GartnerSEC 2017 - Applying Deception For Threat Detection and Response - Augusto Barros
Summit 2017
12 – 15 June 2017 / National Harbor, MD
[Figure (source: Cymmetria): deception platform architecture. An attacker crosses the firewall into a network in which a deception management server provisions decoys and a decoy server and plants lures on the endpoints (workstations and servers); alerts from the decoys are forwarded to the SIEM. The slide also lists the dimensions on which deployments are compared: resource requirements, learning environment, characteristics, lures and breadcrumbs, management and deployment.]
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.
Other Deception Options
Honeytokens
Free/Open Source
– Honeyd
– Modern Honey Network (MHN)
– Conpot
– HoneyDrive
– MazeRunner Community Edition
– Domain Controller Enticing Password Tripwire (DCEPT)
Other vendors:
– LogRhythm
– Microsoft
– Rapid7
– GuardiCore
– vArmour
[Screenshots shown on the slide: source Microsoft; source Rapid7.]
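The honeytoken idea above (and the DCEPT entry in the list) comes down to one rule: seed a credential that no legitimate process ever uses, then alert on any authentication that names it. The script below is an added example for this page, not code from DCEPT, Cymmetria, Microsoft or any other vendor listed; the decoy account names, hosts, IP addresses and the event records are constructed and hypothetical, and the records only mimic the field names of Windows Security events 4624/4625/4768/4771 as a SIEM would export them in JSON.

```python
"""Honeytoken credential tripwire: decoy account names that no legitimate
process ever uses, so any authentication event naming one is an alert.

Added example for this page, not code from any tool or vendor named on it.
The decoy accounts, hosts, IPs and event records are constructed and
hypothetical; the records only mimic the field names of Windows Security
events 4624/4625/4768/4771 as a SIEM would export them in JSON.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical decoy accounts and where each lure was planted. A real
# deployment keeps this inventory out of the SOC's view (need to know).
HONEYTOKEN_ACCOUNTS: Dict[str, str] = {
    "svc_backup_admin": "cached credential seeded on WS-0042",
    "da_jsmith2": "plaintext in \\\\fs01\\it\\legacy\\deploy.bat",
}

# Security event IDs that mean a credential was presented to a DC or host.
AUTH_EVENT_IDS = {
    4624: "logon success",
    4625: "logon failure",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
}


@dataclass
class TripwireAlert:
    account: str
    event_id: int
    source_ip: str
    host: str
    placement: str
    severity: str


def normalize_account(name: str) -> str:
    """Reduce DOMAIN\\user, user@domain and mixed case to a bare lowercase name."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def check_event(event: dict) -> Optional[TripwireAlert]:
    """Return an alert if the event presents a decoy credential, else None."""
    event_id = int(event.get("EventID", 0))
    if event_id not in AUTH_EVENT_IDS:
        return None
    account = normalize_account(event.get("TargetUserName", ""))
    if account not in HONEYTOKEN_ACCOUNTS:
        return None
    # Failures are the expected signal: the planted password is fake, so any
    # attempt means someone harvested the lure. A success means the decoy
    # credential actually worked, which is worse and should be escalated.
    severity = "critical" if event_id == 4624 else "high"
    return TripwireAlert(
        account=account,
        event_id=event_id,
        source_ip=event.get("IpAddress", "-"),
        host=event.get("Computer", "-"),
        placement=HONEYTOKEN_ACCOUNTS[account],
        severity=severity,
    )


def scan_events(events: List[dict]) -> List[TripwireAlert]:
    """Run the tripwire over a batch of exported events (e.g. one SIEM query)."""
    return [a for a in (check_event(e) for e in events) if a is not None]


def pivot_sources(alerts: List[TripwireAlert]) -> Dict[str, List[str]]:
    """Group hits by source IP: the machine presenting a decoy credential is
    where the attacker has a foothold, so that host is the sweep's first stop."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for a in alerts:
        by_ip[a.source_ip].append(f"{a.account} ({AUTH_EVENT_IDS[a.event_id]})")
    return dict(by_ip)


# Constructed sample export: one benign logon, then three uses of the lures.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.1.2.3", "Computer": "DC01"},
    {"EventID": 4771, "TargetUserName": "svc_backup_admin", "IpAddress": "10.1.5.77", "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "CORP\\da_jsmith2", "IpAddress": "10.1.5.77", "Computer": "FS01"},
    {"EventID": 4624, "TargetUserName": "SVC_BACKUP_ADMIN@corp.local", "IpAddress": "10.1.5.77", "Computer": "WS-0042"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
    print(pivot_sources(scan_events(SAMPLE_EVENTS)))
```

The design point is that there is no behavioural baseline to learn: because the decoy accounts have no legitimate use, even a single Kerberos pre-authentication failure is a high-confidence hit, which is what makes this cheaper to run than UEBA or NTA on the same network.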
But still ... why?
Isn't it just another "nice to have"?
Low friction:
– Usually lower implementation effort when compared
to other threat detection technologies (e.g., UEBA, NTA)
Technical or economic limitations for other
detection methods:
– Internet of Things (IoT) assets, SCADA, medical devices, nontraditional
vulnerable devices
– Wide, distributed networks
– Networks with encrypted traffic
Different Organizations:
– Financial Institutions: First Midwest Bancorp (TopSpin Security), Chicago
Trading Company (TopSpin Security)
– Manufacturers: Marvell (Attivo Networks)
– Retail: Home Depot
– Healthcare and Insurance: Aflac (Attivo Networks), John Muir Health (TrapX
Security), Delta Dental (Javelin)
– Governments: the Israel National Cyber Security Authority includes deception in
its overall cybersecurity strategy
Threat detection with less friction or less risk of issues
Reduce overall detection cost
[Figure: two-axis chart with "Deceit Difficulty" running from Lower to Higher on both axes.]
Alerts from the deception tool should be included in the standard alert
response process:
– Some organizations skip standard alert triage and go straight into incident
response mode due to the "high confidence" profile of the alerts
If insider threats from security operations teams are a concern:
– Obfuscate the alert source
– Limit the visibility of the deception deployment to a "need to know" basis
Review incidents for any clues that the attackers were aware of
decoys. Use that information to improve and tune the deployment.
If high-interaction decoys are being used:
– Use your deception system as an internal threat intelligence source.
– Integrate it with a process that sweeps all production systems for the same
indicators (for example, by using EDR tools).
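The recommendations above describe one pipeline: a decoy session yields indicators, those indicators are swept across production endpoints, and the result enters the standard alert process, with the decoy origin hidden if insiders on the security team are in scope. The script below is an added example of that pipeline for this page, not the code of any deception or EDR product; the decoy alert, the EDR-style telemetry, and every hostname, IP address, hash, domain and command line in it are constructed and hypothetical, and the JSON field names are a generic shape rather than any vendor's schema.

```python
"""From a high-interaction decoy session to a sweep of production endpoints.

Added example for this page, not the code of any deception or EDR product.
The decoy alert and the EDR-style telemetry are constructed; every hostname,
IP, hash, domain and command line is hypothetical, and the field names are
a generic JSON shape rather than any vendor's schema.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed hash for the binary the attacker dropped on the decoy.
DROPPED_SHA256 = "a3f1" * 16

# Constructed alert as a decoy platform might export it after an attacker
# interacted with a high-interaction decoy file server.
DECOY_ALERT = {
    "decoy_host": "decoy-fs-03",
    "attacker_ip": "10.1.5.77",
    "credential_used": "svc_backup_admin",
    "files_dropped": [{"name": "update.exe", "sha256": DROPPED_SHA256.upper()}],
    "commands": [
        "whoami /all",
        'net group "domain admins" /domain',
        "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    ],
    "dns_queries": ["cdn-update-check.example"],
}

# Constructed EDR export from production hosts (process, DNS, network events).
EDR_EVENTS = [
    {"host": "WS-0042", "type": "process", "sha256": DROPPED_SHA256, "cmdline": "C:\\Users\\Public\\update.exe"},
    {"host": "WS-0042", "type": "dns", "query": "cdn-update-check.example"},
    {"host": "FS01", "type": "netconn", "remote_ip": "10.1.5.77", "remote_port": 445},
    {"host": "WS-0100", "type": "process", "sha256": "00" * 32, "cmdline": "notepad.exe"},
    {"host": "WS-0200", "type": "process", "sha256": "11" * 32,
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
]


def extract_indicators(alert: dict) -> Dict[str, Set[str]]:
    """Pull sweepable indicators out of the decoy session.

    Generic recon such as "whoami" is deliberately not used as an indicator:
    it would match administrators and break the high-confidence profile of
    the alert. Only the encoded PowerShell command line is distinctive enough.
    """
    return {
        "sha256": {f["sha256"].lower() for f in alert["files_dropped"]},
        "domain": {d.lower() for d in alert["dns_queries"]},
        "ip": {alert["attacker_ip"]},
        "cmdline": {c for c in alert["commands"] if " -enc " in c.lower()},
    }


def sweep(events: List[dict], iocs: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Match every production event against the indicators; return hits per host."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        kind = e["type"]
        if kind == "process":
            if e.get("sha256", "").lower() in iocs["sha256"]:
                hits[e["host"]].append(f"sha256:{e['sha256'].lower()}")
            if e.get("cmdline") in iocs["cmdline"]:
                hits[e["host"]].append("cmdline:encoded-powershell")
        elif kind == "dns" and e["query"].lower() in iocs["domain"]:
            hits[e["host"]].append(f"dns:{e['query']}")
        elif kind == "netconn" and e["remote_ip"] in iocs["ip"]:
            hits[e["host"]].append(f"netconn:{e['remote_ip']}:{e['remote_port']}")
    return dict(hits)


def build_ticket(alert: dict, hits: Dict[str, List[str]], obfuscate_source: bool = True) -> dict:
    """Hand the result to the normal alert process rather than a special path.

    With obfuscate_source=True the ticket does not reveal that a decoy fired,
    which matters if insiders on the security team are in the threat model.
    """
    return {
        "source": "internal sensor" if obfuscate_source else f"decoy {alert['decoy_host']}",
        "confidence": "high",
        "queue": "standard-triage",
        "foothold_ip": alert["attacker_ip"],  # the host that touched the decoy; sweep it first
        "affected_hosts": sorted(hits),
        "evidence": hits,
    }


if __name__ == "__main__":
    found = sweep(EDR_EVENTS, extract_indicators(DECOY_ALERT))
    print(build_ticket(DECOY_ALERT, found))
```

Two things to note when adapting this: the attacker's source address is itself an indicator of the foothold, so the host behind it belongs in the sweep even if no file or command matches there; and a production hit on the dropped binary means the decoy session was not the first step of the intrusion, which is exactly the clue the review step above asks you to look for.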
The above research is from the Gartner for Technical Professionals Research Library. For more information,
please visit the Gartner Research Zone or visit http://www.gartner.com/technology/research/technical-professionals.jsp