Esteemed Mr Barros has beaten me to it this time, but here is my re-re-announcement of our updated “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” (2019) deception paper.
Some of my favorite quotes follow below:
- “Many organizations report low-friction deployment, management and operation as the primary advantages of deception tools over other detection tools, such as SIEM, UEBA, EDR or NTA.”
- “Are these technologies effective today at real organizations? At this time, the fact base Gartner collected from production deployments points to a cautiously optimistic “yes,” at least regarding the effectiveness of deception technologies for threat detection.”
- “Test the effectiveness of deception tools by running a POC or a pilot on a production environment. Utilize breach and attack simulation tools, or perform a quality penetration test without informing the testers about the deceptions in place.” [A.C. – overall deception appears to be more challenging to test than other detection and response technologies]
- “Detecting advanced threats requires not only building and operating more credible deception, but also ensuring that the deception does not impact real-world scenarios. […] Suppose an organization creates highly credible documents about a fake merger or acquisition. The impact from that information being stolen and believed could be as damaging as a compromise to real data.”
- “Vendors describe deception as having “no false alarms.” In reality, lures and decoys may occasionally lead to false alarms in some environments.” [A.C. – well-hidden lures aimed at advanced attackers may well have a near-zero FP rate]
- “Based on the research conducted from 2016 to 2019, most organizations, including some of those that employ deceptions, consider deception as “nice to have.” However, for others, deception has become an essential part of their security architecture, and they view it as “a must have” component of their defense-in-depth strategy.”
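To make the false-alarm point concrete, here is a small triage routine for decoy and honey-account touches. It is an added example written for this post, not code from the Gartner paper or from any deception vendor; the log format, decoy inventory (fs-decoy-01, db-decoy-02, the finance-admin honey account) and the benign-source list (a scanner subnet and a backup service account) are all constructed assumptions. The point it shows is that routine infrastructure also touches decoys, so a deception alert pipeline needs an inventory of expected benign sources before escalation, while use of honey credentials is never suppressed because nothing legitimate should ever use them.

```python
"""Triage of decoy / honey-account touches (illustrative, not vendor code).

Severity model used here (an assumption for this example):
  high       - a honey account was used anywhere, decoy or production host
  medium     - a decoy host was touched by a source not on the benign list
  suppressed - a decoy host was touched by known benign infrastructure
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
import re

# Constructed sample log lines (syslog-like); not real data.
SAMPLE_LOG = """\
2019-03-12T02:14:07Z auth src=10.20.30.41 user=svc-backup host=fs-decoy-01 result=success
2019-03-12T02:15:30Z auth src=10.20.30.41 user=svc-backup host=fs-decoy-01 result=success
2019-03-12T03:01:12Z auth src=10.9.9.17 user=scanner host=db-decoy-02 result=failure
2019-03-12T09:42:55Z auth src=10.44.1.88 user=jdoe host=db-decoy-02 result=failure
2019-03-12T09:43:01Z auth src=10.44.1.88 user=finance-admin host=db-decoy-02 result=failure
2019-03-12T09:50:19Z auth src=10.44.1.88 user=finance-admin host=erp-prod-07 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)

# Hypothetical deception inventory: decoy hosts, plus a honey account whose
# credentials exist only inside planted lures.
DECOY_HOSTS = {"fs-decoy-01", "db-decoy-02"}
HONEY_ACCOUNTS = {"finance-admin"}

# Hypothetical expected benign sources: the vulnerability scanner subnet and
# the backup service account, both known to touch every host, decoys included.
BENIGN_NETS = [ip_network("10.9.9.0/24")]
BENIGN_ACCOUNTS = {"svc-backup"}


@dataclass(frozen=True)
class Finding:
    src: str
    user: str
    host: str
    severity: str  # "high", "medium" or "suppressed"
    reason: str


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for events touching deception assets, else None."""
    hits_decoy = event["host"] in DECOY_HOSTS
    hits_honey = event["user"] in HONEY_ACCOUNTS
    if not (hits_decoy or hits_honey):
        return None
    if hits_honey:
        # Honey credentials are never suppressed: no legitimate process has them.
        return Finding(event["src"], event["user"], event["host"], "high",
                       "honey account used")
    # Decoy host only: check for the classic false-alarm sources first.
    src_ip = ip_address(event["src"])
    benign_src = any(src_ip in net for net in BENIGN_NETS)
    if benign_src or event["user"] in BENIGN_ACCOUNTS:
        return Finding(event["src"], event["user"], event["host"], "suppressed",
                       "known benign source touched decoy")
    return Finding(event["src"], event["user"], event["host"], "medium",
                   "unexpected source touched decoy")


def triage(log_text: str) -> List[Finding]:
    """Parse log lines and return findings in log order; malformed lines are skipped."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = classify(m.groupdict())
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; the suppressed share is the environment's FP rate."""
    counts = {"high": 0, "medium": 0, "suppressed": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:10} {f.src:12} {f.user:14} {f.host:12} {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed sample, three of six decoy touches come from the backup account and the scanner and are suppressed, one is an unexplained touch of a decoy database, and two are honey-credential uses, the last of them a successful login to a production host. The suppressed share is exactly the "false alarms in some environments" the paper mentions, and it is environment-specific, which is why the paper's advice to pilot in production rather than in a lab matters for deception more than for most detection tools.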
Augusto also has some of the visuals here.
As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via http://surveys.gartner.com/s/gtppaperfeedback
Posts related to deception:
- Deception vs Analytics, or Can Analytics Catch True Unknown Unknowns?
- APT-Ready? Better Threat Detection vs Detecting “Better” Threats?
- Better Data or Better Algorithms?
- Tricky: Building a Business Case for A Deception Tool?
- It Is Happening: We Are Starting Our Deception Research!
- “Deception as Detection” or Give Deception a Chance?