Friday, September 30, 2016

From my Gartner Blog - Deception as a Feature

One of the things we are also covering as part of our research on deception technologies is the inclusion of deception techniques as features in other security products. There are many solutions that could benefit from honeypots and honeytokens to increase their effectiveness: SIEM, UEBA, EDR, WAF, and others. We’ve been tracking a few cases where vendors added those features to their products and you can expect to see a few examples in our upcoming research.

Now, let’s explore this a bit further. The “pure deception” technologies market is still very incipient and not large in terms of revenue. The average ticket for this new pack of vendors is still small when compared to the cost of other security technologies, which makes me wonder whether it is a viable market for more than a couple of niche players. I don’t doubt there is a market, but it might not become big enough to accommodate all the vendors that are popping up every week.

Lawrence Pingree recently said, “deception is a new strategy that security programs can use for both detection and response”, and I certainly agree with him. My question then is: if deception keeps growing as an important component of security programs, will we see organizations adopting it via additional features of broader-scope security solutions, or will they necessarily have to buy (or build) exclusive platforms for it?

In the future, will we see organizations buying “deception products” or adding deception questions to their security products RFPs?

The post Deception as a Feature appeared first on Augusto Barros.

from Augusto Barros

Tuesday, September 27, 2016

From my Gartner Blog - Building a Business Case for Deception

So we’ve been working on our deception technologies research (have we mentioned we want to hear YOUR story about how YOU are using those?) and one of the things we are trying to understand is how organizations are building business cases for deception tools. As Anton said, most of the time deception will be seen as a “nice to have”, not a “must have”. With so many organizations struggling to get money for the musts, how would they get money for a should?

Anton mentioned two main lines to justify the investment:

  1. Better threat detection
  2. Better (higher quality) alerts

In general, most arguments will support one of the two points above. However, I think we can add some more:

– More “business aligned” detection: with all these vendors doing things such as SCADA and SWIFT decoys, it looks like one of the key ideas to justify deception tools is the ability to make them very aligned to the attacker motivations. However, in the end, isn’t that just one way of supporting #1 above?

– Cheap (ok, “less expensive”) detection: most of the products out there are not as expensive as other detection technologies, and certainly are cheaper when you consider the TCO – Total Cost of Ownership. They usually cost less from a pure product price point of view and also require less gear/staff to operate. This is, IMO, the #3 on the list above, but could also be seen as an expansion of #2 (high quality alerts -> less resources used for response -> less expensive).

– Less friction or reduced risk of issues: Some security technologies can be problematic to implement, but it’s hard to break anything with deception tools; organizations that are too sensitive about messing with production environments might see deception as a good way to avoid unnecessary risks of disruption. I can see this as an interesting argument for IoT/OT (sensitive healthcare systems, for example). Do we have a #4?

– Acting as an alternative control: This is very similar to the point above. Some organizations will have issues where detection tools relying on sniffing networks, receiving logs or installing agents just cannot be implemented. Think situations like no SPAN ports or taps available/desirable, legacy systems that don’t generate events, performance bottlenecks preventing the generation of log events or installation of agents, etc. When you have all those challenges and still want to improve detection, what do you do? Deception can be the alternative to not doing anything. This looks like a strong #5 to me.

– Diversity of approaches: This is a bit weak, but it makes some sense. You might have many detection systems at network and endpoint level, but you’re still looking for malicious activity among all the noise of normal operations. Doesn’t it just make sense to have something that approaches the problem differently? I know it’s quite a weak argument, but surprisingly I believe many attempts to deploy deception tools start based on this idea. At least for me it is worth a place on the list.

With all these we have a total of 6 points that could be used to justify an investment in deception technologies. What else do you see as a compelling argument for that? Also, how would you compare these tools to other security technologies if you only have resources or budget to deploy one of them? When does deception win?
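To make points #1 and #2 above (better detection, higher-quality alerts) and the “deception as a feature of a SIEM” idea from the earlier post concrete, here is an added example that is not from the original post or from any vendor’s product. It runs two detection rules over the same constructed log lines: a conventional threshold rule on failed logins, and a deception rule that fires on any use of a honeytoken account or any connection to a decoy host, success or failure. The account name, host name and log lines are all hypothetical.

```python
"""Honeytoken/decoy detection as a SIEM-style rule, next to a conventional threshold rule.

Added example: all names, decoys and log lines below are constructed for illustration.
"""
import re
from collections import Counter

# Hypothetical decoys: an account seeded into a config file that no legitimate
# process ever uses, and a file server that hosts nothing real. Any touch of
# either is suspicious by construction, which is what makes the alert high quality.
HONEYTOKEN_USERS = {"svc_backup_ro"}
DECOY_HOSTS = {"fs-archive02"}

# Constructed sample log lines (not real logs): a user fumbling a password four
# times, then one successful use of the decoy account and one connection to the
# decoy host from a different source address.
SAMPLE_LOGS = """\
2016-09-27T10:01:03Z host=db01 event=auth_failure user=jdoe src=10.0.1.15
2016-09-27T10:01:09Z host=db01 event=auth_failure user=jdoe src=10.0.1.15
2016-09-27T10:01:15Z host=db01 event=auth_failure user=jdoe src=10.0.1.15
2016-09-27T10:01:22Z host=db01 event=auth_failure user=jdoe src=10.0.1.15
2016-09-27T10:01:30Z host=db01 event=auth_success user=jdoe src=10.0.1.15
2016-09-27T10:14:41Z host=db01 event=auth_success user=svc_backup_ro src=10.0.9.77
2016-09-27T10:15:02Z host=fs-archive02 event=smb_connect user=jsmith src=10.0.9.77
2016-09-27T10:20:00Z host=web01 event=auth_success user=asmith src=10.0.2.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse key=value log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def threshold_rule(events, max_failures=3):
    """Conventional rule: N or more auth failures from one source address.

    Fires on the legitimate user who mistyped a password and misses the single,
    successful use of the decoy account.
    """
    failures = Counter(e["src"] for e in events if e["event"] == "auth_failure")
    return sorted((src, n) for src, n in failures.items() if n >= max_failures)


def deception_rule(events, users=HONEYTOKEN_USERS, hosts=DECOY_HOSTS):
    """Deception rule: any event that names a honeytoken account or a decoy host.

    Outcome does not matter (a failed login with the decoy account is just as
    interesting as a successful one), so there is no threshold to tune.
    """
    return [e for e in events if e["user"] in users or e["host"] in hosts]


def sources_touching_decoys(events):
    """Group deception hits by source address, the pivot an analyst would start from."""
    return dict(Counter(e["src"] for e in deception_rule(events)))


def run(raw=SAMPLE_LOGS):
    """Apply both rules to the raw log text and return their alerts side by side."""
    events = parse(raw.splitlines())
    return {
        "threshold": threshold_rule(events),
        "deception": deception_rule(events),
        "by_src": sources_touching_decoys(events),
    }


if __name__ == "__main__":
    result = run()
    print("threshold rule alerts:", result["threshold"])
    for e in result["deception"]:
        print("deception hit:", e["ts"], e["src"], e["user"], e["host"], e["event"])
    print("sources touching decoys:", result["by_src"])
```

The threshold rule produces one alert, and it is the false positive (10.0.1.15, a user who forgot a password); the deception rule produces two hits, both from 10.0.9.77, with zero legitimate events matching because nothing legitimate is supposed to know those names. That asymmetry is the whole argument for #2: the alert quality comes from the decoy, not from the analytics around it, which is also why it is cheap to add to an existing SIEM rather than needing a separate platform.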

Again, let us hear your stories!

The post Building a Business Case for Deception appeared first on Augusto Barros.


Tuesday, September 13, 2016

From my Gartner Blog - New Research: Deception Technologies!

With the work on our upcoming SOC paper and on the TI paper refresh winding down, we are preparing to start some exciting research in our new project: Deception Technologies!

We’ve been blogging about this for some time, but the time to do some structured research on the topic has finally come. There are many vendors offering some interesting technology based on deception techniques, and we can see increased interest from our clients on the topic. Our intent is to write an assessment of the technologies and how they are being applied by organizations.

An interesting question to ponder is when an organization should adopt deception techniques. I briefly touched on this in my last post about the topic, but I need to expand on that as part of this research. For instance, when should an organization start deploying deception techniques? How to decide, for example, when to invest in a distributed deception platform (DDP) instead of in another security technology? Also, when does it make sense to divert resources and effort to deception from other initiatives? It’s clear that an organization shouldn’t, for example, start deploying a DDP before doing a decent job on vulnerability management; but when you consider more recent technologies or things deployed by more mature organizations, such as UBA: does it make sense to do deception before that? How should we answer that question? Those are some of the questions we’ll try to answer with this research.

Of course, the vendors have been very responsive and willing to brief us on their products, but it’s also important for us to see things from the end user perspective. So, if you are using deception technologies, let us know!

The post New Research: Deception Technologies! appeared first on Augusto Barros.
