PBOSECURE Integration Services Offering
Reducing Cost of SIEM Integration by Carefully and Efficiently selection IT and OT logs: There are many logs which will be generated by the following IT and OT components. Right selection of logs plays a vital role in simplifying SEIM integration Solutions where both IT and OT knowledge and experiences should be used effectively. PBOSecure experienced instrumentation control and IT professionals can provide necessary advice by recommending the right logs to be identified through Workshop and discussion with the client
Sources of logs:
- Servers-Application servers, Repository servers and cyber security infrastructure
- Workstations- Management, Operator Workstation and Engineering Workstations
- Network Devices-Network Switches, Routers and Firewall and Data Diode
- Controllers-we cannot get logs of controllers, directly to SIEM but we can Retrieve write commands given to the
- controllers from Engineering and Operator workstations.
IT-Things to be audited such as Account Login, Account management, Directory service access, Logon/logoff, Policy changes, System, Detailed tracking, Removeable disk
OT-Things to be audited such as PLC turn on/off, Firmware upgrade, Controller modes changes, forcing a value to register or coil, Reconnaissance in the Plant network, Download/upload of configuration and logic, Access to controller
IT components: The servers, workstations, Network devices like switch, firewall and routers, Controllers and Applications.
OT Components: Engineering Workstation, Operator Workstation and Control Systems Applications. Here are list of main OT logs to be captured:
Control system /Safety system Cabinets Door access logs using CMC system
- Successful and Failed access to the door
- Access date and Time
Windows Logs
Authentication
Account Management
- User Account creation
- User account deletion
- User Account Enabled/Disabled
Connection Details
- Allow inbound/Outbound Connection
- Denied inbound/denied Connection
Process Creation
- Process creation for running applications
- Process creation denied.
Group policy configurations monitoring
- Account Lockouts
- Password age expiration
Compliance and Auditing
- Approved user’s creation
- Password change as per defined frequency
- Any changes in registry.
- Account lockouts
- Unauthorized access to the resources
- Etc.
Antivirus/ Cyber Security Scanner Logs
- Full scan running as per schedule
- Malware detection if any
- Definition’s update
- Server tasks
- Rouge server detection
- Host Intrusion Detection logs
- Application installation or running batch file denied by solid core
- Unauthorized access of removable disks like USB/CD/DVD
- Removable devices connected to systems.
Firewall Logs
- User successful and failures logins
- Device Interface is up and down
- Power supply failed/rebooted
- Authentication login/failure
- Configuration Changed
- Traffic Allowed and Deny
- Interface status changed
- High Availability Lost
- Buffer overflow logs
- Port scanning Alarms
- Connection request denials
- Resource’s utilization alarms.
- Network bandwidth utilization alarms
WSUS logs
- Computers didn’t contact WSUS server from 30 days.
- Synchronization is unsuccessful
- Self-update is not working
- Update services started/stopped.
NPS logs
- Network Policy server discarded the request for a user.
- Domain Controller not responsive.
- NPS denied access to a user
- Message with invalid authenticator.
- Unable to forward request to remote server
- No available domain controllers
- Could not resolve the name of RADIUS client
- Server communication problems
OT security logs
- OT application user login/logoff.
- Server/workstation are Online/offline
- Server/workstation resources utilization alarms
- Write commands to controllers
- PLC/RTU/IED turn on/off
- Firmware upgrade
- Controller modes changes
- Forcing a value to register or coil
- Reconnaissance in the Plant network
- Download/upload of configuration and logic.
- Access to controller