Illusive Blog May 9, 2019

Improve Security Operation Center Efficiency with Deception

By Beth Ruck

It’s no secret that SOCs are overwhelmed. Many organizations are under constant attack, but SOC teams are so barraged by alerts that they can’t separate real attacks from noise. If you missed our webinar with Forrester, Improving SOC Efficiency with Deception, watch it here. Learn how a deception technology approach can end the nonstop “hamster wheel” reaction cycle and significantly boost both incident response (IR) capabilities and the overall productivity of security operations teams.

Expense in depth

Most Security Operations Centers (SOCs) are saturated with security technologies. Intended to enable “defense-in-depth,” they tend to become what Forrester Principal Analyst J.B. Blankenship referred to in the webinar as “expense-in-depth.” They generate piles of alerts by matching malware signatures, flagging rule violations and threshold exceptions, or spotting patterns, sequences and anomalies: signs that something bad may be happening, but rarely proof that it is.

These indicators then require some sort of examination or validation process before anyone knows what’s worth escalating. SOC teams must sift through millions of (hopefully) benign alerts to find and prioritize the few that warrant further investigation. For verified incidents, they then collect data from multiple tools to piece together a picture of what actually happened, which can take weeks or months. By then, in a true attack, the attacker may be well entrenched in the network or may already have exfiltrated data.

Incident response: a weak link

For all the resources invested, the typical incident responder still worries about which important alerts they may have missed. As one survey after another shows, the process suffers from a shortage of skilled security personnel, a lack of real-time forensic data, and an inability to accurately assess business risk.

Respondents to a recent Ponemon survey were asked to rate their ability to use forensic data to analyze and investigate incidents. Only 25 percent rated their organizations at 7 or more on a scale of 1 to 10.[1]

Figure 2 below shows that the second most-cited obstacle to incident response is an inability to prioritize incidents based on potential business impact. Without knowing which incident poses the biggest threat to critical “crown jewels,” teams can spend valuable time on non-critical incidents instead of applying scarce expertise where it’s needed most.

Figure 2. Which of the following are obstacles to your organization’s ability to effectively respond to cyberattacks?

Continuing to use the same tools and processes perpetuates the endless cycle of reactive response. As long as the primary detection method is finding potential indicators, the SOC stays on a “hamster wheel”: there are never enough skilled people to sort through the noise, and the team never has confidence that it is really getting the job done.

Stop, Swap, and Roll

With deception, you can turn the incident model upside down. Deception technologies tell you in real time when an attacker is actually doing something, that is, when a human is making decisions about how to probe the environment and attempting lateral movement. These alerts are high-fidelity because they are triggered by fake data residing on endpoints (planted decoy credentials, connections and files) that no legitimate user or process has any reason to touch; and because the decoys sit on the endpoints themselves, the alert is generated near “Patient Zero.” Responders know to prioritize these alerts immediately, and they get essential decision-making context that provides:

  1. A wealth of precise forensic data collected directly from where the attacker is operating;
  2. Knowledge of where in the network the attacker is positioned, and how many “hops” they are from privileged credentials and “crown jewels.”
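The two items above describe a triage flow: a decoy credential is used, the alert identifies the host the attacker is operating from, and the distance from that host to the crown jewels decides the order of response. The following Python is an added illustration of that flow, not Illusive’s code and not taken from the webinar or the Ponemon report. It assumes a simplified pipe-separated logon record format, a set of constructed decoy account names, and a constructed lateral-movement graph in which an edge from host X to host Y means that credentials reachable on X grant a logon to Y; all of these names and data are invented for the example.

```python
"""Honeytoken triage: flag logon events that use decoy accounts, then rank the
alerts by how many lateral-movement hops the source host is from crown-jewel
assets. All data below is constructed for this example."""
from collections import deque

# Decoy ("honeytoken") account names planted on endpoints. Constructed names;
# a real deployment would use its own, ideally unique per endpoint so that the
# account name alone identifies the host the credential was harvested from.
DECOY_ACCOUNTS = {"svc_backup_admin", "fin_share_ro"}

# Constructed logon events in a simplified format:
#   event_id|source_host|account|target_host
# 4624 = successful logon, 4625 = failed logon (Windows Security log IDs).
SAMPLE_EVENTS = [
    "4624|ws-042|jdoe|ws-042",
    "4625|ws-042|svc_backup_admin|fileserver-hr",
    "4624|ws-200|asmith|ws-200",
    "4624|ws-117|fin_share_ro|fileserver-fin",
    "4625|ws-200|asmith|ws-200",
]

# Constructed lateral-movement graph: an edge X -> Y means credentials reachable
# from X (cached logons, config files, shares) grant a logon to Y.
ACCESS_GRAPH = {
    "ws-042": ["fileserver-hr"],
    "fileserver-hr": ["ws-117"],
    "ws-117": ["fileserver-fin", "jump-01"],
    "jump-01": ["dc01"],
    "ws-200": [],
}

# Assets whose compromise is the attacker's likely objective (constructed).
CROWN_JEWELS = {"fileserver-fin", "dc01"}


def parse_event(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    event_id, src, account, dst = parts
    return {"event_id": event_id, "src_host": src, "account": account, "dst_host": dst}


def honeytoken_alerts(lines, decoys=DECOY_ACCOUNTS):
    """Return every event that uses a decoy account.

    A decoy account has no legitimate user, so a failed logon (4625) is just as
    significant as a successful one: nobody but someone who harvested the
    planted credential has any reason to try it. The attacker's position is the
    source host, where the decoy was picked up, not the target of the attempt.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["account"] in decoys:
            alerts.append(ev)
    return alerts


def hops_to_crown_jewels(graph, start, targets):
    """Breadth-first search: minimum number of lateral moves from `start` to any
    target asset, or None if the graph has no path from `start` to a target."""
    if start in targets:
        return 0
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        host, dist = queue.popleft()
        for nxt in graph.get(host, []):
            if nxt in targets:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def triage(lines, graph=ACCESS_GRAPH, targets=CROWN_JEWELS):
    """Honeytoken alerts ordered so the attacker closest to the crown jewels is
    investigated first; hosts with no known path to a target sort last."""
    ranked = []
    for ev in honeytoken_alerts(lines):
        ev["hops"] = hops_to_crown_jewels(graph, ev["src_host"], targets)
        ranked.append(ev)
    ranked.sort(key=lambda e: (e["hops"] is None,
                               e["hops"] if e["hops"] is not None else 0))
    return ranked


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f'{a["src_host"]:<10} account={a["account"]:<18} '
              f'event={a["event_id"]} hops_to_crown_jewels={a["hops"]}')
```

On the constructed data, two of the five events touch a decoy account and both become alerts; ws-117 is one hop from the finance file server and is ranked ahead of ws-042, which is three hops away. The normal-looking 4625 from ws-200 produces nothing: a failed logon is noise unless the account involved is one that should never be used at all, which is exactly the property that makes deception alerts high-fidelity.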


Now teams have clear options. They can isolate the attacker or take other rapid action to stop the attack, or—especially if they have honeypots or decoys—they can continue to observe and collect information on the attacker’s goals and techniques.

Of course, you can’t completely eliminate other methods of security monitoring. These technologies are necessary for a host of reasons: to meet audit and regulatory requirements; to compile essential log data; to validate and tune controls. But deception-generated alerts kickstart the triage process and give precise focus to the broader correlation, analysis and eradication efforts.

To learn more about using deception to increase SOC efficiency, watch the on-demand webcast Improving SOC Efficiency with Deception, and download the Ponemon report, Managing the Risk of Post-breach or “Resident” Attacks.



[1] Managing the Risk of Post-Breach or “Resident” Attacks, Ponemon Institute, November 2018