Using Deception Systems to Augment SIEM

By Derek Arnold ·

Many times, it can take large enterprises hundreds of days to detect security breaches. Worse yet, with in several recent instances, organizations have been notified of a breach by government agencies, or other third parties. Where does SIEM fit in as a detective control?

A deception system is designed to confuse, misdirect, and delay an attacker by incorporating ambiguity and misinformation. Very few organizations that I have consulted over the last year are using a deception system in their defense in depth model. As I have written before, Splunk is an excellent security tool to collect, correlate and make sense of diverse machine data sources.

Optiv Decept System, written by myself and Joshua Adam, is a Splunk App that monitors for unauthorized and/or malicious activity on your organization’s network. By placing several honeypots that listen on many ports at strategic locations, we can detect early stage attacks. The app can provide increased visibility to potentially malicious activity going on in the organization.


Figure 1: Optiv Decept System Main Page

Once we are collecting data from honeypots, we have the ability to search and correlate data.


Figure 2: Optiv Decept System Search Interface

Equally as vital as correlation is the ability to visualize. In an effort to paint a picture we have used the SanKey visualization. On the left we can see attacker IP addresses. In the middle are our organizational honeypots. On the right side we can see active tcp connection ports. The larger the lane, the more active connections there are.


Figure 3: Optiv Decept System SanKey visualization

The goal of SIEM, in addition to compliance and hunting activities, ought to be to lower the time to detect a potential security incident. At Optiv we are innovating and rethinking SIEM to improve the efficacy of the tools we implement.

We invite you to download and evaluate Optiv Decept System for free today: https://splunkbase.splunk.com/app/3293/


Figure 4: Optiv apps available for free on Splunkbase

Derek Arnold

Principal Consultant

Derek Arnold has spent the last 12 years securing large retail, medical device, and insurance companies. He has worked on large, diverse enterprises in the Fortune 500. His key specialties include security operations, threat intelligence, physical security and SIEM. As a principal consultant for Optiv, he helps organizations solve their unique security challenges using Splunk Enterprise.