[Posted on behalf of Anton Chuvakin, Security Strategy - Chronicle, Google]
How do you develop a business case for a DECEPTION TOOL?! I just went through a whole bunch of deception vendor materials and I was unpleasantly surprised at the lack of advice from the vendors in this regard.
For sure, those few organizations adopting deception tools are struggling with this challenge. Naturally, there is no “deception budget” at most organizations, and even an “advanced threat budget” may or may not exist. Given that much of deception today is aimed at better threat detection, there have been decent attempts to justify the tool by hopes of better threat detection efficiency and effectiveness, cheaper alert triage, earlier detection, lower FPs (compared to what?), etc.
Others hope to push the deception vendors to broaden and eventually replace other tools (like, say, NTA or EDR or even UBA), but this route (apart from it being long and painful) may risk pushing vendors to build a spork – a spoon/fork hybrid that is at best mediocre at both functions. When I see some security tech, I see not just a spork, but “a toothbrush/toilet brush hybrid”: something that in theory can replace two tools with one, but in real life won’t be used as either…
Along the same lines, some vendors seem to contrast deception tools with preventative tools, but in this case customers have a lot more choice: SIEM, UEBA / UBA, NTA, EDR, etc.; a bunch of proven (ahem … and not so proven) tools focused on detection & response. So, the screams of “buy deception, not prevention” ring kinda hollow…
The reason for this struggle is easy to explain: deep down, we all know that today the deception tools are “a nice to have,” not “a must have.” As my wise mentor once told me, “sell aspirin, not vitamins” … but how? Dear vendors, please let me know how your solution is not “a nice to have” today! We’d love to hear it!
So, our running list of business cases for deception tools is:
Business case focused on improved threat detection quality (better detection of existing threats, detection of “better” threats, earlier detection) [so, in effect, lower detection cost and/or higher effectiveness]
Business case based on high quality of alerts, pre-triaged alerts [lower triage and investigation cost]
Got much to add?
Finally:
Our call to action to vendors: how do you help customers establish a business case for your deception tool?
Call to action to customers: how did you establish a business case for the deception tool you purchased?