When shopping around for deception technology vendors, it can be hard to distinguish and determine which vendor is right for your organization. This is especially true with deception, a sector that is still growing and developing rapidly. Each deception provider has their own unique approach, but the end goal of detecting and halting threat actors remains the same.

So how do you figure out which threat intel solution and deception vendor is right for you?

One consideration may be budget, which is relatively straightforward. Another may be finding out who your competitors use. But in a sector where clients don’t want to be identified, how can you know if your vendor is working with companies like yours? How can you tell which vendor is serving the top organizations?

The first thing we advise when CISOs and other security managers are seeking a new solution is to take stock of their goals. Knowing how your team will make use of the intelligence provided by deception technology can help determine which provider is the best match for you.

Read on to find out

  • What questions to ask cyber deception technology vendors before you commit to a solution
  • The questions your service providers might be afraid you will ask
  • How to avoid making a big investment that won’t improve the security posture of your organization

Asking the right questions can help you avoid operational risk and reputational risk that comes with big data breaches. Read on for a helpful guide on the most important questions to ask.

How realistic are the decoys and environments the deception platform deploys?

When it comes to deception, believability is the most important indicator for effectiveness. The longer you can keep the bad guy occupied, the more information you can gather about them. Decoys should look and feel like real production assets—otherwise, skilled attackers will not be fooled. Emulated systems just aren’t effective enough. We believe in using real IT to make deception decoys and environments ultra realistic.

Does the solution work both pre- and post-breach?

Many deception technology vendors focus on detecting threats once they have entered the network. While that is a must, wouldn’t it be even better to detect attackers while they are still in the pre-breach, scouting phase? A deception solution that detects actors operating outside your organization means you can shift to the risk response way down the kill chain. Ideally, a deception solution will be able to provide threat intel on an attack before the attack has even taken place, giving you time to react and strengthen your network.

Can I integrate it with my systems/software/workflow?

This is a critical issue. Whatever threat intel product you decide to use, it must be able to be integrated into your systems and workflow. Look for a deception solution that allows you to add the data gathered to your SIEM, an excel, or any other application or format your team uses. You should be able to gather the info and easily share it with your team.

What do the deception technology vendors do to ensure the security of your platform, and how do you protect data that goes in and out?

Security is not a “nice to have”—it is essential. As security practitioners, you must avoid introducing a weakness through a new system, and the same goes for a deception platform. Make sure the vendor you use has a rigorous set of security guidelines in place at every point in their product chain.

How quickly can we process the intel gathered by your system?

If you only look at one metric, it should be the speed with which you are able to process the intel gathered by your deception technology vendors. As we are fond of mentioning, threat intel is broken. If it takes three weeks to process threat intel you’ve gathered, or if the intel is generic and not specific to your business, you’re giving the adversary a major advantage. Deception should work to offer you immediate, real-time threat intel…zero-day attacks become zero-day plus five minutes when you have an effective threat-intel solution, which means you can mitigate risk. Look for integrations with Signal and other software and apps that help you create an automated notification and incident response system for use against attackers.

How is intel delivered, and is that customizable?

When looking at deception technology vendors, be sure to ask how the intel they gather is delivered. You want comprehensive reporting that can be categorized and presented at different levels. Ease of consumption is key. Depending on your organization’s needs, you may want threat intel that can be shared using STIX 2, Excel, or even a pdf. You should be able to break it down and serve it up for everyone in your organization, from the sysadmin to the CISO.

Can you show a live Mitre ATT&CK view?

Covering MITRE ATT&CK tools and techniques and being able to visualize that information will give your company a leg up when it comes to mitigating risk and dealing with threat actors. Ask how much of the MITRE matrix your deception technology vendor covers (hint-it should be all of it and then some). Check to see how it is integrated into the platform—does the platform integrate the MITRE ATT&CK information in a complete, visual way that will make your team’s job easier?

How much does it cost to scale the product?

Some deception technology vendors have hidden costs outside of the scope of the product license, charging by breadcrumb or by number of endpoints. If you have a large network of machines to protect, you may want to look for a solution that works for complex networks out of the box. Solutions that scale per threat intelligence requirement instead of per machine are a better value for your money.

Does the vendor have industry certification or are they aligned with NIST/ISO?

This question can give you an idea of the state of a company’s own security practices. If a vendor has ISO 27001 certification, you know they have undergone a rigorous certification that assures the quality of their information security management system (ISMS). You’ll know they have policies, procedures, processes and systems in place to manage information risks, such as cyber attacks, hacks, data leaks or theft, up to par with big industry players like Google and Amazon.

How often is the system updated, and how are updates handled?

Deception technology moves at the speed of innovation, and so updates should be regularly scheduled and are important for maintaining maximum efficacy. Ask what kind of support the vendor offers for updates. You want a vendor that has flexibility to respond to issues, and may even need one that provides bespoke help and suggestions.

I have custom systems I want to include in my deception environment. Can your platform cope with custom or bespoke systems and sensitive or totally isolated networks?

If you have legacy, air-gapped, or other demanding systems to protect, this question is key. It can be difficult (and for some vendors, impossible) to function in legacy systems or air-gapped environments. It can be difficult to connect and protect very different networks, so look for a platform with the flexibility to be deployed in multiple different scenarios, where limited bandwidth and remote access may be par for the course.

Curious about the CounterCraft solution? Sign up for a demo today to see why we think our deception-powered threat intel solution is the world’s best.