Securing Operational Technology With SIEM & XDR For Manufacturing
The expansive nature of the manufacturing industry and its critical role in supply chain and infrastructure support makes it a key target of ransomware and other cybersecurity attacks.
- Manufacturing was the most targeted industry in 2021, with 23% reporting ransomware attacks (IBM X-Force Threat Intelligence Index)
- Slowdowns and operational downtime pressure downstream supply chains into ransom payments
- Popular attack methods include phishing and vulnerability exploitation
- Sixty-one percent of incidents at OT-connected organizations last year were in the manufacturing industry
Manufacturing companies often rely on highly interconnected, automated and complex systems to run machinery and computers for their operations. Any type of cybersecurity attack that spreads throughout their network, such as ransomware, can potentially bring operations to a halt and result in costly breaches and downtime.
Ransomware attacks not only disrupt and stop operations, they can also result in the leakage of intellectual property, as modern ransomware attacks often involve both extortion and the stealing of data.
Who is included?
Manufacturing spans many different industries, including metals, machinery, electrical equipment, transportation equipment and more to help support critical infrastructure.
Blumira SIEM & XDR For Manufacturing
Blumira’s easy, effective XDR platform can help manufacturing companies secure their operational technology with:
- Cloud SIEM – Log monitoring and review of data across your entire environment. Detect and respond to threats early to prevent ransomware and a breach.
- Endpoint Visibility – Monitor the security of remote endpoints. Contain endpoints when a threat is detected immediately.
- Automated Response – Block traffic from known malicious sources and immediately isolate endpoints to stop the spread of malware or an attack to limit the damage to your organization.
Case Study: Atlantic Constructors, Inc. (ACI)
- Challenge – The IT Director of Atlantic Constructors, Inc. (ACI) needed a simplified SIEM that his small IT team could use to keep their organization safe from ransomware and account takeovers.
- Solution – ACI turned to Blumira’s cloud SIEM to help them detect previously unknown threats, following response playbooks written for IT teams to help them remediate threats quickly and easily.
“Our IT help desk employee is in charge of monitoring Blumira. Without requiring a ton of experience, Blumira’s platform provides very simplified language and built-in workflows that help him also learn about security as he uses the product – it’s not overloading him with alerts and he doesn’t need to sift through hundreds of thousands of logs.” – Jim Paolicelli, IT Director, ACI
Blumira can help manufacturers and service providers protect against operational disruptions and business downtime, as well as support many ISO 27001 controls – learn more below.
ISO 27001: Manufacturing Compliance
The International Organization for Standardization (ISO) 27001 defines requirements that companies of any size can use to establish, implement, maintain and continually improve an information security management system. Complying with ISO 27001 verifies that an organization has a system in place to handle risks related to the security of data owned or handled by the company.
A.9 Access Controls
A.9.2 User access management – Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration – A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A.9.3.1 Use of secret authentication information – Users shall be required to follow the organization’s practices in the use of secret authentication information.
A.9.4 System and application access control – Objective: To prevent unauthorized access to systems and applications.
A.9.4.1 Information access restriction – Access to information and application system functions shall be restricted in accordance with the access control policy.
A.9.4.2 Secure log-on procedures – Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
A.9.4.4 Use of privileged utility programs – The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
A.9.4.5 Access control to program source code – Access to program source code shall be restricted.
How Blumira Helps:
Blumira’s platform monitors all remote access attempts (through VPNs, two-factor authentication, etc.) and any anomalous user activity, such as failed login attempts or account lockouts, that may be indicative of compromised accounts. This helps organizations detect and respond to unauthorized access attempts, ensuring only authorized user access to systems and services.
Blumira’s managed detection rules can identify when passwords are being stored incorrectly (such as in a plaintext password file or document), and will notify organizations to investigate and take action so that secret authentication information is handled according to the organization’s practices.
Blumira monitors all system and application access activity, allowing organizations to review reports of user access to enforce information access restriction in accordance with their access control policy. Blumira also detects brute-force attacks (like password spraying) to help organizations quickly respond to attacker activity.
Blumira monitors administrator (or privileged user) access activity to systems that may contain critical data. For example, Blumira can detect when an administrator-level account is added to a Windows security group, which could be legitimate activity, but should be validated and monitored closely to prevent attackers from gaining access.
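The two detection patterns described above (brute-force password spraying and an account being added to a privileged Windows group), as an added example that is not Blumira's code: constructed Windows Security events in an assumed normalized JSON-lines shape are run through one rule that flags additions to privileged groups (event IDs 4728 and 4732, member added to a security-enabled global or local group) and one rule that flags a single source failing logons (event ID 4625) against many distinct accounts inside a short window. The sample events, the privileged-group list, the window and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Groups whose membership changes should always be validated (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# 4728: member added to a security-enabled global group; 4732: to a local group.
GROUP_ADD_EVENT_IDS = {4728, 4732}
LOGON_FAILURE_EVENT_ID = 4625
# Spray rule: one source failing against this many distinct accounts within the window.
SPRAY_WINDOW = timedelta(minutes=5)
SPRAY_MIN_ACCOUNTS = 5

# Constructed sample events in an assumed normalized JSON-lines shape (not real logs).
SAMPLE_EVENTS = """
{"ts": "2024-05-01T08:00:00", "event_id": 4732, "host": "FILESRV01", "subject": "jdoe", "member": "svc-backup", "group": "Administrators"}
{"ts": "2024-05-01T08:01:00", "event_id": 4732, "host": "FILESRV01", "subject": "jdoe", "member": "mlee", "group": "Sales"}
{"ts": "2024-05-01T09:00:05", "event_id": 4625, "host": "DC01", "source": "10.0.0.50", "account": "alice"}
{"ts": "2024-05-01T09:00:09", "event_id": 4625, "host": "DC01", "source": "10.0.0.50", "account": "bob"}
{"ts": "2024-05-01T09:00:14", "event_id": 4625, "host": "DC01", "source": "10.0.0.50", "account": "carol"}
{"ts": "2024-05-01T09:00:20", "event_id": 4625, "host": "DC01", "source": "10.0.0.50", "account": "dave"}
{"ts": "2024-05-01T09:00:26", "event_id": 4625, "host": "DC01", "source": "10.0.0.50", "account": "erin"}
{"ts": "2024-05-01T09:00:31", "event_id": 4625, "host": "DC01", "source": "10.0.0.50", "account": "frank"}
{"ts": "2024-05-01T09:10:00", "event_id": 4625, "host": "DC01", "source": "10.0.0.7", "account": "mlee"}
{"ts": "2024-05-01T09:10:30", "event_id": 4625, "host": "DC01", "source": "10.0.0.7", "account": "mlee"}
{"ts": "2024-05-01T09:11:00", "event_id": 4625, "host": "DC01", "source": "10.0.0.7", "account": "mlee"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a real datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_privileged_group_adds(events):
    """Rule A: every addition to a privileged group is a finding to validate,
    since the text notes it may be legitimate but must be checked."""
    return [
        {"rule": "privileged_group_add", "host": ev["host"], "actor": ev["subject"],
         "member": ev["member"], "group": ev["group"], "ts": ev["ts"]}
        for ev in events
        if ev["event_id"] in GROUP_ADD_EVENT_IDS and ev["group"] in PRIVILEGED_GROUPS
    ]


def detect_password_spray(events):
    """Rule B: sliding window per source over logon failures; a source that
    fails against SPRAY_MIN_ACCOUNTS distinct accounts inside SPRAY_WINDOW
    yields one finding (the first time the threshold is crossed)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == LOGON_FAILURE_EVENT_ID:
            failures[ev["source"]].append((ev["ts"], ev["account"]))
    findings = []
    for source, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits the time window.
            while attempts[end][0] - attempts[start][0] > SPRAY_WINDOW:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                findings.append({"rule": "password_spray", "source": source,
                                 "accounts": sorted(accounts),
                                 "first": attempts[start][0], "last": attempts[end][0]})
                break
    return findings


def run_rules(text=SAMPLE_EVENTS):
    """Run both rules and return the combined list of findings."""
    events = parse_events(text)
    return detect_privileged_group_adds(events) + detect_password_spray(events)


if __name__ == "__main__":
    for finding in run_rules():
        print(finding)
```

On the sample, the single-account failures from 10.0.0.7 (a user mistyping a password) produce no finding, the six-account burst from 10.0.0.50 does, and only the addition to Administrators is reported, not the one to the Sales group.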
A.12.2 & A.12.4 Protection From Malware; Logging and Monitoring
A.12.2.1 Controls against malware – Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
A.12.4.1 Event logging – Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
A.12.4.2 Protection of log information – Logging facilities and log information shall be protected against tampering and unauthorized access.
A.12.4.3 Administrator and operator logs – System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
A.12.4.4 Clock synchronization – The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.
How Blumira Helps:
Blumira’s platform detects malware and other malicious activity. Blumira Agent monitors the security of remote endpoints and can be used to isolate hosts when a critical-priority issue is detected on them. This helps prevent the spread of malware, including ransomware, until an organization can further investigate and remediate.
Blumira’s platform integrates with systems and services to collect, centralize and analyze event logs, including those that record user activities and information security events. These logs are retained for up to one year, with additional options available for longer periods, to help with forensic investigation and historical log analysis.
Blumira protects log data both in transit and at rest to ensure attackers cannot gain access to log archives to read data without the appropriate keys. The Blumira log database is only accessible to internal Blumira services and parties that require access. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation.
Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared. Blumira can also provide alerting for FIM (file integrity monitoring) technologies when changes are determined.
Blumira also provides an authoritative time source by attaching our own time of parse to every log entry, using the correct UTC time provided by Google Cloud Platform NTP (Network Time Protocol) servers. Blumira normalizes times to UTC: it validates the times found in log files against the known current UTC time and converts them from local time to UTC. If this is not possible, we mark the log as an outlier, helping analysts and organizations query for any logs that don’t meet expected times.
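The timestamp handling described above, as an added example written for this page rather than Blumira's own code: each log line is stamped with a parse time in UTC, its own timestamp is converted to UTC (timestamps without a zone are assumed to be in a configured source offset, and syslog-style timestamps without a year borrow the parse year), and a line whose time cannot be parsed or differs from the parse time by more than a tolerance is marked as an outlier. The source offset, the tolerance, the fixed parse time and the sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import re

# Assumed offset of the log source for timestamps that carry no zone.
SOURCE_TZ = timezone(timedelta(hours=-5))
# A log time further than this from our parse time is marked as an outlier.
OUTLIER_TOLERANCE = timedelta(hours=1)
# Assumed fixed parse time so the sample is reproducible (a pipeline would use now()).
PARSED_AT = datetime(2024, 5, 14, 14, 20, 0, tzinfo=timezone.utc)

# Timestamp shapes this example understands: (regex at line start, strptime format or "iso").
FORMATS = [
    (re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:?\d{2})"), "iso"),
    (re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"), "%b %d %H:%M:%S"),
]

# Constructed sample log lines, not real data.
SAMPLE_LINES = [
    "2024-05-14T14:19:30Z sshd[812]: Accepted publickey for ops from 10.0.0.9",
    "2024-05-14 09:18:00 app: scheduler started",
    "May 14 09:15:00 plc-gw kernel: link up on eth1",
    "2023-01-01T00:00:00+00:00 app: replayed entry from an old archive",
    "last message repeated 3 times",
    "2024-05-14T14:19:30+0530 app: clock set to the wrong zone",
]


def normalize_time(line, parsed_at=PARSED_AT):
    """Return {'utc': datetime or None, 'outlier': bool, 'reason': str} for one line."""
    for pattern, fmt in FORMATS:
        match = pattern.match(line)
        if not match:
            continue
        raw = match.group(0)
        try:
            if fmt == "iso":
                # Normalize 'Z' and '+0530' forms so fromisoformat accepts them on older Pythons.
                raw = re.sub(r"Z$", "+00:00", raw)
                raw = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", raw)
                ts = datetime.fromisoformat(raw)
            else:
                ts = datetime.strptime(raw, fmt)
                if ts.year == 1900:  # syslog format carries no year; borrow the parse year
                    ts = ts.replace(year=parsed_at.astimezone(SOURCE_TZ).year)
                ts = ts.replace(tzinfo=SOURCE_TZ)  # naive local time -> assumed source zone
        except ValueError:
            return {"utc": None, "outlier": True, "reason": "unparseable timestamp"}
        utc = ts.astimezone(timezone.utc)
        delta = abs(utc - parsed_at)
        if delta > OUTLIER_TOLERANCE:
            return {"utc": utc, "outlier": True, "reason": f"differs from parse time by {delta}"}
        return {"utc": utc, "outlier": False, "reason": "ok"}
    return {"utc": None, "outlier": True, "reason": "no timestamp found"}


def normalize_batch(lines=SAMPLE_LINES, parsed_at=PARSED_AT):
    """Stamp every line with the parse time and its normalized UTC time."""
    results = []
    for line in lines:
        result = normalize_time(line, parsed_at)
        result["parsed_at"] = parsed_at
        result["line"] = line
        results.append(result)
    return results


if __name__ == "__main__":
    for r in normalize_batch():
        flag = "OUTLIER" if r["outlier"] else "ok     "
        print(flag, r["utc"], r["reason"], "|", r["line"])
```

The last sample line shows why the outlier check is worth keeping even for well-formed timestamps: the time is valid and carries a zone, but a device configured for the wrong zone reports an event five and a half hours in the past, which an analyst querying by UTC would otherwise miss.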
A.13 Communications Security
A.13.1.1 Network controls – Networks shall be managed and controlled to protect information in systems and applications.
A.13.2.1 Information transfer policies and procedures – Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
A.13.2.3 Electronic messaging – Information involved in electronic messaging shall be appropriately protected.
How Blumira Helps:
Blumira monitors access to networks and data where relevant and possible, based on incoming data from integrations with other security solutions such as firewalls, identity and access management, endpoint protection, servers and cloud infrastructure.
Blumira also monitors traffic coming in and out of networks, detecting, alerting and helping organizations respond to suspicious events like anonymous network traffic on a corporate network that could indicate data exfiltration or malicious activity.
Blumira also detects patterns of attacker behavior and techniques used in brute-force and advanced ransomware attacks, alerting and helping organizations respond in a timely manner. Blumira alerts organizations to any insecure protocols being used to transfer information like File Transfer Protocol (FTP) and Telnet.
A.16 Information Security Incident Management
A.16.1 Management of information security incidents and improvements – Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.16.1.1 Responsibilities and Procedures – Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
A.16.1.2 Reporting information security events – Information security events shall be reported through appropriate management channels as quickly as possible.
A.16.1.5 Response to information security incidents – Information security incidents shall be responded to in accordance with the documented procedures.
A.16.1.6 Learning from information security incidents – Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
A.16.1.7 Collection of evidence – The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
How Blumira Helps:
Blumira’s platform analyzes, detects and sends alerts to IT teams on information security events, incidents and potential weaknesses, providing all of the relevant data needed to help them investigate, manage and improve information security for their organization. These alerts or findings are prioritized by criticality to ensure IT teams know what to focus on first.
To enable quick, effective and orderly responses to information security incidents, Blumira’s findings include pre-written response playbooks that instruct IT teams on next steps toward remediation. Blumira Agent (a lightweight endpoint agent) facilitates the immediate containment of endpoint-related threats by isolating the endpoint from communicating with the network.
Blumira’s platform also provides pre-built reports of security events that can be scheduled to send to responders/managers periodically to report on security trends. Blumira’s notifications can be configured to alert IT teams by email, voice and/or text. Blumira’s detection rules send alerts within a minute of initial detection of a security event to help IT teams respond to incidents faster and help prevent a breach.
Blumira’s reporting and log data retention keeps a history of security events for an organization to help them learn from information security incidents, as well as provide a way for them to collect and preserve information that can be used as evidence to help with the incident response and recovery process.
A.18.1 Compliance with legal and contractual requirements – Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.1.3 Protection of records – Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
How Blumira Helps:
Blumira’s platform protects log data records from tampering, preserving their integrity and confidentiality.
All Blumira data is encrypted and accessible only through role-based access controls. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation.
Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity.
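The tamper validation and audit-log-cleared alerting described here and in the A.12.4 section above, as an added example of one general technique for it, not a description of Blumira's implementation: each stored log entry carries an HMAC over its own content and the previous entry's HMAC, so modifying, removing or reordering an entry breaks the chain at a verifiable position, and a separate check reports any Windows Security event 1102 (audit log cleared) found in the records. The key, records and helper names are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

# Assumed MAC key for the demo; a real deployment keeps it in a KMS or HSM, never beside the logs.
MAC_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # link value for the first entry
AUDIT_LOG_CLEARED = 1102  # Windows Security event ID: the audit log was cleared

# Constructed sample audit records, not real data.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:00Z", "event_id": 4624, "host": "DC01", "subject": "jdoe"},
    {"ts": "2024-05-01T08:05:00Z", "event_id": 1102, "host": "DC01", "subject": "jdoe"},
    {"ts": "2024-05-01T08:06:00Z", "event_id": 4672, "host": "DC01", "subject": "jdoe"},
    {"ts": "2024-05-01T08:07:00Z", "event_id": 4634, "host": "DC01", "subject": "jdoe"},
]


def _canonical(record):
    """Stable serialization so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _mac(prev_mac, record):
    return hmac.new(MAC_KEY, (prev_mac + _canonical(record)).encode(), hashlib.sha256).hexdigest()


def chain_append(chain, record):
    """Append a record, linking it to the MAC of the entry before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": len(chain), "prev": prev, "record": record, "mac": _mac(prev, record)})
    return chain


def verify_chain(chain):
    """Walk the chain; return (ok, first_bad_seq or None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, i, "sequence gap: entry removed or reordered"
        if entry["prev"] != prev:
            return False, i, "prev link does not match preceding entry"
        if not hmac.compare_digest(_mac(prev, entry["record"]), entry["mac"]):
            return False, i, "record or link modified"
        prev = entry["mac"]
    return True, None, "chain intact"


def find_audit_clears(chain):
    """Entries that record the audit log being cleared, to alert on."""
    return [e for e in chain if e["record"].get("event_id") == AUDIT_LOG_CLEARED]


def build_sample_chain():
    chain = []
    for record in SAMPLE_RECORDS:
        chain_append(chain, record)
    return chain


def tamper_modify(chain, seq, **changes):
    """Simulated tampering: edit one stored record in a copy of the chain."""
    tampered = copy.deepcopy(chain)
    tampered[seq]["record"].update(changes)
    return tampered


def tamper_delete(chain, seq):
    """Simulated tampering: drop one entry from a copy of the chain."""
    tampered = copy.deepcopy(chain)
    del tampered[seq]
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("modified:", verify_chain(tamper_modify(chain, 2, subject="nobody")))
    print("deleted:", verify_chain(tamper_delete(chain, 1)))
    print("audit clears at seq:", [e["seq"] for e in find_audit_clears(chain)])
```

Deleting the 1102 entry is exactly what someone hiding a cleared audit log would try, and the chain reports the gap at the position where that entry used to be; the verifier only needs the key, so a copy of the logs held by the attacker does not let them re-sign the altered chain.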