IoT and SIEM Integration. — Pt.1

Dan Tembe
7 min read · Sep 6, 2017


Introduction

SIEM (Security Information and Event Management) is a key component of corporate infrastructure. Some corporations invest in a SIEM solution because of regulatory requirements, while others develop and maintain one to protect the privacy and integrity of their environment. The largest growth from 2016 to 2020 is expected to be in small to mid-sized businesses. (Morgan, n.d.)

IoT (Internet of Things) is another emerging technology poised for maturity and major corporate adoption in the near future. For 2016, Gartner predicted that IoT services would support spending of $235 billion, 22% higher than in 2015. IDC framed the investment slightly differently and over a different time period, up to 2018, predicting 200,000 new IoT applications and spending of one and a half times the current level (as of November 2015); earlier in the year IDC had predicted 19% growth in the IoT market, so this seems to have been revised upwards since then. (Johnson, n.d.)

There is a great deal of value that can be realized by integrating an IoT solution into an existing SIEM architecture. The two can be integrated easily with proper planning during the design phase of the IoT application.

Most cloud vendors who provide IoT solutions (MS Azure, Amazon Web Services, IBM Watson IoT, etc.) also provide a robust set of APIs and external data repositories that can be easily integrated into best-of-breed SIEM solutions.

Quite a bit has been written about monitoring IoT devices to ensure their security, integrity and accountability (CIA Triad) as BYOD gains acceptance in corporations. MDM (mobile device management) with policy-based rules is being rolled out at most large corporations and is making inroads into SMBs.

The focus of this document is on optimizing IoT applications to integrate into SIEM solutions with some forethought and proper planning. This ultimately enhances the SIEM solution and provides additional value from it.

IoT Solution Architecture

As IoT devices become commonplace and gain popularity, they become cheaper to procure and implement. Evolving standards around security and communication are being implemented in the physical devices themselves, in the applications that communicate with IoT devices, and in the field gateways or probes that communicate with these devices.

In a typical IoT application architecture, the IoT device uses a common IoT device protocol, for example MQTT (MQ Telemetry Transport), AMQP (Advanced Message Queuing Protocol) or HTTPS (SSL), to communicate with a probe or gateway, or directly with an IoT device hub. Many other message delivery protocols can be implemented depending on the device type and function. If the IoT device communicates with its probe or gateway using a proprietary method, that aggregation device can in turn communicate back to the central IoT hub using the common IoT messaging protocols mentioned earlier.

Once device connectivity is modeled, the device is on-boarded into the central IoT hub. Bi-directional communication with the hub can then be established from the IoT device, which allows the device to perform its function and to send requested information back to the central hub. IoT devices vary in size and functionality. Some are sensors that cannot hold the complex code needed to initiate communications themselves. In that case, the devices are authenticated to their field gateways, which periodically poll them to gather the latest data and forward it to the central hub.

In the central hub all the data from diverse devices is normalized. Because of the volume of data that needs to be analyzed and stored when on-boarding thousands of devices, a big data store is utilized (e.g. Hadoop, Cloudera, etc.) for storing IoT device messages. This allows for analytics to be added on the front end of the IoT applications. Meaningful messages created using analytics can provide quick returns to any company deploying an IoT solution. Proper planning for scalability, redundancy, connectivity and analytics is key.

SIEM Architecture

SIEM, Security Information and Event Management, is a mature field compared to IoT solutions. A large number of vendors provide state-of-the-art SIEM solutions. SIEM solutions are typically built in a hierarchical fashion, with a presentation layer containing dashboards for different groups and an events display layer customized for Security Operations Center (SOC) operators.

SIEM solutions aggregate data from various systems, devices and applications into a single common format. Typically the data relates to security issues that affect the confidentiality, integrity or accountability of the managed item. Once normalized, all this data is run through a policy engine where defined policies enrich the events, de-duplicate them and, in some cases, create a new event to promote into the SOC operator console.

SIEM & IoT Integration

As adoption of IoT devices becomes commonplace in the corporate landscape, alarms and logs from IoT devices are being integrated into SIEM solutions. This type of integration can start taxing the scalability of SIEM solutions, as the resources needed to handle the data and then run analytics from SIEM tools grow exponentially.

One way to address this is to use the existing big data store of the IoT solution and develop a feed into the SIEM environment after analytics have been performed on the centralized data. This ensures that meaningful information is captured from the IoT messages.

Pushing information into the SIEM solution this way not only avoids duplicate logging of IoT messages, it also avoids having to perform the analysis first on the IoT application's big data side and then again on the SIEM side. In this architecture there is no need to build a gateway from the IoT managed devices into the SIEM solution.

In the above diagram, the IoT solution (on the left) is built with bi-directional communications into the central IoT big data store (e.g. Hadoop). The big data storage engine then allows sophisticated analytics to be run on the captured data. Data collected from the IoT end devices is normalized in the big data store, and after analytics, key security-related messages are created. These messages can then be pushed into the SIEM solution using the standard probes deployed in most, if not all, SIEM solutions, via SNMP, syslog or application log. Typically this is unidirectional communication into the SIEM solution.

If bi-directional communication needs to be implemented, JSON (JavaScript Object Notation) is most likely at the top of the list. It is a lightweight data-interchange format that is widely implemented in most SIEM solutions and, at the same time, in big data solutions. Some leading SIEM solutions provide either an SDK or pre-developed JSON connectors for data exchange between element managers or devices and the SIEM data store. (HPE) (Wuest)

In the above diagram, the SIEM solution maintains its traditional role and architecture. The IoT devices are integrated into the SIEM for the security events generated after data from the IoT endpoints has been analyzed in the big data store of the IoT application.

Key Considerations

  • No need to build a SIEM gateway or integration from the diverse IoT device landscape.
  • No need to duplicate data in both the SIEM database and the IoT application big data store.
  • The security team and IoT application development work hand in hand through the entire life cycle of the IoT solution, from design to production and into Day 2 operations.
  • Reduced licensing costs on the SIEM side, by pushing IoT device related security events through a standard pre-deployed gateway (SNMP, syslog, application log).
  • The Information Security team is involved from the very beginning and is aware of all potential issues that could come up during IoT application development, which allows for proactive remediation and proper checks built into the new solution.
  • The Information Security team needs to evaluate whether the proposed architecture is susceptible to a "man in the middle" type threat, or whether the IoT device to central data store communication has a vulnerability that could impact the integrity of the solution.
  • Redundancy, event de-duplication, correlation rules and the data normalization process all need to be looked at as the IoT solution is designed.
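As an added illustration of the feed described in the integration section above and of the de-duplication and normalization consideration in this list (this is example code written for this page, not from any vendor or from the original post), the block below takes constructed analytics findings from the IoT big data store, de-duplicates them, normalizes each into an RFC 5424 syslog line and hands the result to the SIEM's standard syslog collector. The finding field names, the `iot-analytics` hostname and the collector address are assumptions.

```python
import hashlib
import socket

# Constructed sample findings, as produced by analytics over the IoT big data
# store; the field names are hypothetical, not any vendor's schema. The second
# entry is a deliberate duplicate of the first.
ANALYTICS_FINDINGS = [
    {"device_id": "sensor-0017", "gateway": "gw-east-2", "finding": "auth_failure_burst",
     "severity": "high", "count": 42, "window_end": "2017-09-06T10:15:00Z"},
    {"device_id": "sensor-0017", "gateway": "gw-east-2", "finding": "auth_failure_burst",
     "severity": "high", "count": 42, "window_end": "2017-09-06T10:15:00Z"},
    {"device_id": "valve-0203", "gateway": "gw-west-1", "finding": "unexpected_firmware_hash",
     "severity": "critical", "count": 1, "window_end": "2017-09-06T10:16:30Z"},
]

# Map analytics severities onto syslog severity codes (RFC 5424 section 6.2.1).
SEVERITY_TO_SYSLOG = {"critical": 2, "high": 3, "medium": 4, "low": 6}
FACILITY_LOCAL0 = 16  # "local use" facility, commonly given to custom feeds

def finding_key(f):
    """Stable de-duplication key: same device, finding and window is one event."""
    raw = "|".join(str(f[k]) for k in ("device_id", "finding", "window_end"))
    return hashlib.sha256(raw.encode()).hexdigest()

def to_syslog(f, hostname="iot-analytics"):
    """Normalize one finding into an RFC 5424 line; PRI = facility * 8 + severity.
    32473 is the enterprise number reserved for documentation examples."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_TO_SYSLOG.get(f["severity"], 5)
    sd = (f'[iot@32473 device="{f["device_id"]}" gateway="{f["gateway"]}" '
          f'finding="{f["finding"]}" count="{f["count"]}"]')
    return (f'<{pri}>1 {f["window_end"]} {hostname} iot-siem-feed - '
            f'{f["finding"]} {sd} IoT security event')

def dedupe_and_format(findings):
    """Drop repeated findings so the SIEM does not log the same event twice."""
    seen, lines = set(), []
    for f in findings:
        key = finding_key(f)
        if key not in seen:
            seen.add(key)
            lines.append(to_syslog(f))
    return lines

def send_udp(lines, host="127.0.0.1", port=514):
    """Hand the normalized lines to the SIEM's standard syslog collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))

if __name__ == "__main__":
    send_udp(dedupe_and_format(ANALYTICS_FINDINGS))
```

The structured-data element carries the device and gateway identifiers, so correlation rules on the SIEM side can key on them without re-parsing the free-text message.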

References

HPE. (n.d.). http://www8.hp.com/us/en/software-solutions/siem-data-collection-log-management-platform/index.html.

Johnson, E. (n.d.). http://intland.com/blog/agile/internet-of-things-iot-growth-forecast-for-2016/.

Morgan, S. (n.d.). http://www.infosecbuddy.com/news/siem-report-q1-2016/.

Wuest, B. (n.d.). https://www.ibm.com/.../Integrating_QRadar_with_Hadoop.pdf.

Disclaimer

The opinions expressed here are my own & not those of my employer.

As I research and learn different technologies my thoughts and opinions will change. As technology changes, so will my opinions. Thanks for taking the time to read.

Dan
