Data protection must at last become a fundamental standard of the Internet. With this in mind, _cyel is introducing a new cybersecurity strategy: not a new generation of patches and firewalls, but moving target security – we take away the targets. Without replacing your existing system.
Earlier security solutions responded to attacks; newer ones rely on intelligent attack detection and are therefore more proactive. They do not solve the problem, however, because the targets remain visible to attackers.
Moving target security provides a fundamental solution to this problem: we move, distribute and conceal the targets. Instead of preventing intrusions into a static network, the network becomes a dynamic system with moving targets. Users are no longer easily visible to the outside world. Every data transmission is encrypted. By the nature of the system, a laterally moving intruder stands out.
The operating principle
Software defined networking
We supplement the network topology by introducing a software-defined network in front of your existing infrastructure. All data traffic is routed seamlessly through it.
Stochastic target obfuscation
Because the network is constantly changing in different dimensions, the effort involved in an attack expands immeasurably. Security becomes predictable.
Dynamic flow checking
All data traffic is systematically controlled; network interfaces such as ports and services are protected.
Attack surface mutation
Instead of a fixed IP address, each device is assigned a new address for each transaction. Even in the event of third-party intrusion, intruders are unable to discern a pattern and draw any conclusions: sender and recipient are no longer identifiable with each new transaction. Accumulated information is instantly rendered worthless.
As you would expect, every communication is encrypted from point to point. In the process, the encryption changes at each node. There is no way of tracing the data packets back, and the message is no longer identifiable as such.
Authentication, authorisation and accounting (AAA) means that all network processes can only be carried out by authenticated devices; they must be explicitly permitted (white list) and are recorded. There are no external players, unknown routes, lateral movements or unaudited actions.
Identified attackers are diverted to a simulated environment, a honeypot. They can do no damage there and their behaviour can be observed. This means that you are always one step ahead of the attackers, instead of having to respond to leaks.
The system sends out traffic padding to disguise the real signal. Attackers can neither discern nor make use of behavioural patterns; heavily frequented servers are indistinguishable from individual users.
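The per-transaction address assignment, white-list enforcement and accounting described above, as an added illustrative model: this is not _cyel's code, and the controller, address pool and device names are assumptions constructed for the example.

```python
import secrets
import ipaddress
from dataclasses import dataclass, field

# Added illustrative model, not _cyel's implementation: a controller in front
# of the static network hands every permitted device a fresh, never-reused
# address per transaction, admits only white-listed devices, records each
# transaction, and raises an alert for any device outside the white list.

POOL = ipaddress.ip_network("10.200.0.0/16")   # constructed ephemeral address pool
HOSTS = POOL.num_addresses - 2                  # usable host addresses in the pool


@dataclass
class Controller:
    allowed: set                                   # white list of device ids
    log: list = field(default_factory=list)        # accounting: (src, dst, eph_src, eph_dst)
    alerts: list = field(default_factory=list)     # endpoints seen outside the white list
    _used: set = field(default_factory=set)        # ephemeral addresses already handed out

    def _fresh(self) -> str:
        """Draw an unpredictable address that has never been handed out before."""
        while True:
            addr = str(POOL[1 + secrets.randbelow(HOSTS)])
            if addr not in self._used:
                self._used.add(addr)
                return addr

    def transact(self, src: str, dst: str):
        """Return the (ephemeral src, ephemeral dst) pair an outside observer sees,
        or None when either endpoint is not an authenticated, permitted device."""
        if src not in self.allowed or dst not in self.allowed:
            self.alerts.append((src, dst))          # a move from an unknown device stands out
            return None
        eph = (self._fresh(), self._fresh())
        self.log.append((src, dst, *eph))
        return eph


def observer_correlates(observed: list) -> bool:
    """True if a passive observer ever sees the same sender/recipient pair twice."""
    return len(set(observed)) < len(observed)


if __name__ == "__main__":
    ctl = Controller(allowed={"laptop-a", "server-b"})
    seen = [ctl.transact("laptop-a", "server-b") for _ in range(100)]
    print(seen[:3])                      # three different address pairs for the same two devices
    print(observer_correlates(seen))     # False
    print(ctl.transact("rogue-x", "server-b"), ctl.alerts)   # None [('rogue-x', 'server-b')]
```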
System-independent and backwards-compatible
The installation is carried out as an add-on to the existing network, without modification to the network cabling, user systems, servers or applications.
The solution turns your existing layer-2 or layer-3 infrastructure into a zoned layer-3 network.
The solution can be operated with next to no effort.
Security can be adjusted automatically according to the threat level.
Protection against eavesdroppers
Information leaks from metadata are totally prevented.
Protection against direct attacks
Every intruder is detected by the nature of the system; services and internal structures are efficiently protected.
Password theft pointless
Protection takes place at the network level, coupled to the equipment.