Block Harbor VSOC Demo App for Splunk

Streamlining the process for monitoring mobility data.

For years, Block Harbor has received keen interest from our automotive clients who want to integrate their vehicle and mobility data into mainstream Security Information and Event Management (SIEM) platforms. This is a service that Block Harbor has been offering since establishing one of the industry’s first Vehicle Security Operations Centers (VSOC) in 2015.

However, one of the most significant challenges with these projects has been deciphering diverse data sets and laying the groundwork for the VSOC within the selected SIEM platform.

To address these initial challenges, Block Harbor is proud to release the first iteration of its VSOC Demo app for the Splunk SIEM platform.

Our goal is to support teams tasked with developing VSOC capabilities by providing a customizable template and expert guidance along the way. With extensive experience in Splunk – widely used across the automotive industry – Block Harbor has developed this VSOC Demo application to demonstrate the tools and capabilities that are essential for enhancing vehicle security and establishing a robust VSOC. Our app offers an environment where users can explore and understand the key components and functionalities required to monitor and protect connected vehicles.

This post will outline the features and design of the Block Harbor VSOC Demo application, offering a template that will set your organization up for success in its vehicle security monitoring endeavors!

Features and Functionality

The Block Harbor VSOC Demo application aims to deliver a lightweight, pre-packaged version of what an operational VSOC could look like in an enterprise environment, offering a foundation or source of inspiration for your organization. It includes modular dashboards, alert logic, and detailed guides on customizing the configuration to meet your specific requirements.

Alerts

The Alerts heading contains dashboards related to the detections that serve as the foundation of the VSOC Security Information and Event Management (SIEM).

The Queue dashboard simulates the environment where a VSOC analyst would regularly monitor activity, enabling them to quickly identify potential incidents and access all the initial information needed to start the triage process.

We have separated the alert queues into two categories, Vehicle and Connected Services:

  • Vehicle: Represents any detections related to onboard vehicle data, such as telematics information or diagnostic trouble codes (DTCs).
  • Connected Services: Represents any detections related to offboard vehicle data, such as mobile application or server logs.

The Examples dashboard provides additional context and details about the alerts in the Queue. It serves as a showcase, highlighting the type of alerts the app can detect for software-defined vehicles (SDVs) and their supporting infrastructure, providing valuable insights into potential safety and security issues.

The Configuration dashboard offers guidance on creating and setting up alerts to monitor potential security issues within your fleet and ecosystem. The outlined steps will guide you through establishing basic alerting mechanisms to track various data points and anomalies, ensuring you can maintain oversight and address issues as they emerge.

Vehicles

The Vehicles section offers VSOC analysts an overview of fleet activity using data collected from onboard log sources.

The Search dashboard features a simplified alert queue for quick reference, along with metrics on the count, status, criticality, and geolocation of triggered alerts. It also includes a search function for specific VINs, allowing access to both current and historical data related to alerts and data events associated with that particular vehicle.

The Details dashboard offers deeper insights and a more detailed view of the fleet, including information on ECU hardware and software versions, various signals, and a VIN-based search function.

The Configuration dashboard highlights the key data fields that are instrumental for monitoring vehicle conditions, identifying threats, and maintaining compliance with security protocols.

Connected Services

The Connected Services section provides VSOC analysts with insights into the status and security posture of monitored offboard resources, typically including mobile application and API data.

The Search dashboard offers a simplified alert queue for quick reference, along with metrics on the count, status, criticality, geolocation, IP addresses, and users associated with triggered alerts. It also includes a search function for specific users and IP addresses, providing both current and historical data on alerts related to those identifiers, as well as data events.

The Details dashboard provides additional insights into your offboard data, including information on HTTP code volumes, total observed users and source IPs, user agents, and the ability to search by specific users and/or IP addresses.

The Configuration dashboard outlines the setup requirements for monitoring web traffic using standardized fields. These data fields are essential for tracking user activity, identifying potential threats, and maintaining the security of connected services.

Search

The Search dashboard will be familiar to those with Splunk experience, as it offers similar functionality to the Splunk-native Search & Reporting feature. We aimed to provide VSOC personnel with the convenience of performing freeform searches directly within the Block Harbor Demo app, eliminating the need to navigate to Search & Reporting.

VSOC as a Service

This dashboard offers a quick overview of Block Harbor’s VSOC service offerings with an easy way to contact us for more information.

We are incredibly excited to share the first iteration of this app with you, and look forward to releasing additional features in the near future – including an integration with Block Harbor’s Vehicle Engineering Security Cloud platform!