Gartner Blog Network


Deception Technologies – The Paper

by Augusto Barros  |  November 18, 2016  |  2 Comments

After some very fun research, we’re finally publishing our paper on deception technologies:

Applying Deception Technologies and Techniques to Improve Threat Detection and Response
18 November 2016 | ID: G00314562
Augusto Barros | Anton Chuvakin

Summary: Deception is a viable option to improve threat detection and response capabilities. Technical professionals focused on security should evaluate deception as a “low-friction” method to detect lateral threat movement, and as an alternative or a complement to other detection technologies.

It was a very fun paper to write. We’ve been using and talking about honeypots and other deception techniques and technologies for ages, but it seems that it’s finally time to use them in enterprise environments as part of a comprehensive security architecture and strategy. Here are some fun bits from the paper:

  • Many organizations report low-friction deployment, management and operation as the primary advantages of deception tools over other threat detection tools (such as SIEM, UEBA and NTA).
  • Improved detection capabilities are the main motivation of those who adopt deception technologies. Most have no motivation to actively engage with attackers, and cut access or interaction as soon as detection happens.
  • Test the effectiveness of deception tools by running a POC or a pilot on a production environment. Utilize threat simulation tools, or perform a quality penetration test without informing the testers about the deceptions in place.

(Overview of deception technologies – Gartner, 2016)

The corporate world has invested in many different technologies for threat detection. Yet, it is still hard to find organizations actively using deception techniques and technologies as part of their detection and response strategies, or for risk reduction outcomes.

However, with recent advances in technologies such as virtualization and software-defined networking (SDN), it has become easier to deploy, manage and monitor “honeypots,” the basic components of network-based deception, making deception techniques viable alternatives for regular organizations. At the same time, the limitations of existing security technologies have become more obvious, requiring a rebalancing of focus from preventative approaches to detection and response.

[…]

Although a direct, fact-based comparison between the effectiveness of deception techniques and the effectiveness of other detection approaches does not exist, enough success reports do exist to justify including deception as part of a threat detection strategy.

Category: deception-technologies  honeypots-and-honeytokens  threat-detection  

Tags: deception  honeypots  honeytokens  new-research  

Augusto Barros
Research Director
1 year at Gartner
19 years IT Industry

Augusto Barros is Research Director in the Gartner for Technical Professionals (GTP) Security and Risk Management group.


Thoughts on Deception Technologies – The Paper


  1. Augusto, Anton,

    Congratulations on getting this in-depth report out!

    It was a pleasure to have helped contribute to the customer and technology research for this report. We share your belief that organizations are seeing real benefit from deception technologies today and that there is an increasing interest in using this technology for high-efficacy advanced threat detection and response.

    -Carolyn

  2. […] my esteemed and fast-fingered colleague has already noted, our deception paper has published. World, please behold the 38 page awesomeness of “Applying […]


