How Can SIEM Work with Air-Gapped Networks?

How Can SIEM Work with Air-Gapped Networks?


To keep a critical network safe, a common practice has traditionally been to establish an air gap – in other words, disconnect that network from “untrusted” or less secure networks, the internet, and the outside world. When an air gap is established, the risk of cyberattack drops dramatically and security focus shifts to guns, gates, and guards.

To take a step back, just what kinds of “critical networks” are we talking about here? Usually a confidential government enclave, critical infrastructure operational technology (OT) networks such as nuclear power and oil/gas production, and also core banking networks, economic data enclaves, cryptocurrency custodians, and data storage vaults of all kinds.

These types of networks cannot afford any level of compromise or loss of operational assurance. So, once they implement an air gap, problem solved, right? Not so fast. You’ll notice I said the risk of cyberattack “drops” and not that it completely disappears. Humans are fallible, mistakes can be made, and threats can still be introduced to these networks via removable media, compromised devices, and software updates.

Therefore, these organizations have recognized a need for advanced security information and event management (SIEM) or intrusion detection system (IDS) capabilities to protect the secure network, even with an air-gapped architecture. In implementing these technologies, these organizations have also recognized that it’s important to have the ability to get that SIEM data *out* of the secure network. Why?

  1. Staffing Costs: If they don’t move the data, they need to duplicate the SOC staff inside the secure network, 24×7.
  2. SIEM Effectiveness: They need to move data outside the secure network to achieve “single pane of glass” monitoring and get maximum benefit from a SIEM.
  3. Archiving Requirements: Like other operational data inside the secure network, they can’t rely on a single site to preserve data; they need a backup.

You might be thinking, “I thought the whole point of this story was that we need to disconnect our critical network from everything! It sounds like we are back where we started. Doesn’t connecting SIEM/IDS data defeat the point?” Fortunately, we can safely get data to the outside world. There are (at least) four ways to move SIEM/IDS data out of a secure network to a Security Operations Center (SOC) or other external network for monitoring (on-prem or cloud):

METHOD

Sneaker-net

Walk the data out of the facility

Syslog out

Pass raw syslog data out of the network

Processed/filtered data & alerts out

Utilize SIEM components in the plant to analyze data inside the network

Raw network tap out for IDS

Send a feed of raw network traffic out of the network

PROS
  • Easy to do
  • Easy to configure
  • Helps conceal network & routing info
  • Reduces the amount of traffic passing out of the secure network
  • Allows SIEM/IDS solution to operate outside the secure network
CONS
  • Expensive
  • Prone to error
  • Potential for corruption or hidden malware
  • Delays data getting out
  • Can potentially reveal details about the secure network to the outside world
  • Requires updating SIEM components inside the secure network
  • Configuration may require adaptation of SIEM-specific protocols
  • Requires a lot of bandwidth

 

Of these approaches, sneaker-net has many security and efficiency problems but is still in common use (believe it or not). One of the most common ways to mitigate the sneaker-net security issues outlined above is through the use of security scanning kiosks, such as the Tresys XD Air, which scan and filter data from removable media before it is introduced to a secure environment. However, if portable media are not required, the sneaker-net approach could potentially add more time and effort, and the latter three connected approaches are more efficient.

The primary means for securely achieving the connected approaches is to implement data diodes to guarantee one-way flow of data. Firewalls are not acceptable for this purpose because they are both inherently bidirectional (although they can be configured to be one-way), and operate via software that, like the humans who wrote it, is fallible. Firewalls can also be reconfigured with the right credentials, whereas data diodes enforce one-way traffic at the hardware layer — data can never flow in the opposite direction because the hardware to do so does not exist in the device.

Want to learn more about data diode technology? Click here.

In order to turn a two-way protocol (such as those used in all kinds of SIEM and IDS systems, as well as many common industrial protocols) into a one-way connection, proxy servers and specialized software allow data diodes to mimic the source and destination to the networks on each side, while only transferring data from one side of the diode to the other. There are even solutions that orchestrate the use of data diodes to enable two-way communications for IDS functions that simply cannot work without an ability to respond on the same session.

How do you handle security monitoring for your secure networks? We would love to hear your feedback.

SIDEBAR: SOFTWARE UPDATES

How should we handle software updates and upgrades for our air-gapped network? At some point, there will almost inevitably be a need to introduce new software, patches, or other executables into the secure network. The safest way is to enforce a one-way data path, via data diodes with filtering and hash checking before data is permitted to pass across the boundary. This method ensures that the software is authentic and that no malware or unauthorized files can flow into the secure network.

Insights to your Inbox

Stay informed with the latest cybersecurity news and resources.

Daniel Crum Director, Product Marketing

AI’s Role in Defense – Accelerating Decision Dominance in the Next Era of Warfare

"AI is not just another technology. It is a transformative technology that will change the way we fight and defend our nation." Kathleen Hicks, Deputy Secretary of Defense   Techn...
November 26, 2024
Daniel Crum Director, Product Marketing

Hidden Threats in AI Data: Protecting Against Embedded Steganography

As the 2023 Executive Order on Artificial Intelligence (AI) specifically lays out, "Harnessing AI for good and realizing its myriad benefits requires mitigating its substantial risks." On...
November 19, 2024

Owl Cyber Defense Featured on Fed Gov Today Television

Data Mobility: The Edge Advantage in Real-Time Operations Originally Broadcast on Fed Gov Today, November 3, 2024 Dan O’Donohue emphasizes that data’s power is in its mobility. ...
November 13, 2024