Last week, Gartner held the latest iteration of its Security and Risk Management Summit in Mumbai, and Senior Director Analyst Gorka Sadowski echoed what Illusive has been saying for a while: the time has come for enterprises of all kinds to take advantage of next-generation deception technology. Sadowski divided his presentation into three sections, whose titles asked the following questions:
- Is it the right time for deception solutions?
- Are deception solutions right for any enterprise?
- What’s the future outlook for deception platforms?
Let’s take these questions one by one, talk about what Sadowski mentioned in his presentation, and discuss how it aligns with how organizations should think about next-generation deception technology.
Is it the right time for deception solutions?
Sadowski’s answer is an unequivocal “yes.” Even as many organizations leverage dozens if not hundreds of solutions to detect and mitigate threats, gaps in protection remain. Demand for filling in those gaps is through the roof, and deception’s ability to pinpoint threats early in the attack lifecycle provides the rapid detection that many organizations need for faster triage.
Why deception technology in particular? Because the deception is, as Sadowski put it, “simple, inexpensive, and it works.” Sadowski broke down deception into three main categories: decoys (fake systems), lures and breadcrumbs (fake resources that point to the fake systems), and honeytokens (fake data on real systems). Spreading these different categories of deceptions throughout a network gives a new and unprecedented advantage to defenders. Instead of having to identify and stop thousands of potential threats and being victimized if they are wrong even once, that same tactical disadvantage is transferred to the attacker. The attacker is faced with thousands of honeytokens, lures, breadcrumbs or decoys when they breach a system, and interacting with just one will alert defenders to their presence. It’s all about playing the odds, and deception tilts the odds toward the defender in a straightforward and lightweight way.
Deception technology is not the only technology aiming to quickly figure out which attacks pose the most danger. However, compared to big data solutions like Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), or Network Traffic Analysis (NTA), deception is inexpensive, and the alerts are much less noisy. Gadowski notes that compared to deception, “we don’t know any other technology that has a better signal-to-noise ratio.” After all, deceptions will only be accessed by someone who shouldn’t be touching them, so there is no need to determine the correlation between multiple types of activity to determine if an action is abnormal. Any action that triggers a deception is a priori abnormal and very, very, (very!) likely represents a threat. Your organization will know as soon as a deception is accessed that something is wrong. This is even more relevant in technological areas where most threat detection can’t function properly for technical or economic reasons; for systems like X-Rays, SCADA, and many IoT devices, a lack of telemetry or logs makes deception the most effective way of identifying threats.
Are deception solutions right for any enterprise?
Specific use cases may vary, but according to Sadowski, industries of all sizes can receive important unique benefits from employing deception technology. Smaller enterprises that don’t have their own Security Operations Center (SOC) still need to find the most dangerous attacks with scant budgets and personnel. Deception provides high-fidelity alerts to the small teams running security for those enterprises, and helps them prioritize triage for the most urgent threats.
More mature enterprises might have a small or virtual SOC but still need to do more with less. The actionable alerts that deception provides extend the reach of those small SOCs, makes their threat detection and investigation more efficient, and delivers cost-effective protection to security areas such as third-party contractors an enterprise may otherwise struggle to cover.
According Sadowski, mature enterprises no longer have the option of choosing to detect and mitigate threats with deception; the technology is now “essential for any detection program and should be baked in the technology stock.”
A third type of enterprise is what Gadowski terms “lean-forward enterprises” – those organizations that have an extensive SOC along with mature counterintelligence and threat hunting teams. For these types of highly security-conscious organizations, deception is the “glue that binds advanced threat detection programs.” Not only does it measure the efficacy of other threat detection tools, deception helps provide a way to weaponize threat defense and use it to gain an advantage against attackers.
What's the future outlook for deception platforms?
Looking out on the cybersecurity landscape, Gadowski saw many possibilities for the expanded use of deception technology for various enterprises. Gadowski predicts that smaller enterprises will use deception as the starting point for detection projects moving forward. Larger enterprises will learn that deception data provides essential threat data that plays nice with all the other detection tools they already have in their security ecosystem and it will become an essential part of detection going forward. The largest enterprises will focus on specializing in specific verticals or technologies where the most realism in their deceptions is required, and champion the fact that the best intel and counter intel they receive comes from deception-based technology.
Here at Illusive, we know that security teams are pummeled with options for detecting and responding to threats, so much so that it is difficult to know where any new technology may fit into a current strategy. Analysts like Gartner are useful for separating slick marketing from tools that genuinely stop threats. When they say it is time to bring a new type of approach into the mix, people take note.
Now that Gartner is recommending deception as an important centerpiece of threat detection for enterprises of all sizes, why not learn more? Our approach isn’t slick, it is fact-based and practical. We are here to help – Illusive invented end-point deception, and as the first vendor to commercialize deception at scale, we have a wealth of experience and knowledge to share.
See how Illusive Networks offers the fastest, easiest, and most effective way to detect cyberattackers early in the attack, set up a meeting with one of our amazing technical experts or request a demo today.