Automation is crucial for reducing costs and operational overhead - interview with Matan Kubovsky, VP of R&D at Illusive Networks

[eForensics Magazine]: Having too much data to sift through is becoming one of the biggest problems for SOCs around the world. How do your new tools help with solving it?

[Matan Kubovsky]: In today’s world, where overwhelming amounts of data are amassed from network activities, it is crucial for Security Operation Centers to adopt new approaches to filter, analyze and prioritize their alerts. If you want to easily accomplish this and reduce time and costs while doing so, Illusive Networks’ forensics capabilities, together with our recently launched Risk and API do just that. Our innovative, open API allows companies and security centers to collect important IR-related information for real-time investigation on the source host. Complementing this, our novel Risk Metrics feature facilitates a more risk-based approach, allowing SOCs to filter and prioritize the data accumulated from their entire security arsenal. Both the API and the Risk offer seamless and swift integration.

[eFM]: How can a risk-based approach to cyber attacks be leveraged from this?

[MK]: Firstly, the foundation for any risk-based approach is to identify what the most risk-sensitive assets are and to visualize these in relation to high-risk activity. While this may sound simple and obvious, maintaining asset awareness is an arduous challenge for most organizations. Our technology provides the ability to name and maintain constant visibility to a company’s ‘crown jewels’ - the systems, data stores, and other high-risk assets that matter the most to the business. It also allows SOCs to discover and map the systems from which it’s possible to obtain access to Domain Admins’ credentials or direct access to ‘crown jewels’ – from the attacker’s perspective, these are essentially the keys to the holy grail. When an alert fires, be it via Illusive deceptions or from a 3rd party security solution, we provide real-time visualization of where the attacker is in relation to these risk-sensitive assets. An incident on a host that can connect directly to a client’s ‘crown jewels’ should be prioritized over another that is related to a host that leads the attacker to something less consequential. By analyzing attack vectors and measuring the number of lateral movements it takes to get from any host to ‘crown jewels’ and high-value credentials, Illusive helps SOCs prioritize high-risk incidents, and eventually deal with the most urgent tasks.

[eFM]: How does this play to Illusive Networks’ deception technology?

[MK]: With a clear picture of the potential attack vectors and the ability to quantify the risk level associated with individual hosts, Illusive automatically creates the optimal deception policy for each one of these hosts. Every machine is assigned different amounts and types of deceptions according to its risk level and the attack vectors it is part of. The risk insights in our Management Console Dashboard demonstrate to security teams the value these auto-deployed deceptions play in mitigating APT risk in their environment.

[eFM]: Do you think automation is the future of cybersecurity?

[MK]: Ultimately, human beings are moving toward automating anything that can be codified so the human brain can focus on more nuanced or complex tasks. Automation in cybersecurity provides analysts the ability to focus on the substance of what they’re doing—investigating impactful incidents in this case—instead of manually collecting endless data, parsing and so on. Moreover, automation is crucial for reducing costs and operational overhead within an SOC and can often spare the need for certain products. Illusive devoted significant resources to automation. Intelligent automation makes it easy to design, deploy, adapt, and manage our deceptions. Furthermore, the API enables automation of routine 3rd party incident handling tasks by making our risk metrics and forensic data available to support and enrich automation flows in the SOC based on risk prioritization.

[eFM]: Can you see risks associated with that approach?

[MK]: Automation, to us, enables the security analysts to deal first with what matters most and reduce cost. Automation can expedite some supporting activity (e.g., quickly collecting additional information to better prioritize incidents – as described above) but, unfortunately, it cannot yet replace the human aspect of digital forensics investigation. It’s great to use automation playbooks for data collection, analysis and response, but it still requires a human touch for making final decisions.

To read our first interview with Matan, go here >>

About Illusive Networks

Illusive Networks, leaders in deception-based cybersecurity, today announced the launch of its External Incident Application Program Interface (API) and Risk Metrics tools, minimizing the manpower needed to manage high impact incidents while expediting their investigation and prioritizing remediation.

Enterprises deploy a wide range of cybersecurity solutions to defend their networks which, in turn, flood their Security Operations Center (SOC) and Incident Response (IR) teams with alerts. According to Ovum analyst Rik Turner, many enterprises accumulate more than 200,000 security alerts each day. Many serious incidents go unnoticed as it is difficult to tell which represent real threats. Alerts often lack meaningful content or supporting data to help responders reduce threat impact. As the number of sophisticated attacks increases, security teams require further assistance in deploying proactive tactics to detect intruders.

Illusive’s new External Incident API supports the gathering and processing of incidents from any other prevention and detection technologies deployed across a network, producing forensics for each event in real time. Automating the collection and parsing of all forensics data significantly improves the efficiency and effectiveness of incident handling.

The API enables Illusive’s Attacker View feature to present a unified view of events generated from both Illusive and other external sources, helping security teams use the forensics data provided to gain deeper insight that supports more rapid, decisive action.

Illusive Attacker View highlights possible hacker pathways from the compromised host to the most prized assets of an enterprise. Newly introduced Risk Insight capabilities analyze the number of lateral moves required in each pathway, generating a metric to better prioritize incidents and remedial actions.
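The prioritization idea behind the Risk Insight metric described above (the fewer lateral moves from an alerted host to a crown jewel or to a host yielding Domain Admin credentials, the more urgent the alert) can be reduced to a shortest-path search over a "can move laterally to" graph. The following is an added illustration written for this page, not Illusive Networks' product code or API; the host graph, asset labels and alerts are constructed sample data, and the edge semantics (a cached credential or open management path from one host to the next) are assumed:

```python
"""Added example: rank alerts by how many lateral moves separate the alerted
host from named high-value assets. Illustrative code for this page, not the
vendor's implementation; all data below is constructed."""
from collections import deque

# Constructed sample: directed edges "source host can move laterally to target",
# e.g. because credentials cached on the source are valid on the target.
LATERAL_EDGES = {
    "ws-01": ["ws-02", "file-srv"],
    "ws-02": ["ws-03"],
    "ws-03": ["jump-01"],
    "file-srv": ["jump-01"],
    "jump-01": ["dc-01", "erp-db"],
    "dc-01": ["erp-db"],
    "erp-db": [],
    "kiosk-07": [],  # isolated host with no path to anything valuable
}
CROWN_JEWELS = {"erp-db"}        # the business's named high-value assets
DOMAIN_ADMIN_HOSTS = {"dc-01"}   # hosts from which DA credentials can be obtained

# Constructed alerts as they might arrive from deceptions or 3rd-party tools.
ALERTS = [
    {"id": "A1", "host": "ws-01", "source": "edr"},
    {"id": "A2", "host": "jump-01", "source": "deception"},
    {"id": "A3", "host": "kiosk-07", "source": "ids"},
    {"id": "A4", "host": "file-srv", "source": "edr"},
]


def shortest_moves(graph, start, targets):
    """Breadth-first search: minimum number of lateral moves from `start` to
    any host in `targets`. 0 means the alert is already on a target host;
    None means no known path. The `seen` set makes cycles safe."""
    if start in targets:
        return 0
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        host, dist = queue.popleft()
        for nxt in graph.get(host, []):
            if nxt in targets:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def host_risk(graph, host):
    """Per-host risk insight: fewest moves to crown jewels and to DA credentials."""
    return {
        "moves_to_crown_jewels": shortest_moves(graph, host, CROWN_JEWELS),
        "moves_to_domain_admin": shortest_moves(graph, host, DOMAIN_ADMIN_HOSTS),
    }


def rank_alerts(graph, alerts):
    """Triage order: closest to crown jewels first, then closest to DA creds;
    hosts with no known path to either sort last. Returns alert ids."""
    def key(alert):
        r = host_risk(graph, alert["host"])
        cj = r["moves_to_crown_jewels"]
        da = r["moves_to_domain_admin"]
        # A None distance (unreachable) must sort after any finite distance.
        return (cj is None, cj if cj is not None else 0,
                da is None, da if da is not None else 0, alert["id"])
    return [a["id"] for a in sorted(alerts, key=key)]


if __name__ == "__main__":
    for a in ALERTS:
        print(a["id"], a["host"], host_risk(LATERAL_EDGES, a["host"]))
    print("triage order:", rank_alerts(LATERAL_EDGES, ALERTS))
```

On the sample graph the deception alert on jump-01 (one move from both targets) outranks the EDR alert on file-srv (two moves), which outranks the EDR alert on ws-01 (three moves), while the isolated kiosk sorts last. In a real deployment the edge list is the hard part: it has to be rebuilt continuously from credential exposure and reachability data, or the metric silently goes stale.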

CEO of Illusive Networks Ofer Israeli explains, “Our API-based capabilities empower the otherwise overburdened SOC and IR teams with richer forensics data, enabling them to anticipate the attacker’s next moves and take a more pre-emptive, risk-based approach. Reducing both costs and resources, our new tools and capabilities further assist enterprise teams to mitigate APTs at the earliest opportunity and minimize impact.”

At the vanguard of the next evolution of cyber defense, Illusive Networks recently received recognition by Momentum Partners as one of ten cybersecurity companies on their Watch List, by The Wall Street Journal in its inaugural Tech Companies to Watch and was named as one of CRN’s ’25 Coolest Network Security Vendors’.

For more information, please visit or follow @illusivenw on Twitter and Facebook. 

September 25, 2017
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013