The first step that Yokogawa Electric took in the development of its SOC infrastructure using Elastic Cloud was to hire engineers familiar with Elastic. Specifically, the company sought Elastic engineers through its engineering center in Bangalore, India, and made some hires that took the lead in setting up the SOC infrastructure.
To brush up its engineers’ skills during this process, Yokogawa Electric used Elastic’s training and consulting services covering Elastic Common Schema (ECS) field definitions and Logstash server log filtering configurations.
“In our case, we were collecting logs from a wide variety of different security products, so if these common schemes were not defined in advance, we wouldn’t be able to improve search speeds. For that reason, it was very important to have our engineers learn ECS, and it seems this strategy was very effective,” said Mr. Shiozaki.
Yokogawa Electric proceeded with building the SOC infrastructure and data analysis systems, launching security monitoring at major plants and offices (Japan, Europe, North America, Singapore, the Middle East, and India) in FY2019. Alongside this, it also focused on improving its monitoring and detection applications. These initiatives linked Elastic Cloud with threat intelligence and IoCs (indicators of compromise: artifacts that evidence a security breach caused by a cyberattack) to increase the precision of threat monitoring and detection.
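The two technical points above, normalizing logs from unrelated security products onto common ECS field names so they can be searched together, and then matching those normalized fields against an IoC list, are illustrated by the following added example. It is not Yokogawa's or Elastic's code: the antivirus JSON record, the DNS server log line, the regular expression that parses it, and the indicator list are all constructed for this illustration, and the ECS fields are written as flat dotted keys (Elasticsearch accepts that form; a real Logstash pipeline would usually nest them).

```python
import json
import re
from ipaddress import ip_address

# Constructed sample records from two different security products (not real data).
AV_RECORD = json.dumps({
    "ts": "2020-06-01T08:15:30Z",
    "computer": "plant-ws-17",
    "detection": "Trojan.Generic",
    "file": "C:\\Users\\op\\Downloads\\inv.exe",
    "action": "quarantined",
    "remote": "198.51.100.23",
})
DNS_LINE = ("2020-06-01 08:16:02 plant-dns-01 client 10.0.4.19#53112: "
            "query: update.example-bad.test A")

# Constructed indicator list; "type" values follow the ECS threat.indicator.type vocabulary.
IOCS = [
    {"type": "ipv4-addr", "value": "198.51.100.23", "provider": "feed-A"},
    {"type": "domain-name", "value": "example-bad.test", "provider": "feed-B"},
]

# Hypothetical DNS query log format, assumed for this example only.
DNS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) client "
    r"(?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def normalize_av(raw: str) -> dict:
    """Map the antivirus product's JSON onto ECS field names."""
    r = json.loads(raw)
    return {
        "@timestamp": r["ts"],
        "event.kind": "alert",
        "event.category": ["malware"],
        "event.action": r["action"],
        "event.dataset": "av.alerts",
        "host.name": r["computer"],
        "rule.name": r["detection"],
        "file.path": r["file"],
        "destination.ip": r["remote"],
    }


def normalize_dns(line: str) -> dict:
    """Map a DNS server query log line onto ECS dns.* and source.* fields."""
    m = DNS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised DNS log line: {line!r}")
    return {
        "@timestamp": f"{m['date']}T{m['time']}Z",
        "event.kind": "event",
        "event.category": ["network"],
        "event.action": "dns-query",
        "event.dataset": "dns.queries",
        "host.name": m["host"],
        "source.ip": m["ip"],
        "source.port": int(m["port"]),
        "dns.question.name": m["qname"],
        "dns.question.type": m["qtype"],
    }


def _domain_matches(name: str, indicator: str) -> bool:
    # A query for the indicator itself or any of its subdomains counts as a hit.
    name, indicator = name.lower().rstrip("."), indicator.lower().rstrip(".")
    return name == indicator or name.endswith("." + indicator)


def match_iocs(event: dict, iocs: list) -> list:
    """Return (indicator, matched_field) pairs, comparing each indicator type only
    against the ECS fields it can legitimately match: IPs against *.ip, domains
    against dns.question.name. Because every source was normalized to the same
    field names, one matcher serves all products."""
    hits = []
    for ioc in iocs:
        if ioc["type"] == "ipv4-addr":
            for field in ("source.ip", "destination.ip"):
                if event.get(field) and ip_address(event[field]) == ip_address(ioc["value"]):
                    hits.append((ioc, field))
        elif ioc["type"] == "domain-name":
            qname = event.get("dns.question.name")
            if qname and _domain_matches(qname, ioc["value"]):
                hits.append((ioc, "dns.question.name"))
    return hits


def enrich(event: dict, iocs: list) -> dict:
    """Attach ECS threat.enrichments entries for every indicator that matched."""
    hits = match_iocs(event, iocs)
    if hits:
        event = dict(event)
        event["threat.enrichments"] = [
            {"indicator": {"type": ioc["type"], "provider": ioc["provider"]},
             "matched": {"atomic": ioc["value"], "field": field}}
            for ioc, field in hits
        ]
    return event


def run_pipeline() -> list:
    """Normalize the two constructed records and enrich them against IOCS."""
    events = [normalize_av(AV_RECORD), normalize_dns(DNS_LINE)]
    return [enrich(e, IOCS) for e in events]


if __name__ == "__main__":
    for e in run_pipeline():
        print(json.dumps(e, indent=2))
```

The point of the normalization step is visible in `match_iocs`: it never needs to know which product produced the event, because an IP is always in `source.ip` or `destination.ip` and a queried name is always in `dns.question.name`, which is what makes a single search or detection rule work across every log source at once.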
Additionally, in 2020, Yokogawa Electric expanded its monitoring efforts to China, Russia, South America, Taiwan, the Philippines, Indonesia, and other sites.
This resulted in monitoring coverage of PCs (antivirus software and EDR), key servers (AD servers, DHCP/DNS servers, etc.), IDS, and Microsoft Azure/AWS Web Application Firewalls (WAF) across 15 sites throughout the world. The logs and event data collected from those devices and systems are stored in an Elastic Cloud managed service environment. Because that data is analyzed in real time, this security monitoring framework predicts cyberattacks and detects security violations on a daily basis (Fig. 2).