By Ling Cheng (Senior Product Marketing Manager)
In the dynamic realm of cybersecurity and amid growing pressure from regulations, we often find the automotive industry embracing the conventional approach of setting up a cloud-based vehicle security operations center (VSOC). This approach is favored for its perceived advantages of quick installation and non-invasiveness, meeting the demands of the fast-paced industry. However, as the automotive cybersecurity landscape expands beyond the confines of the cloud to include in-vehicle components and infrastructure, reliance solely on today’s cloud-based VSOC platforms might prove inadequate for ensuring robust protection.
Let’s dive into a real-world scenario to shed light on why it’s time to rethink VSOCs and VSOC platforms, and embrace the level of protection that we truly need.
Real-world example: Today’s VSOC platforms can’t ensure robust protection
Let’s examine a real-world experimental case from 2020 as a vivid illustration. In this scenario, researchers successfully injected malicious code that made the compromised in-vehicle infotainment (IVI) system automatically connect to a rogue Wi-Fi hotspot, enabling them to inject malicious CAN messages and trigger a diagnostic session on the car without authentication.
The attack unfolds in five steps (see Figure 1):
1. Take advantage of Bluetooth to deploy malicious code.
2. Connect to a rogue Wi-Fi access point to install a backdoor.
3. Manipulate firmware through a flash.
4. Take control of the IVI system.
5. Inject malicious CAN messages.
Figure 1. The attack chain in a real-world experimental case from 2020
Today’s VSOC platforms face limitations in detecting steps 1 to 5 (see Figure 2). Simply put, such a VSOC platform issues an alert only when the vehicle performs a suspicious action, such as initiating self-diagnosis in this scenario. Consequently, by the time an anomaly is detected the attack path is nearly complete: the attacker has already reached the final step, which leaves little time to respond. This scenario emphasizes the constraints of depending solely on a cloud-based VSOC platform.
Figure 2. The view from today’s VSOC platforms: no visibility from steps 1 to 5
Limitations of today’s VSOC platforms
Depending solely on today’s VSOC platforms feels like having blind spots. They have three significant limitations in detecting cyberattacks:
- Too noisy to work. Today’s VSOC platforms relying on AI-powered detection often lead to alert fatigue by triggering alerts for all suspicious anomalies, overwhelming teams with late and often irrelevant notifications. We can draw insights from the IT industry, where 55% of IT and SOC teams admit that they lack full confidence in prioritizing and responding to these alerts. Similar scenarios might unfold in the automotive industry.
- Too late to act. Today’s VSOC platforms use a generic log collector, producing unusable security logs that lack actionable intelligence. This leads to delays in risk remediation, as the lack of attack origin details requires manual investigation. In the case of our real-world example, the lack of visibility over steps 1 through 5 renders the VSOC team unable to proactively address threats, making timely prevention challenging.
- Too vague to trace. If the threat vector is relatively new, the signs of threat activity do not register as obvious indicators; they remain “suspicious anomalies” until the activity is recognized as a new threat vector. Today’s VSOC platforms struggle to break down incidents into specific tactics and techniques. This leads to an unclear understanding of attackers’ goals and methods, making it challenging to implement the necessary remediation plans.
The attack path unfolds: End to end, all within sight
How can we address the above challenges? The key lies in contextualized attack paths. An attack path is the sequence of steps or methods that a malicious actor (such as a hacker) might use to gain unauthorized access to a vehicle system, vehicle network, or sensitive information. Understanding and analyzing attack paths is essential for VSOC teams to identify vulnerabilities and implement effective security measures (see Figure 3).
Figure 3. Seeing better with a contextualized attack path
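As an added illustration (not VicOne’s code, and not a description of how xNexus is implemented), the following Python sketches what a contextualized attack path looks like in practice for the five-step chain above. Constructed in-vehicle sensor events are mapped onto the chain’s stages and correlated per vehicle, so an alert carries the origin, the affected component and the progress along the chain, and it fires as soon as two stages line up instead of only at the final step. A cloud-only view that sees just vehicle-level behaviour (the unauthenticated diagnostic session) is shown beside it for comparison. The event names, sensor sources, stage mapping and event trace are all assumptions constructed for this example.

```python
"""Correlating constructed in-vehicle sensor events into a staged attack path.

Added example, not VicOne or xNexus code. All event names, sources and the
sample trace are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed mapping from sensor event types to the five stages of the 2020 chain.
STAGE_OF_EVENT = {
    "bt_pairing_unknown_device": 1,          # step 1: Bluetooth used to deploy code
    "ivi_process_spawn_unsigned": 1,
    "wifi_join_unlisted_ssid": 2,            # step 2: rogue Wi-Fi AP, backdoor install
    "ivi_outbound_to_unlisted_host": 2,
    "flash_write_outside_update_window": 3,  # step 3: firmware manipulated via flash
    "ivi_privilege_escalation": 4,           # step 4: control of the IVI
    "can_tx_from_ivi_unexpected_id": 5,      # step 5: CAN injection / diagnostics
    "diag_session_unauthenticated": 5,
}
STAGE_NAME = {
    1: "Initial access via Bluetooth",
    2: "Rogue Wi-Fi access point / backdoor",
    3: "Firmware manipulation",
    4: "IVI takeover",
    5: "CAN injection / unauthenticated diagnostics",
}
# What a cloud-only backend observes in this scenario: vehicle-level behaviour only.
CLOUD_VISIBLE_EVENTS = {"diag_session_unauthenticated"}


@dataclass
class Event:
    ts: int        # seconds since the start of the constructed trace
    vin: str
    source: str    # emitting component: "ivi", "tcu" or "gateway" (assumed)
    kind: str


@dataclass
class AttackPath:
    vin: str
    stages: Dict[int, Event] = field(default_factory=dict)  # earliest evidence per stage
    alerted_at: Optional[int] = None

    def origin(self) -> Optional[Event]:
        """Earliest-stage evidence, i.e. where the attack entered the vehicle."""
        return self.stages[min(self.stages)] if self.stages else None

    def summary(self) -> str:
        steps = "; ".join(f"step {s} {STAGE_NAME[s]} ({e.source} @ {e.ts}s)"
                          for s, e in sorted(self.stages.items()))
        return f"{self.vin}: {steps}"


def correlate(events: List[Event], min_stages: int = 2) -> Dict[str, AttackPath]:
    """Group sensor events per vehicle into attack-chain stages.

    A path is marked alerted as soon as `min_stages` distinct stages have been
    seen for the same vehicle; a lone anomaly stays below the threshold, which
    is what keeps one-off noise from becoming an alert.
    """
    paths: Dict[str, AttackPath] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = STAGE_OF_EVENT.get(ev.kind)
        if stage is None:
            continue                      # unmapped telemetry is kept out of the path
        path = paths.setdefault(ev.vin, AttackPath(vin=ev.vin))
        path.stages.setdefault(stage, ev)
        if path.alerted_at is None and len(path.stages) >= min_stages:
            path.alerted_at = ev.ts
    return paths


def cloud_only_alert_time(events: List[Event]) -> Dict[str, int]:
    """Cloud-only view: first time a vehicle-level suspicious action is seen."""
    out: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in CLOUD_VISIBLE_EVENTS and ev.vin not in out:
            out[ev.vin] = ev.ts
    return out


def lead_time_seconds(events: List[Event], min_stages: int = 2) -> Dict[str, int]:
    """Seconds gained by the contextual correlator over the cloud-only view."""
    paths = correlate(events, min_stages)
    cloud = cloud_only_alert_time(events)
    return {vin: cloud[vin] - p.alerted_at
            for vin, p in paths.items() if p.alerted_at is not None and vin in cloud}


# Constructed trace: VIN-A follows the full five-step chain; VIN-B shows a
# single benign-looking anomaly (owner joins a phone hotspot) plus unmapped telemetry.
TRACE = [
    Event(0, "VIN-A", "ivi", "bt_pairing_unknown_device"),
    Event(3, "VIN-A", "ivi", "ivi_process_spawn_unsigned"),
    Event(40, "VIN-A", "ivi", "wifi_join_unlisted_ssid"),
    Event(45, "VIN-A", "tcu", "ivi_outbound_to_unlisted_host"),
    Event(300, "VIN-A", "ivi", "flash_write_outside_update_window"),
    Event(320, "VIN-A", "ivi", "ivi_privilege_escalation"),
    Event(900, "VIN-A", "gateway", "can_tx_from_ivi_unexpected_id"),
    Event(905, "VIN-A", "gateway", "diag_session_unauthenticated"),
    Event(10, "VIN-B", "ivi", "wifi_join_unlisted_ssid"),
    Event(12, "VIN-B", "ivi", "media_usb_mounted"),
]

if __name__ == "__main__":
    for vin, path in correlate(TRACE).items():
        status = f"alerted at {path.alerted_at}s" if path.alerted_at is not None else "no alert"
        print(f"{status}: {path.summary()}")
    print("cloud-only alert times:", cloud_only_alert_time(TRACE))
    print("lead time gained (s):", lead_time_seconds(TRACE))
```

In the constructed trace the correlator raises VIN-A at 40 seconds, when the Bluetooth and rogue Wi-Fi stages line up, and its summary already names the entry point and the components involved; the cloud-only view raises the same vehicle only at 905 seconds, at the unauthenticated diagnostic session. VIN-B never crosses the two-stage threshold, so its single hotspot join produces context for an analyst but no alert. Tuning `min_stages` and the stage mapping is where a real deployment would spend its effort.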
A next-gen VSOC platform with contextualized attack paths
VicOne’s xNexus next-gen VSOC platform integrates with our in-vehicle VSOC sensor to proactively identify emerging threat vectors before they become widely known, akin to hunting for patient zero. An in-vehicle VSOC sensor enables the next-gen VSOC platform to hunt for these newer threat vectors and provide contextualized insights into the attack path. This approach enables VSOC teams to confidently trace the origin of an attack, identify affected areas, and discern the ultimate target. This clear vision allows VSOC teams to confidently implement proactive measures, significantly expanding opportunities for risk remediation.
Our next-gen VSOC platform does more than today’s VSOC platforms, which rely heavily on AI-powered detection to match patterns only (see Figure 4). Combining large language models (LLMs) with our contextualized automotive threat intelligence empowers xNexus to detect clearly malicious attacks rather than merely suspicious anomalies. This synergy reduces the burden of chasing inexplicable false alarms and lets VSOC analysts take that threat intelligence, marry it with their existing business processes, and act accordingly.
Figure 4. How the xNexus next-gen VSOC platform works
Request an xNexus next-gen VSOC platform demo today to see better and experience more insights with less anxiety.