Using Deception Systems to Augment SIEM

October 05, 2016

Many times, it can take large enterprises hundreds of days to detect a security breach. Worse yet, in several recent instances, organizations have been notified of a breach by government agencies or other third parties. Where does SIEM fit in as a detective control?

A deception system is designed to confuse, misdirect, and delay an attacker by incorporating ambiguity and misinformation. Very few of the organizations I have consulted for over the last year are using a deception system in their defense-in-depth model.

As I have written before, Splunk is an excellent security tool for collecting, correlating and making sense of diverse machine data sources. Optiv Decept System, written by myself and Joshua Adam, is a Splunk app that monitors for unauthorized and/or malicious activity on your organization's network. By placing several honeypots that listen on many ports at strategic locations, we can detect early-stage attacks: no legitimate user or service has a reason to connect to a honeypot, so connections to one carry very little benign noise and are worth looking at. The app provides increased visibility into potentially malicious activity going on in the organization.

Figure 1: Optiv Decept System Main Page

Once we are collecting data from the honeypots, we can search and correlate it.

Figure 2: Optiv Decept System Search Interface

Equally vital to correlation is the ability to visualize. To paint a picture, we have used a Sankey visualization. On the left are the attacker IP addresses; in the middle are our organizational honeypots; on the right are the TCP ports that received connections. The wider the lane, the more connections there are.

Figure 3: Optiv Decept System Sankey visualization

The goal of SIEM, in addition to compliance and hunting activities, ought to be to lower the time to detect a potential security incident.
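To make the pipeline above concrete, here is an added example in Python (not code from the Optiv Decept System or from Splunk): a single-port honeypot listener that records who knocked as a Splunk-friendly key=value line, a parser for those lines, the aggregation that produces the three Sankey columns (source IP, honeypot, destination port), and a simple correlation that flags a source touching many distinct ports across honeypots, which is what an early-stage scan looks like. The honeypot names, sample events and field names are constructed for the example; in a deployment you would start one listener per decoy port and point a Splunk file monitor at the log the listeners write.

```python
import re
import socket
import threading
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of honeypot events (key=value form, one connection per line).
# Honeypot names and addresses are invented: one source probes six ports across
# two honeypots, another hits a single port twice.
SAMPLE_EVENTS = """\
2016-10-05T10:01:02Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=22 proto=tcp
2016-10-05T10:01:03Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=23 proto=tcp
2016-10-05T10:01:03Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=80 proto=tcp
2016-10-05T10:01:04Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=443 proto=tcp
2016-10-05T10:01:05Z honeypot=hp-corp-02 src_ip=203.0.113.5 dest_port=445 proto=tcp
2016-10-05T10:01:06Z honeypot=hp-corp-02 src_ip=203.0.113.5 dest_port=3389 proto=tcp
2016-10-05T10:02:10Z honeypot=hp-corp-02 src_ip=198.51.100.7 dest_port=445 proto=tcp
2016-10-05T10:02:11Z honeypot=hp-corp-02 src_ip=198.51.100.7 dest_port=445 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def format_event(honeypot, src_ip, dest_port, ts=None):
    """Render one connection as the key=value line the listener logs."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} honeypot={honeypot} src_ip={src_ip} dest_port={dest_port} proto=tcp"


def parse_events(text):
    """Parse key=value lines into dicts; the leading timestamp becomes 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        ev.update(KV_RE.findall(rest))
        ev["dest_port"] = int(ev["dest_port"])
        events.append(ev)
    return events


def sankey_links(events):
    """Count flows src_ip -> honeypot -> dest_port: the three Sankey columns,
    with the count as the lane width."""
    links = Counter()
    for ev in events:
        links[(ev["src_ip"], ev["honeypot"], ev["dest_port"])] += 1
    return dict(links)


def probing_sources(events, min_ports=4):
    """Sources that touched at least min_ports distinct ports across all honeypots.
    Nothing legitimate should connect to a decoy, so even one hit deserves a look;
    the threshold only separates a scan from a single stray connection."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src_ip"]].add(ev["dest_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def start_listener(honeypot, sink, host="127.0.0.1", port=0, max_conns=1):
    """Bind one decoy port and log every accepted connection to `sink` (a list
    here; in deployment, a file Splunk monitors). No banner and no service are
    offered: the point is only to record who knocked. port=0 lets the OS choose
    a free port. Returns (bound_port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port = srv.getsockname()[1]

    def serve():
        for _ in range(max_conns):
            conn, (src_ip, _) = srv.accept()
            sink.append(format_event(honeypot, src_ip, bound_port))
            conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, t


def knock(port, host="127.0.0.1"):
    """Act as the scanner: open and immediately close a TCP connection."""
    socket.create_connection((host, port), timeout=5).close()


if __name__ == "__main__":
    sink = []
    port, t = start_listener("hp-demo", sink)
    knock(port)
    t.join(5)
    events = parse_events(SAMPLE_EVENTS + "\n".join(sink))
    for (src, hp, dport), n in sorted(sankey_links(events).items()):
        print(f"{src} -> {hp} -> {dport}: {n}")
    print("probing sources:", probing_sources(events))
```

The same correlation in Splunk terms is a `stats dc(dest_port)` by `src_ip` over the honeypot index with a threshold on the distinct count; the `sankey_links` output is the `src_ip`, `honeypot`, `dest_port`, `count` table the Sankey chart is drawn from.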
At Optiv we are innovating and rethinking SIEM to improve the efficacy of the tools we implement. We invite you to download and evaluate Optiv Decept System for free today: https://splunkbase.splunk.com/app/3293/

Figure 4: Optiv apps available for free on Splunkbase

By: Derek Arnold, Principal Consultant

Derek Arnold has spent the last 12 years securing large retail, medical device, and insurance companies. He has worked on large, diverse enterprises in the Fortune 500. His key specialties include security operations, threat intelligence, physical security and SIEM. As a principal consultant for Optiv, he helps organizations solve their unique security challenges using Splunk Enterprise.

Tags: SIEM, Threat, Honeypot