KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
There is growing interest in deception as a methodology and as an integral part of cybersecurity architecture, as organizations seek more effective approaches for detecting and responding to threats in real time. Distributed Deception Platforms have made this approach practical and affordable for the first time, but choosing the right solution can be challenging.
There is growing interest in deception as a methodology and as an integral part of cybersecurity architecture, as organizations seek more effective approaches for detecting and responding to threats in real time. Distributed Deception Platforms have made this approach practical and affordable for the first time, but choosing the right solution can be challenging.
Good morning and good afternoon. I'm John Tolbert, a Lead Analyst here at KuppingerCole. Your goal in today's webinars, a market overview for distributed deception platforms. So before we begin a little bit about our next event, that's the Cybersecurity Leadership Summit coming up in Berlin and online it's a hybrid event like EIC was between November 9th and 11th. And as you can see, we've got a full agenda it's published. We have over 200 speakers, 500 delegates, 15 exhibitors, and lots of social events and networking opportunities.
So hopefully you can join us for the cybersecurity leadership summit. So some logistic notes: we're controlling the audio. Everyone is muted centrally, so there's no need to mute or unmute yourself. We will run a couple of poll questions during the webinar, and we'll look at the answers at the end. We'll also do Q&A at the end in the go to webinar control panel. And you'll see there's a blank for questions. So you can type your questions in at any time and I'll take them at the end. And we're recording this, both the recording and the slides will be available within a few days.
So let's start with a poll. Are you familiar with, do you have a good understanding of what is distributed inception platforms do and how they can be useful? So we'll give you a few seconds here to look at that. So I'm going to give an intro to a distributed deception platforms. And then I recently published a leadership compass on the subject looking at some of the major vendors in the field. So we'll talk about what the key evaluation criteria were and the overall methodology for how we produce leadership compass reports.
Then I'll show you the leadership graphics and ratings at a glance and summary. We'll also look at the future of DDP and where we think it's going. So to start with a little bit about what deception technology is, I like to think of it as an active defensive measure. Many of you probably remember honeypots of the past. This might be, you know, a machine or machines that might stick outside your organization, outside the perimeter. They may be designed to sort of collect some information about what happens outside your networks.
They were usually standalone not really integrated in any way, but you know, a lot of good information came from honeypots in the past. What makes deception platforms different? As you know, that's a fully integrated system and it's designed to look very realistic, like, like your production environment to have the same kinds of servers, same kinds of assets inside, and then to be able to manage it centrally.
Well, the idea of may you want to draw attackers into the deception environment, the simulated environment, instead of keep them away from your real assets. And to do that, you can do things like make your DDP look a little bit less secure. Maybe not be fully patched in some cases, and maybe that makes it more attractive to attackers. So once you get them there, then it's a place where you can watch what an attacker would do. You can observe their TTPs, their tactics, techniques, and procedures.
See what kinds of information they may be looking for, you know, how they decided to attack, or they, you know, escalated, privileges, you know, how do they move light early? You can get a real feel for the kinds of actions that they would take in a real attack, but no preferably keep them outside your, your real assets and deception makes a good compliment, I think, to other detection and response kind of security tools. So you think these days, most organizations have an EDR endpoint detection and response many also have NDR network detection and response.
That's good for a certain passively picking up information about what's going on in that, on the network. But if you properly deployed a DDP then, and conceal it from your real users, then you can almost be assured that anything that happens within that deception environment is attacker activity. So not only can you catch them there, but you can get real high quality Intel about what they might try to do to your production assets.
Maybe, maybe, you know, if it's a very sophisticated attacker, you might see the use of zero days, you know, compromised machines. So you get very, very specific threat intelligence that is for your organization. So let's look at some of the common deployment options. There are a couple of the three major ways that the DDPs can be deployed. So looking at your production environment, you know, you probably have some clouds, you know, infrastructure as a service software, as a service, you know, laptops, mobiles on-premise data center servers.
You know, you may also have IOT operational technology and you call us your production environment. So some DDP solutions can be deployed in parallel. They're outside.
You know, they're not really on the same production. You might choose to separate them on a different villans, but there may be no confusion between, you know, production environment and your DDP environment. Other ways to deploy are mixing them together. So you would deploy your will, your trapped servers. We'll talk more about that in a minute and lures things that are designed to attract the attackers, you know, files and whatnot, right in your production network, but you use the BDP to manage those.
So you can conceal them again from your regular users, but only, but, but manage them in centrally from a DDB console. This is increasingly common. And lastly, a more probably cost-effective in many ways, approaches to use.
I, I would call it like an agent on your production systems that can serve as a trip for when an attacker is looking for information for, you know, on your various servers. Once that's tripped, it uses SDN projection, software defined networking, which then points to deception assets that are hosted by the vendor in their cloud environment. And these two of them look very realistic. I think this makes it more cost-effective because, you know, as a customer organization, you don't have to buy or lease space to deploy deception assets.
And they, they sort of said, you know, virtually, but not necessarily online consuming the licenses all the time. They only activate when an attacker happens to check the age. So this is, you know, a pretty innovative approach that actually makes it easier for customers to deploy as well. So who or why might you want to use deception technologies? What are they best suited for?
Well, they're great for enterprise it environments, but you know, there have been a number of high profile attacks against critical infrastructure and other, you know, power grids and, you know, manufacturing environments that are using IOT, internet of things, devices or industrial IOT, OT, operational technology, SCADA systems, things like that. And in many cases they can't run these devices, can't run other security agents.
So, you know, being able to simulate some of these devices on these networks and serve as a way to alert your staff, if somebody is tinkering with the, you know, the simulated device, this is a way to get, you know, better Intel on what may be happening, happening in these specific kinds of environments. And again, you know, power grid, oil and gas, you know, various manufacturing, critical infrastructure can make really good use of DDPs as a way to collect additional information.
Same thing with medical device networks, a lot of medical devices, even the ones that may run standard operating systems, customers may be prohibited by contractor warranty from installing security software for monitoring. So having a DDP solution that can emulate different kinds of medical devices, again could be a way of catching nefarious activities in those environments that you may otherwise miss.
And it's becoming more commonplace, especially in these particular kinds of industries, healthcare, manufacturing, you know, power generation, and also even us and this national Institute of standards of technology and their 800 dash 1 71, the draft document say, you know, this is a good idea to confuse and mislead adversaries. So this is a pretty innovative kind of technology on the whole, but it's, it's rapidly gaining acceptance as a mainstream security architectural component.
So looking at what I consider the key evaluation criteria for DVPs, you'll see this again later, these are the, the, the main functional features that evaluate in the leadership compass. I thought it'd be good to define those traps trap servers. There are different kinds of servers, application servers that can be email servers, file shares, end points, lots of different kinds of applications. Even instances within the cloud lures are, you know, specific assets like office files.
You know, everybody uses office files, one kind or another, and some can be set up to beacon. And by beacon, they mean, you know, have code that let's say an attacker infiltrates into your environment, exfiltrate the file. If it's a beaconing file, then the code will send a signal and when it gets out, but you know, this works sometimes if they happen to be in a place that doesn't allow them beaconing file and call out, it may not help, but it does help in many cases. So a lot of DDPs allow for beaconing office docs.
It can also include credentials, scripts, you know, scripts are commonly, unfortunately contain username, password combos, XML files, even media files, things like RDP sessions, SSH keys, all of which are things that, you know, an attacker probably be looking for to be able to do things like gain access to information. They should then the next two enterprise it and operational it enterprise.
We consider, you know, the typical things that we've all been dealing with for many years, like DNS HTTP, RDP, abreast, you know, all the, all the protocols that applications within our normal it infrastructures use every day. So you'll see this later on the spider chart, this is a measure of how well does each DDP platform cover enterprise it applications and protocols operational. It is about, you know, industrial controls, SCADA, industrial IOT, you know, in many cases it's a totally different set of protocols that are involved. They're in different kinds of communications.
Many of the EPS allow you to either have a semi or a light simulation of different kinds of devices that you might find in these different kinds of environments. And some also like customize traps that fit into the operational environment. So if you're using something that may not be a part of their out of the box configuration, and many of them allow you to sort of create your own device simulations, but you know, some of the common protocols that we see there are things like backnet my bus DNP three test set.
And, you know, for IOT there's XMPP and MQTT are very popular Koa protocols there. So being able to understand those protocols, if you're, if that's something that you're running, that would be something you'd want to look for in a DDP solution. I am we call this out separately because there's, for two reasons, well, an identity is instrumental in just about any attack, especially escalating privileges to get access to machines that they shouldn't, and then how well you can simulate those. And then there's regular user accounts, there's domain, user accounts, service accounts.
And then also looking at you want to deploy those within your active directory or LDAP, or do you want to set up a parallel active directory or LDF and then have a trust between the two? So that's, that's how we measure the, I am simulation point here then comes TTP analysis. The biggest benefit is being able to understand what your attack or maybe trying to do to your infrastructure. So here we look at things like integration of various cyber threat intelligence sources, and then looking at how the attacks that they may be trying to use, how do they map to MITRE attack?
Miters become pretty commonplace and, you know, an upon framework in which to look at different kinds of texts. So it's useful to, you know, display this information to Analyst in a way that aligns of minor. And then lastly architecture, and this covers sort of that earlier slide versus, you know, a fully parallel environment, a hybrid environment where you've got deception assets mixed in with production assets, and then the, the saw SDN projection to vendor SAS.
There's also the notion of deploying lures, not just within the DDP, but placing them other places say on the dark web that if found by an attacker, interests them and going to look at your or your DDP environment, especially. So taking a step back to our overall leadership compass methodology, we rate against nine major categories. We'll quickly go through that here, security. Now this is about internal product security.
You know, how well is it designed? Does it use multifactor authentication for evidence analysis, you know, are the different roles that can be put into place? How is information generated and secured within the DDP functionality? Is it featured complete? Does it have, does it cover those seven evaluation criteria really well, integration and deployment aligns again with, you know, the different deployment methodologies are they, does each product allow you to have the flexibility to deploy it the way you want to, you know, does it come as an easily integrated product?
Is it, how, how much effort does it take to deploy and maintain interoperability? Even though you want to build a separate environment for DDP, you know, you probably want that information to go back to your SIM. You want your analysts to be alert and something happens there. So how well can it integrate with, you know, through various standard protocols, like rest API APIs as an NP, CIS log, things like that, usability, this is a measure of what does it look like, you know, from an admin or handle us perspective. These are the two main kinds of users you'd have in a DDP.
So, you know, how, how easy is it for them to use? Then we have innovation.
This is, you know, how, how well is each vendor doing in terms of providing, you know, groundbreaking technologies the customers can really use are they, do they have all the basic capabilities and they're offering additional features or, you know, they have a few basic capabilities that may be missing and are kind of playing catch up to the other leaders in the field. It's hard to be really, really innovative.
If you have some basic features that you need to add to your product, then market, this is looking at, you know, how many customers does a given vendor have, are they targeting particular industries is a global, you know, you'd want to pick a product that has good support in the region where your operating ecosystem looks at. You know, how many partners a vendor has, you know, resellers system integrators, and then even support personnel within their own organization.
And again, how well are they distributed globally? Do they meet your particular requirements, financial strength, you know, as a company profitable or really profitable, is it a new startup or is it mid to late stage? This is a measure of just how well they're doing. Do they have enough money to execute their roadmap and, you know, sufficient runway for getting there.
So then when you combine these into product leadership, you know, four major categories, your product leadership, that's the functionality, primarily market leadership that looks at, you know, the market ecosystem and financial strength together, innovation, leadership, centering, you know, how innovative do we think they are compared to the others in the market. And then how we see a product and DDP and market should be. And then those three roll up to an overall leadership score.
So for this leadership compass here, the nine companies that I looked at, and we've got a Calvio technologies, TiVo networks, counter craft, Fidelis, cybersecurity, Z scaler, we're rated, and then sidetrack, Fortinet, elusive, and Zillow. We're in the vendors to watch section. And we'll start at the top, looking at the overall leader section here, you can see, you know, a pretty good distribution.
Again, this takes into account all the major factors, the product completeness, the security, the market size and innovation, and, and kind of foreshadowing where we're going with, you know, where DDP will be DDP, I think will initially wind up being a part of XDR. We'll talk about that more in a minute, but we see some acquisitions that are happening in this space. And one of the, one of the vendors here actually offers DDP as part of their overall XDR platform, which is a really good, innovative feature.
So the product leaders here, again, good spread of capabilities, the ones that we have in the report, I think have, you know, a lot of really good features. And that includes good usability too.
I think that again, you know, if you're, if you're thinking this sounds too much like a honeypot, the management of a DDPs is really what makes this, I think I, a good thing to think about deploying, especially if you're in one of those industries that is heavily targeted by, you know, very sophisticated attackers, so easy to manage good set of features, especially around native, in different kinds of traps servers that can be emulated. The kinds of lures that can be created you.
I should probably add here too, that many of the vendors in the list use things like ML machine learning technologies to go out and do, let's say network discovery on your environment, and look at the kinds of servers that you've got in place. You don't understand things like the use of IP addresses the, the server names, the service names, how they're load balanced, and then create these lures and trap servers that really look like that.
So that it's not something that is so, so different from what an attacker would see in production that they they're actually drawn in because these assets will look real. So there's the use of ML for network discovery and trapping we're creation. And then again, there's things like the protocol fluency, you know, the different kinds of traps servers that are available out of the box and the degree of sophistication with which different kinds of I am credentials can be created and used innovation leadership here.
Again, it's purely just about the overall innovation. I think, especially given the, the kinds of tasks that have been seen in the recent years in OT, ICS and medical environments, there's a big advantage to using DDP technologies there.
So, you know, the vendors that have really good implementations out of the box for, you know, specific kinds of OT environments, plus the ability to customize those, that's, that's a very key innovation feature, as well as, you know, how easy is it for an admin and Analyst to use is the, just the console out for things like, you know, regular expression searches and, you know, things like that, just things that facilitate the use of the console as well, market leaders, again, that's a combination of, you know, market position, financial strength and ecosystem, the bigger, the better, the representation here in the graphic.
This is a growing market. It's, it's fairly new.
I mean, some of these companies have been around for several years already. So I wouldn't exactly say it's an emerging market.
It's, there's a number of key features that you can point to there, you know, a fair number of vendors and there's, there's growing interest in this market. So this is just the way we see the market leadership positioning as it is today. What are the graphs we have or the tables that we have, and our reports are we call ratings at a glance.
Again, we look at those nine categories across the top there's security functionality and all those, and then rate each company that participates from, you know, weak or critical all the way up to strong positive. So I'll let you take a look at the ratings here at a glance. And of course more detail is in the actual leadership compass itself in our chapter five and leadership, Memphis, we do a more detailed look at each vendor list includes a good writeup, as well as strengths and challenges and our spider charts.
So the spider charts here, again, back to those key evaluation criteria, so kind of group things like traps, Lewers, enterprise it, and operational technology as a major functional area. You know, this how they're differentiated in the different graphics. You'll see here in a minute, you know, it's about how many different kinds of operating systems or devices, protocols, or applications can they simulate the, I am point measures the sophistication and flexibility of how you can set up a separate AB or eldap environment or use production, but keep it separate and protected.
So, you know, the goal of having a DDP is to be able to learn about attackers and what they may be doing. So TTP analysis, I think is one of the more important points. So we represent that here on the aspire chart.
And again, that really is about how much information can you glean? How does the DDP solution present the, to your analysts in a way that is actionable? And then architecture is about, you know, the support for the different kinds of deployments and how flexible is it? So we will go through the, the various ratings for the, the companies that were rated, keeping in mind that, you know, you know, there's the, the tracks lures, enterprise it and operational technology. I am a TTP analysis.
And then the architecture with architecture, more flexibility tends to give a higher rating, more information, and the way it's presented, it gives a better score on TTP analysis. I am again, you know, does it support both ADT and Hilda? Can you do parallel? Can you do you know, again, C2 80 accounts and that's, that's the way the spider charts look so that we're ready to go to poll number two, it's after seeing a little bit of information about it, a real brief intro, what do you think, do you see potential uses for DDP solutions within your organization?
We'll give you a few seconds here to take a look at that and just answer yes or no. Well, as I mentioned earlier, I think DVP will have a role to play in XDR. You hear a lot of vendors talking about XDR today. I think we're kind of early in that cycle, you know, XDR is meant to be extended detection and response.
So you've, you have things like EPR, which, you know, over the last 10 years, a lot of EPP next gen antivirus companies have been adding EDR enterprise endpoint detection and response capabilities. So you have, you know, these PDR platforms that are agent-based that you put on all your end points or most of your end points, except for those cases that we were talking about earlier, maybe on operational it, and, you know, medical device networks, then you have NDR, which is, you know, more of a listening on what's going on in the network.
Seeing if you can find signs of attacks that your end points may have an endpoint agents may have missed. And both of these really depend on advanced machine learning algorithms and detection models to find attacks these days.
But, you know, you also see overlap there with this cloud workload protection platforms and, and even vulnerability management system. So I put DDP in here because it really is about detecting and helping you respond to different kinds of attacks. I think this is where we'll be heading, but, you know, XDR in general, it needs to be informed by other systems that you have like identity governance, administration, unified endpoint management, and user behavioral analytics tools.
So that's, this is what we see as the future of XDR MDPs role inside that. So to sound about parents, you know, there are really good products. The ones that I reviewed, I think each has individual strengths in different areas.
You know, if you were going to conduct an RFP to look for one of those, you'd want to pay close attention to your specific requirements, especially in the, in the OT area or even in the it enterprise it area, to make sure that you're getting all the functionality that you need, or, you know, maybe the case that none of the vendors has a specific proprietary protocols. So you'll want to pick a vendor that, you know, could help you develop a simulation for that. It is a growing market. I think DDPs, they are not just honeypots.
I mean, it's gotten far more sophisticated, you know, especially the management. I think that's one of the key advantages.
It's, it's much easier to deploy, especially with some of these newer deployment options where you essentially put an agent in production and it points to an offline deception environment that the vendor essentially runs for you. And then only gets the link only gets built at the time, an attacker trips. So it's much easier to deploy and, and cost savings can, can be pretty substantial there. Especially if you think about trying to run your own set of honeypots compared to a DDP, this is I think a much better long-term solution.
And as I said, you know, I think in the next three to five years, you're going to see XDR platforms take off. You know, this is again, more than just the EDR and NDR coming together. I think DDPs are really going to have an important role to play there as well.
And, and even during the course of the report, there was an acquisition. And, and like I said before, one of the major companies here already offers DVPD as part of their XDR solution. So that encourage you to take a look at the actual report. If you have any questions, you can enter them in the control pale here, and we'll take a look at them. You can contact me offline to this report and all of our other research as it Casey plus cover your coal plus, as you can see the link right there. So thank you. And I will move to see if we have some questions here or actually let's look at our poll.
So the results of the poll, have you heard of distributed deception platforms? Wow, that's interesting. 25% said yes. 75% said no, that is, that's very interesting that that shows there's a lot of room for getting the out about What DDPs can do in different environments. That's very helpful to know. So then let's look at, do you see potential uses for an AP?
Well, well, that's excellent. 100% believe that there's some use for DDP and I really think it's coming. I think if you're the kind of, if you're in an organization that's going to be looking for XDR solutions, this will, this will eventually wind up in it, but I think it's probably good to, you know, investigate this.
I mean, especially if you're in one of these critical industries or you're, you know, you're running a healthcare environment, there's, there's a lot of, I think short-term value that can be discovered by using GPS. So with that, I would like to thank everyone for attending today.
And again, if you have any questions, feel free to follow up with me and please join us so that our next upcoming event, thank you.
