Dear readers, please treat this post as a form of analyst psychotherapy! As we are entering our 4th month of deception research (with one deception paper out already and one more under development), this question is the proboscidean in the room.
Frankly, we are afraid to ask this question aloud: Will threat deception fizzle again?
Ok, us security old-timers (did I really say that?) remember the glorious rise of threat deception … in 1999. ManTrap, CyberCop Sting, SPECTER and other products represented a golden age of the honeypot. The Honeynet Project launched in 1999 as well (I joined in 2002). There was lots of excitement! A few great books came out.
And then … several years later (say, by 2004), all gone, turned to dust, products dead, concepts forgotten, hopes dashed. The “deception winter” lasted until about 2014 … 10 cold years.
As I write this in 2019, deception is a healthy – if small – security market. Our upcoming comparison focuses on six vendors that we see in customer inquiry (why?). Vendors report decent deal flow, happy customers, and show evidence of technology that works. Some even report seeing deception budgets at some clients.
However, and here is where the elephant becomes visible, the question remains: will deception stay this time or go again? Frankly, I can justify either position, and with passion. Hence, this post.
Will deception occupy a permanent spot in our security arsenal … or become a fad that died again?
Arguments for stay?
Arguments for go?
Posts related to deception research:
- Our Updated “Applying Deception Technologies and Techniques to Improve Threat Detection and Response” (2019) Publishes
- Deception vs Analytics, or Can Analytics Catch True Unknown Unknowns?
- APT-Ready? Better Threat Detection vs Detecting “Better” Threats?
- Better Data or Better Algorithms?
- Tricky: Building a Business Case for A Deception Tool?
- It Is Happening: We Are Starting Our Deception Research!
- “Deception as Detection” or Give Deception a Chance?
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
To me deception technology looks like it will be treated as one of the techniques and methodologies for detection and response in the long run and will get merged with other technologies as a feature set.
As a market I do not see it will fly for long as it does not completely run in the defense architecture of the attack life cycle.
Maybe I am wrong but UEBA also is facing the same identity crisis. Individually.
Sorry for delayed response. I was away for a while.
UEBA is finding a good home in SIEM and other places, so perhaps no more crisis.
However, UEBA has an obvious home (SIEM), but deception does not….
Personally – I believe that all innovation in security ultimately gets consolidated over time. Deception has a place in the attack kill chain but is not a panacea either. Just like many past techniques it is additive to prevention, additive to detection and enhances response and prediction through integrations and intelligence gathering. The biggest challenge we have in security is getting intelligence closer to the victim. E.g. intelligence must be gathered from our networks directly, harvested and taken to immediately bolster our defenses.
>The biggest challenge we have in security is getting intelligence closer to the victim.
Thanks for the comment. This makes sense, but it is also not how most tools deploy today. Intel gathering is of value, but it seems that most deploy it in “IDS mode”, i.e. for detection only….
Hey Anton, first super excited to see Gartner take a hard look at this field. As one of the ‘old-timers’ who was actively involved in many of those projects, I strongly believe Deception is here to stay. 15 years ago Deception proved itself as a concept, extremely effective at both detection and intelligence gathering (as demonstrated by numerous papers, books, conferences, etc). What held Deception back was not the concept, but the technology. Every honeypot back then had to be crafted, customized and managed by hand. Hugely time consuming. What makes Deception different today is with virtualization / Cloud and other advances, what took two people weeks to deploy, one person can now deploy and manage with the push of a button during lunch break. Definitely here to stay as it solves a really tough problem (simplified detection / intelligence gathering), but unlike 15 years ago, the technology is ready.
Lance, I am super happy to see your comment.
Indeed, I think virtualization/cloud/deployment “automation” are a strong vote for STAY and away from fizzle.
So, deception will stay because we can deploy and scale without having a Lance next to every honeypot 🙂
Deception is great for anyone needing to build intel. But that’s not most businesses. I think deception is here for a while, but not for most. It doesn’t solve a problem, it’s not a strong control, and has dubious value to most security teams.
Most businesses can’t even handle legitimate accounts and data and services, let alone also manage fake ones. If they are used as tripwires or detection canaries, then there is something wrong with the normal tripwires or detection controls.
Does deception increase the cost to an attacker and slow them down? Perhaps, but like 200 marbles down a pachinko machine, some still hit the money shot bin. And for the rest, so they’re slowed down…but if they keep bouncing around? And that’s not to talk about what they’re already doing inside anyway!
Deception, to me, is something that threat hunters think about when they’re bored, along with attacking back. Or they’ve burned out of the red team and join a reddish blue team.
Thanks a lot for your NO vote 🙂
I think this is complicated. In some sense, detecting on honeytoken accounts is easier than on real ones. Lots of noise, etc.
So, perhaps “why add more accounts to detect if you have plenty of legit accounts” can be answered. The “less noise” argument does work
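The “less noise” point in the exchange above can be shown concretely. The following is an added illustration, not code from the post, Gartner, or any vendor discussed: it runs two detection rules over a handful of constructed authentication log lines. A honeytoken account has a zero baseline, so its first use from any source is a high-confidence alert regardless of outcome; a real account needs a threshold (five failed logins here, an assumed value) because legitimate users fail logins routinely. The account names, the `key=value` log format and the log lines are all constructed for the example.

```python
"""Zero-baseline detection on honeytoken accounts vs thresholded detection on real ones.

Added example (not from the post). Account names, log format and log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Dict

# Constructed: accounts that exist only as bait. No person or process should ever
# authenticate as them, so any touch is a finding with no baseline to learn first.
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "jsmith_admin"}

# Constructed/assumed: a real-account rule needs a threshold because users mistype
# passwords all the time; below this count a failure is just noise.
FAILED_LOGIN_THRESHOLD = 5


@dataclass(frozen=True)
class Alert:
    account: str
    reason: str
    confidence: str  # "high" for honeytoken hits, "medium" for threshold rules


def parse_auth_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed 'ts=... user=... result=... src=...' line.

    Returns None for lines that are not in that shape, so malformed input is skipped
    rather than crashing the detector.
    """
    parts = line.strip().split()
    if len(parts) < 4 or not parts[0].startswith("ts="):
        return None
    fields: Dict[str, str] = {}
    for part in parts:
        key, _, value = part.partition("=")
        fields[key] = value
    if not all(k in fields for k in ("ts", "user", "result", "src")):
        return None
    return fields


def detect(lines: List[str]) -> List[Alert]:
    """Run both rules over the lines, returning alerts in the order they fire."""
    alerts: List[Alert] = []
    failures: Counter = Counter()            # failed logins per real account
    seen_honeytoken = set()                   # (account, src) pairs already alerted
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        user, result, src = ev["user"], ev["result"], ev["src"]
        if user in HONEYTOKEN_ACCOUNTS:
            # Zero baseline: success or failure does not matter, the first touch is enough.
            key = (user, src)
            if key not in seen_honeytoken:
                seen_honeytoken.add(key)
                alerts.append(Alert(user, f"honeytoken account used from {src} ({result})", "high"))
            continue
        if result == "fail":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert(user, f"{FAILED_LOGIN_THRESHOLD} failed logins", "medium"))
    return alerts


# Constructed sample log: alice makes one typo (normal noise), bob crosses the
# threshold, a honeytoken account is tried twice from one host, one line is garbage.
SAMPLE_LOG = [
    "ts=2019-05-01T08:00:01Z user=alice result=ok src=10.0.0.5",
    "ts=2019-05-01T08:00:07Z user=alice result=fail src=10.0.0.5",
    "ts=2019-05-01T08:01:00Z user=bob result=fail src=10.0.0.9",
    "ts=2019-05-01T08:01:02Z user=bob result=fail src=10.0.0.9",
    "ts=2019-05-01T08:01:04Z user=bob result=fail src=10.0.0.9",
    "ts=2019-05-01T08:01:06Z user=bob result=fail src=10.0.0.9",
    "ts=2019-05-01T08:01:08Z user=bob result=fail src=10.0.0.9",
    "ts=2019-05-01T08:02:00Z user=svc_backup_legacy result=fail src=10.0.0.77",
    "ts=2019-05-01T08:02:01Z user=svc_backup_legacy result=fail src=10.0.0.77",
    "malformed line that should be skipped",
]


def run_sample() -> List[Alert]:
    """Convenience entry point so the module can be run directly."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.confidence}] {alert.account}: {alert.reason}")
```

Running it yields two alerts: a medium-confidence one for `bob` only after the fifth failure, and a single high-confidence one for `svc_backup_legacy` on its first touch, with the repeat from the same host suppressed. The honeytoken rule needs no tuning and no learning period, which is the practical content of the “less noise” argument; the real-account rule is the one that needs a threshold and still lets alice's single typo through as expected.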