undefined | Better HN

0 pointsnotepad0x901y ago0 comments

the first rule of deception imho is that it needs to deceive the threat actor, and you should assume that the threat actor has done enough recon to know what makes sense and what stands out in an environment. If you have a canary in a file about a project that doesn't exist or use an external "canarytokens.com" domain the document, that might be a low quality decoy. Tools to automate deployment, maintenance and alerting/integration (SIEMS,etc..) are much more useful.

If your company is making deception software, then you already know that Microsoft, Google and similar companies are your competition if your strategy is to do what they do, but I'm sure you've already strategized around all this.

0 comments

3 comments · 1 top-level

waihtis1y ago· 2 in thread

> Tools to automate deployment, maintenance and alerting/integration (SIEMS,etc..) are much more useful

Bingo - between this and not confining yourself into the restrictions of a single platform (what the platform feature vendors have to do - Microsoft deception offers solutions only specific to certain Microsoft infrastructure, etc. ), you can create some terrific outcomes in this domain.

notepad0x90OP1y ago

I said "don't get me started" earlier because unfortunately vendor lock in is now a prized feature. I could be wrong but it kind of boils down to CISO's and decision makers looking at how we do things today in security and saying "this too complex, me no get it, me want one thing instead of many, me get that!" (this is why I said don't get me started! lol).

I totally support your approach, and I hope your startup succeeds. Although you should really name-drop it here.

waihtis1y ago

Thank you friend! -> defusedcyber.com

Hit me up if you'll be at Vegas hacker summer camp next week and want to get a friendly coffee in, the founders email on the website lands into my mailbox.

j / k navigate · click thread line to collapse