How Can SIEM Work with Air-Gapped Networks?

How Can SIEM Work with Air-Gapped Networks?

To keep a critical network safe, a common practice has traditionally been to establish an air gap – in other words, disconnect that network from “untrusted” or less secure networks, the internet, and the outside world. When an air gap is established, the risk of cyberattack drops dramatically and security focus shifts to guns, gates, and guards.

To take a step back, just what kinds of “critical networks” are we talking about here? Usually a confidential government enclave, critical infrastructure operational technology (OT) networks such as nuclear power and oil/gas production, and also core banking networks, economic data enclaves, cryptocurrency custodians, and data storage vaults of all kinds.

These types of networks cannot afford any level of compromise or loss of operational assurance. So, once they implement an air gap, problem solved, right? Not so fast. You’ll notice I said the risk of cyberattack “drops” and not that it completely disappears. Humans are fallible, mistakes can be made, and threats can still be introduced to these networks via removable media, compromised devices, and software updates.

Therefore, these organizations have recognized a need for advanced security information and event management (SIEM) or intrusion detection system (IDS) capabilities to protect the secure network, even with an air-gapped architecture. In implementing these technologies, these organizations have also recognized that it’s important to have the ability to get that SIEM data *out* of the secure network. Why?

  1. Staffing Costs: If they don’t move the data, they need to duplicate the SOC staff inside the secure network, 24×7.
  2. SIEM Effectiveness: They need to move data outside the secure network to achieve “single pane of glass” monitoring and get maximum benefit from a SIEM.
  3. Archiving Requirements: Like other operational data inside the secure network, they can’t rely on a single site to preserve data; they need a backup.

You might be thinking, “I thought the whole point of this story was that we need to disconnect our critical network from everything! It sounds like we are back where we started. Doesn’t connecting SIEM/IDS data defeat the point?” Fortunately, we can safely get data to the outside world. There are (at least) four ways to move SIEM/IDS data out of a secure network to a Security Operations Center (SOC) or other external network for monitoring (on-prem or cloud):



Walk the data out of the facility

Syslog out

Pass raw syslog data out of the network

Processed/filtered data & alerts out

Utilize SIEM components in the plant to analyze data inside the network

Raw network tap out for IDS

Send a feed of raw network traffic out of the network

  • Easy to do
  • Easy to configure
  • Helps conceal network & routing info
  • Reduces the amount of traffic passing out of the secure network
  • Allows SIEM/IDS solution to operate outside the secure network
  • Expensive
  • Prone to error
  • Potential for corruption or hidden malware
  • Delays data getting out
  • Can potentially reveal details about the secure network to the outside world
  • Requires updating SIEM components inside the secure network
  • Configuration may require adaptation of SIEM-specific protocols
  • Requires a lot of bandwidth


Of these approaches, sneaker-net has many security and efficiency problems but is still in common use (believe it or not). One of the most common ways to mitigate the sneaker-net security issues outlined above is through the use of security scanning kiosks, such as the Tresys XD Air, which scan and filter data from removable media before it is introduced to a secure environment. However, if portable media are not required, the sneaker-net approach could potentially add more time and effort, and the latter three connected approaches are more efficient.

The primary means for securely achieving the connected approaches is to implement data diodes to guarantee one-way flow of data. Firewalls are not acceptable for this purpose because they are both inherently bidirectional (although they can be configured to be one-way), and operate via software that, like the humans who wrote it, is fallible. Firewalls can also be reconfigured with the right credentials, whereas data diodes enforce one-way traffic at the hardware layer — data can never flow in the opposite direction because the hardware to do so does not exist in the device.

Want to learn more about data diode technology? Click here.

In order to turn a two-way protocol (such as those used in all kinds of SIEM and IDS systems, as well as many common industrial protocols) into a one-way connection, proxy servers and specialized software allow data diodes to mimic the source and destination to the networks on each side, while only transferring data from one side of the diode to the other. There are even solutions that orchestrate the use of data diodes to enable two-way communications for IDS functions that simply cannot work without an ability to respond on the same session.

How do you handle security monitoring for your secure networks? We would love to hear your feedback.


How should we handle software updates and upgrades for our air-gapped network? At some point, there will almost inevitably be a need to introduce new software, patches, or other executables into the secure network. The safest way is to enforce a one-way data path, via data diodes with filtering and hash checking before data is permitted to pass across the boundary. This method ensures that the software is authentic and that no malware or unauthorized files can flow into the secure network.

Insights to your Inbox

Stay informed with the latest cybersecurity news and resources.

Paul Nguyen DoD Account Director

Proven Solutions for Navy “Data Maneuverability” @ AFCEA WEST

Hi, I’m Paul Nguyen, one of the new leaders of Owl’s DoD Mission Support team. I joined Owl Cyber Defense (Owl) earlier this month, just in time to be a part of our annual corporate o...
January 31, 2024

Owl SEER Lab MiniBlog 1: CVE-2023-21093

Hello and welcome to the launch of the Owl Cyber Defense System Evaluation, Exploitation, and Research (SEER) Laboratory miniblog! This is the very first in a line of forthcoming posts. ...
September 26, 2023

Reduce Cyber Stress (at least at work) by Implementing Data Diode Enforced Segmentation

In today's digital age, cybersecurity professionals play a crucial role in ensuring the safety and security of an organization's sensitive information. With the rise of cyberattacks, it's...
April 20, 2023