Deception Technologies Have a Maturity Problem

INFOSEC23 — London — Deception technologies can offer a better method to detect attackers in your network, but questions remain on how much security leaders know about their maturity and capabilities.

In a discussion at Infosecurity Europe, panelist Debi Ashenden, a professor in cybersecurity from Adelaide University, described deception technologies as relatively immature. She said deception had "come out of the idea of honeypots" and while organizations may be on the cusp of seeing deception technologies mature, the technology lacks good use cases or reference customers willing to discuss their experience with deception.

Gonzalo Cuatrecasas, CISO of Nordic industrial manufacturer Axel Johnson International, said when technology is embraced, "it's got to be mature enough to do [the job it is intended for], otherwise it is halfway tech that gets [stuck] in the middle."

The Latest Cool Trend?

Lewis Woodcock, senior director of cyber operations for shipping concern A.P. Møller – Mærsk, said the challenge is for customers to fully understand what their underlying goals are. "I worry deception technology is the latest cool trend, but organizations need to stop and think [about] what they are trying to achieve."

While Ashenden said deception technology can also be very resource-intensive and that many CISOs don't understand why they need it, Woodcock wondered what an action plan for dealing with an attacker would look like, once deception technology got activated. That's not an endgame that many organizations are prepared to address or manage.

Ashenden also said there are questions on where in the network or SOC to deploy deception technology and that more work is needed to determine how this emerging technology fits into the cybersecurity portfolio. Cuatrecasas added that deception users should "be prepared to make decisions, as what you find may be something that we do not know about."

What You Need to Implement

As for implementation tips, Woodcock said familiarity and experience with threat intel could simplify deception rollout and management. He also recommended having an environment that looks real to an attacker — as if the network is very locked down and one server is open — as it is a giveaway to the attacker about what is going on. "Know your objectives, how an adversary will perceive it, and how you will respond," he said.

Ashenden recommended discussing with senior management what the technology will achieve and what it offers the wider organization, not to mention a strong business rationale for buying and using.