SOCFortress Integrations — Nozomi Networks (OT)

SOCFortress
3 min read · Oct 7, 2023


Intro

SOCFortress integration and visualization tools let security analysts visualize and triage events from Nozomi’s OT sensors in a single pane of glass.

About Nozomi Networks

Nozomi Networks specializes in industrial and operational technology (OT) security. The company offers solutions designed to protect critical infrastructure and industrial control systems (ICS) from cyber threats and vulnerabilities.

Nozomi Networks:

  • Industrial Cybersecurity: Nozomi Networks provides industrial cybersecurity solutions that focus on identifying and mitigating cyber threats within operational technology environments. This includes industries such as energy, manufacturing, utilities, transportation, and more.
  • Real-time Threat Detection: The company’s platform offers real-time monitoring and detection of anomalies and threats in industrial networks. It uses machine learning and behavioral analytics to identify suspicious activities that could indicate a cyberattack or a potential security breach.
  • Asset Discovery and Inventory: Build a comprehensive inventory of industrial assets, including devices, controllers, and network components. This visibility is crucial for understanding the attack surface and vulnerabilities within an industrial network.
  • Network Visualization: The platform provides visual representations of industrial networks, which can help security teams gain insights into network topology, communication patterns, and potential areas of risk.
  • Incident Response: Capabilities to help organizations respond quickly and effectively to cybersecurity incidents. This includes threat containment and remediation.
  • Integration with Other Security Solutions: Nozomi Networks can integrate with existing security infrastructure and tools, such as SIEM (Security Information and Event Management) systems, to provide a more comprehensive security posture.
  • Compliance and Reporting: Assists organizations in meeting regulatory compliance requirements, such as NERC CIP, IEC 62443, and others, by providing reporting and auditing capabilities.
  • Threat Intelligence: Nozomi Networks incorporates threat intelligence feeds to stay updated on emerging threats and vulnerabilities specific to industrial environments.
  • Global Reach: The company serves organizations around the world and has a global presence to support its customers in various regions.

Nozomi Networks plays a critical role in helping organizations secure their industrial control systems and critical infrastructure, which are increasingly targeted by cyberattacks. The company’s solutions aim to provide visibility, threat detection, and response capabilities tailored to the unique challenges and requirements of industrial environments.

Ingesting Nozomi’s Security Events

Nozomi’s Vantage API reference: https://nozomi-sales-engineering-wr0fy5q7.customers.us1.vantage.nozominetworks.io/api-docs/index.html

Required:

  • Key name
  • Key Token
  • Sign in URL
  • Vantage’s URL

Ingest API results using Wazuh’s socket

import json
import time
import requests      # used by the Vantage API polling part of the script (not shown here)
import urllib3
import logging
import sys
from base64 import b64encode
from socket import socket, AF_UNIX, SOCK_DGRAM

# Wazuh manager analysisd socket address
socketAddr = '/var/ossec/queue/sockets/queue'

def send_event(msg):
    # Message format is <queue>:<location>:<payload>. Queue 1 is the syslog queue;
    # the location string must match <location>nozomi</location> in the rule.
    logging.debug('Sending {} to {} socket.'.format(msg, socketAddr))
    string = '1:nozomi:{}'.format(msg)
    sock = socket(AF_UNIX, SOCK_DGRAM)
    sock.connect(socketAddr)
    sock.send(string.encode())
    sock.close()

Basic rule structure:

<group name="nozomi,">
  <rule id="xxxx" level="3">
    <location>nozomi</location>
    <description>Nozomi Integration.</description>
    <options>no_full_log</options>
  </rule>
</group>
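As an added example (not code from this post or from SOCFortress), the script below extends the send_event() snippet above: it wraps each Vantage alert in single-line JSON under the location `nozomi` that the rule matches on, skips alerts already forwarded in an earlier poll, and retries the datagram if the analysisd socket is briefly unavailable. The sample alerts and their field names are constructed, and the 65536-byte message ceiling is an assumption to verify against your manager version.

```python
import json
import time
from socket import socket, AF_UNIX, SOCK_DGRAM

WAZUH_QUEUE = '/var/ossec/queue/sockets/queue'  # analysisd socket on the Wazuh manager
MAX_EVENT_BYTES = 65536  # assumed analysisd message ceiling; verify for your manager version

# Constructed sample alerts shaped like Vantage alert records (field names are assumptions).
# The third entry repeats the first id to exercise de-duplication across polling cycles.
SAMPLE_ALERTS = [
    {"id": "a1", "name": "New node detected", "severity": 3, "risk": 2.0, "time": 1696000000000},
    {"id": "a2", "name": "Unauthorized write to PLC", "severity": 9, "risk": 8.5, "time": 1696000060000},
    {"id": "a1", "name": "New node detected", "severity": 3, "risk": 2.0, "time": 1696000000000},
]

def build_event(alert, location='nozomi'):
    """Wrap one alert in single-line JSON and prefix the analysisd header '1:<location>:'
    (queue 1 = syslog queue) so <location>nozomi</location> in the rule matches."""
    payload = {"integration": "nozomi", "nozomi": alert}
    return '1:{}:{}'.format(location, json.dumps(payload, separators=(',', ':')))

def _send(msg, sock_path, retries):
    """Deliver one datagram; back off and retry if analysisd is restarting. True on success."""
    for attempt in range(retries):
        try:
            sock = socket(AF_UNIX, SOCK_DGRAM)
            sock.connect(sock_path)
            sock.send(msg)
            sock.close()
            return True
        except OSError:
            time.sleep(0.1 * (attempt + 1))
    return False

def forward(alerts, seen, sock_path=WAZUH_QUEUE, retries=3):
    """Forward alerts whose id is not in `seen` (a set the caller persists between polls).
    Ids are recorded only after a successful send, so a failed delivery is retried next
    poll instead of being lost. Returns the number of events sent."""
    sent = 0
    for alert in alerts:
        key = alert.get("id") or json.dumps(alert, sort_keys=True)  # id-less alerts keyed by content
        if key in seen:
            continue
        msg = build_event(alert).encode()
        if len(msg) > MAX_EVENT_BYTES:
            continue  # an oversized event would be truncated or rejected; drop it rather than corrupt the queue
        if _send(msg, sock_path, retries):
            seen.add(key)
            sent += 1
    return sent
```

Persist the `seen` set (for example to a small state file) between polling runs; once analysisd decodes the JSON, child rules can match on fields such as nozomi.severity to assign alert levels.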

Visualizations

Nozomi Networks — Summary

Alerts by severity and risk levels:

Vulnerabilities: CVSS and Likelihood:

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).