Deception technology grows and evolves

Deception technologies such as honeypots are becoming increasingly popular with enterprises

Deception technologies such as honeypots are becoming increasingly popular with enterprises as the products get more flexible and the tools allow security analysts swamped with incident reports to zero in on cases of actual ongoing infiltration.

According to a report released in August by research firm Technavio, the deception technology market is growing at a compound annual growth rate of 9 percent, and is predicted to reach $1.33 billion by 2020.

The technology includes not only the traditional honeypots but also a new class of multi-layered, distributed endpoint decoys, according to Technavio analyst Amrita Choudhury.

Another research firm, TechSci Research, predicts a market size of $1.7 billion by 2021, with a CAGR of over 10 percent.

According to TechSci analyst Karan Chechi, the biggest growth areas for the technology include the financial services sector, retail, healthcare and government.

No false positives

Current security systems send up a lot of alerts, many of them false positives.

And the move to a new generation of systems based on machine learning isn't helping, said Lawrence Pingree, analyst at Gartner.

"Those kind of algorithms tend to have a lot more false positives than other approaches," he said. "I've sat in front of a SIEM with 5,000 alerts an hour, and I've had to triage that. That's an overwhelming data set."

A deception grid changes this dynamic.

"In a deception system, the alerts you get are very minimal, and any alert you get says that something is awry," he said. "It's an almost zero false positive solution. That's a huge win for security professionals."

He estimated that today's deception grid vendors are seeing between $25 million and $50 million in total annual revenues, and that the amount is growing by the double digits.

"It will be between $80 and $100 million globally in the next year or two," he added.

In addition to the core market for the tools themselves, related managed services are also growing, he added, due to a personnel shortage in the industry.

"You don't have false positives," confirmed Doron Kolton, CEO at TopSpin Security.

And if a company employee does end up at a decoy, that's a red flag.

"He shouldn't be doing that," said Kolton.

That means that an overworked security team, flooded by incident reports that may or may not lead to anything significant, can look at the honey traps first.

"You can use the deception grid in order to prioritize events in the incident stream," he said. "You can look at the other events that were triggered on the same endpoint."
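One way to put Kolton's prioritization into practice, as an added example that is not code from the article or from any vendor it names: treat every alert whose target is a decoy as a confirmed signal, then pull every other alert from the same source endpoint to the front of the queue. The decoy inventory and the alert stream are constructed sample data.

```python
"""Triage a SIEM alert stream around decoy hits (added example)."""
from dataclasses import dataclass

# Constructed inventory of decoy addresses; a real grid would load this
# from the deception platform rather than hard-code it.
DECOY_HOSTS = {"10.20.0.250", "10.20.0.251"}


@dataclass
class Alert:
    ts: int        # epoch seconds
    src: str       # endpoint that generated the alert
    dst: str       # host the endpoint talked to
    rule: str      # SIEM rule that fired
    severity: int  # vendor severity, 1 (low) .. 5 (high)


def decoy_hits(alerts):
    """Alerts whose destination is a decoy: no legitimate user should be there."""
    return [a for a in alerts if a.dst in DECOY_HOSTS]


def prioritize(alerts):
    """Return (queue, implicated).

    implicated: source endpoints that touched a decoy.
    queue: alerts reordered so decoy hits come first, then every other alert
    from an implicated endpoint, then the remaining noise by severity.
    """
    implicated = {a.src for a in decoy_hits(alerts)}

    def rank(a):
        if a.dst in DECOY_HOSTS:
            return 0
        if a.src in implicated:
            return 1
        return 2

    queue = sorted(alerts, key=lambda a: (rank(a), -a.severity, a.ts))
    return queue, implicated


# Constructed sample stream: four routine alerts plus one decoy touch.
SAMPLE = [
    Alert(100, "10.20.1.5", "10.20.0.10", "port-scan", 2),
    Alert(101, "10.20.1.9", "10.20.0.12", "av-heuristic", 3),
    Alert(102, "10.20.1.5", "10.20.0.251", "smb-connect", 1),
    Alert(103, "10.20.1.7", "10.20.0.10", "failed-logon-burst", 4),
    Alert(104, "10.20.1.5", "10.20.0.11", "new-service", 3),
]
```

The low-severity `smb-connect` to a decoy outranks the high-severity logon burst, and the two otherwise unremarkable alerts from the same endpoint follow it.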

Deception grids can also increase the costs for the attackers, by making them spend time chasing shadows around.

"You can place them in essentially a hall of mirrors," said Gartner's Pingree.

The longer the attacks take, the less money the cybercriminals wind up making, said Shogo Cottrell, security strategist at Hewlett Packard Enterprise.

A deception grid can also trick a hacker into going home with files that, at the end of the day, turn out to be full of useless data.

"It's been made up, or protected with encryption," he said.

Plus, a sticky trap can help an enterprise do a kind of competitive analysis on the enemy, see what targets they are looking for, and what techniques they are using, he added.

Flexible net of deception

A traditional honeypot is a particularly tasty file, database or server, one that just screams out to hackers that it's full of delicious proprietary information, credit card numbers, login credentials and other goodies. The attacker finds it, tries to get into it, and alarms go off.

But the honeypot approach never really scaled to the enterprise level, said Gadi Evron, co-founder and CEO at Cymmetria. "It's very limited in what it can do, and when it comes to attackers with more sophisticated attacks, it fails miserably."

Anthony James, CMO at TrapX

The bait also has to be good enough to pass as a realistic target, not a fake prop.

"Attackers are smart enough to realize that something is a honey pot because it's a simulation, it's not real," said Dean Sysman, Cymmetria's co-founder and CTO.

And there have to be enough decoys for the attacker to be able to find them.

"You have to hope that they'll land on one or two fake decoys that sit near the real server," said Anthony James, CMO at TrapX, one of the leading vendors in the space.

The new approach is to cast a wider net, of more subtle traps.

"We want to create a large decoy surface area -- a cyber minefield," said James.

TrapX, along with several other vendors in this emerging space, uses automation to create phony workstations, servers, databases, even medical devices, point of sale terminals and automatic teller machines.

Then TrapX lays a trail of breadcrumbs that leads attackers to the decoys. The breadcrumbs are only visible to attackers, who are using backdoor tools or command line interfaces to explore corporate networks.

"The real trick is that the legitimate user never sees these links," James said. "They're never stumbling on a trap and tripping the alarm."

Then the TrapX decoys keep the hacker on the hook, giving the security team time to respond.

For example, there might be a realistic-looking interface that gives a hacker three failed attempts, then lets them in on the fourth try.

"We have templates with fake files and directories that look like a real directory," he said.
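The "three failures, then let them in" decoy described above, modelled as an added example that is not TrapX code or anything from the article. The accept-on-fourth-attempt rule and the credential sequence are constructed; the point is that the very first attempt already raises an alert, and the accepted session hands the security team the full trail of what was tried.

```python
"""Decoy login that rejects three attempts and accepts the fourth (added example)."""
from collections import defaultdict

ACCEPT_ON_ATTEMPT = 4  # assumption: mirrors the "fourth try" in the article


class DecoyLogin:
    def __init__(self):
        self._attempts = defaultdict(list)  # src -> [(user, password), ...]
        self.alerts = []                    # what the security team receives

    def login(self, src, user, password):
        """Return True when the decoy 'lets them in'.

        Any credential is accepted on the fourth attempt: the decoy is not
        authenticating anyone, it is keeping the intruder busy on a fake
        system while the team responds.
        """
        trail = self._attempts[src]
        trail.append((user, password))
        if len(trail) == 1:
            # Nobody legitimate should ever reach this login prompt.
            self.alerts.append({"src": src, "event": "decoy-touch", "user": user})
        if len(trail) >= ACCEPT_ON_ATTEMPT:
            self.alerts.append({
                "src": src,
                "event": "decoy-session",
                "credentials_tried": list(trail),
            })
            return True
        return False

    def trail(self, src):
        return list(self._attempts[src])


def simulate():
    """Constructed attempt sequence from one source; returns (decoy, outcomes)."""
    decoy = DecoyLogin()
    outcomes = [
        decoy.login("10.20.1.5", "admin", pw)
        for pw in ("guess1", "guess2", "guess3", "guess4")
    ]
    return decoy, outcomes
```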

And as real network resources change, the deception net can respond.

"The emulations are very agile," he said. "We can spin them up and spin them down, and move them with the network as it moves around. If they want to do it manually they can, or we have tools to automate it."

And here's a bonus pro tip for those setting up deception grids: Don't just stop at making your decoys look like real targets. Make the real targets look like decoys.

"Take an ordinary file server, and manipulate the server banner to advertise itself as a honeypot," said Sean Sullivan, security adviser at Helsinki-based F-Secure, which provides managed services for enterprises looking to outsource their deception grid oversight.

The same trick can be used against malware, he added.

"Malware does not want to run in a virtual machine, because it assumes it is being analyzed by malware researchers," he said. "But you can take a non-VMware machine and give it VMware registry keys and the malware sees those registry keys, thinks it's a VMware machine, and kills itself."

Stories by Maria Korolov