Our Updated “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” (2019) Publishes
Esteemed Mr Barros has beaten me to it this time, but here is my re-re-announcement of our updated “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” (2019) deception paper.
Some of my favorite quotes follow below:
- “Many organizations report low-friction deployment, management and operation as the primary advantages of deception tools over other detection tools, such as SIEM, UEBA, EDR or NTA.”
- “Are these technologies effective today at real organizations? At this time, the fact base Gartner collected from production deployments points to a cautiously optimistic “yes,” at least regarding the effectiveness of deception technologies for threat detection.”
- “Test the effectiveness of deception tools by running a POC or a pilot on a production environment. Utilize breach and attack simulation tools, or perform a quality penetration test without informing the testers about the deceptions in place.” [A.C. – overall deception appears to be more challenging to test than other detection and response technologies]
- “Detecting advanced threats requires not only building and operating more credible deception, but also ensuring that the deception does not impact real-world scenarios. […] Suppose an organization creates highly credible documents about a fake merger or acquisition. The impact from that information being stolen and believed could be as damaging as a compromise to real data.”
- “Vendors describe deception as having “no false alarms.” In reality, lures and decoys may occasionally lead to false alarms in some environments.” [A.C. – well-hidden lures aimed at advanced attackers may well have a near-zero FP rate]
- “Based on the research conducted from 2016 to 2019, most organizations, including some of those that employ deceptions, consider deception as “nice to have.” However, for others, deception has become an essential part of their security architecture, and they view it as “a must have” component of their defense-in-depth strategy.”
Augusto also has some of the visuals here.
As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via http://surveys.gartner.com/s/gtppaperfeedback
Posts related to deception:
- Deception vs Analytics, or Can Analytics Catch True Unknown Unknowns?
- APT-Ready? Better Threat Detection vs Detecting “Better” Threats?
- Better Data or Better Algorithms?
- Tricky: Building a Business Case for A Deception Tool?
- It Is Happening: We Are Starting Our Deception Research!
- “Deception as Detection” or Give Deception a Chance?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.