SIEM 3.0

SIEM 3.0

Technology is evolving and evolving fast, the processor and computation speed are enhancing cloud and mobile devices which has made data anywhere possible. IaaS, PaaS, SaaS has brought integration of data to different application and platform along with new security challenges. IIOT, OT, IOT further bring high velocity, varsity, and volume of data which when converted to information with analysis brings in high value to companies and takes them toward digitalization and Industrial revolution 4.0. Cyber Security too has to evolve and so has the Security Operation Center.

We can no longer rely on Descriptive analytics but need predictive and prescriptive analytics of Security landscape.

As per Gartner, 30% of global enterprises would have been directly been compromised by cybercrimes by 2020.

There has been a serious information security breach in recent years and hacking- as-a-service has further lead to the organization in need of more effective tools. These platform service providers to hackers have sophisticated tools already, leave lone the state-sponsored attacks. So even if your mission is to put a sign that hacker a not welcome as against a sophisticated infrastructure to protect your business the door and lock should be visibly giving the message to the hacker that you are prepared and they are not welcome. The hacker is constantly coming with a higher ladder and you need to have higher walls.

A typical organisation would have logs coming from the firewall, IPS/IDS, Antivirus, Email Gateway, Web Gateway, DLP, IDAM, PAM etc. These would be real-time log in a different format about internal and external threats. The incident source needs to be identified, along with type, weigh the consequences, target system, the priority of handling and countermeasures and mitigation solution with the impact. The 13 years since SIEM is been rated by Gartner has seen two evolutions of SIEM – SIEM 1 and SIEM 2.

SIEM system is ruled based or policy based. Rule-based are time-consuming as hundreds of rules need to be kept updated with too many false positive/negatives due to innovative techniques used by hackers. The Policy based on the other hand everything is based on timelines and correctness of writing policy alternatively they have statistical correlation engine to establish the relationship between event logs entries.  A typical architecture is mentioned below:

Credit: Designing blockchain -Natalia Miloslavskaya

There are two opposing approaches for SIEM, Agentless where logs are directly transmitted to SIEM or agent-based with software agent installed on each host that generates a log.

SIEM 1.0 was log-centric and detected IS events through preset rules and correlation implemented for IP address and less often for ports, protocols, and users. Log file lack details to understand what truly was happening. Another drawback of SIEM 1.0 is the usage of a relational database with a limitation like a very simple structure, little semantic richness, no support for recursion and inheritance, lack of processing/triggers. These had led to the need of second-generation SIEM system – SIEM 2.0.

SIEM 2.0 includes integration of Security Intelligence Center – SIC with Security Operation Center – SOC allowing organization to get tailored predictive network security management. This help companies to align IS risk management with business needs, constant monitoring of users and application. Real-time detection a collection of data on event form all sources, tracking the complete lifecycle of IS incidents, automation in the generation of reports and recommendation. Usage of big data and analytics. SIC and SOC now work together were SIC is the brain and SOC is the management Eyes. We further integrate the OT and IIOT data now to SIEM for Security Monitoring.

SIEM 3.0

Digitization, Cloud, Platform and Industry 4.0 has meant data is distributed and event taking place are distributed and scattered. Those lead to 4 silos data locked in disparate security devices, application and DB, Data from endpoints products, application – email, phone records, web-based content, digitized audio and video, GPS location etc., data in streams like network traffic, website clickstreams and data segregation by organization business units and working groups. Apart from this the configuration of Network devices, confirmation etc. The correlation between various Silos needs to be established and there has to be an extract that leads to discovering knowledge. We already know that most of the OT or plant attack originated from Spear Phishing enter the plant, hackers took control of plant HMI and SCADA system and remediation was further blocked by DDoS Attacks. There are similar case studies when it comes to confidentiality for data for banks or availability for Telecom companies when considering CIA triangle of cyber security - Confidentiality,  Integrity and Availably. Hence historic data of the company along with deep dark web and social engineering too has to be monitored for insider threat and with threat intel for external attacks and threat hunting with the use of machine learning and Artificial intelligence. The most important component would be block chain the distributed ledger that can record various events and correlate to formulate an incident, these would include IOT, OT, IIOT devices like CCTV cameras, access control cards, PLC, sensors, Wi-Fi, IDAM, DLP, IPS/IDS etc logs.'

SIEM 3.0 is need of the hour and companies need to plan their roadmaps from SIEM 1.0 or SIEM 2.0 toward SIEM 3.0 and ride the benefits of Digitalization and Industrial 4.0 while securing their organization. 

Sanjay Vaid

Industrial 4.0 and IT & OT Security.

Pierre Nanterme - CEO of Accenture has rightly said during World Economic Forum in Davos in 2016 on the Forth Industrial revolution that Digital is the main reason just over half of the companies on the Fortune 500 have disappeared since the year 2000.

Business today may it be Government, Mining, Energy, Oil & Gas or Public Utility, Manufacturing, Telecom, Retail, Banking, Healthcare, Insurance, Hitech, Pharma or travel are affected by security threats. Digital in opening the new markets, platform and better efficiency but the cyber threat looms large on business. How do we protect? Well to start with Cyber Security is constantly moving target and we need adapt. Primarily the threat can be segregated into IT threats and OT threats. With Industry 4.0 the fine line between IT and OT is further diminishing.

IT or Information Technology threat is primarily to do with the threats to Personal computer, Laptops, Server, Network Device, Data Centre, Mobile, Communication, Cloud security, Enterprise Resource Planning, (ERP) Application Security and Governance Risk and Compliance.

OT or Operation Technology threats are to do with the Internet of Things, Communication like Bluetooth, WIFI, Near Field communication, Machines, Pigs, Secure Industrial Control System (ICS), Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control System (DCS) Programmable Logic Controllers (PLC), Industrial Automation and Control Systems (IACS), Printers, Sensors, Electronic Control Unit (ECU) etc.

Some high-level steps that can be taken are to have an IT and OT Security Policy and make sure there are awareness and training about them and the awareness group should not just include employees but also the supplier, partner, distributor etc in the ecosystem. Have right tools like End Point protection, Email and Web protection, IPS & IDS, NAC along with Firewall in place, for insider threat and access control an Identity and Access management tool, Privilege assess management along with multifactor authentication and a password generation tool and for cloud CASB. In case of Critical Infrastructure, Banks, Government, Public sector and Energy Oil and Gas sector it is advisable to have an Advance threat protection and an endpoint detection and response as these are sectors prone to targeted state-level attacks.

For Operational Technology it is advised that a monitoring tool is deployed at the PLC – Programmable logical controller layer to monitor the threats to OT assets or any change in the configuration that can lead to accident, monitoring of compliance along with any device that is connected to the OT network which is not meant to be connected. Hence the Network discovery and assets management play a crucial role, it is critical to identify if all patches are up to date and there are trusted software and hardware in the network. The security threat needs to be monitored with Intrusion detection and prevention from HMI – Human Machine interface to OT or from OT to the IT network. Man in the middle attack and DDOS attack etc.

Behavior analytics and anomaly is an essential element for both IT and OT security.
Once the IT and OT network are appropriately secured one should target to set up a security operating centre and collect the IT logs in form of Event Per Sec – EPS and OT logs as Packet per Sec – PPS and monitor the threat and monitor them through the SIEM tool while integrating it to their call ticketing system and possibly with Artificial intelligence and SOC Orchestration.

Conclusion:
I have mentioned the high-level summary of steps that can be taken to secure your network and uphold the CIA – Confidentially, Availability and Integrity of your network. Other things that can be done as a Hygiene factor are to do a secure transaction with updated digital certificates both for IT & OT. The communication, especially via wireless LAN, needs to be secured and any communication which is critical, confidential, to the cloud or outside the network needs to be encrypted including email, messages, and documents. It's very vital that a standard operating procedure is put in place for any software installation or patch updates.

My message for companies that think they haven’t been attacked is: “You’re not looking hard enough”.

Cyber Security and Privacy in the Digital Age - 10 Threats and 10 Solutions.

Charles Darwin the famous English Naturalist and Geologist has said that

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change”

The digital age had uplifted human efficiency to a new level which has not been at any point in history. The digital age has provided real-time data which helps individuals and business, this data is at high velocity, varsity, and volume. At the same time data is getting originated by the internet of things, Mobile, tablets, Personal computer, laptops, servers. Along with the great benefits that come with digital there is also need for caution to protect personal data.

I am going to highlight 10 every day threat we face to our security and privacy and 10 Solutions.

Our Security and Privacy is threatened in the following Ten ways:

1.      Virus, Malware, and Ransomware in PC and computers.

2.      Outbound Spam emails.

3.      Mobile devices

3.1.   Mobile devices used in public unsecured network.

3.2.   Connecting Mobile device for power in public places using a data cable.

4.      Man, in middle attack like:

4.1.   Session Hijacking.

4.2.   SQL Injection.

5.      Sharing sensitive data over the phone.

6.     Sharing password, brute force attacks or being uncareful with a password like writing the password at the place where everyone can see or using a weak password.

7.   Social Engineering: Social media contacts with fake accounts or compromised social media accounts or bots.

8.      Identity Theft: Email or social media identity theft.

9.      Insider threat: the threat from disgruntled employees.

10.  Trusted software: We use many software and hardware, we need to be careful with corrupted or software with bugs in them which can affect data privacy.

The Ten Solutions are as follows:

1.      Use an appropriate antivirus software.

2.      Never use auto selected public network on your smart phone but instead manually choose a public network.

3.      Try to connect to a  public network on a WAP2 network protocol.

4.      Never transfer critical or confidential data in public network, especially banking information

5.      Always opt for an https rather than HTTP, this means is encrypted to help mitigate session hijacking to an extent. Hypertext Transfer Protocol (HTTP) for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL).

6.      Never share confidential information on Social media.

7.      Always use trusted software or hardware provided by the trusted source.

8.      Always download and use the trusted application on mobile phones.

9.      Configure you WIFI device on WAP2 protocol and have a strong password.

10.   Use a strong password for your social media or email accounts and be careful with your password, do not share or do not write your password on sticker note. If possible use anti-glare screen.

Baton Gellman the American Journalist and best-selling author has said 

‘Privacy and encryption work, but it's too easy to make a mistake that exposes you.’