kind of trap where the cybersecurity people can figure out their motives and intentions. It’s part of an ever-escalating game of cat and mouse. I interviewed Roberts about the technology and how game companies have become a primary target.
We’ll be doing a breakfast panel on games and security at the Electronic Entertainment Expo on June 14. Here’s an edited transcript of our interview with Roberts.
GamesBeat: I’m curious about the intersection between security and games. What’s your expertise? What does your company do?
Chris Roberts: My background is all over the place. Obviously it’s security-related and has been for years. I come from the screwdriver-wielding techie side of the world, through networking, and then into security. I did a bunch of gaming in the middle there as well. I’ve been at Acalvio about a year and a half, almost two years, working as their chief security architect.
They acquired a company I was part of, because they built this really cool deception product, but it was built from their perspective, as opposed to building it from a hacker’s perspective, and then the actual hacker coming in and saying, “How well does this work? How well is this architected? How well does it deceive me?” Or, in a gaming analogy, how well does it bring the hacker in? How engaging is it? How much can you tell that you’re in an environment or not in an environment? How much can you tell that what’s in front of you is the reality of an actual enterprise, or is basically an Alice in Wonderland environment that you’re put into to keep you out of the main corporate environment?
GamesBeat: What do you call that? A honey trap, so to speak?
Roberts: Acalvio calls it Deception 2.0. If you look at the history of deception technology, at least in the computing field, we go back to the old Honeynet projects from 15 to 20 years ago. All you really had was a Windows or Linux environment, or a server or a switch, that was very static. Again, take the gaming theory. I had a very non-dynamic, non-engaging environment that I could poke at. I didn’t really poke at. It didn’t change based on my mood, my feeling, or my adjustments. You remember the old text games from years ago? They had a set of algorithms that were very static. You went north, south, east, or west. That was really the beginning of the Honeynet projects, in the early days.
Fast forward to where we are now, the ability to drop an architecture into an enterprise platform and have it learn and understand what that enterprise is — health care enterprise, critical infrastructure, finance — it has the ability to adapt to its environment. Is it a Windows environment, a Linux environment? Again, you have an adaptive architecture that goes into an enterprise environment and it can have camouflage.
As an attacker, I land on your first computer. I break your computer, get you to click on something, I’m in. My job at that point is not only to extract data, but to look around and see what I can find. I have to elevate my privileges, which means I need to rifle your file system, look through your registry. If I’ve done my deception job properly, I’ve put something in the registry, something in the file system. I’ve put up a file server or a print server. I’ve put in something where the attacker doesn’t see a difference between what you see logically and what you see in the Alice in Wonderland environment.
That’s the whole idea, building something that does a good job of — the assumption is simple. The attacker is going to get in. 90 percent of the crap out here at RSA isn’t going to stop any of us from breaking in. It might log it. It might do something about it. It might cut down the 200 days it takes you to find out about it. But it’s not going to stop us. If you look at Deception and some of the other technologies out there, their role is to say, “The perimeter is broken. There is no perimeter.” When your fridge can read the email from your corporate system, you don’t have a perimeter anymore. When your car has your address book, you have no perimeter.
What do you do about that? You build an environment, a gaming architecture, that draws the attacker in and runs them through a set of scenarios. It brings them into this environment, this Wonderland, if we’ve done our job properly.
GamesBeat: What do you lead them to? Are you benefiting by simply using up their time and keeping them at something harmless?
Roberts: Think of a regular attacker. If you think of a normal corporate environment, typically a firewall, an intrusion detection, something on an endpoint will only detect once it sees something bad happen. Yes, there are predictive architectures and other things out there. But for the most part, until something leaves the environment, until something’s stolen, until I encrypt your hard drive, you won’t know I’m there.
The whole concept of the deception is to get ahead of that game. As an attacker, you see this entire landscape in front of you. You don’t know what’s real, what’s fake, what’s booby-trapped. As an enterprise I can say, “I want to know as soon as someone steps on the land mine.” When the attacker gets into the registry and thinks they’ve found a set of credentials that were planted there, you can see those credentials as you’re watching the network and grab them. There are companies that just want to know that. Most of them are that way. Most of them just want to know that someone is doing something they shouldn’t be doing and that their other systems won’t alert them on.
There are also a lot of companies that take it to the next level. Let’s bring the attacker in. Let’s start telling them a story. We present them with a file server or FTP server or web server that looks like the main corporate one, but is different. Now you’re in this virtualized environment. It’s served up to you in a bit of story at a time. Again, it’s a game system. I give you a snippet. I give you the next clue. I keep drawing you in.
From a mentality standpoint, the attacker thinks they’re on to something. They’re getting into the database. They’re getting into the SQL server. I’m bringing you into my world. You’re a mouse in the trap now. As the defender, as the enterprise, I can look at you and learn from you.
GamesBeat: See what they attack next.
Roberts: Exactly. Can I put up a defense, or do I just want to watch them? Can I give them disinformation? There’s maybe five or 10 percent of companies that care about that. Most of them just want to know, before that average of 100 to 200 days, if somebody’s in their systems.
You take the camouflage from mother nature. You take the architecture from gaming. How do I keep somebody engaged? How do I tell a story in a digital way that brings you through an entire engagement cycle and all the events that go with it?
GamesBeat: If you give someone disinformation, can they go off and sell that, and you see where it surfaces?
Roberts: Exactly. Now, when you’re talking about that, you’re talking maybe Fortune 50 companies or nation-states that care about that. Most organizations that buy from here don’t have the sophistication to deal with that. It’s limited. But that capability is there, to be able to do that.
GamesBeat: Do you look at the gaming vertical and how this applies to it? Do you notice any pattern among your customers there? Are they attacked for particular reasons?
Roberts: You have a mix. Acalvio, and not just Acalvio, a lot of the organizations here in the deception space — this technology can be used everywhere. The gaming space is an interesting one. Obviously, depending on the games — am I using my computer to interact with it? Am I using a game console to interact with it? As an attacker, if I have you come into my system, then I can use your processing for mining. You look at the bitcoin miners, the attack vectors they’re using across multiple gaming architectures — we can start to detect that level of intrusion and get ahead of that game. If we can start seeing spurious traffic coming out of your system, we can get ahead of it. You’re definitely looking for that.
When you look at the gaming platforms, the amount of money they put into intellectual property to build those platforms — it’s their secret sauce. It’s their coding engine. It’s their architecture. If we can put deception in there — it’s like the movie industry. When you look at the convergence of those two industries, it’s the same challenge. I’m building something now that won’t be released for three to five years. How do I keep it safe and secure? How do I make sure I’m the one that releases it? Our job would be to drop deception in there and make sure they don’t become another Sony.
GamesBeat: That’s a cautionary tale these days.
Roberts: It’s one of many. You look at HBO and the other guys along those lines. Their intellectual property is on a three-year cycle, everything they’re building. The game industry especially, the amount of money poured into the development cycle — being able to protect that without putting more files, more intrusion detection, more crap on an endpoint. Just having something inside that says, “Hi, come on in, let’s try this.” It’s a game inside a gaming organization. It’s actually kind of a fun way of doing it.