KuppingerCole Report
Leadership Compass
By John Tolbert

Distributed Deception Platforms (DDPs)

This report provides an overview of the market for Distributed Deception Platforms (DDPs) and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing DDP solutions.

1 Introduction / Executive Summary

Cyber-attacks are on the rise, as we all know from the seemingly constant breaking news stories. Government agencies large and small are under attack. Businesses and non-profit organizations are under attack. Small to medium-sized businesses (SMBs) that at one time felt as if they had no major cybersecurity worries find themselves increasingly targeted by cyber criminals and fraudsters. Ransomware attacks continue to accelerate, abetted by the cyber insurance industry. Ransom demands are jumping. To combat modern cyber threats, organizations have been investing in more and more tools focused on threat detection leveraging big data analytics and user behavior modeling, generating massive waves of alerts which too often turn out to be false positives.

Analysts spend too much time chasing benign behavior, and consequently real attacks are slipping through. Behavioral detection solutions powered by machine learning offer better efficiency, yet they are probabilistic in nature, requiring cycles of manual effort to track down and confirm whether a threat is present. Facing these challenges, further complicated by the growing shortage of skilled security analysts, many organizations have started looking for alternative approaches to detecting and responding to threats in real time.

One of the oldest such alternatives, predating modern IT by at least a couple of decades, is using honeypots to lure attackers with strategically placed fake computing resources. Like police sting operations, this involves deploying carefully crafted traps within and/or adjacent to the corporate computing environment, which appear to be a legitimate part of the IT infrastructure and seemingly contain information valuable to hackers. However, these fake resources are distinct from the real assets and are closely monitored; since there is no reason for legitimate users to access them, any access attempt can be considered a reliable sign of an ongoing attack.

This deterministic nature of honeypots has made them a useful tool for both academic researchers and security experts. Unfortunately, such solutions have been difficult and costly to deploy at scale unless deployed as part of a distributed deception platform; they also generate lots of security telemetry that requires expertise to analyze properly. And yet, as the continuing de-perimeterization of enterprise networks makes traditional security tools like packet filter firewalls or signature-based antivirus less and less relevant, interest in deception as a methodology and as an integral part of the overall cybersecurity architecture is growing.

Distributed Deception Platforms are systems designed to simulate a variety of computing assets and environments for the purposes of drawing in would-be attackers to clearly alert IT security teams to their presence, drawing attackers away from real assets, and allowing IT security teams to study the tactics, techniques, and procedures (TTPs) of attackers in order to better defend against current and future attacks.

DDPs are the logical evolution of honeypots and have been productized for easier commercial deployment and use. DDPs can work well in conjunction with Network Detection & Response (NDR) and Endpoint Detection & Response (EDR) tools for enterprises with high security needs. One of the advantages of DDPs is that when activity is detected within a properly deployed system, it is almost guaranteed to be malicious. This makes detection of malicious activity comparatively easy. EDR and NDR tools, on the other hand, work by analyzing many endpoint events and network traffic, applying machine learning (ML) detection models to probabilistically discover outliers and identify potentially malicious events. DDP solutions have progressed toward common feature sets, architectural patterns, and topologies. DDPs are becoming easier to afford, deploy, and manage for both SMBs and enterprises.

EDR solutions operate in areas where software agents can be installed on devices. This provides coverage for typical office environments, but is not effective where agents cannot be installed, such as on ATMs, IoT devices, Industrial Control Systems (ICS), medical devices, etc. In these settings, NDR solutions can offer visibility and controls, and DDPs can be an active defensive measure on the front line, with decoys that emulate these devices and with IAM protection (most commonly for Active Directory).

The network security industry is moving in the direction of "XDR", sometimes standing for eXtended Detection & Response, which is a union of EDR and NDR. DDPs can be considered an advanced element of XDR solutions, as they aid IT security teams in discovering anomalous and malicious behavior at various layers across the infrastructure.

Deception technology is also a constituent of the KuppingerCole Information Protection Life Cycle (IPLC). The IPLC and its Framework describe the phases, methods, and controls associated with the protection of information. The IPLC documents three stages in the life of information and multiple categories of controls which can be applied to secure information. The "main sequence" of information is Active Use Life. Active Use Life is a concept borrowed from the field of archaeology, defined as the period when a human-made artifact is actively in use. Information is a human construct, with a beginning and often an end, so the definition works well for the IPLC. Deception technologies fit into the Active Use Life phase of the IPLC.

At a high level, DDPs are composed of traps, lures, misdirection, and management systems. Some vendors use the term "decoys" synonymously with traps. Others call lures "breadcrumbs", "baits", or "honey tokens". Given that digital identity is a primary vector in attacks, DDP vendors provide deception assets for IAM, which are specific combinations of traps and/or lures. Identity Detection and Response solutions add the ability to show potential attack paths, and they can hide legitimate credentials and Active Directory objects, which prevents credential theft and privilege escalation. Attackers can also be identified when they conduct unauthorized queries against identity data stores. Disinformation can be provided in response to those unauthorized queries, redirecting the attacker to a decoy for monitoring and analysis of their TTPs.

  • Traps: servers, virtual servers, or appliances that host simulated assets for the DDP. Trap servers can be Windows servers or desktops, Linux machines, Macs, cloud instances or containers (in either public or private clouds), VPNs, industrial control servers, sensors, meters, specialized manufacturing and medical equipment, etc. In cloud computing environments, traps can be access keys, storage buckets, serverless functions, databases, and containers. Trap servers should run applications that are typical in the reference or production environment, such as web servers, mail servers, content management systems, collaboration services, file shares, financial applications, remote desktop "jump boxes", industrial control applications, IoT device management applications, etc. The fidelity of application and service simulation varies between vendor solutions and between the devices or applications simulated; it ranges from merely listening on standard ports, through session establishment and full protocol responses, to fully customizable interactions.

  • Lures: objects that are designed to appear interesting to attackers in order to get them to interact with the full DDP. Lures can take many forms, examples of which are listed below. Lures can be hosted in many locations, depending on customer preferences.
    • Services
    • Files
    • Credentials
    • x.509 certificates
    • SSH application configurations and keys
    • Scripts
    • RDP sessions
    • Database content
    • DNS entries
    • Beacons
    • Cookies
    • Shortcuts
    • Network shares

Lures should be placed on endpoints and servers within customer organizations as well as in SaaS apps where appropriate.

  • IAM deception: given that credential takeover and escalation are critical vectors in most cyber-attacks, DDPs offer a variety of techniques for creating and managing fake IAM infrastructure and credentials. Most vendor solutions support, to differing degrees, the deployment and management of Microsoft Active Directory (AD) components, credentials, and objects. Some DDPs deploy parallel AD components with trusts back to the customers' production AD domains. Other DDPs create fake accounts and other objects in the customer's production AD infrastructure. A few vendors interoperate with generic LDAP and IDaaS. To cover the case where attackers bypass the fake credentials and use real ones, full IAM and AD monitoring and Privileged Access Management (PAM) should also be in place.

  • Management consoles: interfaces for customer and/or MSSP administrators to deploy, configure, manage, and monitor traps and lures. DDP solutions often have facilities that perform automated analysis of customer assets to suggest and create traps and lures that appear realistic to attackers. These interfaces also allow customers or their MSSP delegates to modify configurations as needed, monitor activities within the deception environment, and conduct investigations on in-progress attacks. Management consoles can be deployed on-premises, in public or private IaaS, in the vendor's cloud, or at MSSPs.

Management components should adhere to pertinent standards and offer API integration. DDPs need to be able to interoperate with other parts of the security architecture, especially SIEM and ITSM systems.
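The components above share one property the report relies on: decoys have no legitimate users, so any interaction is a deterministic hit rather than a probabilistic anomaly. The following added example (not code from the report or from any vendor's product) shows how a defender could turn an inventory of lure credentials, a honey file and a trap host into alerts over constructed log lines, correlate the hits by source, and normalize them for SIEM ingestion as section 1 calls for; every account name, path, address, log format and JSON field is an assumption made up for illustration.

```python
# Added example (not from the report or any vendor): deterministic alerting on
# interaction with deception assets, then SIEM-style normalization of the hits.
# All account names, paths, addresses and log formats below are constructed.
import json
import re
from dataclasses import dataclass
# Constructed deception inventory: lure credentials, a honey file, a trap host.
DECOY_ACCOUNTS = {"svc_backup_adm", "sql_ro_legacy"}      # fake AD accounts (lures)
HONEY_FILES = {"\\\\fs01\\finance\\passwords_2021.xlsx"}  # honey file on a share (lure)
DECOY_HOSTS = {"10.20.5.77"}                              # trap server (decoy)
# Constructed log line formats, not any product's real format.
AUTH_RE = re.compile(r"AUTH user=(\S+) src=(\S+) result=(\w+)")
FILE_RE = re.compile(r"FILE path=(\S+) user=(\S+) src=(\S+)")
CONN_RE = re.compile(r"CONN dst=(\S+) dport=(\d+) src=(\S+)")

@dataclass(frozen=True)
class Alert:
    kind: str    # deception asset type touched
    asset: str   # the decoy object itself
    source: str  # originating host
    detail: str

def detect(line):
    """Return an Alert if the line shows interaction with a deception asset, else None."""
    if m := AUTH_RE.search(line):
        user, src, result = m.groups()
        if user in DECOY_ACCOUNTS:  # a failed attempt counts: nobody should know this name
            return Alert("lure-credential", user, src, f"auth {result}")
    elif m := FILE_RE.search(line):
        path, user, src = m.groups()
        if path in HONEY_FILES:
            return Alert("honey-file", path, src, f"opened by {user}")
    elif m := CONN_RE.search(line):
        dst, dport, src = m.groups()
        if dst in DECOY_HOSTS:
            return Alert("trap-host", dst, src, f"tcp/{dport}")
    return None

def scan(lines):
    """Detect over a log stream; return the alerts and the same alerts grouped by source."""
    alerts = [a for a in map(detect, lines) if a is not None]
    by_source = {}
    for a in alerts:
        by_source.setdefault(a.source, []).append(a)
    return alerts, by_source

def to_siem_event(alert):
    """Serialize one alert as a JSON line a SIEM could ingest (constructed schema)."""
    return json.dumps({"producer": "ddp", "severity": "high", **alert.__dict__}, sort_keys=True)

SAMPLE_LOG = [  # constructed: one legitimate login, then one host touching three decoys
    "AUTH user=jdoe src=10.20.1.15 result=ok",
    "AUTH user=svc_backup_adm src=10.20.1.99 result=fail",
    "FILE path=\\\\fs01\\finance\\passwords_2021.xlsx user=jdoe src=10.20.1.99",
    "CONN dst=10.20.5.77 dport=3389 src=10.20.1.99",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts, all attributed to the same source, which is the kind of correlated, high-confidence signal the report contrasts with ML-based outlier detection.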

1.1 Highlights

Top Ten Findings in the Leadership Compass on Distributed Deception Platforms:

  • Deception is an established and growing specialty in cybersecurit ...


1.2 Market Segment

The Distributed Deception Platform market is a small segment of the cybersecurity market but is actively growing and still evolving. Some vendors offe ...

Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often have a direct effect on the type ...


1.3 Delivery Models

Several different deployment models exist for the components of DDP systems. Trap servers can be deployed in customer data centers, parallel to custom ...


1.4 Required Capabilities

  • Deployment, maintenance, and monitoring of deception assets that are configured to mimic customer assets in traditional office environments, inclu ...


2 Leadership

Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Compass. The Compass provides a compa ...


2.1 Overall Leadership

In this first edition of the Leadership Compass on DDP, we find Attivo Networks, Acalvio Technologies, CounterCraft, and Zscaler as the Overall Leader ...


2.2 Product Leadership

Product Leadership is the first specific category examined below. This view is mainly based on the analysis of service features and the overall capabi ...

Product Leadership is where we examine the functional strength and completeness of features within each product. In the DDP field, DDP product leader ...


2.3 Innovation Leadership

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require ...

Innovation Leadership in the DDP segment is exemplified by how products facilitate the creation and maintenance of traps and lures, coverage for devic ...


2.4 Market Leadership

Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, the geographic distribution of customers, the size of dep ...

Attivo Networks, Fidelis Cybersecurity, Zscaler, and Acalvio Technologies have the largest market share and overall best performance in the DDP market ...


3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor ...


3.1 The Market/Product Matrix

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of "overperfor ...


3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...

Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

In ...


3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...

Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to inn ...


4 Products and Vendors at a Glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Distributed Deception Platf ...


Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four ad ...


Table 2: Comparative overview of the ratings for vendors


5 Product/Vendor evaluation

This section contains a quick rating for every product/service we've included in this KuppingerCole Leadership Compass document. For many of the produ ...


5.1 Acalvio Technologies

Acalvio Technologies was founded in 2015 and is headquartered in the Bay Area. They are a mid-stage cybersecurity startup specializing in DDP. Acalvio ...


5.2 Attivo Networks

Attivo Networks, founded in 2011, is a late-stage cybersecurity startup specializing in DDP technology. They are headquartered in the Bay Area and hav ...


5.3 CounterCraft

CounterCraft is a cybersecurity startup, founded in 2015 and based in Spain. CounterCraft's history derives from cyber threat intelligence. DDP is the ...


5.4 Fidelis Cybersecurity

Fidelis Cybersecurity was founded in 2002 and is headquartered in Bethesda, MD, outside Washington, DC. They are a privately held company. Fidelis De ...


5.5 Zscaler

Smokescreen was founded in 2015 in Mumbai as a DDP focused cybersecurity company. Beyond DDP, Smokescreen offers managed threat hunting, incident resp ...


6 Vendors to Watch


6.1 CyberTrap Enterprise

CyberTrap is a deception specialist cybersecurity startup headquartered in Austria. CyberTrap was founded in 2015 as a spinout from a cybersecurity co ...


6.2 Fortinet FortiDeceptor

Fortinet is a major network and cybersecurity vendor with a large array of products and services. Fortinet was founded in 2000 and is headquartered in ...


6.3 Illusive Active Deception

Illusive was founded in 2014 and is headquartered in New York and Tel Aviv. They specialize in DDP technology and serve a variety of industries includ ...


6.4 Xello

Xello is an early-stage DDP specialist startup founded in 2018 in Moscow. They are self-funded and looking to gain traction in the finance sector in t ...

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.