
The Future of ICS Security Products

My session from the 9 June 2020 ICSJWG event



  1. The Future of ICS Security Products
  3. New Product Category: Detection
  7. Asset Inventory To The Rescue
     ◦ Didn’t have an asset inventory
     ◦ Outdated spreadsheet at best
     ◦ Amazed at what passive monitoring could tell them
     ◦ Easy win for customers and vendors
  9. More accurate and more detailed information on your cyber assets. Using only legitimate protocol requests. NOT SCANNING!
  11. (Same text as slide 9.)
  12. If you can’t stomach Active, then use your EWS or other ICS component to query cyber assets so Passive can see the answers.
  13. Asset Management
     ◦ Asset Inventory
     ◦ Configuration Mgmt
     ◦ Vulnerability Mgmt
     ◦ Change Management
     ◦ …
  16. (Diagram) ICS Detection / Asset Mgmt / Vuln Mgmt / SIEM / SOC
  18. Vulnerability Management
     ◦ Requires software inventory
     ◦ Identify vulnerable sw / fw
     ◦ What to patch? When? What application will apply the patch?
  19. Detection
  20. Prioritized List of Detection Sources
     ◦ Endpoint protection alerts
     ◦ Blocked firewall egress attempts
     ◦ New admin users
     ◦ …
  22. Network IDS with ICS Protocol Smarts
     Same:
     ◦ Switch span port or tap, passive traffic collection
     ◦ Lots of signatures
     ◦ Same data overwhelm issues
     Different:
     ◦ Able to parse ICS protocols
     ◦ Alert on legit, high risk cmds
     ◦ Some anomaly detection
     ◦ ICS Playbooks
  24. Incident Response
     ◦ What good is detecting if you can’t respond?
     ◦ Detection products provide data for after-incident investigation
     ◦ Knowing ICS and the product is key for effective response
  26. What Will You Do With The Data?
     ◦ ENTERPRISE SOC: Forward the ICS detection system data to the Enterprise SOC. Add ICS talent to the SOC and response team.
     ◦ STAND ALONE SYSTEM: Analysts use the product as the primary ICS detection system.
     ◦ OT SOC: ICS detection system used as one detection source in an OT SOC.
  29. Lots of Change
     ◦ Asset Inventory will not be part of the detection product
     ◦ ICS Detection GUI won’t matter
     ◦ Integration with SOC systems
     ◦ Sensors will be in your switches
     ◦ Competitors will almost all change
  30. Slow Down / Pilot / Position As Interim / Learning
  31. What Would I Do? (in order)
     ◦ Start with an asset management solution
     ◦ Get a detection solution
        ◦ Integrates with asset mgmt
        ◦ Retains forensics records
     ◦ Get an incident response retainer
     ◦ Focus on SOC integration
  32. Asset Inventory / Management
     ◦ PAS
     ◦ Langner OT-BASE
     ◦ Asset Guardian
     ◦ MDT Software
     ◦ DCS vendors
  34. What Is Top Tier?
     ◦ BAKE OFFS & PILOTS: We saw the same four repeatedly in asset owner competitions and pilots.
     ◦ COMPANY GROWTH: Top Tier now are 100+ employees and growing. Accelerating & leaving the rest behind.
     ◦ RAPID PRODUCT DEV: Huge investment in R&D showing in new features and product maturity.
  35. Detection Tiers (US), July ’18
     ◦ Claroty / Dragos / Nozomi / SecurityMatters
     ◦ CyberX / Indegy / Kaspersky / Sentryo
     ◦ The Rest
     https://dale-peterson.com/ics-detection-market-analysis/
  36. Detection Tiers (US), Nov ’19
     ◦ Claroty / Dragos / Nozomi
     ◦ CyberX / Indegy / Kaspersky / Sentryo* / Radiflow
     ◦ 11 Competitors
     https://dale-peterson.com/ics-detection-market-analysis/
  37. Acquisitions
     ◦ Forescout buys SecurityMatters ($113M)
     ◦ Cisco buys Sentryo (my guess ~$50M)
     ◦ Tenable buys Indegy ($78M)
     ◦ Also GE, Honeywell, Kaspersky …
  38. Detection Tiers (US), Today
     ◦ Claroty / Dragos / Nozomi
     ◦ CyberX (Microsoft?) / Radiflow
     ◦ SCADAfence + 5 Others
     https://dale-peterson.com/ics-detection-market-analysis/
  39. Thanks! Any Questions?
     Dale Peterson, CEO of Digital Bond, peterson@digitalbond.com, https://dale-peterson.com
     Founder of S4, every Jan in Miami SoBe, https://s4xevents.com
     Twitter: @digitalbond
     Unsolicited Response Podcast
     YouTube: www.youtube.com/s4events
