Using Deception Systems to Augment SIEM

October 05, 2016

It can take large enterprises hundreds of days to detect a security breach. Worse yet, in several recent instances organizations have been notified of a breach by government agencies or other third parties. Where does SIEM fit in as a detective control?

A deception system is designed to confuse, misdirect, and delay an attacker by incorporating ambiguity and misinformation. Very few of the organizations I have consulted for over the last year use a deception system in their defense-in-depth model. As I have written before, Splunk is an excellent security tool for collecting, correlating and making sense of diverse machine data sources.

Optiv Decept System, written by myself and Joshua Adam, is a Splunk app that monitors for unauthorized and/or malicious activity on your organization’s network. By placing several honeypots that listen on many ports at strategic locations, we can detect early-stage attacks: nothing legitimate should ever connect to a decoy, so every connection it receives is worth a look. The app can provide increased visibility into potentially malicious activity in the organization.

Figure 1: Optiv Decept System Main Page

Once we are collecting data from the honeypots, we can search and correlate it alongside our other sources.

Figure 2: Optiv Decept System Search Interface

Equally vital as correlation is the ability to visualize. To paint a picture we have used the Sankey visualization. On the left are attacker IP addresses. In the middle are our organizational honeypots. On the right are the active TCP connection ports. The wider the lane, the more active connections there are.

Figure 3: Optiv Decept System Sankey visualization
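As an added illustration (not code from the Optiv Decept System app or from the original post), the script below shows the aggregation behind a Sankey view like Figure 3 and the kind of correlation search mentioned above. It parses a few constructed honeypot connection events (the `key=value` line format, the honeypot names and the TEST-NET addresses are assumptions, not the app's real format or data), tallies the source → honeypot → port lanes by connection count, and flags any source that touched many distinct ports on the decoys, which is what an early-stage sweep looks like from the honeypot's side. In Splunk the same tallies would come from a `stats count by` search over the honeypot events; the Python is here so the logic can be run offline.

```python
"""Turn honeypot connection logs into Sankey lane weights and a port-sweep alert.

Added example; the log format below is an assumption, not the Optiv app's format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events (hypothetical honeypots and RFC 5737 test addresses).
# The last line is a heartbeat with no source, included to show malformed/irrelevant
# lines are skipped rather than crashing the parser.
SAMPLE_LOGS = """\
2016-10-05T01:12:03Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=21 proto=tcp action=connect
2016-10-05T01:12:03Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=22 proto=tcp action=connect
2016-10-05T01:12:04Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=23 proto=tcp action=connect
2016-10-05T01:12:04Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=80 proto=tcp action=connect
2016-10-05T01:12:05Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=443 proto=tcp action=connect
2016-10-05T01:12:05Z honeypot=hp-dmz-01 src_ip=203.0.113.5 dest_port=3389 proto=tcp action=connect
2016-10-05T01:15:40Z honeypot=hp-dmz-01 src_ip=198.51.100.7 dest_port=22 proto=tcp action=connect
2016-10-05T01:15:41Z honeypot=hp-dmz-01 src_ip=198.51.100.7 dest_port=22 proto=tcp action=connect
2016-10-05T01:16:02Z honeypot=hp-corp-02 src_ip=198.51.100.7 dest_port=445 proto=tcp action=connect
2016-10-05T01:18:30Z honeypot=hp-corp-02 src_ip=203.0.113.9 dest_port=3389 proto=tcp action=connect
2016-10-05T01:20:00Z honeypot=hp-corp-02 heartbeat=ok
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"honeypot", "src_ip", "dest_port"}


def parse_line(line):
    """Parse one key=value event; return None if it is not a connection event."""
    fields = dict(KV_RE.findall(line))
    if not REQUIRED <= fields.keys():
        return None
    fields["dest_port"] = int(fields["dest_port"])
    return fields


def parse_logs(text):
    """Parse all lines, silently dropping anything that is not a connection event."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def sankey_links(events):
    """Weighted lanes for the three-column view: src_ip -> honeypot -> tcp/port.

    Each connection adds one to its left lane and one to its right lane, so the
    width of a lane is the number of connections that flowed through it.
    """
    links = Counter()
    for ev in events:
        links[(ev["src_ip"], ev["honeypot"])] += 1
        links[(ev["honeypot"], "tcp/%d" % ev["dest_port"])] += 1
    return links


def scanning_sources(events, min_ports=5):
    """Sources that touched at least min_ports distinct decoy ports.

    The threshold is an assumption for the example; tune it to your environment.
    """
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src_ip"]].add(ev["dest_port"])
    return {ip: len(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("%d honeypot connections" % len(events))
    for (left, right), weight in sorted(sankey_links(events).items()):
        print("%-14s -> %-12s %d" % (left, right, weight))
    for ip, n in scanning_sources(events).items():
        print("ALERT: %s touched %d distinct decoy ports" % (ip, n))
```

The two counters are the whole of the Sankey: the left column is the `(src_ip, honeypot)` lanes and the right column the `(honeypot, port)` lanes. The sweep check is deliberately simple because, unlike production traffic, honeypot traffic needs no baseline: a single source reaching several decoy ports in a short window is already a strong signal to correlate against firewall and authentication events from the same address.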

The goal of SIEM, beyond compliance and hunting activities, should be to reduce the time it takes to detect a potential security incident. At Optiv we are innovating and rethinking SIEM to improve the efficacy of the tools we implement.

We invite you to download and evaluate Optiv Decept System for free today:

Figure 4: Optiv apps available for free on Splunkbase

By: Derek Arnold

Principal Consultant
