
General Motors and SIEM

Jun 10, 2013
So, my IT guy gives me a call on vacation and asks me if GM had contacted me at all about getting an SIEM (Security Information and Event Management) solution in place. The quick and dirty is it aggregates data on events that trigger security concern, administers alerts, looks for patterns, etc - Wikipedia has a short but fair write up on it.

Has anybody else been getting questioned on this one? GM seems to be insistent we get a solution and wants to suggest someone for us and I wanted to know if anyone here had any recommendations they had come across or wanted to share.
 
Yeah, they are trying to tell us "It's the Law!". If it was the law our other OEMs would be after us to implement it as well. Talking to our local Reynolds rep, he's seen it at other GM dealers and it causes nothing but headaches.
 
Here is GM's info on SIEM, see last paragraph. This is taken from a PDF I just got today. I am happy to forward to anyone if you want to email me at reduke at dukeauto dot com

The Gramm-Leach-Bliley Act Brief Overview

It is essential for Dealers to recognize that the application of the Act’s provisions extends well beyond depository institutions. Under the Act, a financial institution is any business that engages in financial activities ranging from insurance brokerage to data processing to automobile financing/leasing.

The Act specifically states that automobile dealers that provide financing to their customers are subject to the Act’s Privacy and Safeguard Rules. The Privacy Rule is intended to raise customer awareness of the different ways their non-public, personal information may be used, and requires dealers to present certain paperwork on their information sharing policies, or information notices, to the customer during the information-gathering process.

The Safeguards Rule is intended to protect the financial institution’s customers from identity theft and other harm by requiring financial institutions to assess their data and information from misappropriation, alteration, tampering, etc.
GM Dealer Computer Network Security & GLBA Compliance

Summary of GLBA Financial Privacy Rule Section 6801 – (b) Financial institutions safeguard

• To ensure the security and confidentiality of customer records and information
• To protect against any anticipated threats or hazards to the security or integrity of such records
• To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.


By implementing proper network security measures, dealerships can protect and properly respond to threats that can compromise their network and customers’ information. Many dealerships utilize standard firewalls and antivirus for their desktops but the current threat of network breaches demands a higher level of protection.

Compliant Security Measures as Outlined in the GM IT Guidelines

Network Security Device Features

Fully-managed security device that continually monitors threats through Intrusion Detection System “IDS” and Intrusion Prevention System “IPS” and other mechanisms. A firewall should include the functionality listed below.

• Filter packets and protocols
• Antivirus scanning
• Perform stateful inspection of connections
• Perform proxy operations on selected applications
• Report traffic allowed and denied by the firewall on a regular basis (i.e. monthly)

The firewall should be able to filter packets based on the following characteristics:

• Protocol, e.g. IP, ICMP
• Source and destination IP addresses
• Source and destination ports

The appliance should perform real-time scanning of HTTP, SMTP, and FTP traffic for malware, spyware, and other intrusions.


Security Information and Event Management

Proactive, real-time event monitoring that utilizes a SIEM (Security Information and Event Management) tool. The SIEM needs to be able to collect and collate the log data and security event data from the network in real-time, and be able to notify the network administrator in the case of a security event. The purpose of a SIEM is to aid in identifying or preventing an intrusion into your network. Immediate response to a breach can greatly reduce or prevent data loss.

Note: Reactive management software is not to be confused with a proactive SIEM.
 
GM's PDF on SIEM:

Security Information Event Management (SIEM)

GM Dealerships and SIEM Services - Why the Dealership Network Needs It

The Network Security section of the Guidelines states that the expectation for a dealer’s data network security is to “Comply with all federal, state, local and industry regulations for financial institutions, such as GLBA, PCI, etc.”

Security devices like UTMs are incapable of fully protecting a network without the assistance of network security experts utilizing additional security tools to analyze all the data being generated by the device. Security analyst teams often use a Security Information Event Management (SIEM) tool to investigate the enormous amount of data created by just a single dealership network.

SIEM is recommended by GM in the IT Guidelines to aid in identifying or preventing an intrusion into a dealership network. Security analysts use SIEM to help combat threats that are not stopped or identified by conventional security solutions such as Anti-Virus or UTMs. Immediate response to a breach can greatly reduce or prevent data loss.

Details About SIEM Services

SIEM services combine and sort network data in real-time from security devices into actionable alerts. The security alerts are then investigated and handled by trained network security analysts. SIEM services require both proper network security tools and security experts to work properly. Standard IT support professionals should not be confused with network security analysts, who have certifications and training to properly support specialized security tools. Industry practice is to utilize teams of security analysts to provide 24x7x365 real-time support of the security tools and network data.

SIEM should be viewed as a service, not a single piece of hardware/software.


Example of How a SIEM Service Works

1. A UTM device is utilized, and “pointed” towards a Network/Security Operations Center (NOC/SOC).
2. Data collected from the UTM (e.g. syslog traffic, security alerts) is gathered and analyzed by a SIEM service to find any anomalies.
   ○ Anomalies are anything other than normal everyday traffic; they can be good or bad. The SIEM service won’t know until it is analyzed deeper.
3. Once something is categorized as an anomaly, an incident ticket is created in the SIEM service system.
4. A network security analyst will then investigate and determine the threat status.
5. If the event is considered a threat, the network security analysts will assist the end-user in removing it from their computer network.

Not all monitoring solutions are created equal

Reactive Event Monitoring vs. Proactive SIEM Service

Reactive Event Monitoring:
○ Receiving an alert from a network security device that has blocked a possible threat based on attack signatures.
○ Security devices such as UTMs can block threats based on signatures. When a possible threat is blocked based on these signatures the device can issue an alert message to the administrator. Software designed to manage these alerts is not considered SIEM (e.g. SonicWall GMS, SonicWall Viewpoint, Level Platforms). Event alerts generated by the UTM have already been blocked by the device and the management software provides no additional security analysis.

Proactive SIEM Service:
○ Real-time analysis of event alerts and network traffic behaviour used to identify possible network threats.
○ SIEM monitoring is a proactive service combining different types of network data to detect threats that have bypassed primary security measures such as Anti-Virus or UTM devices, which are based on signatures. Networks not utilizing a SIEM service are much more vulnerable to new and advanced attacks, as they are created to defeat existing security signatures. SIEM services are considered by the network security industry as the most effective way of identifying and stopping advanced threats.
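To make the difference between "reactive event monitoring" and a "proactive SIEM" concrete, here is an added example (not from GM's PDF, Nuspire, or any vendor) of the correlation step in the five-step flow above: UTM syslog is parsed, the signature-based block alerts the device already handled are separated out, and two signature-independent rules look for patterns across both blocked and allowed traffic before opening an incident ticket for an analyst. The log lines, the `key=value` layout, the hostname `utm01`, the 192.0.2.0/24 "dealership LAN" range and the rule thresholds are all constructed assumptions for this example.

```python
"""Added example: a small SIEM-style correlation pass over UTM syslog (constructed data)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog from a hypothetical UTM ("utm01"). The key=value layout
# is an assumption for this example, not any vendor's real format.
SAMPLE_LOGS = """\
2013-06-10T09:00:01 utm01 fw: action=block src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2013-06-10T09:00:02 utm01 fw: action=allow src=192.0.2.55 dst=198.51.100.20 dport=443
2013-06-10T09:00:05 utm01 fw: action=block src=203.0.113.7 dst=192.0.2.10 dport=23
2013-06-10T09:00:09 utm01 fw: action=block src=203.0.113.7 dst=192.0.2.11 dport=445
2013-06-10T09:00:12 utm01 fw: action=block src=203.0.113.7 dst=192.0.2.12 dport=3389
2013-06-10T09:00:15 utm01 fw: action=block src=203.0.113.7 dst=192.0.2.13 dport=1433
2013-06-10T09:00:40 utm01 fw: action=allow src=192.0.2.55 dst=203.0.113.7 dport=8080
2013-06-10T09:01:00 utm01 fw: action=block src=198.51.100.9 dst=192.0.2.10 dport=80 sig=sql-injection
2013-06-10T09:05:00 utm01 fw: action=allow src=192.0.2.60 dst=198.51.100.30 dport=80
"""

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed dealership LAN (constructed)
SCAN_WINDOW = timedelta(seconds=60)              # assumed thresholds for the two rules
SCAN_MIN_TARGETS = 4
PEER_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<kv>.*)$")


def parse_events(text):
    """Turn raw syslog lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count these as parse failures
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["host"] = m.group("host")
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def reactive_alerts(events):
    """Reactive monitoring: only the signature hits the UTM already blocked.
    An alert manager forwards these; no further analysis happens."""
    return [e for e in events if e["action"] == "block" and "sig" in e]


def open_ticket(rule, subject, evidence):
    """Create the incident ticket an analyst would triage (evidence is time-ordered)."""
    return {"rule": rule, "subject": subject, "status": "open",
            "first_seen": evidence[0]["ts"], "last_seen": evidence[-1]["ts"],
            "event_count": len(evidence)}


def proactive_tickets(events):
    """Proactive SIEM: correlate blocked AND allowed events with signature-independent rules."""
    events = sorted(events, key=lambda e: e["ts"])
    tickets = []
    blocked_by_src = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            blocked_by_src[e["src"]].append(e)

    # Rule 1: one source blocked against many distinct (host, port) targets in a
    # short window. Only the first hit carried a signature; the rest were plain
    # policy blocks, so an alert manager would never tie them together.
    for src, evs in blocked_by_src.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= SCAN_WINDOW]
            targets = {(x["dst"], x["dport"]) for x in window}
            if len(targets) >= SCAN_MIN_TARGETS:
                tickets.append(open_ticket("scan", src, window))
                break  # one ticket per source; the analyst triages the rest

    # Rule 2: an internal host was ALLOWED out to an address the UTM recently
    # blocked inbound. Allowed traffic never raises a device alert, so only
    # cross-referencing the two event types surfaces it.
    for e in events:
        if e["action"] != "allow" or ipaddress.ip_address(e["src"]) not in INTERNAL:
            continue
        prior = [b for b in blocked_by_src.get(e["dst"], [])
                 if timedelta(0) <= e["ts"] - b["ts"] <= PEER_WINDOW]
        if prior:
            tickets.append(open_ticket("outbound-to-blocked-peer", e["src"], prior + [e]))
    return tickets


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print(f"reactive alerts (already blocked by UTM): {len(reactive_alerts(evs))}")
    for t in proactive_tickets(evs):
        print(f"ticket {t['rule']:<25} subject={t['subject']} events={t['event_count']}")
```

On the constructed sample the reactive view yields two alerts that need no action, while the correlation pass opens two tickets: a scan from 203.0.113.7 (five targets, four of them blocked without any signature) and an internal host that later connected out to that same address. The second ticket is the one a manager that only forwards device alerts can never produce, which is the point the PDF is making about "combining different types of network data".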
 
So timely, as I got the call today asking the who, what, where, and hows of our system from a person that said they were with GM checking to make sure we were compliant. "You should have received an email..." "I get 200 GM emails a day, if it's important enough they'll make it a pop up or call...so what's up?" I don't think she shares my humor. Blocked number and you want my IP, firewall info and DMS info? I asked her to send me an email and I would get her the answers.
 
I drove by the Chevrolet dealership, in Oklahoma, that the dealer sold rather than conform to the new building guidelines. I actually thought that the dealership looked very nice. I understand that GM wants dealerships to have someone answering leads 24-7. I'm curious, do any of the GM dealers ever remind the GM reps that they are the ones that filed for bankruptcy?
Seriously, do you really need to take business advice from a company that filed for bankruptcy and still owes billions?
 
Has anyone implemented SIEM yet? We use a pretty locked down Sophos UTM unit and I really don't see the benefit to having another company looking at the same logs I look at making the same determinations. The SIEM providers I've looked into are pretty expensive and appear geared more towards the enterprise environment, not the small business.

Looking for recommendations on a SIEM provider so GM DealerIT gets off my back about it.
 
I was talking with our owner last week and he said he was looking into the calls we were getting and it was a company who was GM approved to do work with GM dealers, not a requirement. It took him a number of calls to different people to get to the bottom of the calls we were getting. They asked for some information I wouldn't give to anyone that didn't walk into my store with a GM seal and GM corporate AmEx in hand, and I would still do so begrudgingly after a few calls. They weren't ACTUALLY gmIT and they finally stopped calling about 6 weeks ago. I hope it's something you can finally get to go away the same way we did! Hope it doesn't take as long though!
 
Going for a second bout of the Spanish Inquisition with GMiDT about compliance with SIEM. The last time, back in 2014, when I proposed that I was in contract with my ISP to handle SIEM, they reviewed it, then rejected it, telling me that it was not in compliance. When I answered all the issues showing that the solution I had was beyond their guidelines, they refused to accept it. So then I asked what do I need to do. That's when the sales spiel was given to go into a 36 month contract with their approved vendor, Nuspire Networks, and all would be good. At that point I told them to stop harassing me and go sell it to someone else. I didn't hear back from them until recently. Now they are asking for who provides that solution, and I told Maria that I will not provide her with any further info. I know she'll call another dozen times, and eventually give up.

They are threatening dealers to be compliant by purchasing their product that they get a commission on selling. They are not directly GM. They are an authorized vendor to sell you a product. The GLBA is serious and if you are audited due to a breach, it will cost plenty.
 

A few of our dealerships have been asking specifically for a SIEM solution. We found a company that gives you SIEM as a service. It's called Vijilan. The engineers at Vijilan installed the SIEM in one hour. Our customers were up and running in a flash. They even included 24/7 security monitoring. Great engineers inside their Security Operations. I think Vijilan and Dell SecureWorks are your best bet. You can try AlienVault.