Managing Risk: Crucial Considerations in Converged IT and OT Security

Workshop presented by Scott Lees, specialist at Forescout, during our Cybersécurité 20/20 event.


  1. Overcoming Cyberthreats to Critical Infrastructure with Integrated IT/OT Cybersecurity ("Security at First Sight™")
  2. Sandeep Lota, Sr. Systems Engineer
  3. Always Focus on the BUSINESS Challenges
     • 4 out of 10 ICS security practitioners lack sufficient visibility into their ICS networks (SANS Institute*)
     • 69% consider the current threat to their ICS systems to be high or severe/critical (SANS Institute*)
     • 44% consider adding devices to the network to be the top ICS threat (SANS Institute*)
     • The 6 challenges and risks of IT-OT cybersecurity: revenue growth; unplanned operational downtime; increasing cyber threats; the IT-OT relationship puzzle; limited resources and increasing workloads; high-effort compliance fulfillment
     • *Source: SANS Institute Reading Room, "Securing Industrial Control Systems - 2017"
  4. The Technical Challenges Only Matter Because of the BUSINESS Challenges
     • Cybersecurity: no (or limited) visibility into OT networks; inability to discern whether systems are vulnerable; complex and clunky integration into SIEM and other enterprise tools; slow and expensive threat detection and response
     • Networking: no network maps; no segmentation; inability to monitor and understand packet/traffic flows; lack of device compliance (is my switch configured correctly?)
     • Operations: no real-time asset inventory; inaccurate tracking of device firmware and model information; incomplete records of vendor and contractor activity; costly and time-consuming site visits to the field
  5. It's All About the Benjamins!
  6. Achieving Streamlined IT/OT Visibility: HAZARDS!
     • Think small to go big
     • "Do no harm"
     • Know your project's business value
  7. Streamlined IT/OT Visibility Is Not a "One Trick Pony"
     • Diagram: OT side (historian, PLCs, SCADA) and IT side (mail server, PCs, laptops, workstation, database, SIEM, vulnerability scanners, cloud or data center)
     • Gaps: limited or no visibility into the OT network; outdated and unpatched equipment; improperly secured equipment; vendor and contractor access; no configuration tracking; outdated inventory; proprietary protocols
     • IT security solutions aren't designed for sensitive operational scenarios: they lack passivity and OT protocol support
     • OT-centric solutions lack the ability to fix IT and IoT security issues: legacy operating systems and security hygiene
     • Security solutions must address cyber risk across all device types in OT environments
  8. It Takes a Village
     • Technology-partner integration categories: VA, ATD, SIEM, EMM, NGFW, CMT, ITSM/Security Ops, EDR/EPP, PAM/PAS, HX, Cloud / Data Center, Deception, Network Services / Next-gen Network Packet Brokers, Network Modeling & Risk Scoring, OT/ICS (includes SecurityMatters integrations), Future
     • New ITSM & SecOps incident integration in v8.1
     • To learn more, visit: www.forescout.com/partners/technology-partners
  9. Continuously Maintained Asset Intelligence (Forescout eyeSight + Forescout eyeExtend for ServiceNow + Forescout App for Asset Management)
     • Step 1: Forescout discovers, classifies and assesses all device types (Windows devices, BYOD devices, IoT devices, connecting through the switch and wireless LAN controller) as they connect to the network.
     • Step 2: Forescout updates its asset repository with real-time hardware and software information.
     • Step 3: Forescout eyeExtend then updates or creates a ServiceNow® CMDB Configuration Item (CI) with device properties and additional network context from the Forescout device repository, to true-up the CMDB and establish a real-time as well as historical single source of truth for all assets.
     • Step 4: Forescout imports device properties from ServiceNow that can be used to refine Forescout enforcement policies and actions.
     • Sample device repository record: Device IP 172.16.130.112; MAC 005056822f9f; switch port G01/1/2; VLAN 130; OS Windows 7 64-bit Enterprise SP1; user CyberSam; plus hundreds of other device, user and network properties
     • Corresponding CMDB CI: CI Name WIN7-SAM1; Class Computer; Location San Jose; Asset Tag User-AB1234; plus other CMDB properties
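The "true-up" in Step 3 is a reconciliation problem: a live device repository and a CMDB describe the same asset with different keys and different freshness, and the join has to be on a stable identifier, keep a change history so the CMDB can answer point-in-time questions, and flag rather than delete CIs that stop showing up. The following is an added example written for this page, not Forescout or ServiceNow code; the record layouts, the 30-day staleness threshold, the MAC-keyed join and the second sample device are all assumptions modelled on the fields shown on the slide.

```python
"""Reconcile a live device repository against a CMDB (the slide's "true-up" step).

Added example, not Forescout or ServiceNow code. Record shapes, the MAC-keyed
join and the 30-day staleness threshold are assumptions; the sample data is
constructed from the fields shown on the slide.
"""
import copy
from datetime import datetime, timedelta

# Network-derived fields the device repository is authoritative for.
SYNCED_FIELDS = ("ip", "switch_port", "vlan", "os", "user")


def normalize_mac(mac):
    """Canonical 12-hex lowercase form so '00:50:56:82:2F:9F' and '005056822f9f' join."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits


def reconcile(discovered, cmdb, now, stale_after=timedelta(days=30)):
    """Diff discovered devices against the CMDB and return a list of actions.

    Actions are (verb, mac, detail) with verb in {"create", "update", "stale"}.
    The CMDB dict is updated in place: each CI gets 'last_seen' and a 'history'
    list of (timestamp, field, old, new), which is what makes the CMDB a
    historical as well as real-time source of truth.
    """
    actions, seen = [], set()
    for dev in discovered:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        ci = cmdb.get(mac)
        if ci is None:
            # Unknown on the CMDB side: create a CI; class is left for the asset owner.
            ci = {"ci_name": dev.get("hostname") or mac, "class": "Unknown", "history": []}
            ci.update({f: dev.get(f) for f in SYNCED_FIELDS})
            ci["last_seen"] = now
            cmdb[mac] = ci
            actions.append(("create", mac, ci["ci_name"]))
            continue
        changes = {}
        for f in SYNCED_FIELDS:
            new = dev.get(f)
            if new is not None and ci.get(f) != new:
                ci.setdefault("history", []).append((now, f, ci.get(f), new))
                changes[f] = (ci.get(f), new)
                ci[f] = new
        ci["last_seen"] = now
        if changes:
            actions.append(("update", mac, changes))
    # CIs absent from the network for too long are flagged, never deleted:
    # the record is the audit trail for what was on the network and when.
    for mac, ci in cmdb.items():
        if mac not in seen and now - ci.get("last_seen", now) > stale_after:
            actions.append(("stale", mac, ci["ci_name"]))
    return actions


# Constructed sample data (not a real export).
NOW = datetime(2019, 6, 1, 12, 0)
SAMPLE_CMDB = {
    "005056822f9f": {"ci_name": "WIN7-SAM1", "class": "Computer", "location": "San Jose",
                     "asset_tag": "User-AB1234", "ip": "172.16.130.112",
                     "switch_port": "G01/1/2", "vlan": 130,
                     "os": "Windows 7 64-bit Enterprise SP1", "user": "CyberSam",
                     "last_seen": NOW - timedelta(days=1), "history": []},
    "0050568200aa": {"ci_name": "OLD-LAPTOP", "class": "Computer", "location": "San Jose",
                     "last_seen": NOW - timedelta(days=45), "history": []},
}
SAMPLE_DISCOVERED = [
    # Same host as WIN7-SAM1, now seen on a different switch port.
    {"mac": "00:50:56:82:2F:9F", "ip": "172.16.130.112", "switch_port": "G01/1/7",
     "vlan": 130, "os": "Windows 7 64-bit Enterprise SP1", "user": "CyberSam"},
    # Hypothetical controller discovered passively; no user field is available for it.
    {"mac": "00:50:56:82:ab:cd", "hostname": "PLC-LINE3", "ip": "172.16.140.5",
     "switch_port": "G02/0/1", "vlan": 140, "os": "VxWorks"},
]


def run_sample():
    """Run the reconciliation on copies of the sample data; returns (actions, cmdb)."""
    cmdb = copy.deepcopy(SAMPLE_CMDB)
    return reconcile(copy.deepcopy(SAMPLE_DISCOVERED), cmdb, NOW), cmdb


if __name__ == "__main__":
    for action in run_sample()[0]:
        print(action)
```

Keying on a normalized MAC is the usual choice for switched campus and plant networks because IP, hostname and switch port all change over time; the history list is what lets the CMDB answer "what was on port G01/1/2 last Tuesday", and the stale flag hands the delete decision to the asset owner instead of the sync job.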
  10. Tracking Your Visibility Project's Business Value
  11. Overcoming Cyberthreats to Critical Infrastructure (Reducing Costs)
     • Always ensure cybersecurity spend maps to asset value
     • Reduce scope
     • Automate workflows
  12. Opportunity: Automate Threat Response (Forescout eyeSight + eyeExtend for ServiceNow + App for Asset Management + App for SOC Incidents)
     • Step 1: Forescout continually assesses devices and detects a security policy violation or indicator of compromise (IOC).
     • Step 2: Forescout creates and shares a base Security Incident and the affected device information with ServiceNow Security Operations.
     • Step 3: ServiceNow ingests the Security Incident and device information from Forescout, matches it to the CI record in the CMDB and prioritizes the incident using business context from the CMDB.
     • Step 4: ServiceNow updates Forescout with additional Security Incident information, and Forescout associates the incident data with the relevant device record.
     • Step 5: ServiceNow can also initiate Security Incident response actions through Forescout, such as blocking or isolating the device on the network (requires Forescout eyeControl).
     • Sample incident as created by Forescout: Security Incident SIR12345; Device IP 172.16.130.112; MAC 005056822f9f; Description "Security agent missing"; Category Policy Violation; Priority Low
     • The same incident after CMDB enrichment: State Analysis; Business Impact High; Impacted CI WIN7-SAM1; Incident count 1
  13. Opportunity: Automate Control (Forescout with Palo Alto Networks NGFW, GlobalProtect™, Traps™ and WildFire™)
     • Scenario: endpoints attempt to download a malicious file that is a zero-day threat. Devices in play: on-premises corporate devices, BYOD and IoT devices, a rogue device, security camera servers, medical servers, other virtual and physical servers, and remote corporate devices on VPN via GlobalProtect, with Traps (TR) agents managed by the Endpoint Security Manager (ESM)*.
     • Step 1: Forescout agentlessly discovers, assesses and classifies on-premises and remotely connected devices.
     • Step 2: A mobile device with GlobalProtect connects remotely and tries to download a malicious file; an on-premises device tries to download a different malicious file.
     • Step 3: Both files are automatically sent through the NGFW to WildFire for analysis.
     • Step 4: WildFire confirms the malware threat for each file, creates new IOC signatures and shares the threat intelligence with both Traps and Forescout.
     • Step 5: Traps automatically remediates and protects managed endpoints against the IOCs.
     • Step 6: Forescout hunts for the WildFire IOCs across all devices on the network, immediately isolates compromised devices (per policy, isolating the endpoint or killing the VPN session as needed) and initiates the remediation process.
     • Step 7: Once a device is remediated, Forescout allows it back on the network per policy; devices that need more investigation stay isolated.
     • *Forescout currently works with the Traps 4.x on-premises solution.
  14. Example: Addressing EternalBlue Risk
     • Problem: how to combat malware where untargeted active scanning is not allowed, agents cannot be installed, and unsupported legacy operating systems are prevalent.
     • IDENTIFY vulnerable assets: all connected assets in campus, cloud, data center and OT are discovered without business-impacting network scans. For assets where active inspection is acceptable, highly targeted, agentless, operating-system-level inspections identify vulnerable and infected assets. For assets where 100% passive methods are required, network traffic is inspected for vulnerable or suspicious Server Message Block (SMB) protocol activity; SMB activity provides strong indicators of EternalBlue susceptibility as well as of WannaCry and NotPetya propagation.
     • REMEDIATE vendor-supported assets: where an operating system patch is available, Forescout installs and verifies the required updates and additionally implements SMB protocol hardening, strengthening the asset's defense against future attacks. Where remediation is supported but not immediately possible, mitigation controls provide interim protection.
     • MITIGATE vulnerability risk on legacy assets: where no remediation is available, risk-mitigating network controls are applied at the local network level as well as at the network zone perimeter.
     • QUARANTINE active infections: the network is continually monitored for indicators of compromise, with automated alerting and machine-speed network quarantine. For self-propagating malware like WannaCry and NotPetya, machine-speed quarantine is critical to preventing further outbreaks.
     • (Screenshot: EternalBlue Enterprise Dashboard showing the Identify / Remediate / Mitigate / Quarantine phases)
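The IDENTIFY and QUARANTINE steps above rest on two passive SMB observations that a SPAN port or tap can make without ever touching the asset: a host whose NEGOTIATE request offers only SMBv1 dialects (no "SMB 2.002"/"SMB 2.???") is running a legacy SMB stack and is a candidate for MS17-010 exposure, and a host opening TCP/445 connections to many distinct peers in a short window is behaving like WannaCry or NotPetya spreading. The following is an added example written for this page, not Forescout code: it parses constructed SMBv1 NEGOTIATE requests, classifies the dialect set, and computes per-source fan-out over a sliding window. The sample segments, the 20-peers-in-60-seconds threshold and the function names are assumptions; an SMBv1-only negotiation is an indicator, not proof, and patch state still has to be confirmed by the targeted inspection the slide describes for assets that permit it.

```python
"""Passive SMB indicators for EternalBlue (MS17-010) exposure and worm-like
propagation over TCP/445.

Added example, not Forescout code. Input is a constructed list of captured
TCP segments as (timestamp, src_ip, dst_ip, dst_port, payload) tuples with
the 4-byte NetBIOS session header already stripped; a real deployment would
feed these from a SPAN port or tap, which is what keeps the check passive.
"""
from collections import Counter, defaultdict
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32


def smb1_negotiate_dialects(payload):
    """Return the dialect strings of an SMBv1 NEGOTIATE request, else None.

    SMBv1 layout: 32-byte header (magic, command, ...), WordCount(1),
    Words(2*WordCount), ByteCount(2), then each dialect as 0x02 followed by
    a NUL-terminated ASCII string.
    """
    if len(payload) < SMB1_HEADER_LEN + 3 or payload[:4] != SMB1_MAGIC:
        return None
    if payload[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = payload[SMB1_HEADER_LEN]
    pos = SMB1_HEADER_LEN + 1 + 2 * word_count
    if pos + 2 > len(payload):
        return None
    (byte_count,) = struct.unpack_from("<H", payload, pos)
    data = payload[pos + 2:pos + 2 + byte_count]
    return [chunk.split(b"\x00", 1)[0].decode("ascii", "replace")
            for chunk in data.split(b"\x02")[1:]]


def is_smb1_only(dialects):
    """True when the client offers no SMB2/3 dialect at all.

    Modern Windows clients advertise 'SMB 2.002'/'SMB 2.???' alongside the
    SMBv1 dialects during multi-protocol negotiation; a client that offers
    only SMBv1 dialects is a legacy stack and a candidate for MS17-010 exposure.
    """
    return bool(dialects) and not any(d.startswith("SMB 2.") for d in dialects)


def peak_fanout(events, window):
    """Max number of distinct destinations one source hit within any `window` seconds."""
    events.sort()
    counts, best, lo = Counter(), 0, 0
    for ts, dst in events:
        counts[dst] += 1
        while events[lo][0] < ts - window:       # drop events that fell out of the window
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def analyze(segments, fanout_threshold=20, window=60.0):
    """Classify hosts: SMBv1-only negotiators and TCP/445 fan-out scanners."""
    smb1_only, fanout_events = set(), defaultdict(list)
    for ts, src, dst, dport, payload in segments:
        if dport != 445:
            continue
        fanout_events[src].append((ts, dst))
        dialects = smb1_negotiate_dialects(payload)
        if dialects is not None and is_smb1_only(dialects):
            smb1_only.add(src)
    fanout = {src: peak_fanout(ev, window) for src, ev in fanout_events.items()}
    return {
        "smb1_only_hosts": smb1_only,
        "fanout_hosts": {s: n for s, n in fanout.items() if n >= fanout_threshold},
    }


def build_smb1_negotiate(dialects):
    """Build a minimal SMBv1 NEGOTIATE request (used only to construct sample input)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * (SMB1_HEADER_LEN - 5)
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + b"\x00" + struct.pack("<H", len(body)) + body


# Constructed sample traffic (not a real capture):
#  - 10.0.1.23: legacy host negotiating SMBv1 only
#  - 10.0.1.50: modern client that also offers SMB2 dialects
#  - 10.0.1.99: worm-like host touching 30 distinct peers on 445 within 10 seconds
SAMPLE_SEGMENTS = [
    (0.0, "10.0.1.23", "10.0.1.10", 445,
     build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    (1.0, "10.0.1.50", "10.0.1.10", 445,
     build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
] + [(2.0 + i * 0.3, "10.0.1.99", f"10.0.1.{100 + i}", 445, b"") for i in range(30)]

if __name__ == "__main__":
    print(analyze(SAMPLE_SEGMENTS))
```

The two indicators map onto the slide's phases: the SMBv1-only set is the input to REMEDIATE (patch and disable SMBv1 where the vendor supports it) or MITIGATE (zone-perimeter and local controls where it does not), while a fan-out hit is the trigger for machine-speed QUARANTINE, since by the time a human reads the alert a worm has already reached the next subnet. Server-side responses (a server agreeing to an SMBv1 dialect) are the complementary check for hosts that only ever act as servers; the same parser applies to them.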
  15. Customer Examples
     • Customer Experience #1: Petrochemicals. Goal: increase revenue through improvements to process control efficiency, resiliency and security.
     • Customer Experience #2: Power Generation. Goal: reduce the risk of regulatory penalties with security enhancements for the power generation DCS.
     • Customer Experience #3: Discrete Manufacturing. Goal: protect manufacturing revenue with measures to prevent plant-impacting incidents.
  16. Customer Experience #1: Petrochemicals
     • The goal: increase revenue through PCN (process control network) modernization
     • The approach: mix of passive and selective-active visibility sources; integration with the CMDB for asset management and policy applicability; continuous assessment of assets against NIST controls
     • Key benefits: improved ICS visibility and asset management; accurate asset inventory
  17. Why Was an Accurate Inventory So Important?
     • What made this so special? It hadn't been done before, especially not in the PCN.
     • What ultimately enabled this? Options (100% device visibility and control).
     • What can the business now do with this? Make smarter investments.
  18. Customer Experience #2: Power Generation and Distribution
     • The goal: prevent security-related revenue impact
     • The approach: passive solution; establish communication baselines; automated incident response workflows; implement NERC CIP required controls
     • Key benefit: NERC CIP reporting automation
  19. Why NERC CIP Reporting Automation?
     • What made this so special? Many of the reporting items are not things that are easily automated.
     • What ultimately enabled this? The flexibility and extensibility of the solution.
     • What can the business now do with this? Free up significant labor hours and improve morale.
  20. Customer Experience #3: Automotive Manufacturer
     • The goal: protect manufacturing revenue
     • The approach: zero network downtime; zone-based segmentation; combination of switch, firewall and AWS controls; secure remote access support
     • Key benefit: event monitoring improvement
  21. Why Event Monitoring Improvements?
     • What made this so special? It was not one of the original business drivers.
     • What ultimately enabled success? Segmentation turned down the "noise".
     • What can the business now do with this? Not just threat detection...
  22. Thank You! Sandeep.lota@forescout.com
