Deception vs Analytics, or Can Analytics Catch True Unknown Unknowns?

This is a debate post, and not a position post. The question alluded therein (hey… I said “alluded therein” to sound like Dan Geer, no?) has been bugging us for some time, perhaps for 2+ years.

However, we deferred this debate and hid behind the fact that most organizations don’t really compare broad security approaches like “do deception” or “do analytics” (or even “do network” or “do endpoint” for detection) in furtherance of a particular goal. The extra-large enterprises always click “all of the above” while others just want to compare vendors.

But I think the time has come to tackle this, given that this quarter we are looking at both deception tools/practices and network analytics tools.

First, it is very clear that there are sets of security problems where the question of “how to handle it?” or “how to detect it?” can be solved in a set of principally different ways.

Let’s take many people’s recent favorite: attacker’s lateral movement detection (ATT&CK link).

So far, we’ve seen organizations use these approaches for detecting attacker movement in their environment:

  1. Network-centric: NTA (flow-based or L7 [better!]), and NSM as an approach.
  2. Endpoint-centric: EDR or various endpoint interrogation tools.
  3. Log-centric: SIEM or UEBA with relevant logs (network, endpoint, DNS, etc.).
  4. Deception-centric: decoys, lures and other juicy honey-tools and deception methods.
[of course, there is still a “WHAT LATERAL? WE WILL STOP THEM AT THE BORDER!” crowd, but I am not talking about those people today]

Ok, so far, nobody is running away screaming “WROOOOONG!” Fine!

But one method is not like the others. As we alluded to in Better Data or Better Algorithms? back in 2016, methods #1 – #3 above work like this:

  1. gather lots of data from network, endpoint, log or a combination thereof.
  2. think up a sneaky method to glean the insight you need from this data you just collected.
  3. when this insight is gleaned, it is shown to an appropriate human who then runs out and takes the attacker out (not out on a date, mind you, but out with the trash).

However, #4 (deception) does not work like this; it works more like this:

  1. think up and prepare a bunch of traps for the attacker.
  2. spread them all over the environment and then hope they are discovered by the attacker.
  3. when the attacker touches one of the traps, you go and take them out.
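To make the contrast between the two workflows concrete, here is an added example (an illustration written for this page, not code from the original post or any product it mentions). It runs a toy analytics detector and a toy deception detector over the same constructed set of host-to-host logon events. The event data, the user names and the decoy host name `fs-decoy-07` are all made up; the fan-out threshold is an assumed detection hypothesis, exactly the kind of "sneaky method" step 2 of the analytics workflow requires and the deception workflow does not.

```python
from collections import defaultdict

# Constructed sample of host-to-host logon events: (source host, destination host, user).
# Made-up data for illustration only; not telemetry from any real environment.
EVENTS = [
    ("ws-12", "fs-01", "svc-backup"),   # a busy but legitimate service account ...
    ("ws-12", "fs-02", "svc-backup"),
    ("ws-12", "fs-03", "svc-backup"),
    ("ws-12", "db-01", "svc-backup"),   # ... that fans out to 4 hosts
    ("ws-07", "fs-01", "jdoe"),         # a slow intruder touching only 2 hosts ...
    ("ws-07", "fs-decoy-07", "jdoe"),   # ... one of which is a decoy
    ("ws-03", "fs-01", "mallory"),      # a noisy intruder fanning out to 5 hosts ...
    ("ws-03", "fs-02", "mallory"),
    ("ws-03", "fs-03", "mallory"),
    ("ws-03", "db-01", "mallory"),
    ("ws-03", "app-01", "mallory"),     # ... none of them decoys
    ("ws-05", "fs-01", "alice"),        # ordinary single-host user
]

# Hypothetical decoy inventory; a real deployment would register its decoys here.
DECOYS = {"fs-decoy-07"}


def analytics_detect(events, max_distinct_dst=3):
    """Analytics-style detection (methods #1-#3 in the post).

    Step 1: gather data (the event list). Step 2: apply a hypothesis about what
    lateral movement looks like; here, one user authenticating to more distinct
    hosts than a threshold. Step 3: return the users an analyst should look at.
    The hypothesis and the threshold are ours: an attacker who stays under it is
    invisible, and a legitimately busy account is flagged anyway.
    """
    fanout = defaultdict(set)
    for _src, dst, user in events:
        fanout[user].add(dst)
    return sorted(user for user, dsts in fanout.items() if len(dsts) > max_distinct_dst)


def deception_detect(events, decoys):
    """Deception-style detection (method #4 in the post).

    No behavioural hypothesis at all: decoys have no legitimate users, so any
    touch is an alert regardless of which technique brought the attacker there.
    The price is coverage: an attacker who never touches a decoy is not seen.
    """
    return sorted({(user, dst) for _src, dst, user in events if dst in decoys})


def compare(events, decoys):
    """Run both detectors over the same data and report whom each one flags."""
    return {
        "analytics": analytics_detect(events),
        "deception": sorted({user for user, _dst in deception_detect(events, decoys)}),
    }


if __name__ == "__main__":
    for method, hits in compare(EVENTS, DECOYS).items():
        print(f"{method:10s} -> {hits}")
```

On this data the analytics detector flags `mallory` (true positive) and `svc-backup` (false positive) and misses `jdoe`; the deception detector flags only `jdoe` and says nothing about `mallory`. Lowering the threshold makes analytics catch `jdoe` too, but only because we already knew what to look for, which is the crux of the "unknown unknowns" question: the decoy needed no such foreknowledge.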

See the difference?

Now, we can argue:

  • WHICH OF THE APPROACHES IS BETTER FOR DETECTING THE TRUE “UNKNOWN UNKNOWNS”?
  • WHICH OF THE APPROACHES IS BETTER FOR DETECTING THE TRUE “UNKNOWN UNKNOWNS” GIVEN MOST ORGANIZATIONS’ LIMITED RESOURCES?

Posts related to deception:



*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/12/07/deception-vs-analytics-or-can-analytics-catch-true-unknown-unknowns/