Recent incidents like the Ukrainian power outage and disruption of Norsk Hydro aluminum production demonstrate the importance of sustaining cyber defenses. They also show that conventional cyber defenses can be overcome by sophisticated cyber-attacks. Prudent companies anticipate system compromises and empower security teams for rapid detection and response.
Concern about sustaining conventional defenses has driven increased interest in continuous asset and network monitoring solutions that facilitate maintenance of up-to-date asset inventories and risk profiles. While it is important to address these needs, solution selection should also consider how the product can help defenders protect the facility against sophisticated attacks. This includes capabilities that support rapid detection of compromises, identification of attackers, and implementation of appropriate responses to limit impact on system operation and safety.
ARC Advisory Group recently discussed the requirements for continuous asset and network monitoring with executives from Dragos, an industrial cybersecurity company with a large staff of experts in industrial/OT cyber defense and threat intelligence. The company’s product blends continuous asset and network monitoring with defender support tools that help companies deal with sophisticated attacks.
ARC Industrial/OT Cybersecurity Maturity Model
ARC’s Industrial/OT Cybersecurity Maturity Model provides a basis for understanding the role of continuous asset and network monitoring. The model’s “secure,” “defend,” and “contain” maturity levels describe the people, processes, and technologies needed to minimize the likelihood of cyber-attacks penetrating critical control systems. The “monitor” and “manage” levels describe the additional capabilities required to manage the impact of sophisticated attacks. A key goal of the model is to encourage alignment of investments in security technology with the company’s cybersecurity maturity (people, processes, and security management technology) to ensure that defenses provide expected risk reduction benefits.
While not shown explicitly, continuous monitoring of industrial/OT assets and networks underlies every step in ARC’s model. It provides the up-to-date, accurate asset inventories, data flows, and risk information that security teams need to design and sustain defenses. Data collected through continuous monitoring also provides the basic information for anomaly and breach detection analytics, SIEMs, and OT threat management platforms.
Continuous Monitoring Technology Requirements
Effective cybersecurity requires the right mix of people, processes, and technology. Cybersecurity expertise is essential, but hard to find. So, companies need to ensure that security teams are equipped with the supporting technology they need to work efficiently and effectively. This is true whether they are maintaining defenses or dealing with active attacks.
Effective security teams keep systems clean of latent malware. They also block attacks before they impact operations. To achieve this goal, defenders need a continuous asset and network monitoring solution that detects compromises reliably and helps them identify the threat. Solutions that overwhelm defenders with erroneous cyber alerts undermine efficiency and effectiveness.
ARC recommends that companies consider the following key features when selecting a continuous asset and network monitoring solution:
- Passive connection of continuous network message monitoring sensors
- Detection of known vulnerabilities in asset hardware or software
- Continuous message monitoring that detects known cyber threats and unexpected changes in devices or communication patterns
- Continuous asset monitoring that detects changes in configuration or operation, directly or through queries of system records like syslogs, etc.
- Context-rich alerts that separate cyber threats from other system problems and identify specific cyber-attack behaviors, such as network scanning, privilege escalation and lateral movement
- User-friendly dashboard with rapid access to asset information, network activity, alerts, etc.
- Incident management support, directly and/or through proven integration with other security management tools, such as security information and event management (SIEM) and security orchestration, automation and response (SOAR) systems
- Remote access for support from external security operations centers (SOCs), vendors, and third-party service providers
Dragos Addresses Key ARC Requirements
Dragos has a keen understanding of what makes industrial cybersecurity teams efficient and effective. The Dragos Industrial Cybersecurity Platform integrates continuous passive monitoring of assets, applications, and communications with a full-featured threat management platform that exploits the company’s deep knowledge of industrial cybersecurity.
Feedback from the company’s service teams continuously enhances the value of the Dragos Platform. Knowledge gained by the Dragos Threat Intelligence team, which is responsible for the Dragos WorldView service, is used to enrich the behavioral analytics that power the platform’s threat detection and analysis. Lessons learned by the Dragos Threat Operations Center team are also used to drive continuous improvement of the platform’s detection and response capabilities.
The data pipeline from continuous asset and network monitoring provides the foundation of the Dragos Platform. This includes passive network monitoring with deep packet inspection that understands industrial network traffic and information gleaned from various system repositories, such as controller logs and alarms. The asset identification and anomaly detection module uses this information to maintain up-to-date asset maps and network connectivity patterns. Threat detection monitors the data for changes (configuration changes, updates, etc.) and distills anomalies with contextual evidence to create a focused set of threat detection alerts.
Unlike conventional anomaly detection solutions, threat detection in the Dragos Platform is driven by behavioral analytics run across the collected data. Other anomalies are still detected, but this intelligence-driven approach surfaces events that carry specific threat context rather than every deviation from baseline. This reduces false positives and lowers the total cost of investigation for a company’s security team. The Dragos Platform also includes an analytic manager that enables users to monitor and modify important threat behavior analytics.
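To make the distinction between raw anomaly detection and behavior-labelled threat detection concrete (the "unexpected changes in communication patterns" and "network scanning" requirements in the feature list above, and the distillation of anomalies into a focused alert set described here), the following is an added, self-contained example. It is illustrative code written for this page, not the Dragos Platform's or ARC's own, and the flow records, IP addresses, ports and the scan threshold are all constructed assumptions. It learns an asset inventory and accepted conversations from a baseline window of passively captured flows, then, in a later window, reports every deviation as a raw anomaly but emits only two context-rich alerts: one new conversation from a known engineering workstation, and one "network scanning" alert that collapses 24 new conversations from an unknown host into a single finding with evidence attached.

```python
"""Added illustration (not Dragos or ARC code): baseline-and-deviation
monitoring over constructed OT flow records, with raw anomalies distilled
into behavior-labelled alerts. All addresses, ports and thresholds are
assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # application protocol as a DPI engine would label it


# Constructed baseline window: HMI (10.0.1.10) and engineering workstation
# (10.0.1.11) talk Modbus/TCP to two PLCs; the EWS also reaches the HMI via RDP.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, "modbus"),
    Flow("10.0.1.10", "10.0.2.21", 502, "modbus"),
    Flow("10.0.1.11", "10.0.2.20", 502, "modbus"),
    Flow("10.0.1.11", "10.0.2.21", 502, "modbus"),
    Flow("10.0.1.11", "10.0.1.10", 3389, "rdp"),
]

# Constructed later window: normal traffic, one new but plausible conversation
# (EWS -> PLC-B on EtherNet/IP 44818), and an unknown host 10.0.1.50 sweeping
# six addresses in the PLC subnet on four ports (24 new conversations).
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, "modbus"),
    Flow("10.0.1.11", "10.0.2.21", 44818, "enip"),
] + [
    Flow("10.0.1.50", f"10.0.2.{h}", p, "unknown")
    for h in range(20, 26)
    for p in (502, 44818, 102, 22)
]

# Assumed threshold: this many new (destination, port) pairs from one source
# within a window is treated as scanning rather than as isolated anomalies.
SCAN_THRESHOLD = 10


def build_baseline(flows):
    """Learn the asset inventory and the set of accepted conversations."""
    assets, conversations = set(), set()
    for f in flows:
        assets.update((f.src, f.dst))
        conversations.add((f.src, f.dst, f.dport))
    return assets, conversations


def analyze(flows, assets, conversations):
    """Return (alerts, raw_anomalies).

    raw_anomalies lists every deviation from baseline (new asset, new
    conversation); alerts is the distilled set a defender should actually
    see, with a behavior label and the context needed to triage it."""
    new_assets = set()
    new_pairs_by_src = defaultdict(set)
    for f in flows:
        new_assets.update(ip for ip in (f.src, f.dst) if ip not in assets)
        if (f.src, f.dst, f.dport) not in conversations:
            new_pairs_by_src[f.src].add((f.dst, f.dport))

    raw = [("new_asset", ip) for ip in sorted(new_assets)]
    raw += [("new_conversation", s, d, p)
            for s, pairs in new_pairs_by_src.items() for d, p in sorted(pairs)]

    alerts = []
    for src, pairs in new_pairs_by_src.items():
        if len(pairs) >= SCAN_THRESHOLD:
            # One source touching many new destination/port pairs: report a
            # single scanning alert with a sample of the evidence attached.
            alerts.append({
                "behavior": "network_scanning",
                "source": src,
                "source_known": src in assets,
                "targets": len({d for d, _ in pairs}),
                "ports": sorted({p for _, p in pairs}),
                "evidence": sorted(pairs)[:5],
            })
        else:
            for d, p in sorted(pairs):
                alerts.append({
                    "behavior": "new_conversation",
                    "source": src,
                    "source_known": src in assets,
                    "dst": d,
                    "dport": p,
                })
    return alerts, raw


if __name__ == "__main__":
    known_assets, known_convs = build_baseline(BASELINE_FLOWS)
    found_alerts, raw_anomalies = analyze(OBSERVED_FLOWS, known_assets, known_convs)
    print(f"{len(raw_anomalies)} raw anomalies distilled into {len(found_alerts)} alerts")
    for a in found_alerts:
        print(a)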
The Dragos Platform includes various features that facilitate rapid response. These include knowledge-based incident response playbooks and workflows that provide guidance based on the lessons learned by the company’s threat intelligence and threat operations teams. Playbooks guide defenders through the investigation of different kinds of threats, and each step is linked to the relevant data sets so that defenders can get the information they need quickly. Playbooks make experienced defenders more efficient and help companies address the shortage of experienced OT security personnel by enabling less experienced staff to investigate and manage incidents. The platform also includes fully integrated case management, journaling, audit log, and integration capabilities to support collaboration across defenders and with third-party service providers.
The company demonstrated the capabilities of the Dragos Platform to several ARC analysts. This made it clear that the product’s workbench provides user-friendly access to all platform capabilities.
Operators in critical industries need to sustain cyber defenses to minimize the likelihood of a cyber compromise. Recognizing that sophisticated attackers can overcome even the best cyber defenses, companies must also ensure that security teams have the tools for rapid detection and response. If selected properly, a continuous asset and network monitoring solution can serve both goals.
Organizations should recognize the importance of including rapid detection and response needs in the criteria used when selecting a continuous asset and network monitoring solution. Restricting evaluations to asset inventory and data flow capabilities can increase overall costs and limit the company’s ability to manage sophisticated cyber-attacks effectively.
ARC recommends that companies follow the guidance in this report to ensure that all necessary capabilities are available and implemented. As the review of Dragos illustrates, technology and support are available to help organizations manage these serious risks.
ARC Advisory Group clients can view the complete report at ARC Client Portal
Keywords: Industrial/OT Cybersecurity, Continuous System Monitoring, Anomaly Detection, Rapid Response, ARC Advisory Group.
 See ARC’s Industrial Cybersecurity Maturity Model Evolves Insight report dated May 9, 2019 for a description of this model.