Modernize your Utility’s SOC and build better security with Splunk Cloud Platform on AWS
Utilities are responding to increasing threats and vulnerabilities targeting both familiar enterprise information technology (IT) channels and others outside of traditional systems, such as ransomware attacks on business processes and operational technology (OT)/Internet of Things (IoT) vulnerabilities that straddle the cyber-physical world. Chief Information Security Officers (CISOs) are seeing the security landscape change and are expanding their roles to include responsibility for OT in addition to IT.
Utility Security Operations Centers (SOCs) need ways to manage ever larger volumes of data collected from complex IT and OT systems to identify, detect, and respond to cybersecurity threats and trends. Current on-premises security information and event management systems (SIEMs) require security personnel to manually update their systems to address evolving threats, and their efforts are often slowed by maintenance cycles, constraints on data schemas, and hard-coded threat and log event formats or attack signatures.
Cloud-based SIEM solutions offer utilities the ability to evolve with the threat environment through big data architectures that leverage machine learning capabilities. They also offer automatic software updates, simplified configuration, scalable infrastructure, strong security controls, and high availability.
In this blog, we explore how utilities can modernize their SOC and build better security with Splunk Cloud Platform on AWS. AWS customers and partners benefit from AWS data centers and a network architected to protect information, identities, applications, and devices. Splunk Cloud Platform on AWS is a scalable solution that increases visibility across IT and OT environments transforming how they see and respond to security events. Utilities can realize the benefits of improving monitoring efficiency, applying security best practices, and supporting compliance demands.
What is a modernized SOC?
Today, many utilities leverage disparate tools and platforms to perform their roles, requiring personnel to be multi-tool experts and to use multiple sources to identify, understand, and respond to cyber events. This is especially true for utilities whose SOCs are monitoring both IT and OT environments.
As data volumes and threats increase, the typical response is to hire additional staff to monitor, analyze, and respond. While this tactic keeps operations functioning, it does little to increase the efficiency of the SOC or improve its ability to identify threats among the volumes of data. Even with increased staff, it is likely that some threat information will go unused, potentially increasing cyber risk.
Utilities can mature their program by modernizing their SOC through automation, single-platform security tools, and cloud technology. Technologies like machine learning, federated search and analytics, data streaming, and scalable indexing allow utilities to scale their monitoring abilities as their data volumes increase. While these tools are not a replacement for SOC personnel, they improve personnel's ability to perform their roles. Investments in these areas reduce noise, improve time to respond, and allow personnel to focus on valuable functions like threat hunting and vulnerability management.
Why move SIEM to the Cloud?
Cloud-based SIEM solutions deploy elastic, agile computing resources to analyze volumes of data well beyond on-premises compute capacity. Cloud-based infrastructure also improves SIEM system resiliency by deploying resources in multiple, geographically dispersed cloud data centers. Utility SIEM tools are no longer limited to their on-premises backup resources.
To illustrate the gains realized by SOCs that move from an on-premises SIEM to a cloud-based SIEM, Splunk conducted more than 1,000 assessments worldwide and observed that, on average, customers reduced their time spent on platform administration by 35% and reduced the number of customer-performed platform management tasks from 12 to 4. Customers can use that time to refocus their staff on higher value work, like discovering and implementing new use cases.
Utilities already using Splunk on-premises who want to understand the feasibility and level of effort required to migrate to Splunk Cloud Platform can leverage the Splunk Cloud Migration Assessment (SCMA) App. The app analyzes your current on-premises Splunk Enterprise deployment or bring-your-own-license (BYOL) installation and helps you understand the tasks that need to be carried out to migrate to Splunk Cloud Platform. This assessment can better illustrate the journey to Splunk Cloud Platform, including the benefits for your specific implementation.
How does Splunk Cloud Platform on AWS help utilities improve their security posture?
AWS offers the most flexible and secure cloud computing environment available today. AWS customers and partners benefit from AWS data centers and a network architected to protect information, identities, applications, and devices. With AWS, you can improve your ability to meet core security and compliance requirements, such as data locality, protection, and confidentiality with our comprehensive services and features.
Splunk Cloud Platform on AWS allows utilities to centralize their IT and OT monitoring and accept logs from virtually any data source, enabling utilities to have real-time, contextual visibility. Splunk’s data-to-everything approach to security means that utilities are able to:
- Leverage purpose-built frameworks and workflows to speed up detection, investigation, and incident response;
- Gain immediate value from pre-built dashboards, reports and investigation categories;
- Leverage machine-learning capabilities to identify unknown threats and anomalous behavior across users, endpoints and applications; and
- Integrate their SOC's processes and tools through the deployment of Splunk SOAR (Security Orchestration, Automation and Response).
You may be asking, but what about OT? The OT Security Add-on for Splunk improves visibility into OT environments. It ingests and monitors OT asset data, improves OT vulnerability management, includes defined applications of MITRE ATT&CK for ICS, and provides interfaces and reports to support customer compliance.
With complete data insight, utilities can enhance their security posture. With Splunk Cloud Platform on AWS, utilities can avoid hardware investments to host and maintain large volumes of security logs and gain the advantage of the flexibility and cost savings of the AWS cloud.
Splunk Cloud Platform on AWS Architecture
Splunk Cloud Platform on AWS is a software as a service (SaaS) offering in which Splunk hosts and operates the application. Splunk experts manage the IT backend, including patching, feature upgrades, and other administrative tasks, so utilities can focus on acting on their data. Splunk Cloud Platform is designed to deliver customer value through expansive data access, frequent updates, access to ever-growing capabilities, and workload-based pricing.
This value is delivered through strategic partnerships with cloud service providers, including Amazon Web Services (AWS). AWS is designed to help you build secure, high-performing, resilient, and efficient infrastructure for your applications. To extend these benefits, AWS also offers the AWS Security Competency Partner Program for partners who have deep technical expertise and proven customer success securing every stage of cloud adoption. Splunk has achieved 8 AWS Competencies, including the Security ISV Competency.
Every Splunk Cloud Platform on AWS customer has their own environment within their own Amazon Virtual Private Cloud (AWS VPC) where encryption controls can be applied for data in transit and at rest. AWS offers security guidance that utilities can use when configuring their AWS VPC. The architecture diagram below depicts Splunk Cloud Platform on AWS.
Figure 1. Splunk Cloud Platform Architecture – AWS
Organizations of all sizes leverage Splunk visibility with AWS agility to rapidly troubleshoot applications, ensure security and compliance, and monitor business-critical services in real time. Through the use of multiple Availability Zones, AWS APIs, and services such as AWS CloudTrail, Splunk can deliver robust infrastructure monitoring, security and compliance, and business analytics solutions for its customers.
Security and Compliance
With Splunk Cloud Platform, customers can reduce time spent on audit and compliance activities as a result of out-of-the-box reporting features, with new features deployed frequently.
As regulatory compliance for the energy sector continues to evolve, utilities will need to identify ways to efficiently generate compliance evidence to share with regulators. In many cases, the security objectives that underlie cybersecurity regulations within each segment of the industry are the same, but the controls and supporting evidence differ. Achieving and maintaining adherence to various compliance regulations can be complex and expensive.
Splunk Cloud Platform offers out-of-the-box regulatory compliance alignment and reporting for frameworks including NIST, MITRE ATT&CK, Kill Chain, and CIS 20. Splunk also offers dashboards and associated reports reviewed by third-party assessors to help clients with compliance monitoring and audit support. Customers can take advantage of these pre-configured dashboards and reports to help support compliance with regulatory frameworks.
Deploying Splunk Cloud Platform on AWS for your Utility
Splunk Cloud Platform is available on AWS Marketplace. AWS Marketplace is a curated digital catalog that customers can use to find, buy, deploy, and manage third-party software, data, and services to build solutions and run their businesses. You can quickly launch Splunk Cloud Platform on AWS, and start your journey toward modernizing your SOC.
For more information, visit AWS Power and Utilities.