SIEM solutions for every environment

SIEM - DETECTING SECURITY INCIDENTS

We offer comprehensive implementation of SIEM (Security Information and Event Management) solutions, such as IBM Security® QRadar® SIEM and Splunk Enterprise Security. Thanks to our knowledge, experience and integrations we have created, these tools, although designed with IT in mind, will also work perfectly in an OT environment containing systems such as SCADA, DCS or PLC.

Implementing a SIEM solution is just the beginning. We create and implement rules individually tailored to your environment, allowing you to identify potential attacks and irregularities in the functioning of the environment. Thanks to well-thought-out and correctly implemented rules, your business can detect failures and cyberattacks faster and respond to them more efficiently.

Find out more or contact us. We will create a solution tailored to your needs and the environment in which you work.

THE BENEFITS OF SIEM SOLUTIONS

Identification of advanced attacks
Failure detection
Support for both IT and OT environments

VISUALIZATION AND ANALYSIS OF EVENTS IN IT ENVIRONMENTS

The vast majority of modern IT environments have distributed infrastructure. They cover not only various rooms or buildings, but also geographical locations, reaching a complexity of tens of thousands of resources. These resources, which perform various functions and take the form of network devices, computers and applications installed on them, often - despite performing a similar function - come from different manufacturers. Some of these resources, such as company email, collaboration space or office suite, have already been moved to the cloud or will be there soon.

The development of enterprises and the attempt to provide an optimized workplace mean that IT environments reach a level of complexity at which separate, unconnected resource management tools no longer make it possible to conduct an in-depth analysis of events occurring in these environments. Detecting security incidents becomes particularly difficult - advanced attacks do not focus on individual systems, but try to spread across resources of various types and in various locations. Meeting legal and regulatory requirements is also problematic because it requires providing reports covering the functioning of the entire IT infrastructure, and the data required to create them is scattered in many places. Therefore, there is a need to implement a solution that will allow monitoring events from the entire IT environment.

These solutions - called SIEM solutions (Security Information and Event Management) - are equipped with mechanisms that allow for the collection and processing of events - and these may be from several to several hundred thousand per second - coming from various resources located in various locations, including the cloud. From these events, one coherent image is created, used by specialized rules - including behavioral ones, analyzing the behavior of users and systems - to detect and report potential security incidents. These incidents, categorized and prioritized, are presented by SIEM class solutions in a form that allows IT security analysts to quickly determine the resources affected by the attack and take appropriate actions to eliminate its effects. SIEM solutions also allow you to generate reports for legal and regulatory purposes - a set of templates is usually provided with the solution.

IMPLEMENTING SIEM SOLUTIONS

The most popular SIEM solutions, developed for many years, such as IBM Security® QRadar® SIEM or Splunk Enterprise Security, were created with the purpose of monitoring IT environments. Despite the extensive knowledge base and support for products of almost all leading manufacturers of network solutions, operating systems and applications, the implementation of these solutions - depending on the complexity of the target environment - takes a specialized team from several weeks to several months.

There are also industries in which the "office" IT environment is not the only IT environment, or in which that environment only plays a supporting role for the industrial OT environment. This environment, like the IT environment, must be properly secured in accordance with legal and regulatory requirements. An additional challenge arises here - the SIEM class solutions mentioned do not support OT environments by default. There are no appropriate modules capable of collecting and processing events from solutions such as distributed control systems (DCS), systems supervising the technological or production process (SCADA), or programmable logic controllers (PLC). There are also no appropriate rules to detect attacks on industrial automation environments - and those, officially initiated by Stuxnet (link: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/), constitute an increasingly numerous group.

This does not mean, however, that SIEM solutions cannot be used to monitor OT environments - on the contrary. OT environments - similarly to IT environments - are IT environments. They consist of networked resources, such as SCADA, DCS or PLC systems, which, like resources operating in IT environments, can report events related to their functioning that are valuable from the point of view of security, and save them in the form of logs, which can then be analyzed by a SIEM class solution. In addition to events coming from the OT resources themselves, it is also possible to analyze data sent in OT networks using specialized protocols such as Modbus TCP or PROFIBUS. However, this requires implementing solutions such as Nozomi Networks Guardian or Radiflow iSID and integrating them with a SIEM solution.

Configuring data collection and processing by a SIEM solution is the first stage of implementation. The next stage is to create a set of rules that will allow the SIEM system to recognize signs of incorrect functioning of OT environment solutions, caused by intentional action (attack) or failure. Creating appropriate rules requires excellent knowledge not only of SIEM class solutions, but also of the specifics of the OT environment in the sector in which it operates.
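To make the two stages above concrete - events collected from OT sources, then rules that separate attack indicators from failure indicators and prioritize them - here is a small correlation engine in Python. It is an added illustration, not code from Transition Technologies - Systems, QRadar or Splunk. Everything in it is constructed: the log lines, the IP addresses, the device names, the engineering-workstation allowlist and the thresholds; the only real-world values are the Modbus function codes for write operations (5, 6, 15, 16) and read holding registers (3). The three rules model the kinds of detections the text describes: a write to a controller from a host that is not an engineering workstation (attack indicator), a burst of writes from one host (behavioral indicator), and a controller that stops sending heartbeats (failure indicator).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs); one event per line:
# "<ISO timestamp> <source> key=value key=value ..."
# "modbus-probe" stands in for a network sensor feeding Modbus metadata to the SIEM,
# "plc-07" for a controller that reports its own heartbeat events.
SAMPLE_LOG = """\
2024-03-01T10:00:00 modbus-probe src=10.1.20.5 dst=10.1.10.7 func=16 unit=1
2024-03-01T10:00:05 plc-07 status=heartbeat
2024-03-01T10:00:10 modbus-probe src=10.1.20.5 dst=10.1.10.7 func=3 unit=1
2024-03-01T10:00:20 modbus-probe src=10.1.30.44 dst=10.1.10.7 func=6 unit=1
2024-03-01T10:00:35 plc-07 status=heartbeat
2024-03-01T10:00:40 modbus-probe src=10.1.30.44 dst=10.1.10.8 func=5 unit=2
2024-03-01T10:00:50 modbus-probe src=10.1.30.44 dst=10.1.10.8 func=16 unit=2
2024-03-01T10:01:05 plc-07 status=heartbeat
2024-03-01T10:04:00 modbus-probe src=10.1.20.5 dst=10.1.10.8 func=3 unit=2
2024-03-01T10:04:30 modbus-probe src=10.1.20.5 dst=10.1.10.8 func=3 unit=2
"""

# Assumed asset inventory (hypothetical addresses): hosts allowed to write to controllers.
ENGINEERING_WORKSTATIONS = {"10.1.20.5"}
# Modbus function codes that change controller state: write single coil (5),
# write single register (6), write multiple coils (15), write multiple registers (16).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}
HEARTBEAT_TIMEOUT = timedelta(seconds=90)      # constructed threshold
WRITE_BURST_COUNT = 3                          # constructed threshold
WRITE_BURST_WINDOW = timedelta(seconds=60)     # constructed threshold


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


@dataclass
class Incident:
    priority: int   # 1 = highest
    rule: str
    asset: str
    detail: str


def parse_events(text):
    """Turn the key=value log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.fromisoformat(ts), source, fields))
    return sorted(events, key=lambda e: e.ts)


def modbus_writes(events):
    """Yield Modbus events whose function code modifies controller state."""
    for e in events:
        if e.source == "modbus-probe" and int(e.fields["func"]) in MODBUS_WRITE_FUNCS:
            yield e


def rule_unauthorized_write(events):
    """Attack indicator: a write to a controller from a host outside the allowlist."""
    return [
        Incident(1, "unauthorized_modbus_write", e.fields["dst"],
                 f"func {e.fields['func']} from {e.fields['src']} at {e.ts.isoformat()}")
        for e in modbus_writes(events) if e.fields["src"] not in ENGINEERING_WORKSTATIONS
    ]


def rule_write_burst(events):
    """Behavioral indicator: one host issuing WRITE_BURST_COUNT writes within WRITE_BURST_WINDOW."""
    per_src = defaultdict(list)
    for e in modbus_writes(events):
        per_src[e.fields["src"]].append(e.ts)   # already in time order
    out = []
    for src, times in per_src.items():
        for i in range(len(times) - WRITE_BURST_COUNT + 1):
            if times[i + WRITE_BURST_COUNT - 1] - times[i] <= WRITE_BURST_WINDOW:
                out.append(Incident(2, "modbus_write_burst", src,
                                    f"{WRITE_BURST_COUNT} writes within {WRITE_BURST_WINDOW} from {times[i].isoformat()}"))
                break   # one incident per host is enough for the analyst
    return out


def rule_heartbeat_loss(events, now):
    """Failure indicator: a device that used to send heartbeats has gone silent."""
    last, out = {}, []
    for e in events:
        if e.fields.get("status") != "heartbeat":
            continue
        prev = last.get(e.source)
        if prev is not None and e.ts - prev > HEARTBEAT_TIMEOUT:
            out.append(Incident(2, "heartbeat_loss", e.source, f"gap of {e.ts - prev} ending {e.ts.isoformat()}"))
        last[e.source] = e.ts
    for device, ts in last.items():
        if now - ts > HEARTBEAT_TIMEOUT:
            out.append(Incident(2, "heartbeat_loss", device, f"no heartbeat since {ts.isoformat()}"))
    return out


def correlate(log_text):
    """Run all rules over the log and return incidents, highest priority first."""
    events = parse_events(log_text)
    now = events[-1].ts   # "now" is the newest event, so the example runs offline
    incidents = rule_unauthorized_write(events) + rule_write_burst(events) + rule_heartbeat_loss(events, now)
    return sorted(incidents, key=lambda i: (i.priority, i.asset))


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(f"P{inc.priority} {inc.rule:26} {inc.asset:12} {inc.detail}")
```

On the constructed log this reports three unauthorized writes from 10.1.30.44 (priority 1), one write burst for that host and one heartbeat loss for plc-07 (priority 2); the reads from the engineering workstation produce nothing. A real deployment would take the allowlist from the asset inventory and tune the thresholds to the process, but the shape - parse, apply rules, prioritize - is what the rule stage of a SIEM implementation amounts to.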

Regardless of whether you are just creating a security infrastructure or want to expand it with a SIEM solution - for IT infrastructure, OT or both - Transition Technologies - Systems offers implementation, expansion and optimization services for IBM Security® QRadar® SIEM and Splunk Enterprise Security solutions.

We believe that our experience in integrating SIEM solutions and knowledge of industrial automation environments - in particular the energy sector - make us an excellent partner in creating an integrated security system for your company.

CONTACT

Contact us directly:
sales@ttst.pl
+48 603 602 459
or use the form: