Critical Infrastructure Security

C-DAC

OT Security Operations Center

About Product

SOC operations are divided into four layers:

  • Logs and alerts
  • SIEM
  • Incident Management
  • Visualization

The SOC first collects logs from the IT and OT devices in scope, viz. RTUs, MTUs, HMIs, IEDs, IDS/IPS, firewalls, routers, Windows/Linux hosts and antivirus. These logs are normalized by source-specific parsers and converted into a common format for analysis. A feed from the Asset Management Tool (asset and alert information), which runs in passive mode and reports baseline, behaviour and protocol anomalies, is also ingested into the SOC.

The SIEM layer turns the normalized logs into events, alerts and incidents. Security events are identified by a rule-based engine that applies atomic IOCs and signature-based rules to the normalized logs. The sequence of security events is then correlated to identify incidents. The correlation engine is powered by threat-intelligence feeds from open-source forums, MITRE's Tactical Threat Intelligence for ICS, and an indigenously developed matrix of custom correlation rules for OT-specific devices.

Incident Management provides comprehensive alerting and triage, with machine learning in the backend for real-time anomaly detection. Visualization complements Incident Management by tracking each incident from the point where it originated. It also lets a Security Analyst 1 create a case and escalate it to Security Analysts 2 and 3 for confirmation of the identified incident; remedial action is taken only after all three levels of escalation have confirmed the incident.
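The following is an added illustration of the pipeline described above, written for this page and not code from C-DAC's product. It normalizes a handful of constructed log lines from three source types, applies atomic IOCs and signature rules to produce security events, correlates an ordered sequence of those events into an incident, and models the case workflow in which remediation is permitted only after Analyst 1, 2 and 3 have confirmed in order. The log formats, IOC list, signature rules and correlation sequence are all assumptions made for the example.

```python
"""Added example (not C-DAC's code): a minimal SOC pipeline.
Layer 1 normalize -> Layer 2 detect + correlate -> Layer 3 case/escalation.
All log lines, IOCs, signatures and the correlation sequence are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample logs: firewall (FW), Windows security (WIN), IDS alert.
RAW_LOGS = [
    "2024-03-01T10:00:01 FW deny src=203.0.113.7 dst=10.0.0.5 dport=502",
    "2024-03-01T10:00:03 FW accept src=203.0.113.7 dst=10.0.0.5 dport=502",
    "2024-03-01T10:00:05 WIN EventID=4625 user=operator src=203.0.113.7",
    "2024-03-01T10:00:06 WIN EventID=4624 user=operator src=203.0.113.7",
    "2024-03-01T10:00:09 IDS sig=MODBUS_WRITE_SINGLE_COIL src=203.0.113.7 dst=10.0.0.5",
    "2024-03-01T10:00:12 WIN EventID=4624 user=engineer src=10.0.0.20",
]

# Atomic IOCs, as they might arrive from an open-source threat-intel feed (constructed).
IOC_IPS = {"203.0.113.7"}

# Signature rules evaluated on normalized fields; each yields an event type name.
SIGNATURES = [
    ("win_failed_logon", lambda e: e["source"] == "WIN" and e.get("EventID") == "4625"),
    ("win_logon", lambda e: e["source"] == "WIN" and e.get("EventID") == "4624"),
    ("modbus_write", lambda e: e["source"] == "IDS" and e.get("sig", "").startswith("MODBUS_WRITE")),
    ("fw_allow_modbus", lambda e: e["source"] == "FW" and e.get("action") == "accept" and e.get("dport") == "502"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>FW|WIN|IDS)\s+(?P<rest>.*)$")


def normalize(line):
    """Layer 1: parse one raw line into a flat field dict; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "source": m["source"]}
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            ev[k] = v
        elif m["source"] == "FW":
            ev["action"] = tok  # bare verdict token in the constructed FW format
    return ev


def detect_events(norm_events):
    """Layer 2a: rule engine. Tag records that match an IOC or a signature."""
    events = []
    for ev in norm_events:
        types = [name for name, pred in SIGNATURES if pred(ev)]
        if ev.get("src") in IOC_IPS:
            types.append("ioc_ip_hit")
        if types:
            events.append({**ev, "types": types})
    return events


# Constructed correlation rule: per source IP, a failed logon, then a successful
# logon, then a Modbus write (in that order) is one "unauthorized_plc_write" incident.
SEQUENCE = ["win_failed_logon", "win_logon", "modbus_write"]


def correlate(events):
    """Layer 2b: correlate ordered event sequences per source IP into incidents."""
    by_src = {}
    for ev in events:
        by_src.setdefault(ev.get("src"), []).append(ev)
    incidents = []
    for src, evs in by_src.items():
        idx = 0
        for ev in evs:  # events are already in log order
            if idx < len(SEQUENCE) and SEQUENCE[idx] in ev["types"]:
                idx += 1
        if idx == len(SEQUENCE):
            incidents.append({"name": "unauthorized_plc_write", "src": src,
                              "ioc": src in IOC_IPS, "events": evs})
    return incidents


@dataclass
class Case:
    """Layer 3: triage case. Remediation only after L1, L2 and L3 confirm in order."""
    incident: dict
    confirmations: list = field(default_factory=list)

    def confirm(self, level):
        expected = len(self.confirmations) + 1
        if level != expected:
            raise ValueError(f"escalation out of order: expected L{expected}, got L{level}")
        self.confirmations.append(level)

    def remediation_allowed(self):
        return self.confirmations == [1, 2, 3]


def run_pipeline(lines):
    """Normalize, detect and correlate; returns the list of incidents."""
    norm = [e for e in (normalize(l) for l in lines) if e]
    return correlate(detect_events(norm))


if __name__ == "__main__":
    for inc in run_pipeline(RAW_LOGS):
        case = Case(inc)
        for level in (1, 2, 3):
            case.confirm(level)
        print(inc["name"], inc["src"], "ioc" if inc["ioc"] else "", case.remediation_allowed())
```

The correlation is deliberately order-sensitive: the same three event types in a different order do not form the incident, which is what distinguishes sequence correlation from a simple count of matching events. The `Case` class enforces that remediation cannot be unlocked by skipping a tier.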
