As we gear up for the 2018 edition of the Cyberthreat Defense Report (prospectus here), I’m reminded of two “emerging” technologies we highlighted in the 2017 edition, published this past March.

Deception technology. Sophisticated attackers are still penetrating enterprise defenses and subsequently operating – often unimpeded and for months – on internal networks. Compounding matters is the high volume of events and false positives generated by incumbent detection, behavior analysis, and analytics technologies. Deception technology promises relief on both fronts. Extending beyond the basic intelligence gathering of traditional honeypots/honeynets, these solutions offer a broader set of capabilities that promise to deliver:

• High probability alerts that are almost always indicative of an ongoing attack
• Increased costs, and, therefore, greater deterrence for attackers
• The ability to trick attackers into making off with useless files/data
• Enhanced event prioritization and threat actor intelligence

Attack/breach simulation platforms. Penetration testing, vulnerability/configuration scanning, and other validation technologies help uncover implementation and configuration issues and other types of weaknesses present in an organization’s security infrastructure. However, these solutions are not without their challenges – such as being dependent on testers’ skillsets, having a narrow focus, and only providing point-in-time assessments. Attack/breach simulation platforms seek to overcome these and other shortcomings, for example, by: incorporating a comprehensive “hacker’s playbook” running continuous (non-disruptive) simulations against an organization’s production environment, and integrating with existing security infrastructure to enable automated response and remediation. The result is a new class of security solution that provides a clearer picture of both (a) whether an organization’s security systems are truly working as expected and (b) what its actual risks are at any given time, while also helping to:

• Shorten the duration of exposure, such as to newly discovered vulnerabilities and threats
• Proactively understand the impact of a new attack
• Train your security operations team
• Ensure compliance with regulatory mandates

In my opinion, both of these technologies have significant potential, just at different points in the threat defense lifecycle. But I’m keen to hear what you think. Which of these technologies do you feel has the most to offer today’s enterprises when it comes to establishing effective cyberthreat defenses?