ICS Cybersecurity Technology Selection
Selection criteria and considerations for today’s ICS cybersecurity technology
MATT COWELL
mcowell@dragos.com
1/15/19
THE DRAGOS OFFERING
Technology, Intelligence, Expertise
Technology: Monitoring software that utilizes threat analytics to identify threats as they occur and playbooks for guided investigations.
WorldView: Expertise and knowledge in ICS threat identification and understanding in the form of intelligence reports.
WorldView value: Insights create threat analytics to drive effective detection with context.
Threat Operations: Integrated solution that has three components: Threat Hunting, Incident Response and Training.
Threat Operations value: Services work informs the creation of playbooks to make analysts efficient.
AGENDA
01 Capabilities & Objectives
02 Technology Overview
03 Criteria considerations
04 Summary and recommendations
WHY DID WE DO THIS?
• Increasing awareness to secure ICS (Executives, IT, OT)
• ICS technology confusion
• Absence of independent testing & reports
• Increase in pilots and proof of concepts (POCs)
• Receiving many new RFPs from potential customers
BEFORE EVALUATING TECHNOLOGY
o Assess Capabilities
o Define Objectives
ASSESS CURRENT CAPABILITIES
o Asset discovery
o Vulnerability assessment
o Threat hunting
o SOC & IR
o In-house resources/departments
o Out-sourced resources
o Current technology usage
https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240
https://dragos.com/media/ARCViewDragos-01.pdf
TECHNOLOGY ALONE IS NOT ENOUGH
“There is no silver bullet. There are always options and the options have consequences.” - Mark Horowitz
DEFINE PRIMARY OBJECTIVES
01 TRAINING & AWARENESS
Classes, accreditation, exercises, testing
02 KNOW YOUR NETWORK
Asset discovery, network protocols, internal & external connections, crown jewel analysis
03 NETWORK SEGMENTATION
Creating zones & conduits, zero trust networks, firewalling
04 PATCH MANAGEMENT
Device vulnerabilities, vulnerable services, available patches
05 THREAT DETECTION
Network compromises, C2, untargeted malware, targeted malware, malicious behavior, insider
06 INCIDENT RESPONSE
Planning, logs & forensics, imaging, containment, analysis, recovery/backup
07 THREAT INTELLIGENCE
Collection of threat tradecraft, analysis of tradecraft, IOCs
08 RETALIATION/OFFENSE
Pursuing adversaries, “hacking back”
ICS CYBERSECURITY TECHNOLOGIES
1. Anti-virus
2. Endpoint security/whitelisting
3. Switches/Firewalls/SDN
4. Data Diodes
5. Deception/Honeypot/Honeynet
6. Asset Discovery & Management
7. Patch Management
8. Anomaly Detection
9. Threat Detection
10. SIEM
11. Removable media scanning
12. Backup/Recovery
INDEPENDENT TECHNOLOGY EVALUATION
Source: Forrester. Source: Gartner.
DIGITAL BOND – DETECTION CHALLENGE
2018
• 4 x vendors
• Offline analysis – pcap
• 2 phases – Asset Discovery, Threat Detection
• Unclear scoring system
2019
• 2 vendors (1 open source team)
• Offline analysis – pcap
• Improved criteria and scoring
• More challenging & realistic objectives (10x larger pcap)
https://s4xevents.com/challenge/
“To identify the capabilities and limitations of the passive monitoring solutions to create an asset inventory and detect cyber incidents. To identify the market leaders in these two areas of this highly competitive technology.”
NIST NCCOE USE CASES
https://www.nccoe.nist.gov/projects/use-cases
Energy Sector
1. Asset Management
2. Identity and Access Management (IAM)
3. Situational Awareness
Manufacturing Sector
1. Behavioral Anomaly detection
PILOTS & BAKE-OFFS
• Evaluate with existing systems
• Recommend controlled environment (non-production ideal)
• Smaller but realistic data set – easier to evaluate
• Define evaluation scope & time period
• Live or PCAP offline analysis (lower cost alternative)
• Evaluation should include:
  • Technology deployment process
  • Product support
  • Documentation
  • Capabilities based on YOUR data
• Requires defined criteria to evaluate
PRE-REQUISITES
• Network Architecture – IP networks, segments, throughput, serial networks
• Network Infrastructure – Available SPAN ports, TAPs, switch capacity, firewall rules
• Physical Access – restricted locations, change processes
• Environmental – power, mounting, temperature etc.
• Stakeholders – Relevant IT & OT contacts
RECOMMENDED CRITERIA CATEGORIES
1. Architecture and Deployment
2. Collection/Ingestion
3. Asset Inventory
4. Detection
5. Response
6. User interface/Ease of use
7. Management
8. Reporting
9. 3rd party integrations
10. Commercial
11. Support
12. Advanced user
EXAMPLE CRITERIA 1
1. Architecture and Deployment
• On prem, Cloud
• Hardened, Enterprise
• Agent, Network sensor
2. Collection
• Passive/Active monitoring
• SPAN, PCAP, Logs
• Max. throughput (scale)
3. Asset Inventory
• IP, MAC, Name
• Device type characterization
• OS Fingerprint
4. Detection
• Anomaly/Change detection
• Known malicious behaviors
• IOC & YARA detection
ACTIVE VS. PASSIVE DISCOVERY
ACTIVE
  Pros: Specific queries on demand; Quicker results; More product details
  Cons: Potential service disruption; Unsupported by vendors; Limited threat detection
PASSIVE
  Pros: No risk of disruption to operations; Observe peer to peer comms; Thorough threat detection
  Cons: Results take time; Requires SPAN ports/TAPs; Visibility dependent upon location
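As an added example (not from the deck or any Dragos product), the following stdlib-only Python builds a constructed pcap in memory and derives a passive asset inventory from it, the way offline analysis of a SPAN capture would: MAC, IP, server ports, peers and a device characterization. The ICS port-to-protocol table, the server-side heuristic and all addresses are assumptions of the example.

```python
"""Passive asset discovery from a pcap (added example, stdlib only).

Builds a small constructed pcap in memory, then derives the inventory a
passive sensor on a SPAN port could: MAC, IP, server ports, peers and a
protocol-based device characterization."""
import struct
from collections import defaultdict

# Well-known ICS protocol ports used for characterization. A port match is
# a hint about the device role, not proof (heuristic, constructed table).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)",
             20000: "DNP3", 44818: "EtherNet/IP"}
SYN, ACK = 0x02, 0x10


def make_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left zero; the
    parser below does not verify them, as most passive tools do not."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp


def make_pcap(frames):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1547500000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    """Yield raw frames from pcap bytes, accepting either byte order."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def passive_inventory(pcap):
    """Return {ip: {mac, server_ports, peers, role}} learned only from
    observed traffic. Hosts whose traffic never crosses the capture point
    are missing: that is the 'visibility dependent upon location' caveat."""
    hosts = defaultdict(lambda: {"mac": set(), "server_ports": set(), "peers": set()})
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # this example only handles IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
        hosts[src_ip]["mac"].add(mac_str(frame[6:12]))
        hosts[dst_ip]["mac"].add(mac_str(frame[0:6]))
        hosts[src_ip]["peers"].add(dst_ip)
        hosts[dst_ip]["peers"].add(src_ip)
        if frame[23] != 6:  # not TCP
            continue
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = struct.unpack("!H", tcp[12:14])[0] & 0x1FF
        # A SYN names the server by destination, a SYN-ACK by source. For a
        # connection first seen mid-stream, fall back to the known-port map.
        if flags & SYN and not flags & ACK:
            hosts[dst_ip]["server_ports"].add(dport)
        elif flags & SYN and flags & ACK:
            hosts[src_ip]["server_ports"].add(sport)
        elif dport in ICS_PORTS:
            hosts[dst_ip]["server_ports"].add(dport)
        elif sport in ICS_PORTS:
            hosts[src_ip]["server_ports"].add(sport)
    for h in hosts.values():
        served = sorted(ICS_PORTS[p] for p in h["server_ports"] if p in ICS_PORTS)
        h["role"] = "serves " + ", ".join(served) if served else "client only"
    return dict(hosts)


# Constructed traffic: an HMI polls a PLC over Modbus/TCP, an engineering
# workstation reaches the same PLC over S7comm, and a remote I/O module's
# EtherNet/IP reply to the HMI is captured mid-stream (no SYN seen).
SAMPLE_PCAP = make_pcap([
    make_frame("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.10", "10.0.0.20", 50000, 502, SYN),
    make_frame("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.20", "10.0.0.10", 502, 50000, SYN | ACK),
    make_frame("00:11:22:33:44:03", "00:11:22:33:44:02", "10.0.0.30", "10.0.0.20", 50001, 102, SYN),
    make_frame("00:11:22:33:44:04", "00:11:22:33:44:01", "10.0.0.40", "10.0.0.10", 44818, 50002, ACK),
])

if __name__ == "__main__":
    for ip, info in sorted(passive_inventory(SAMPLE_PCAP).items()):
        print(ip, sorted(info["mac"]), sorted(info["server_ports"]), info["role"])
```

Pointing `passive_inventory` at the bytes of a real capture file works the same way; anything the SPAN port never carried (serial segments, traffic that stays inside one switch) will simply be absent from the result.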
EXAMPLE CRITERIA 2
5. Response
• Case management
• Dataset querying
• Playbooks/guidance
6. User Interface
• Map visualization
• Dashboards
• Command line
7. Management
• Role based access
• Status monitoring
• Patching
8. Reporting
• Report format type
• Asset inventory
• User activity
EXAMPLE CRITERIA 3
9. Integrations
• Asset enrichment
• Events/notifications (SIEM)
• Network level actions
10. Commercial
• Hardware costs
• Licensing
• Maintenance
11. Support
• User guides
• Application support
• Online training
12. Advanced/Power user
• Custom data filtering
• Scripting data (e.g. Python)
• Custom analytics
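One way to turn criteria like these into a repeatable bake-off score, as an added example that is not part of the deck or any Dragos tool: each criterion carries a weight and an optional must-have flag, categories are normalised so a long category cannot swamp a short one, and a vendor that fails a must-have ranks last no matter how strong its features. Criterion names follow the slides; weights, must-have flags, vendor names and scores are constructed.

```python
"""Weighted criteria scoring for an ICS technology bake-off (added example,
not from the deck or any vendor tool). Criteria follow the deck's categories;
weights, must-have flags, vendor names and scores are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    category: str
    name: str
    weight: int              # relative importance within its category, 1-5
    must_have: bool = False  # a score of 0 disqualifies the vendor outright


# Subset of the deck's example criteria with constructed weights. Passive
# monitoring is a must-have here because the active/passive comparison
# lists potential service disruption as a cost of active discovery.
CRITERIA = [
    Criterion("Collection", "Passive monitoring", 5, must_have=True),
    Criterion("Collection", "PCAP ingestion", 3),
    Criterion("Asset Inventory", "IP/MAC/Name", 4, must_have=True),
    Criterion("Asset Inventory", "Device type characterization", 3),
    Criterion("Detection", "Known malicious behaviors", 5),
    Criterion("Detection", "IOC & YARA detection", 3),
    Criterion("Response", "Playbooks/guidance", 4),
    Criterion("Integrations", "Events/notifications (SIEM)", 4),
]
# Category weights express the buyer's primary objectives (constructed).
CATEGORY_WEIGHTS = {"Collection": 2, "Asset Inventory": 3, "Detection": 3,
                    "Response": 2, "Integrations": 1}
MAX_SCORE = 3  # 0 absent, 1 partial, 2 meets, 3 exceeds


def category_scores(scores):
    """Normalise each category to 0..1 so a category with many criteria does
    not swamp one with few. scores maps criterion name -> 0..MAX_SCORE."""
    totals, maxima = {}, {}
    for c in CRITERIA:
        s = scores.get(c.name, 0)
        if not 0 <= s <= MAX_SCORE:
            raise ValueError(f"{c.name}: score {s} outside 0..{MAX_SCORE}")
        totals[c.category] = totals.get(c.category, 0) + c.weight * s
        maxima[c.category] = maxima.get(c.category, 0) + c.weight * MAX_SCORE
    return {cat: totals[cat] / maxima[cat] for cat in totals}


def evaluate(vendor_scores):
    """Return [(vendor, overall 0..100, failed_must_haves)] best first.
    Any vendor failing a must-have ranks below every vendor that passes,
    however high its feature score."""
    results = []
    for vendor, scores in vendor_scores.items():
        failed = [c.name for c in CRITERIA if c.must_have and scores.get(c.name, 0) == 0]
        cats = category_scores(scores)
        weight_sum = sum(CATEGORY_WEIGHTS[cat] for cat in cats)
        overall = 100 * sum(CATEGORY_WEIGHTS[cat] * v for cat, v in cats.items()) / weight_sum
        results.append((vendor, round(overall, 1), failed))
    return sorted(results, key=lambda r: (bool(r[2]), -r[1]))


# Constructed bake-off results. Vendor B has the strongest features but
# offers active discovery only, so it fails the must-have and ranks last.
SAMPLE_SCORES = {
    "Vendor A": {"Passive monitoring": 3, "PCAP ingestion": 2, "IP/MAC/Name": 3,
                 "Device type characterization": 2, "Known malicious behaviors": 2,
                 "IOC & YARA detection": 1, "Playbooks/guidance": 2,
                 "Events/notifications (SIEM)": 3},
    "Vendor B": {"Passive monitoring": 0, "PCAP ingestion": 3, "IP/MAC/Name": 3,
                 "Device type characterization": 3, "Known malicious behaviors": 3,
                 "IOC & YARA detection": 3, "Playbooks/guidance": 3,
                 "Events/notifications (SIEM)": 3},
    "Vendor C": {"Passive monitoring": 2, "PCAP ingestion": 1, "IP/MAC/Name": 2,
                 "Device type characterization": 1, "Known malicious behaviors": 1,
                 "IOC & YARA detection": 0, "Playbooks/guidance": 1,
                 "Events/notifications (SIEM)": 1},
}

if __name__ == "__main__":
    for vendor, overall, failed in evaluate(SAMPLE_SCORES):
        print(vendor, overall, "DISQUALIFIED: " + ", ".join(failed) if failed else "ok")
```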
RESOURCES
Whitepaper: Key Considerations for Selecting an
Industrial Cybersecurity Solution for Asset
Identification, Threat Detection, and Response
https://dragos.com/resource/key-considerations-for-selecting-an-industrial-cybersecurity-solution-for-asset-identification-threat-detection-and-response/
RESOURCES
RFP template: Suggested evaluation criteria for
selecting an industrial cybersecurity platform.
Available soon
CONCLUSION
1. The suggested criteria are obviously biased, but they are useful data points when combined with other sources to find what's right for YOU.
2. Align technology requirements to existing capabilities and end goals.
3. Establishing evaluation criteria against YOUR objectives is essential before you begin evaluating technology.
4. Testing technology alongside YOUR existing systems & data is a true test of the value of the solution, but understand how it scales.
5. Testing criteria are also useful in defining an effective RFP.
Thank you
Questions?
mcowell@dragos.com
@m_p_cowell

Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 

Recently uploaded (20)

DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 

Industrial Control Systems Cybersecurity Technology Selection

  • 1. ICS Cybersecurity Technology Selection Selection criteria and considerations for today’s ICS cybersecurity technology MATT COWELL mcowell@dragos.com 1/15/19
  • 2. THE DRAGOS OFFERING: Technology, Intelligence, Expertise
      Monitoring software that utilizes threat analytics to identify threats as they occur and playbooks for guided investigations.
      Threat Operations: integrated solution that has three components: Threat Hunting, Incident Response and Training. Threat Operations value: services work informs the creation of playbooks to make analysts efficient.
      WorldView: expertise and knowledge in ICS threat identification and understanding in the form of intelligence reports. WorldView value: insights create threat analytics to drive effective detection with context.
  • 3. AGENDA
      01 Capabilities & Objectives
      02 Technology Overview
      03 Criteria considerations
      04 Summary and recommendations
  • 4. WHY DID WE DO THIS?
      • Increasing awareness to secure ICS (Executives, IT, OT)
      • ICS technology confusion
      • Absence of independent testing & reports
      • Increase in pilots and proof of concepts (POCs)
      • Receiving many new RFPs from potential customers
  • 5. BEFORE EVALUATING TECHNOLOGY: Assess Capabilities, Define Objectives
      o Asset discovery
      o Vulnerability assessment
      o Threat hunting
      o SOC & IR
      o In-house resources/departments
      o Out-sourced resources
      o Current technology usage
  • 7. “There is no silver bullet. There are always options and the options have consequences.” - Mark Horowitz TECHNOLOGY ALONE IS NOT ENOUGH
  • 8. DEFINE PRIMARY OBJECTIVES
      01 TRAINING & AWARENESS: Classes, accreditation, exercises, testing
      02 KNOW YOUR NETWORK: Asset discovery, network protocols, internal & external connections, crown jewel analysis
      03 NETWORK SEGMENTATION: Creating zones & conduits, zero trust networks, firewalling
      04 PATCH MANAGEMENT: Device vulnerabilities, vulnerable services, available patches
      05 THREAT DETECTION: Network compromises, C2, untargeted malware, targeted malware, malicious behavior, insider
      06 INCIDENT RESPONSE: Planning, logs & forensics, imaging, containment, analysis, recovery/backup
      07 THREAT INTELLIGENCE: Collection of threat tradecraft, analysis of tradecraft, IOCs
      08 RETALIATION/OFFENSE: Pursuing adversaries, “hacking back”
  • 9. ICS CYBERSECURITY TECHNOLOGIES
      1. Anti-virus
      2. Endpoint security/whitelisting
      3. Switches/Firewalls/SDN
      4. Data diodes
      5. Deception/Honeypot/Honeynet
      6. Asset discovery & management
      7. Patch management
      8. Anomaly detection
      9. Threat detection
      10. SIEM
      11. Removable media scanning
      12. Backup/Recovery
  • 10. INDEPENDENT TECHNOLOGY EVALUATION (Source: Forrester; Source: Gartner)
  • 11. DIGITAL BOND – DETECTION CHALLENGE
      2018
      • 4 x vendors
      • Offline analysis – pcap
      • 2 phases – Asset Discovery, Threat Detection
      • Unclear scoring system
      2019
      • 2 vendors (1 open source team)
      • Offline analysis – pcap
      • Improved criteria and scoring
      • More challenging & realistic objectives (10x larger pcap)
      https://s4xevents.com/challenge/
      “To identify the capabilities and limitations of the passive monitoring solutions to create an asset inventory and detect cyber incidents. To identify the market leaders in these two areas of this highly competitive technology.”
  • 12. NIST NCCOE USE CASES (https://www.nccoe.nist.gov/projects/use-cases)
      Energy Sector
      1. Asset Management
      2. Identity and Access Management (IAM)
      3. Situational Awareness
      Manufacturing Sector
      1. Behavioral Anomaly Detection
  • 13. PILOTS & BAKE-OFFS
      • Evaluate with existing systems
      • Recommend controlled environment (non-production ideal)
      • Smaller but realistic data set – easier to evaluate
      • Define evaluation scope & time period
      • Live or PCAP offline analysis (lower cost alternative)
      • Evaluation includes:
        • Technology deployment process
        • Product support
        • Documentation
        • Capabilities based on YOUR data
      • Requires defined criteria to evaluate
  • 14. ICS CYBERSECURITY TECHNOLOGIES
      1. Anti-virus
      2. Endpoint security/whitelisting
      3. Switches/Firewalls/SDN
      4. Data diodes
      5. Deception/Honeypot/Honeynet
      6. Asset discovery & management
      7. Patch management
      8. Anomaly detection
      9. Threat detection
      10. SIEM
      11. Removable media scanning
      12. Backup/Recovery
  • 15. PRE-REQUISITES
      • Network architecture – IP networks, segments, throughput, serial networks
      • Network infrastructure – available SPAN ports, TAPs, switch capacity, firewall rules
      • Physical access – restricted locations, change processes
      • Environmental – power, mounting, temperature etc.
      • Stakeholders – relevant IT & OT contacts
  • 16. RECOMMENDED CRITERIA CATEGORIES
      1. Architecture and Deployment
      2. Collection/Ingestion
      3. Asset Inventory
      4. Detection
      5. Response
      6. User interface/Ease of use
      7. Management
      8. Reporting
      9. 3rd party integrations
      10. Commercial
      11. Support
      12. Advanced user
  • 17. EXAMPLE CRITERIA 1
      1. Architecture and Deployment
        • On prem, Cloud
        • Hardened, Enterprise
        • Agent, Network sensor
      2. Collection
        • Passive/Active monitoring
        • SPAN, PCAP, Logs
        • Max. throughput (scale)
      3. Asset Inventory
        • IP, MAC, Name
        • Device type characterization
        • OS fingerprint
      4. Detection
        • Anomaly/Change detection
        • Known malicious behaviors
        • IOC & YARA detection
  • 18. ACTIVE VS. PASSIVE DISCOVERY
      PROS
        Active: Specific queries on demand; Quicker results; More product details
        Passive: No risk of disruption to operations; Observe peer to peer comms; Thorough threat detection
      CONS
        Active: Potential service disruption; Unsupported by vendors; Limited threat detection
        Passive: Results take time; Requires SPAN ports/TAPs; Visibility dependent upon location
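Passive asset discovery as the deck frames it (collection from SPAN/TAP only, an inventory of IP, MAC and device type, peer-to-peer visibility that depends on sensor location), as an added Python example that is not part of the original deck or of Dragos's product; the flow records and the port-to-protocol map are constructed sample data, and the role-based device labels are an assumed heuristic.

```python
"""Passive asset inventory from observed traffic only (added example, not from
the deck). It illustrates the 'Passive' column of active vs. passive discovery
and the asset-inventory criteria (IP, MAC, device type): nothing is sent to the
devices, and coverage depends on what crosses the SPAN/TAP. Flow records and
the port-to-protocol map are constructed sample data assumed for illustration.
"""
from collections import defaultdict

# Constructed sample flows: (src_ip, src_mac, dst_ip, dst_mac, dst_port)
SAMPLE_FLOWS = [
    ("10.1.1.10", "00:1d:9c:aa:00:01", "10.1.1.50", "00:80:f4:bb:00:02", 502),
    ("10.1.1.10", "00:1d:9c:aa:00:01", "10.1.1.51", "00:80:f4:bb:00:03", 502),
    ("10.1.1.10", "00:1d:9c:aa:00:01", "10.1.1.60", "00:1b:1b:cc:00:04", 102),
    ("10.1.1.20", "00:1d:9c:aa:00:05", "10.1.1.70", "00:0c:29:dd:00:06", 20000),
    # peer-to-peer controller traffic: seen only if the sensor covers that segment
    ("10.1.1.50", "00:80:f4:bb:00:02", "10.1.1.51", "00:80:f4:bb:00:03", 502),
]
# Assumed minimal map of well-known ICS protocol ports used for characterization.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

def build_inventory(flows):
    """Return {ip: {mac, roles, protocols, peers}}. A host that receives an
    ICS-protocol connection is tagged ics-server; one that initiates it, ics-client."""
    inv = defaultdict(lambda: {"mac": None, "roles": set(),
                               "protocols": set(), "peers": set()})
    for src_ip, src_mac, dst_ip, dst_mac, dport in flows:
        inv[src_ip]["mac"] = src_mac
        inv[dst_ip]["mac"] = dst_mac
        inv[src_ip]["peers"].add(dst_ip)
        inv[dst_ip]["peers"].add(src_ip)
        proto = ICS_PORTS.get(dport)
        if proto:  # only ICS protocol traffic contributes to role/type
            inv[src_ip]["protocols"].add(proto)
            inv[src_ip]["roles"].add("ics-client")
            inv[dst_ip]["protocols"].add(proto)
            inv[dst_ip]["roles"].add("ics-server")
    return dict(inv)

def characterize(entry):
    """Coarse device-type label derived from observed roles alone (no probing)."""
    roles = entry["roles"]
    if {"ics-server", "ics-client"} <= roles:
        return "controller (also polls peers)"
    if "ics-server" in roles:
        return "controller/PLC (answers ICS protocol)"
    if "ics-client" in roles:
        return "HMI/engineering workstation (initiates ICS protocol)"
    return "unknown (no ICS traffic observed)"

def unobserved(inventory, expected_ips):
    """Assets on an engineering list the sensor never saw: the passive blind
    spot when the SPAN/TAP does not cover their segment."""
    return sorted(set(expected_ips) - set(inventory))
```

Comparing `unobserved()` against the site's engineering asset list is the quickest way to check the "visibility dependent upon location" caveat during a pilot.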
  • 19. EXAMPLE CRITERIA 2
      5. Response
        • Case management
        • Dataset querying
        • Playbooks/guidance
      6. User Interface
        • Map visualization
        • Dashboards
        • Command line
      7. Management
        • Role based access
        • Status monitoring
        • Patching
      8. Reporting
        • Report format type
        • Asset inventory
        • User activity
  • 20. EXAMPLE CRITERIA 3
      9. Integrations
        • Asset enrichment
        • Events/notifications (SIEM)
        • Network level actions
      10. Commercial
        • Hardware costs
        • Licensing
        • Maintenance
      11. Support
        • User guides
        • Application support
        • Online training
      12. Advanced/Power user
        • Custom data filtering
        • Scripting data (i.e. python)
        • Custom analytics
  • 21. RESOURCES
      Whitepaper: Key Considerations for Selecting an Industrial Cybersecurity Solution for Asset Identification, Threat Detection, and Response
      https://dragos.com/resource/key-considerations-for-selecting-an-industrial-cybersecurity-solution-for-asset-identification-threat-detection-and-response/
  • 22. RESOURCES RFP template: Suggested evaluation criteria for selecting an industrial cybersecurity platform. Available soon
  • 23. CONCLUSION
      1. The suggested criteria are obviously biased, but they are useful data points when combined with other sources to find what's right for YOU.
      2. Align technology requirements to existing capabilities and end goals.
      3. Establishing evaluation criteria against YOUR objectives is essential before you begin evaluating technology.
      4. Testing technology alongside YOUR existing systems & data is a true test of the value of the solution, but understand how it scales.
      5. Testing criteria are also useful in defining an effective RFP.