Our “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” Paper is Published
As my esteemed and fast-fingered colleague has already noted, our deception paper has been published. World, please behold the 38-page awesomeness of “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” [Gartner GTP access required]! The abstract states: “Deception is a viable option to improve threat detection and response capabilities. Technical professionals focused on security should evaluate deception as a ‘low-friction’ method to detect lateral threat movement, and as an alternative or a complement to other detection technologies.”
- “Improved detection capabilities are the main motivation of those who adopt deception technologies. Most [of those interviewed – A.C.] have no motivation to actively engage with attackers, and cut access or interaction as soon as detection happens.”
- “While tailoring lures to the environment increases the chances of detecting attacks, certain lures may cause users without malicious intent to accidentally touch the decoys.” <- so, many want NO false alarms, but what they actually get is LOW false alarms…
- “Testing detection tools is hard. Testing detection tools that seek to find advanced and, hence, rare threats is even harder. However, testing deception tools often takes the prize for being the hardest.”
- “Unlike with other security controls, the question of whether to inform the rest of the information security and IT team does come up with deception. Deception controls are sometimes deployed by a small team that keeps some details, such as the precise nature of lures and the locations of decoys, to itself.”
- “Are these technologies effective? At this time, the fact base Gartner collected from production deployments points to a […]” (read the paper to find out; sorry for my bad joke here!)
P.S. I suspect there may be a vendor or two who will say that “we are just not excited enough about deception.” Frankly, given the facts we possess, the paper shows an incredible amount of excitement about threat deception. In other words, if you don’t think we bring the good news, we assure you: what we bring is in fact good news.
Blog posts related to the deception research topic:
- APT-Ready? Better Threat Detection vs Detecting “Better” Threats?
- Better Data or Better Algorithms?
- Tricky: Building a Business Case for A Deception Tool?
- It Is Happening: We Are Starting Our Deception Research!
- “Deception as Detection” or Give Deception a Chance?
Other blog posts announcing paper publications:
- Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published
- Our “Comparison of Endpoint Detection and Response Technologies and Solutions” Paper Publishes
- Our Paper “Endpoint Detection and Response Tool Architecture and Operations Practices” Publishes
- Our “Understanding Insider Threats” Paper Publishes
- Our New Paper on Security Monitoring Use Cases Publishes
- Our 2016 SIEM Papers Are Out!