The Art Of Deception: New Class Of Security Startups Use Decoys To Disrupt A Hacker's Movement

As companies continue to get hammered by breaches, a clear gap in the effectiveness of many security portfolios becomes more evident with each attack. However, a new category of emerging security startups say they have the answer and are disrupting the threat detection space with what they call "deception" technology.

"Business as usual isn't working," said Carl Wright, executive vice president and general manager at TrapX Security, a San Mateo, Calif.-based deception technology startup. "Enterprises are spending millions of dollars and are continuing to have significant challenge and loss ... and we think deception technology is the very natural extension to enterprise security that can help them deal with what happens when an adversary gets in."

The idea behind deception technology is using decoy sensors as a defensive mechanism throughout the various stages of the kill chain -- the different stages of a cyberattack -- to delay or disrupt a hacker's movement through the organization's network and infrastructure. While honeypots have been using deception for a while as a threat detection method, this new wave of technology takes that to the next level and is being used for automated diversion and prevention of advanced threats.

Research firm Gartner recognized the emerging category earlier this week in a new report, calling deception technology "game-changing" and predicting that by 2018 more than 10 percent of enterprises will actively use deception tools and tactics as part of their security strategy.

"For the past 20 years, most active security control responses built into network security products have remained fairly constant, offering only a limited number of response actions, such as log, reject, drop and quarantine, with very little innovation or evolution beyond these more-simple automated response concepts," the Gartner report said. "These basic defensive actions must evolve so that a strong hold against the attacker can be maintained and to increase the attacker's economic burden to attack; product managers need to support product marketing to articulate the types of economic burdens the product achieves using deception.

"Gartner believes that security technology providers must consider use of deception techniques during the course of their threat responses to enhance the value of attack disruption they desire within their products," the report continued.

Joining TrapX in the market, according to Gartner, are vendors and startups such as Allure Security Technology, Attivo Networks, Cymmetria, ForeScout, GuardiCore, Hexis Cyber Solutions, Illusive Networks, LogRhythm, Percipient Networks, Rapid7, Shape Security, Specter and Topspin Security.

Deception technology is designed to complement existing prevention technologies on the network, not replace them, and act as another layer to "fill the gap," said Tushar Kothari, CEO of Attivo Networks, Fremont, Calif. That detection gap was illustrated in a recent FireEye report, which found that the average hacker is in the network for 205 days before detection, down from 243 in 2012.

"We aren't saying you don't need prevention ... but there are limitations to what you can prevent by closing the door tight," Kothari said. "I think more and more customers are aware of the need to have the capability to detect something. ... It changes the game on the bad guys. It increases the cost for them dramatically, decreases their chance of success and it's very cost-effective to do that."

"We think in the next six to 18 months, this will become a mainstream security layer and having a layer of deception will become standard practice," Attivo Networks' Kothari said.

Because deception technology is another layer on top of existing network security, Kothari said it is a huge opportunity for partners to bring added value to their clients.

"It's a greenfield opportunity because companies haven't been solving this problem before and the escalation of breaches is growing at staggering rates. ... We believe that the market opportunity is huge and the partners look at it as an unfulfilled gap," Kothari said.

"[Partners] are bringing real value to their customers," he continued. "It prevents their customer from being a headline in the newspapers. For them, it's another way to provide value and managed services."

While Gartner said there is a lot of opportunity in this market, it is only in "nascent" stages right now.

False positives, producing believable enough deception measures to fool hackers, enterprise readiness, proof of concept and educating clients on the new technology could inhibit vendors and partners in this space from grabbing hold of the market opportunity, according to Gartner.

To be successful, vendors and partners will have to educate clients, communicate concepts to developers and orient their managed security services businesses around the offerings, Gartner said.