Hiding in Plain Sight: How to Operationalize Deception for Security Teams


Honeypots.
Just those three syllables are enough to cause instant nausea in a cyber security professional. Why? Honeypots are hard to operationalize into an effective, easy to use and consistent defense. But times are changing with the proliferation of deception technologies (Gartner tracked 16 vendors in a September 2016 report). Can deception be easily rolled into a cyber security defense?
The problem so far has been properly operationalizing deception. Implementing it is a lot of work. Today's deception approaches, like camouflage in the physical world, rely on consistent surroundings for concealment. When soldiers wear camouflage for snow, the desert or a forest and the surroundings remain constant, you're fine. But ascend from the forest to a snowy mountaintop and, unless you can rapidly change, you're exposed. Every IT environment constantly changes. If deception can't adapt like a chameleon, it's useless. That's Deception 1.0.
Enterprises need something that morphs. Modern deception must update dynamically with the environment being protected. For example, can your deception technology detect and recognize that you just updated a Linux installation? That's Deception 2.0.
That's the defense philosophy behind Deception 2.0. But the question is: how do security teams make deception deployable and effective? It has to be easy. And we mean dirt effing simple. A no brainer, easy as pie or any other appropriate idiom. A recent report found that enterprises average 17,000 malware alerts per week, so it's a safe bet that alert number 17,001 won't be investigated. In such an environment, deception must be operationalized quickly, easily and with tremendous impact. How would that look? It should meet several key business, technical and usability criteria.
Technically, one should learn from the mistakes of many of today's security vendors who have built products with long deployments and complex configurations. Deception tools must be able to:

  • Hide in plain sight. For a deception solution, this tops the list. How does this work? A deception technology needs some machine learning to understand and conform to your ever-evolving organization. By implication, this also means deception should be autonomous: the tool runs on its own, no tuning required.
  • Deploy within minutes. The tool is deployed easily and then left to learn your environment. Once installed, the deception tool provides a list of recommendations within just a few hours. The UI says "here's what you should do."
  • Integrate with other security tools: Most security teams have their favorite tools of choice. At a minimum, a deception tool quickly integrates into your ecosystem.

From a usability perspective, security tools should:

  • Fit into your current workflow. Rather than doing health checks every morning in a separate UI, an alert from a deception system should go into whatever event monitoring tool you've got deployed.
  • Enhance productivity. Deception, with its attack visibility, can help tune, for example, Splunk logs and reduce alerts. At the end of the day, you have a secondary, more reliable tool to understand if something is true or false, reducing alert fatigue. This also means accelerated investigations with improved breach response and visibility as well as augmenting the ROI from other security tools.

Lastly, and most importantly, does the deception tool help the business? It should have a clear, quantifiable impact that allows the security team to stand in front of the CEO and say, "here's how we reduced risk."

  • Stops data/IP loss. The name of the game; enough said.
  • Reduces time to discovery. We all know the stats: dwell times are long, often starting around the Mesozoic Era. As security professionals, compressing this time is critical for many reasons. For example, you have a better idea of who did it. What were they after? What did an employee click on?
  • Improves executive awareness and understanding. With security in the headlines almost daily, C-levels often ask, "Are we safe from [insert name of whatever spooky attack group a vendor's marketing geek came up with]?" You want to respond, "Yes, and here's how we kept them out. Also, we are aware of their attack methods and what they're hoping to do." In other words, the tool should help show that your team has its act together.

Deception, if done properly, can be a transformational shift in security strategy. By duping attackers and decreasing the attack surface, more of the burden of effort shifts back to the attacker. To succeed, deception efforts need to be inexpensive and usable by any enterprise, large or small, well staffed or under staffed. Today, many Deception 1.0 technologies are on premise and focus on large, well-established companies. But deception should become foundational, a cornerstone of everyone's security strategy. If anyone tells you that an expensive, professional-services-heavy deployment is required, don't be deceived.