Building and deploying a decoy is fairly straightforward. If there is any work involved, it is just tuning the noise in terms of what happens inside your network. Most people probably do not realize how many times they are scanning their own network internally, and that decoy is going to feel like it is getting scanned, but that scan is being done by a dedicated device that you want to scan. You then build your exception rules in to not trigger on that and trigger on other devices when it is scanning. We have built the alerts back into our automation platform, so if we get alerts, our automation platform will do some runbook evaluation that is automated and then hand it off to an analyst if they think it is a real event. They do a good job of building the decoys and deploying them, and then giving you good insights. When something happens, you can look at how the decoy was connected or attached to a scan and figure out if that is a real threat or not. I like the coverage. We have 250 locations across the US, and we deploy decoys across every one of those networks. We saw its benefits immediately. The first time we got it and deployed it into one of our operating plant environments, the plant engineer noticed right away that there was a foreign device on his network that he did not really realize was out there. It was a support vendor coming in, and that vendor was scanning parts of his network that he did not realize. They were not necessarily doing it maliciously, but it gave him great insight, so he was sold on the product right away as we were. Shortly after implementation, we did our regular PAN and Red Team testing. I can say with 100% confidence that every time we do one of those, those teams come in and they tip over one of the decoys, and we see them fairly quickly. The decoy side protects my data because I get early insight into if there is a threat actor in my environment and it is moving laterally because they typically will hit one of these decoys, so it gives me quick access. If a ransomware threat actor was in my environment, they would be moving laterally trying to get to a vulnerable system, so before they ever get to the point of deploying the ransomware payload, they are going to hit a decoy. I am going to get early insight, and hopefully, I can get them out of there. In terms of its effect on the total cost of ownership (TCO), as with almost any security product, we are mitigating risk and protecting revenue. The total cost of ownership is an overhead when it comes to security. You want to spend as much as you think is necessary to mitigate high-risk areas. Otherwise, it is just money out the door. You are protecting revenue, but I would not put a TCO on it. It has helped our organization reduce or avoid downtime a great deal. It has avoided a potential downtime because the decoy typically gets the threat actor. My threat actors are PAN Test and Red Team people. They are identified before they can get too far and cause a scenario where I have downtime because of whatever they are doing in the environment.
