How do I deploy Deception and who will use it in my Org?
Zscaler Deception is a SaaS-based offering, just like all other Zscaler solutions. Customers are provided with their own tenant portal in which they configure the policies and decoys they want to provision and deploy. All compute needed to run the network and application decoys is allocated in the Zscaler cloud. The illustration below shows the overall deployment architecture for the Zscaler Deception solution.
There are two components that need to be configured on the customer side.
Endpoint Deception: This component is responsible for setting up browser lures, breadcrumbs, fake passwords and cookies, and decoy files on endpoints. Zscaler customers who have already deployed Client Connector can use it to deploy the Endpoint Deception components. Alternatively, customers can use a “dissolvable script” that is pushed periodically through GPO or similar tooling to set up the lures on endpoints.
Decoy Connector: This component is responsible for projecting the network and application decoys into a customer's on-prem or cloud environments. It is a lightweight VM that provides connectivity between the Zscaler decoy cloud and the customer's network. The connector works much like an App Connector does for ZPA: it routes traffic to the appropriate decoys while keeping the customer network isolated from the decoy environment. These decoy connectors can also serve the dual purpose of providing access to customer Active Directory or SIEM servers if additional integration with the Zscaler Deception platform is needed.
Below is a more detailed architectural diagram of how these components can be deployed in both on-prem and cloud environments.
Who will use Deception in my organization?
Zscaler Deception is primarily used by the SOC and Threat Intel teams in an organization. Because Deception produces extremely high-fidelity alerts, the SOC team often uses them as an early-warning radar to detect the presence of an adversary in the network. They can then begin their investigation knowing that the threat has already been contained by automated actions.
The Threat Intel team uses the Deception platform to gather intelligence on adversaries by having them engage with the “high-interaction” decoys. These decoys let the team discover the tools and sites the adversary is using, which in turn helps identify the adversary.