Deception / 12.11.2020

An early holiday gift: a tale of butter, cyber deception and The Wall Street Journal

If there was a global holiday wish list for marketing leaders, a Wall Street Journal feature story would surely be on it. So, how did I feel when I got a recent interview request? I was merry.

How did this unfold exactly? (Spoiler alert: it starts and ends with customers.)

The Wall Street Journal publishes an annual Technology Journal Report on cybersecurity. This year’s edition included a story on Deception. The writer on this project began by interviewing security leaders who use Deception technology. She found that one of them uses our product, TrapX DeceptionGrid™. That led her to an interesting customer case study on John Muir Health, posted on our website, which prompted an interview request later the same day.

The ask? Could we connect for an interview with the reporter the following morning, and could we also introduce the Wall Street Journal reporter to a customer willing to talk about their personal experience? Media deadlines are often tight, but how are we supposed to get a CISO to commit to an interview with less than a day’s notice? I immediately called Brian Pfeffer, our VP of Customer Success, after hours. I caught him in the car, but he was able to respond quickly. Within a few hours, we had four customer volunteers willing to speak with the reporter.

The Interview

The next morning, I met Wall Street Journal writer Heidi Mitchell, a switched-on New Yorker who now lives in Chicago. I’m from the Boston area and have family in her Chicago neighborhood, so we did the whole small world, Boston versus New York thing for about 5 seconds. Then we got on with it. I asked her what she knew about Deception.

She explained that The Wall Street Journal had done a piece a couple of years ago where they spoke to researchers about honeypots. Her belief was that the technology wasn’t new, and she didn’t believe it was widely used. She wanted to talk about “the next generation.” Her impression was that honeypots required significant cost and effort to be usable, and only allowed you to observe, not catch the bad guys. But today’s Deception solutions make more realistic systems (traps and decoys) that are sprinkled throughout a network. The bad guys interact with these traps disguised as real corporate assets, trip a wire, sound an alarm, and get caught before the damage is done. She pretty much nailed it.

I offered this hypothetical: “Imagine a thug about twenty yards away, set to charge and attack you. You’re armed with traps to defend yourself. How many traps would you throw, and where would you throw them?” The obvious answer is: as many as possible, in the attacker’s most likely path. Then I asked, “OK, now what if traps cost $250,000 each?” Just as she was about to answer, I added, “Or what if they were only $10 per trap, but weighed 100 pounds? How many would you throw then?” The answer? Not many. Now you have to decide whether it’s worth the expense and effort. But maybe there’s another way. Maybe you should just buy more insurance.

My point? In theory, traps are simple and compelling, but when they’re also heavy and expensive they force risk-based trade-offs. Next-generation Deception solutions remove that trade-off because unlike their honeypot ancestors, they’re light, fast, and cost-effective.

This premise is at the core of TrapX’s approach to cyber Deception. Our patented technology is light, fast, and practical. It can scatter hundreds of authentic traps in minutes – without breaking the bank – so you’re not limited by weight, cost or reach. Why reach? Because our traps don’t actually touch anything in our customer’s environment. They only emulate them: servers, routers, printers, cameras, blood gas analyzers, manufacturing controllers, you name it. So now security teams can protect systems and devices that are vulnerable, but almost impossible to protect.

And that brings us back to our customers.

Heidi decided to interview Land O’Lakes CISO Tony Taylor. Heidi had previously interviewed lots of insurance companies and banks – your usual cyber-invested suspects – but she was fascinated by Land O’Lakes. She asked, “What is it about butter that requires Deception?”

Here’s how Tony explained it in the resulting story: “If a hacker shuts down a dairy plant, we lose hundreds of gallons of milk that we’ve already paid for. And we can’t make any butter.” Of course! It’s not about butter. It’s about system downtime which equals dollars. Millions of dollars.

We used to only worry about CIA (confidentiality, integrity, and availability), but ransomware changed the game. It is now the fastest-growing form of cybercrime, monetizing disruption to open massive new revenue channels via attacks against new targets. The global ransomware market is expected to reach $20 billion by 2021, which is 57 times larger than it was in 2015. In 2020, governments, enterprises, hospitals, even public school systems were held ransom more than one hundred times. So, for companies like Land O’Lakes, the Baltimore School System, or any number of “unlikely targets,” it’s not just about sensitive information but about having your entire operation held hostage.

The Take-Away

I really respect the vision and passion of our customers. Deception is strategic to them because it buys them time. It gives them visibility they’ve never had before while protecting the unprotected. In the words of a customer who shall remain nameless, “You’d have to be goofy not to use Deception today.” Our customers remain our biggest advocates and they want us to be successful.

Tony Taylor did a wonderful job, and we are incredibly grateful for his support. I was equally impressed by the other customers who were ready and willing to tell their own Deception story at a moment’s notice. It’s uncommon for security leaders to do this sort of thing, but they want to educate the market on Deception, and build a community that can learn and grow together.

2020 has been one for the books. The current ‘New Normal’ chaos has exposed conventional security practices alone as ill-fitting. There are simply too many gaps, and attackers waste no time in exploiting them. Security leaders are looking for light, fast defensive measures that match the speed and agility of both the attackers and their business.

This year also welcomed MITRE Shield, a critical new framework for Active Defense. While we compete for business with the other vendors mentioned in The Wall Street Journal article, we also share a responsibility to educate the market. This article certainly helps. More than two million people read the Journal every day and nearly one million visit their website. This was a wonderful way to close the year. We can feel the momentum building!
