Key Criteria for Evaluating Deception Technology Solutions v2.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. DT Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

Attacker techniques and behaviors are constantly evolving. As cybersecurity vendors zig, attackers zag. This creates an environment where what worked in the past to detect malicious actions may not work today and most likely won’t work in the future. So, organizations need security tools that can evolve as quickly as attackers do, and perhaps even anticipate some behavior and take proactive measures. Deception technology (DT) tackles this quandary head on and enables defenders to set traps for attackers, granting defenders valuable information about attacker behavior so they can make more informed decisions.

Early examples of DT were emulations of a Linux or Windows host. These were called honeypots, and although they are still deployed with good practical results today, they have quite different capabilities than when they were first launched 30 years ago. With infrastructure as a service (IaaS) and DevOps practices using infrastructure as code (IaC), organizations have had to evolve their use of DT to meet the demands of modern enterprises.

Today, DT is more comprehensive. No longer do organizations rely solely on physical data centers and perimeters to protect their networks. Cloud computing, software-defined networking (SDN), remote workers, and on-premises technologies are leveraged to create a robust defense system that emulates and tracks activity across different areas. By incorporating these advanced technologies with other security methods such as zero-trust technologies, organizations can take advantage of the benefits DT tools bring without compromising the safety of their networks.

Modern DT is integrative in nature, bridging the gap between existing detection-focused technologies like endpoint detection and response (EDR) and the security information and event management (SIEM) solutions on which security teams base much of their workflows. Because SIEM detection capabilities are directly correlated with the quality of telemetry fed into the solution, SIEM solutions will always be limited by upstream telemetry sources. For organizations seeking the earliest possible detection, DT will be appealing.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective DT solution. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading DT offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.