How Can SIEM Work with Air-Gapped Networks?

To keep a critical network safe, a common practice has traditionally been to establish an air gap – in other words, disconnect that network from “untrusted” or less secure networks, the internet, and the outside world. When an air gap is established, the risk of cyberattack drops dramatically and security focus shifts to guns, gates, and guards.

To take a step back, just what kinds of “critical networks” are we talking about here? Usually a confidential government enclave, critical infrastructure operational technology (OT) networks such as nuclear power and oil/gas production, and also core banking networks, economic data enclaves, cryptocurrency custodians, and data storage vaults of all kinds.

These types of networks cannot afford any level of compromise or loss of operational assurance. So, once they implement an air gap, problem solved, right? Not so fast. You’ll notice I said the risk of cyberattack “drops” and not that it completely disappears. Humans are fallible, mistakes can be made, and threats can still be introduced to these networks via removable media, compromised devices, and software updates.

Therefore, these organizations have recognized a need for advanced security information and event management (SIEM) or intrusion detection system (IDS) capabilities to protect the secure network, even with an air-gapped architecture. In implementing these technologies, these organizations have also recognized that it’s important to have the ability to get that SIEM data *out* of the secure network. Why?

  1. Staffing Costs: If they don’t move the data, they need to duplicate the SOC staff inside the secure network, 24×7.
  2. SIEM Effectiveness: They need to move data outside the secure network to achieve “single pane of glass” monitoring and get maximum benefit from a SIEM.
  3. Archiving Requirements: Like other operational data inside the secure network, they can’t rely on a single site to preserve data; they need a backup.

You might be thinking, “I thought the whole point of this story was that we need to disconnect our critical network from everything! It sounds like we are back where we started. Doesn’t connecting SIEM/IDS data defeat the point?” Fortunately, we can safely get data to the outside world. There are (at least) four ways to move SIEM/IDS data out of a secure network to a Security Operations Center (SOC) or other external network for monitoring (on-prem or cloud):

| Method | What it involves | Pros | Cons |
|---|---|---|---|
| Sneaker-net | Walk the data out of the facility | Easy to do | Expensive; prone to error; potential for corruption or hidden malware; delays data getting out |
| Syslog out | Pass raw syslog data out of the network | Easy to configure | Can potentially reveal details about the secure network to the outside world |
| Processed/filtered data & alerts out | Utilize SIEM components in the plant to analyze data inside the network | Helps conceal network & routing info; reduces the amount of traffic passing out of the secure network | Requires updating SIEM components inside the secure network; configuration may require adaptation of SIEM-specific protocols |
| Raw network tap out for IDS | Send a feed of raw network traffic out of the network | Allows the SIEM/IDS solution to operate outside the secure network | Requires a lot of bandwidth |

Of these approaches, sneaker-net has many security and efficiency problems but is still in common use (believe it or not). One of the most common ways to mitigate the sneaker-net security issues outlined above is a security scanning kiosk, such as the Tresys XD Air, which scans and filters the contents of removable media before it is introduced to a secure environment. A kiosk can only reject what its scanners know how to recognize, though, and it adds still more time and effort to every transfer; the three connected approaches are far more efficient.

The primary means for securely achieving the connected approaches is to implement data diodes to guarantee one-way flow of data. Firewalls are not acceptable for this purpose: they are inherently bidirectional (a firewall can be configured to pass traffic in only one direction, but that is a policy setting, not a physical property), and they enforce that policy in software which, like the humans who wrote it, is fallible. A firewall can also be reconfigured by anyone holding the right credentials, whereas a data diode enforces one-way flow at the hardware layer: data cannot travel in the reverse direction because the device contains no hardware to carry it.


To turn a two-way protocol (such as those used by most SIEM and IDS systems, as well as many common industrial protocols) into a one-way connection, proxy servers and specialized software on each side of the diode mimic the source and destination for their own network: the sending-side proxy terminates the session and acknowledges locally, and only the payload crosses the diode. Because nothing can be requested again from the far side, the receiving proxy has to detect loss itself (for example from sequence numbers) rather than rely on the protocol's own retransmission. There are also solutions that orchestrate data diodes (one in each direction, under software control of what may pass each way) to support IDS functions that simply cannot work without the ability to respond on the same session.
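The "processed/filtered data & alerts out" method from the table and the proxying just described, combined in one added example. This is not code from the original post or from any vendor's product; it assumes a simple BSD-style syslog header, RFC 1918 addressing inside the secure network, a shared secret provisioned on both proxies, and constructed log lines. The inside proxy replaces hostnames and private addresses with keyed pseudonyms (so the SOC can still correlate events per host without learning the real addressing) and emits sequence-numbered, authenticated datagrams; the SOC-side proxy verifies each one and records gaps, since a one-way path can never ask for a retransmit.

```python
"""Inside and SOC-side proxies for pushing syslog across a data diode.

Added example, not from the original post or any vendor product.  Assumptions:
BSD-style syslog lines, RFC 1918 addressing inside, a shared secret on both
proxies.  Log lines and the secret below are constructed.
"""
import hmac
import json
import re

# Constructed sample lines as they might arrive inside the secure network.
SAMPLE_LOGS = [
    "<34>Jan 12 10:01:02 plc-hist01 sshd[412]: Failed password for root from 10.20.30.7 port 51512 ssh2",
    "<86>Jan 12 10:01:05 eng-ws07 sudo: oper : TTY=pts/0 ; PWD=/home/oper ; COMMAND=/usr/bin/vi /etc/hosts",
    "<30>Jan 12 10:01:09 fw-core01 kernel: DROP IN=eth1 SRC=10.20.30.7 DST=10.20.40.15 PROTO=TCP DPT=445",
]

PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
# "<PRI>Mon DD HH:MM:SS hostname rest..." (assumed log format).
HEADER = re.compile(r"^(<\d+>\w{3} +\d+ \d\d:\d\d:\d\d )(\S+)( .*)$")


def derive_keys(secret: bytes):
    """Two keys from one secret: the pseudonym key never leaves the secure
    network; the SOC side only needs the frame key."""
    pseudonym_key = hmac.new(secret, b"pseudonym", "sha256").digest()
    frame_key = hmac.new(secret, b"frame", "sha256").digest()
    return pseudonym_key, frame_key


def redact(line: str, pseudonym_key: bytes) -> str:
    """Swap the hostname and any private IP for stable keyed tokens."""
    def token(prefix: str, value: str) -> str:
        return prefix + "-" + hmac.new(pseudonym_key, value.encode(), "sha256").hexdigest()[:8]
    m = HEADER.match(line)
    if m:
        line = m.group(1) + token("host", m.group(2)) + m.group(3)
    return PRIVATE_IP.sub(lambda ip: token("ip", ip.group(0)), line)


class DiodeSender:
    """Inside proxy: acknowledges the syslog session locally and writes
    one-way datagrams.  It never reads anything back from the diode."""
    def __init__(self, secret: bytes):
        self.pseudonym_key, self.frame_key = derive_keys(secret)
        self.seq = 0

    def frame(self, line: str) -> bytes:
        self.seq += 1
        msg = redact(line, self.pseudonym_key)
        mac = hmac.new(self.frame_key, f"{self.seq}|{msg}".encode(), "sha256").hexdigest()
        # A real deployment hands these bytes to sock.sendto() toward the diode.
        return json.dumps({"seq": self.seq, "msg": msg, "mac": mac}).encode()


class DiodeReceiver:
    """SOC-side proxy: validates each datagram and records loss as gaps."""
    def __init__(self, secret: bytes):
        _, self.frame_key = derive_keys(secret)
        self.expected = 1
        self.accepted = []
        self.gaps = []          # (first_missing_seq, last_missing_seq)
        self.rejected = 0

    def accept(self, datagram: bytes) -> bool:
        try:
            body = json.loads(datagram.decode())
            seq, msg, mac = int(body["seq"]), str(body["msg"]), str(body["mac"])
        except (ValueError, KeyError, TypeError):
            self.rejected += 1      # malformed: not something the sender produced
            return False
        want = hmac.new(self.frame_key, f"{seq}|{msg}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(want, mac):
            self.rejected += 1      # corrupted in transit or forged on the SOC side
            return False
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))   # lost on the one-way path
        if seq >= self.expected:
            self.expected = seq + 1
        self.accepted.append(msg)
        return True


def run_export_demo(drop_seq: int = 2, secret: bytes = b"constructed-shared-secret") -> DiodeReceiver:
    """Push the sample lines inside -> diode -> SOC, losing one datagram on the way."""
    tx, rx = DiodeSender(secret), DiodeReceiver(secret)
    for line in SAMPLE_LOGS:
        datagram = tx.frame(line)
        if tx.seq == drop_seq:
            continue    # simulated loss: the SOC can only detect it, never request it again
        rx.accept(datagram)
    return rx


if __name__ == "__main__":
    rx = run_export_demo()
    for m in rx.accepted:
        print(m)
    print("gaps:", rx.gaps, "rejected:", rx.rejected)
```

A gap in the receiver's sequence should itself raise an alert in the SOC, since it is the only signal that the one-way path dropped something. Keeping the pseudonym key inside the secure network means an analyst can pivot on "every event from host-xxxxxxxx" without the mapping to the real hostname ever leaving the enclave; reversing a token is a deliberate step done inside.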

How do you handle security monitoring for your secure networks? We would love to hear your feedback.

SIDEBAR: SOFTWARE UPDATES

How should we handle software updates and upgrades for an air-gapped network? At some point there will almost inevitably be a need to introduce new software, patches, or other executables into the secure network. The safest way is to enforce a one-way data path into the network via a data diode, with filtering and hash checking applied before any file is permitted to cross the boundary. Filtering limits which kinds of files can cross at all, and the hash check confirms that each file is byte-for-byte the package that was approved. Be clear about what that does and does not prove: a matching hash shows the file has not been altered since it was approved, so the check is only as strong as the approval process behind the reference hashes; it does not by itself establish that the vendor's package was clean when it was built.
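A gate of the kind the sidebar describes, as an added example (not code from the original post or any vendor product). It assumes an operator has already recorded the SHA-256 of each approved package in a manifest, that only a few package types are ever allowed to cross, and that files are staged in a directory before the diode; the allowed suffixes, file names, contents and hashes are all constructed for the example. Everything not in the returned `passed` list stays outside, and each rejection carries a reason so the operator can see whether a file was tampered with, never approved, or simply never arrived.

```python
"""Inbound update gate for the one-way path into a secure network.

Added example, not from the original post or any vendor product.  Assumes a
manifest of approved file names and SHA-256 digests prepared by an operator,
a staging directory, and an allowlist of package suffixes (all constructed).
"""
import hashlib
import hmac
import os
import tempfile

ALLOWED_SUFFIXES = (".rpm", ".deb", ".zip")   # assumed policy for the example
CHUNK = 1 << 16


def sha256_file(path: str) -> str:
    """Stream the file so large packages do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def gate(staging_dir: str, manifest: dict):
    """Return (passed, rejected): names cleared to cross, and name -> reason.

    Checks run cheapest first; a file is only hashed once it is listed, present
    and of an allowed type.  Anything in staging but not in the manifest is
    rejected too, so an extra file cannot ride along with an approved batch.
    """
    passed, rejected = [], {}
    present = set(os.listdir(staging_dir))
    for name, expected in manifest.items():
        if name != os.path.basename(name) or name in ("", ".", ".."):
            rejected[name] = "unsafe name"             # path traversal in the manifest
            continue
        if name not in present:
            rejected[name] = "listed but not present"
            continue
        present.discard(name)
        if not name.lower().endswith(ALLOWED_SUFFIXES):
            rejected[name] = "file type not allowed"
            continue
        actual = sha256_file(os.path.join(staging_dir, name))
        if not hmac.compare_digest(actual, expected.lower()):
            rejected[name] = "hash mismatch"           # altered after approval
            continue
        passed.append(name)
    for name in sorted(present):
        rejected[name] = "not in manifest"
    return passed, rejected


def run_update_gate_demo():
    """Stage a constructed batch: one good file, one tampered, one of a
    disallowed type, one unlisted, one listed but missing, one unsafe name."""
    good = b"approved agent package bytes (constructed)"
    rules = b"approved detection rules bundle (constructed)"
    driver = b"vendor driver installer (constructed)"
    manifest = {
        "agent-2.4.1.rpm": hashlib.sha256(good).hexdigest(),
        "rules-2024.zip": hashlib.sha256(rules).hexdigest(),
        "driver.exe": hashlib.sha256(driver).hexdigest(),
        "ghost.rpm": hashlib.sha256(b"never arrived").hexdigest(),
        "../evil.rpm": hashlib.sha256(b"traversal attempt").hexdigest(),
    }
    staged = {
        "agent-2.4.1.rpm": good,
        "rules-2024.zip": rules + b"\x00",   # one byte changed in transit
        "driver.exe": driver,
        "extra.rpm": b"unlisted package",
    }
    with tempfile.TemporaryDirectory() as staging:
        for name, data in staged.items():
            with open(os.path.join(staging, name), "wb") as f:
                f.write(data)
        return gate(staging, manifest)


if __name__ == "__main__":
    passed, rejected = run_update_gate_demo()
    print("cleared to cross:", passed)
    for name, reason in rejected.items():
        print(f"held back: {name}: {reason}")
```

The reference digests are the trust anchor here, so they should reach the operator through a channel independent of the files themselves (a signed release note, a vendor web page checked out of band), never copied off the same removable media as the package.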
