Hello, this is Nick Holland with Information Security Media Group, and today we're going to be talking about deception tech with Joseph Kroll, who is a Senior Analyst at IT Group. Joseph, thanks for joining me today. So, lots going on, obviously, in deception tech at this point in time, but it's not a new technology in a lot of ways. So, what I want you to, I mean, just frame for the first part of our discussion is, basically, what is it and where does it fit into the broader arsenal of tools that's available for today's organizations when it comes to countering cyber attacks?
So, I first was exposed to deception technologies in 2016, and I was extremely positive about the concepts, the technologies, and the capabilities of deception tech. But what I found were two things that I think inhibited its ability to have an impact on our industry. The first, it was very, very difficult to explain. There were a lot of things about the technology and about the ability to provide this type of embedded deception in the existing corporate networks.
And the second challenge is that the deployment model was not as easy as it could be. I think a lot of folks that understood traditional cybersecurity just could not get their head wrapped around, how do I deploy assets which really are not assets? You know, how do I put documents? How do I put credentials?
And how do I put network assets like endpoints or servers that are emulating real things? And I think it was that they suffered from the inability to properly explain that to the target buyer who had a very traditional outlook about how cyber defense technology should be deployed. Obviously, if they're deployed correctly, they offer some incredible capabilities. And the fact that when you know an attacker gets into the network and they go after one of these deceptive assets or they take a document that is put there specifically for stealing, you know immediately that you've got someone in the network that shouldn't be there.
And then you can start to sandbox them. And most interestingly, you can watch their whole attack scenario without having to shut it down like you would with a traditional defensive technology. But again, I was really, really excited when I first saw it, but then it really just didn't catch on because of the complexities of trying to explain it and sell it. Okay, very good.
So, I mean, it has been around for a while as a concept going back to the days of honeypots and things like that, which were probably pretty straightforward. So, I mean, what technologies are at the forefront today of the evolution of deception tech? What's state-of-the-art as far as you're concerned, Joseph? Sure.
So one of the things you have to do with deceptive technologies, you have to keep them relevant and fresh because the attackers are starting to be able to understand when an organization has deceptive technologies deployed. They look for different activities or signatures, or they look for different behaviors, and they can say, aha. And in some cases, they can actually identify which vendor has provided those deceptive technologies. So today what you have to be able to do is rapidly deploy them across multiple environments.
So I mentioned, you know, documents which are placed there which are bogus that are enticing to an attacker. It could be an endpoint or a server that you're putting there, or it could be just lots of different stuff on the network which would be enticing. One of those things being an active directory instance, which is kind of like the jewel in the crown. When I pivot and I try to escalate my privileges, I want to go after AD.
But the problem today is keeping those things fresh creates a maintenance overhead for the organization that wants to deploy the set of technologies. So what they're trying to do is make these things more dynamic to use technologies that will change the nature of what's deployed on the network. And then it won't be, oh, okay, I see that. I know they're trying to trick me, and I'm going to evade that by doing something else.
They can do this using AI. And, of course, the whole AI in security is a bit of a hype, but this may be one area where AI can give a second or third life to deceptive technologies. More importantly, it could be by using dynamic deployments of having different types of agents or different types of deceptions that are deployed with very little user or administrator overhead. So they're doing these things dynamically on the fly.
So, and then just a final question here, Joseph. I mean, clearly, there's a lot of changes going on, not just in the cybersecurity industry, but in all industries. We talk about, obviously, digital transformation. But we really are on the cusp of some significant changes with things like 5G coming into effect, certainly the degree to which today's organizations are cloud or cloud hybrid.
And then, you know, clearly, there's a significant reliance on third parties for those cloud-based assets, and, in fact, fourth parties, as we have, you know, the third parties, the third parties, and so on. So how is that likely to change the deception tech landscape? In my opinion, it will have limited impact. Deception technologies are really great when you have your own network that you manage and you have your own team.
And let me explain. Deception technologies are really good if you're running a threat hunting team or you have the capability to react to the alerts. If you get the alerts and you're pushing them into your SIEM or you see that someone's hitting something that's a deceptive endpoint, you have to be able to react to that. And if you don't have the skills and you don't have the capabilities, I'm not sure that your, you know, second-tier managed security services provider is going to have that ability to react to that quick enough to allow you to contain that potential breach before they pivot elsewhere.
With regards to cloud, again, there are probably other monitoring technologies that can provide equal to or greater. But deception is just one tool in the toolbox. And I think it's really great for organizations that have already a mature and sustainable and repeatable process to their cybersecurity defenses. It's probably less important for those that have outsourced the teams or just don't have the capabilities to get the full use and the power of what they're buying.
Well, thank you, Joseph. That is Joseph Kroll, who is a Senior Analyst of cybersecurity at IT Group and for Information Security Media Group. I'm Nick Holland.