Illusive Blog June 25, 2020

Deception Platforms Positioned in the Peak of Inflated Expectations on the Gartner Hype Cycle for Security Operations, 2020

We’re excited to share that Gartner’s latest Hype Cycle for Security Operations, 2020 – available here to Gartner subscribers – has positioned Deception Platforms in the Peak of Inflated Expectations on the Hype Cycle. According to the report, “security operations technologies and services defend IT systems from attack through the identification of threats and exposure to vulnerability, enabling effective response and remediation. The innovations included here aim to help security and risk management leaders enhance their strategy.”

At Illusive, we generally like to get out of the way and let our success do the talking. We’ve always been singularly focused on stopping attack movement. We do that by creating a hostile environment for attackers – first by removing their ability to live off the land when attempting to move laterally, then by surrounding them with false information that disorients them, and finally by delivering real-time precision forensics to defenders to speed a response to them.

As attackers ran rampant during the current crisis, we doubled down. Other security technologies based on activity or behavior have struggled with the ‘new no normal,’ but Illusive is seeing consistent growth despite, or maybe because of, these recent global changes. We’re helping protect all kinds of organizations, from the world’s largest enterprises to critical national infrastructure, and even small shops with a single IT resource wearing multiple hats from helpdesk agent to SOC analyst.

When you stop to think about it, every attack is a form of deception. A fake email, a disguised payload, a stolen credential – it’s all meant to trick victims into handing over something valuable. Attackers have long held the deception advantage – they could try every trick in the book without consequence, while defenders had a limited set of tools to react and respond without ever having the option of being wrong lest an attack get through. Before modern deception, one mistaken move by the defender against this swarm of deceptive attack vectors meant disaster. Now that equation is flipped. Any wrong move by the attacker gets them caught. Now attackers are the ones that need to sweat every decision they make!

I’d strongly urge you to read the full report, which covers many other innovative technologies. Here are just a few of what we believe are the key points raised by Gartner’s Gorka Sadowski and Rajpreet Kaur in the Deception Platforms section of the report.

“Modern deception platforms are not to be confused with honeypot systems of the past, as analytics and automation methods make them easier to deploy, manage and get value from.”

Today’s distributed deception platforms turn every endpoint into a trap. Anywhere the attacker lands is flush with danger. Classic honeypots from decades past may have some limited use for gathering advanced threat intelligence (though let’s be honest – sophisticated attackers have gotten very good at sidestepping them). The goal of modern deception is to stop attacker movement, and honeypots don’t.

“Deception platforms offer high-fidelity artifacts (e.g., decoys, lures or honeytokens) that look real and useful, but are fake and created only for attackers to touch and engage with. These artifacts should not be interacted with — hence almost zero false positives — but attackers are statistically bound to trigger one as they perform lateral movement in organizations.”

There is no reason on earth for anyone legitimate to interact with a well-crafted deception. Only users with bad intent will find and use them on the underside of the network, where regular employees would never have a reason to look for them. As soon as an attacker engages a deception, organizations get an instant high-fidelity, top-priority notification that is almost certainly a malicious intruder or insider attempting something nefarious.
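The property described above, that a planted artifact has no legitimate user so any touch is a high-fidelity alert, is easy to see in code. The following is an added example, not Illusive's product code or anything from the Gartner report: it plants two decoy account names and one decoy file share (all constructed, hypothetical values), scans a constructed log stream, and raises an alert only when an event references one of the planted artifacts.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Planted deception artifacts: constructed, hypothetical names. They exist in
# no business process, so any event that references them is suspect by design.
HONEY_ACCOUNTS = {"svc_backup_legacy", "admin_dr_test"}
HONEY_SHARES = {r"\\fs01\finance_archive"}

@dataclass(frozen=True)
class Alert:
    host: str       # endpoint on which the deception was touched
    artifact: str   # which planted artifact was used
    kind: str       # "honey-credential" or "honey-share"
    line: str       # the raw log line, kept as evidence for the responder

# Constructed log formats, loosely modelled on logon and share-access events.
LOGON_RE = re.compile(r"logon\s+\S+\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)")
SHARE_RE = re.compile(r"share\s+access\s+path=(?P<path>\S+)\s+user=\S+\s+host=(?P<host>\S+)")

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the event touches a honeytoken, otherwise None."""
    m = LOGON_RE.search(line)
    if m and m.group("user").lower() in HONEY_ACCOUNTS:
        return Alert(m.group("host"), m.group("user"), "honey-credential", line)
    m = SHARE_RE.search(line)
    if m and m.group("path").lower() in HONEY_SHARES:
        return Alert(m.group("host"), m.group("path"), "honey-share", line)
    return None  # ordinary activity never matches: no alert, no false positive

def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the check over a log stream; every hit is a top-priority alert."""
    return [a for a in map(check_line, lines) if a is not None]

# Constructed sample log: normal activity with two deception touches mixed in.
SAMPLE_LOG = [
    "2020-06-25T08:01:10 logon success user=jsmith host=WS-0412",
    "2020-06-25T08:03:44 share access path=\\\\fs01\\hr user=jsmith host=WS-0412",
    "2020-06-25T08:09:02 logon failure user=svc_backup_legacy host=WS-0412",
    "2020-06-25T08:09:30 share access path=\\\\fs01\\finance_archive user=jsmith host=WS-0412",
    "2020-06-25T08:11:15 logon success user=mlee host=WS-0587",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[HIGH] {alert.kind} {alert.artifact!r} touched on {alert.host}: {alert.line}")
```

Note that the decoy-share hit is attributed to a real account (jsmith), which is exactly the signal a defender wants: either that user is an insider or their credential is already in an attacker's hands on WS-0412.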

In the report, Gartner recommends that you “evaluate deception platforms based on your maturity level. Low-maturity organizations not equipped to manage solutions such as SIEMs could find value in deception platforms as their main detection tool. Medium-maturity organizations already equipped with SIEM, EDR and NDR solutions should look at deception platforms as a complement to detect attacker movements inside your environment (for example, to detect stolen-data staging, lateral movements and internal reconnaissance). High-maturity, forward-leaning organizations should look at deception platforms for advanced use cases such as generation of local threat intelligence.”

Modern deception, when done right, doesn’t rely on agents to provide security. IoT, OT and network systems are almost impossible to secure with agents anyway, so deception provides easy-to-install emulations that mimic these devices. These emulations solve the exceptionally challenging problem of securing what have historically been considered “insecurable” systems. To cite just one example, while you can’t load security software on a CAT scan machine, you can surround it with hundreds or thousands of emulated devices that look exactly like those CAT scan machines. As soon as the attacker inevitably touches any of those deceptive CAT scanners, organizations have all the intelligence they need to kick them out, far from any crown jewels they had hoped to move towards.

We have much more work to do, but in our opinion, being recognized as a Sample Vendor by Gartner is an important step towards ensuring every organization at risk of a cyberattack understands the transformational defensive value of modern deception.

Gartner “Hype Cycle for Security Operations, 2020,” Pete Shoard, 23 June 2020

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

View Illusive’s on-demand webinar, Faster Incident Investigation with Forensics-on-Demand, where we show how Illusive forensics can increase SOC efficiency and accelerate incident investigation.