Architecture


CENTRAL CORE WITH MODULAR AND SCALABLE INTERFACES

We chose Elastic back in 2017 after observing roadmaps and roadshows over the years, where we saw that Elastic planned new goals and delivered them in new releases far more consistently than any other SOC vendor. This continuous development and innovation at Elastic convinced us that it is the best platform for OSCAR ©. We were already using Elastic in the open source version; at that time we built a SOC for DB Netz AG for the OT area of the new digital interlockings (ESTWs) as part of the NeuPro and EULYNX projects. This SOC was installed by the railway on the test track in Annaberg-Buchholz. OSCAR © uses Elasticsearch as SIEM and data store. This big data platform scales almost linearly, unlike other SIEM systems. Thanks to its open source development, Elasticsearch offers numerous advantages over competing products. These include:

  • Scaling: Elasticsearch scales almost linearly, which makes it possible to process and store large amounts of data efficiently without severely affecting performance. This is a decisive advantage over many other SIEM systems. Most other underlying platforms suffer massive drops in performance, which is why SIEM manufacturers are now also dropping their own platforms and using Elastic instead.
  • Architectural flexibility: Elastic offers an architectural diversity that allows the SIEM and the data stores or lakes it contains to be used for various processing purposes. This includes integration with other databases and applications, which significantly improves overall functionality and usability. Supported by the Elastic Language Model, OSCAR GUARD (our own AI pipeline), the anomaly-based, event-based and AI ingestion pipelines, our IT and AI-controlled OT sensors, Kibana, and our optional additional products, the architecture of OSCAR is complemented by extremely strong basic services.
  • Full-text search: Elasticsearch enables powerful full-text search across all content. This makes it easier to find and analyze data quickly, which is especially important in safety-critical environments.
  • Cost: Another major advantage of Elasticsearch is its price. It offers significant cost advantages over competing products without sacrificing functionality or performance.

OSCAR © reads a variety of data and log sources generated by the various IT and OT sensors. These network, host and application streams flow in real time into our persistent queue, where they are normalized, harmonized and enriched for their purpose. After this preprocessing the data is available for further processing in the SIEM: alerts are generated there, queries are served via the GUI, further self-learning training models are run through an AI pipeline, automation tools such as Tines are used, and other automated processes are carried out.
In the basic version, OSCAR © offers an anomaly-based pipeline, an event-based pipeline and an AI pipeline for anomalies. In the extended version we deliver OSCAR with our own AI pipeline, which exclusively uses self-learning training models that could automatically control the entire SOC. This greatly reduces the incident management workload and helps you save personnel costs.
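The ingest stage just described, as an added illustration that is not OSCAR's or Elastic's own code: two constructed sensor records (a JSON event from an OT sensor and a syslog-style line from an IT host) are normalized onto one ECS-style field set, harmonized to UTC timestamps, enriched from a hypothetical asset inventory, and then evaluated by a sample alert rule. The record formats, field names, asset table and rule are all assumptions made for the example.

```python
import json, re
from datetime import datetime, timezone

# Constructed asset inventory used for enrichment (hypothetical hosts and values).
ASSETS = {
    "10.0.5.20": {"name": "plc-signal-01", "zone": "ot", "criticality": "high"},
    "10.0.1.15": {"name": "ws-engineer-03", "zone": "it", "criticality": "medium"},
}
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$")

def normalize(raw):
    """Map both sensor formats onto one ECS-style field set; unparsable input stays raw."""
    if raw.startswith("{"):  # OT sensor: JSON record with epoch-seconds timestamp
        rec = json.loads(raw)
        ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        event = {"source.ip": rec["src"], "destination.ip": rec["dst"],
                 "event.action": rec["op"], "observer.type": "ot-sensor"}
    elif m := SYSLOG_RE.match(raw):  # IT host: syslog-style line with local-time offset
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        event = {"host.name": m["host"], "process.name": m["app"],
                 "event.action": m["msg"].split()[0].lower(), "observer.type": "it-sensor"}
    else:
        return {"event.original": raw, "event.kind": "unparsed"}
    event["@timestamp"] = ts.isoformat()  # harmonized: every record carries UTC ISO 8601
    event["event.original"] = raw
    return event

def enrich(event):
    """Attach asset context (name, zone, criticality) for source and destination addresses."""
    for side in ("source", "destination"):
        for key, value in ASSETS.get(event.get(f"{side}.ip"), {}).items():
            event[f"{side}.asset.{key}"] = value
    return event

def alert(event):
    """Example rule: a write to a high-criticality OT asset from outside the OT zone."""
    if (event.get("event.action") == "write" and event.get("destination.asset.zone") == "ot"
            and event.get("destination.asset.criticality") == "high"
            and event.get("source.asset.zone") != "ot"):
        return f"cross-zone write to {event['destination.asset.name']} from {event['source.ip']}"

def process(raw_lines):
    """Queue consumer in miniature: normalize, enrich and evaluate in arrival order."""
    events = [enrich(normalize(raw)) for raw in raw_lines]
    for ev in events:
        ev["alert"] = alert(ev)
    return events

SAMPLE = ['{"ts": 1700000000, "src": "10.0.1.15", "dst": "10.0.5.20", "op": "write"}',
          "2023-11-14T22:13:20+01:00 ws-engineer-03 sshd: Accepted publickey for ops",
          "garbage line"]  # constructed: one OT sensor event, one IT host line, one junk line
```

Running `process(SAMPLE)` yields one alert for the cross-zone write, a normal login event with its timestamp shifted to UTC, and an unparsed record that is kept rather than dropped so it can still be searched.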

The architecture of OSCAR © is multi-tenant capable and scales immensely.

For our customers who operate infrastructures that they need to decouple from the central SOC infrastructure in the short or medium term, we offer a local SOC in the form of an intelligent local anomaly detector. The local SOC operates autonomously and protects the infrastructure as if it were connected to the central SOC. The data is stored locally. As soon as the local SOC is reconnected to the central SOC infrastructure, the data is synchronized. This solution offers our customers the flexibility and security they need to effectively protect their infrastructures while taking advantage of the benefits of a central SOC infrastructure.

Before disconnecting from the central SOC, the local SOC carries out a special authentication. For this purpose we use Silentel, a NATO standard in communication. Key distribution takes place via Silentel before disconnection. This process ensures the integrity and security of the software and data during disconnection from and reconnection to the central SOC.

The results are presented in AI-driven interactive dashboards that provide the fastest and most intuitive analysis of the security situation, with graphical representations and filtering options for detailed insights into events and trends. Automatically generated alerts are triggered immediately and can be distributed in real time via various channels such as alerts, email, SMS or ticket systems. Analysis of and response to security incidents can be decided and automated 100% by AI, which enables a much faster response to security incidents than in traditional SOCs.