ICS Cybersecurity Technology Selection
Selection criteria and considerations for today’s ICS cybersecurity technology
MATT COWELL
mcowell@dragos.com 1/15/19
THE DRAGOS OFFERING
Technology, Intelligence, Expertise

Technology: Monitoring software that utilizes threat analytics to identify threats as they occur and playbooks for guided investigations.

WorldView: Expertise and knowledge in ICS threat identification and understanding in the form of intelligence reports.
WorldView Value: Insights create threat analytics to drive effective detection with context.

Threat Operations: Integrated solution that has three components: Threat Hunting, Incident Response and Training.
Threat Operations Value: Services work informs the creation of playbooks to make analysts efficient.
AGENDA
01 Capabilities & Objectives
02 Technology Overview
03 Criteria considerations
04 Summary and recommendations
WHY DID WE DO THIS?
• Increasing awareness to secure ICS (Executives, IT, OT)
• ICS technology confusion
• Absence of independent testing & reports
• Increase in pilots and proof of concepts (POCs)
• Receiving many new RFPs from potential customers
BEFORE EVALUATING TECHNOLOGY
Assess Capabilities. Define Objectives.

ASSESS CURRENT CAPABILITIES
o Asset discovery
o Vulnerability assessment
o Threat hunting
o SOC & IR
o In-house resources/departments
o Out-sourced resources
o Current technology usage
https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240
https://dragos.com/media/ARCViewDragos-01.pdf
TECHNOLOGY ALONE IS NOT ENOUGH
“There is no silver bullet. There are always options and the options have consequences.” - Mark Horowitz
DEFINE PRIMARY OBJECTIVES
01 TRAINING & AWARENESS: Classes, accreditation, exercises, testing
02 KNOW YOUR NETWORK: Asset discovery, network protocols, internal & external connections, crown jewel analysis
03 NETWORK SEGMENTATION: Creating zones & conduits, zero trust networks, firewalling
04 PATCH MANAGEMENT: Device vulnerabilities, vulnerable services, available patches
05 THREAT DETECTION: Network compromises, C2, untargeted malware, targeted malware, malicious behavior, insider
06 INCIDENT RESPONSE: Planning, logs & forensics, imaging, containment, analysis, recovery/backup
07 THREAT INTELLIGENCE: Collection of threat tradecraft, analysis of tradecraft, IOCs
08 RETALIATION/OFFENSE: Pursuing adversaries, “hacking back”
ICS CYBERSECURITY TECHNOLOGIES
1. Anti-virus
2. Endpoint security/whitelisting
3. Switches/Firewalls/SDN
4. Data Diodes
5. Deception/Honeypot/Honeynet
6. Asset Discovery & Management
7. Patch Management
8. Anomaly Detection
9. Threat Detection
10. SIEM
11. Removable media scanning
12. Backup/Recovery
INDEPENDENT TECHNOLOGY EVALUATION
Sources: Forrester, Gartner
DIGITAL BOND – DETECTION CHALLENGE
2018
• 4 vendors
• Offline analysis – pcap
• 2 phases – Asset Discovery, Threat Detection
• Unclear scoring system
2019
• 2 vendors (1 open source team)
• Offline analysis – pcap
• Improved criteria and scoring
• More challenging & realistic objectives (10x larger pcap)
https://s4xevents.com/challenge/
“To identify the capabilities and limitations of the passive monitoring solutions to create an asset inventory and detect cyber incidents. To identify the market leaders in these two areas of this highly competitive technology.”
NIST NCCOE USE CASES
https://www.nccoe.nist.gov/projects/use-cases
Energy Sector
1. Asset Management
2. Identity and Access Management (IAM)
3. Situational Awareness
Manufacturing Sector
1. Behavioral Anomaly detection
PILOTS & BAKE-OFFS
• Evaluate with existing systems
• Recommend controlled environment (non-production ideal)
• Smaller but realistic data set – easier to evaluate
• Define evaluation scope & time period
• Live or PCAP offline analysis (lower cost alternative)
• Evaluation includes:
  • Technology deployment process
  • Product support
  • Documentation
  • Capabilities based on YOUR data
• Requires defined criteria to evaluate
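The pilot slide asks for an agreed scope and time period, defined criteria, and capabilities judged on YOUR data. The following is an added example (not part of the deck and not Dragos code) of a scorer that applies such criteria to one vendor's pilot output; the ground-truth assets, staged incidents, vendor records, time window and credit rules are all constructed assumptions.

```python
"""Scoring a bake-off against YOUR ground truth, as the pilot slide recommends.

Added example, not from the original slides or any vendor; the asset records,
staged incidents, alerts and scoring rules are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed ground truth: what the evaluator knows is on the test segment.
TRUTH_ASSETS = {
    "10.0.10.5":  {"mac": "00:1d:9c:aa:00:01", "type": "PLC"},
    "10.0.10.6":  {"mac": "00:1d:9c:aa:00:02", "type": "PLC"},
    "10.0.10.20": {"mac": "00:50:56:bb:00:10", "type": "HMI"},
    "10.0.10.21": {"mac": "00:50:56:bb:00:11", "type": "Engineering Workstation"},
}
# Constructed incidents staged inside the agreed evaluation period.
TRUTH_INCIDENTS = [
    {"id": "INC-1", "host": "10.0.10.21", "time": datetime(2019, 1, 15, 10, 0)},
    {"id": "INC-2", "host": "10.0.10.5",  "time": datetime(2019, 1, 15, 10, 30)},
]
# Defined scope & time period: alerts outside it are not scored at all.
WINDOW = (datetime(2019, 1, 15, 9, 0), datetime(2019, 1, 15, 12, 0))
MATCH_TOLERANCE = timedelta(minutes=5)


def score_asset_inventory(reported: dict) -> dict:
    """Full credit per truth IP with correct MAC and type, half credit if the IP
    was found but an attribute is wrong or missing, none for phantom IPs."""
    credit = 0.0
    for ip, truth in TRUTH_ASSETS.items():
        seen = reported.get(ip)
        if seen is None:
            continue
        exact = seen.get("mac") == truth["mac"] and seen.get("type") == truth["type"]
        credit += 1.0 if exact else 0.5
    phantom = sorted(ip for ip in reported if ip not in TRUTH_ASSETS)
    return {
        "recall": round(credit / len(TRUTH_ASSETS), 3),
        "precision": round(credit / len(reported), 3) if reported else 0.0,
        "phantom": phantom,
    }


def score_detection(alerts: list) -> dict:
    """Match in-window alerts to staged incidents by host within the time
    tolerance (one alert per incident); every unmatched in-window alert is a
    false positive an analyst would have had to triage."""
    in_window = [a for a in alerts if WINDOW[0] <= a["time"] <= WINDOW[1]]
    matched = set()
    false_positives = 0
    for alert in in_window:
        hit = next((inc for inc in TRUTH_INCIDENTS
                    if inc["id"] not in matched
                    and inc["host"] == alert["host"]
                    and abs(inc["time"] - alert["time"]) <= MATCH_TOLERANCE), None)
        if hit is None:
            false_positives += 1
        else:
            matched.add(hit["id"])
    return {
        "detected": len(matched),
        "missed": [i["id"] for i in TRUTH_INCIDENTS if i["id"] not in matched],
        "false_positives": false_positives,
        "recall": round(len(matched) / len(TRUTH_INCIDENTS), 3),
        "precision": round(len(matched) / len(in_window), 3) if in_window else 0.0,
    }


# Constructed export from one vendor's pilot: one PLC typed as Unknown, one
# host never seen, one phantom IP, and one alert raised after the window closed.
VENDOR_A_ASSETS = {
    "10.0.10.5":  {"mac": "00:1d:9c:aa:00:01", "type": "PLC"},
    "10.0.10.6":  {"mac": "00:1d:9c:aa:00:02", "type": "Unknown"},
    "10.0.10.20": {"mac": "00:50:56:bb:00:10", "type": "HMI"},
    "10.0.10.99": {"mac": "00:00:00:00:00:99", "type": "Unknown"},
}
VENDOR_A_ALERTS = [
    {"host": "10.0.10.21", "time": datetime(2019, 1, 15, 10, 2)},   # matches INC-1
    {"host": "10.0.10.20", "time": datetime(2019, 1, 15, 10, 45)},  # false positive
    {"host": "10.0.10.5",  "time": datetime(2019, 1, 15, 13, 0)},   # outside window
]

if __name__ == "__main__":
    print("asset inventory:", score_asset_inventory(VENDOR_A_ASSETS))
    print("threat detection:", score_detection(VENDOR_A_ALERTS))
```

Run against each vendor's export with the same truth set and window, and the numbers become comparable across the bake-off instead of anecdotal.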
PRE-REQUISITES
• Network Architecture – IP networks, segments, throughput, serial networks
• Network Infrastructure – Available SPAN ports, TAPs, switch capacity, firewall rules
• Physical Access – restricted locations, change processes
• Environmental – power, mounting, temperature etc.
• Stakeholders – Relevant IT & OT contacts
RECOMMENDED CRITERIA CATEGORIES
1. Architecture and Deployment
2. Collection/Ingestion
3. Asset Inventory
4. Detection
5. Response
6. User interface/Ease of use
7. Management
8. Reporting
9. 3rd party integrations
10. Commercial
11. Support
12. Advanced user
EXAMPLE CRITERIA 1
1. Architecture and Deployment
  • On prem, Cloud
  • Hardened, Enterprise
  • Agent, Network sensor
2. Collection
  • Passive/Active monitoring
  • SPAN, PCAP, Logs
  • Max. throughput (scale)
3. Asset Inventory
  • IP, MAC, Name
  • Device type characterization
  • OS Fingerprint
4. Detection
  • Anomaly/Change detection
  • Known malicious behaviors
  • IOC & YARA detection
ACTIVE VS. PASSIVE DISCOVERY
ACTIVE
• Pros: Specific queries on demand; Quicker results; More product details
• Cons: Potential service disruption; Unsupported by vendors; Limited threat detection
PASSIVE
• Pros: No risk of disruption to operations; Observe peer to peer comms; Thorough threat detection
• Cons: Results take time; Requires SPAN ports/TAPs; Visibility dependent upon location
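To make the passive column concrete, here is an added example (not from the slides or any vendor) that builds an asset inventory (IP, MAC, peers, services) purely from the frames in a pcap and flags hosts whose hardware address is hidden behind a gateway MAC, which is what "visibility dependent upon location" looks like in practice. The pcap, MACs, IPs and ports are constructed assumptions.

```python
"""Passive asset discovery from a pcap, the collection mode the offline
challenges above evaluate. Added example, not code from the slides or Dragos;
the frames are constructed in memory so it runs offline, and the MACs, IPs and
ports are made up for illustration.
"""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond timestamps

def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, dst_port) -> bytes:
    """Ethernet II + IPv4 header + minimal TCP/UDP header (constructed test data)."""
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16  # sport, dport, filler
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip + l4

def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1547546400 + i, 0, len(f), len(f)) + f
    return out

def passive_inventory(pcap: bytes) -> dict:
    """Learn assets only from traffic they already send; nothing is probed."""
    assets = defaultdict(lambda: {"macs": set(), "peers": set(), "services": set()})
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue  # ARP, VLAN-tagged and other non-IPv4 frames are skipped here
        dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
        assets[src_ip]["macs"].add(src_mac)
        assets[dst_ip]["macs"].add(dst_mac)
        assets[src_ip]["peers"].add(dst_ip)
        assets[dst_ip]["peers"].add(src_ip)
        l4 = 14 + ihl
        if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
            # destination port of client->server traffic = a service offered by dst
            dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
            assets[dst_ip]["services"].add((proto, dport))
    return dict(assets)

def shared_mac_hosts(inventory: dict) -> dict:
    """IPs seen behind one MAC sit on the far side of a router from the sensor:
    the SPAN/TAP location decides whether real hardware addresses are visible."""
    by_mac = defaultdict(set)
    for ip, asset in inventory.items():
        for mac in asset["macs"]:
            by_mac[mac].add(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

# Constructed capture from a SPAN port on the PLC segment: a local HMI polls two
# PLCs, and two engineering hosts reach the PLCs through the segment gateway.
GATEWAY = "00:11:22:33:44:55"
SAMPLE_PCAP = build_pcap([
    build_frame("00:50:56:bb:00:10", "00:1d:9c:aa:00:01", "10.0.10.20", "10.0.10.5", PROTO_TCP, 502),
    build_frame("00:50:56:bb:00:10", "00:1d:9c:aa:00:02", "10.0.10.20", "10.0.10.6", PROTO_TCP, 502),
    build_frame(GATEWAY, "00:1d:9c:aa:00:01", "10.0.20.30", "10.0.10.5", PROTO_TCP, 44818),
    build_frame(GATEWAY, "00:1d:9c:aa:00:02", "10.0.20.31", "10.0.10.6", PROTO_TCP, 502),
])

if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_PCAP)
    for ip, a in sorted(inv.items()):
        print(ip, sorted(a["macs"]), sorted(a["peers"]), sorted(a["services"]))
    print("hosts behind a gateway MAC:", shared_mac_hosts(inv))
```

The two engineering hosts come out with the gateway's MAC and no fingerprintable hardware identity, so a pilot that places the sensor on only one side of a router will under-report exactly the assets this slide's passive cons describe.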
EXAMPLE CRITERIA 2
5. Response
  • Case management
  • Dataset querying
  • Playbooks/guidance
6. User Interface
  • Map visualization
  • Dashboards
  • Command line
7. Management
  • Role based access
  • Status monitoring
  • Patching
8. Reporting
  • Report format type
  • Asset inventory
  • User activity
EXAMPLE CRITERIA 3
9. Integrations
  • Asset enrichment
  • Events/notifications (SIEM)
  • Network level actions
10. Commercial
  • Hardware costs
  • Licensing
  • Maintenance
11. Support
  • User guides
  • Application support
  • Online training
12. Advanced/Power user
  • Custom data filtering
  • Scripting data (e.g. Python)
  • Custom analytics
RESOURCES
• Whitepaper: Key Considerations for Selecting an Industrial Cybersecurity Solution for Asset Identification, Threat Detection, and Response
  https://dragos.com/resource/key-considerations-for-selecting-an-industrial-cybersecurity-solution-for-asset-identification-threat-detection-and-response/
• RFP template: Suggested evaluation criteria for selecting an industrial cybersecurity platform. Available soon.
CONCLUSION
1. There is obvious bias in the suggested criteria, but they are useful data points when combined with other sources to find what's right for YOU.
2. Align technology requirements to existing capabilities and end goals.
3. Establishing evaluation criteria against YOUR objectives is essential before you begin evaluating technology.
4. Testing technology alongside YOUR existing systems & data is a true test of the value of the solution, but understand how it scales.
5. Testing criteria are also useful in defining an effective RFP.
Thank you
Questions?
mcowell@dragos.com
@m_p_cowell

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 

Recently uploaded (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 

Industrial Control Systems Cybersecurity Technology Selection

  • 1. ICS Cybersecurity Technology Selection
    Selection criteria and considerations for today’s ICS cybersecurity technology
    MATT COWELL, mcowell@dragos.com, 1/15/19
  • 2. THE DRAGOS OFFERING: Technology, Intelligence, Expertise
    Technology: Monitoring software that utilizes threat analytics to identify threats as they occur and playbooks for guided investigations
    Threat Operations: Integrated solution that has three components: Threat Hunting, Incident Response and Training
      Threat Operations value: Services work informs the creation of playbooks to make analysts efficient
    WorldView: Expertise and knowledge in ICS threat identification and understanding in the form of intelligence reports
      WorldView value: Insights create threat analytics to drive effective detection with context
  • 3. AGENDA
    01 Capabilities & Objectives
    02 Technology Overview
    03 Criteria considerations
    04 Summary and recommendations
  • 4. WHY DID WE DO THIS?
    • Increasing awareness to secure ICS (Executives, IT, OT)
    • ICS technology confusion
    • Absence of independent testing & reports
    • Increase in pilots and proof of concepts (POCs)
    • Receiving many new RFPs from potential customers
  • 5. BEFORE EVALUATING TECHNOLOGY
    Assess Capabilities / Define Objectives
    o Asset discovery
    o Vulnerability assessment
    o Threat hunting
    o SOC & IR
    o In-house resources/departments
    o Out-sourced resources
    o Current technology usage
  • 7. TECHNOLOGY ALONE IS NOT ENOUGH
    “There is no silver bullet. There are always options and the options have consequences.” - Mark Horowitz
  • 8. DEFINE PRIMARY OBJECTIVES
    01 TRAINING & AWARENESS: Classes, accreditation, exercises, testing
    02 KNOW YOUR NETWORK: Asset discovery, network protocols, internal & external connections, crown jewel analysis
    03 NETWORK SEGMENTATION: Creating zones & conduits, zero trust networks, firewalling
    04 PATCH MANAGEMENT: Device vulnerabilities, vulnerable services, available patches
    05 THREAT DETECTION: Network compromises, C2, untargeted malware, targeted malware, malicious behavior, insider
    06 INCIDENT RESPONSE: Planning, logs & forensics, imaging, containment, analysis, recovery/backup
    07 THREAT INTELLIGENCE: Collection of threat tradecraft, analysis of tradecraft, IOCs
    08 RETALIATION/OFFENSE: Pursuing adversaries, “hacking back”
  • 9. ICS CYBERSECURITY TECHNOLOGIES
    1. Anti-virus
    2. Endpoint security/whitelisting
    3. Switches/Firewalls/SDN
    4. Data Diodes
    5. Deception/Honeypot/Honeynet
    6. Asset Discovery & Management
    7. Patch Management
    8. Anomaly Detection
    9. Threat Detection
    10. SIEM
    11. Removable media scanning
    12. Backup/Recovery
  • 10. INDEPENDENT TECHNOLOGY EVALUATION
    [Analyst market charts; Source: Forrester, Source: Gartner]
  • 11. DIGITAL BOND – DETECTION CHALLENGE
    2018
    • 4 x vendors
    • Offline analysis - pcap
    • 2 phases – Asset Discovery, Threat Detection
    • Unclear scoring system
    2019
    • 2 vendors (1 open source team)
    • Offline analysis – pcap
    • Improved criteria and scoring
    • More challenging & realistic objectives (10x larger pcap)
    https://s4xevents.com/challenge/
    “To identify the capabilities and limitations of the passive monitoring solutions to create an asset inventory and detect cyber incidents. To identify the market leaders in these two areas of this highly competitive technology.”
  • 12. NIST NCCOE USE CASES
    https://www.nccoe.nist.gov/projects/use-cases
    Energy Sector
    1. Asset Management
    2. Identity and Access Management (IAM)
    3. Situational Awareness
    Manufacturing Sector
    1. Behavioral Anomaly Detection
  • 13. PILOTS & BAKE OFFS
    • Evaluate with existing systems
    • Recommend controlled environment (non-production ideal)
    • Smaller but realistic data set – easier to evaluate
    • Define evaluation scope & time period
    • Live or PCAP offline analysis (lower cost alternative)
    • Evaluation includes:
      • Technology deployment process
      • Product support
      • Documentation
      • Capabilities based on YOUR data
    • Requires defined criteria to evaluate
  • 14. ICS CYBERSECURITY TECHNOLOGIES
    1. Anti-virus
    2. Endpoint security/whitelisting
    3. Switches/Firewalls/SDN
    4. Data Diodes
    5. Deception/Honeypot/Honeynet
    6. Asset Discovery & Management
    7. Patch Management
    8. Anomaly Detection
    9. Threat Detection
    10. SIEM
    11. Removable media scanning
    12. Backup/Recovery
  • 15. PRE-REQUISITES
    • Network Architecture - IP networks, segments, throughput, serial networks
    • Network Infrastructure – Available SPAN ports, TAPs, switch capacity, firewall rules
    • Physical Access – restricted locations, change processes
    • Environmental – power, mounting, temperature etc.
    • Stakeholders - Relevant IT & OT contacts
  • 16. RECOMMENDED CRITERIA CATEGORIES
    1. Architecture and Deployment
    2. Collection/Ingestion
    3. Asset Inventory
    4. Detection
    5. Response
    6. User interface/Ease of use
    7. Management
    8. Reporting
    9. 3rd party integrations
    10. Commercial
    11. Support
    12. Advanced user
  • 17. EXAMPLE CRITERIA 1
    1. Architecture and Deployment
      • On prem, Cloud
      • Hardened, Enterprise
      • Agent, Network sensor
    2. Collection
      • Passive/Active monitoring
      • SPAN, PCAP, Logs
      • Max. throughput (scale)
    3. Asset Inventory
      • IP, MAC, Name
      • Device type characterization
      • OS Fingerprint
    4. Detection
      • Anomaly/Change detection
      • Known malicious behaviors
      • IOC & YARA detection
  • 18. ACTIVE VS. PASSIVE DISCOVERY
    ACTIVE PROS: Specific queries on demand; Quicker results; More product details
    ACTIVE CONS: Potential service disruption; Unsupported by vendors; Limited threat detection
    PASSIVE PROS: No risk of disruption to operations; Observe peer to peer comms; Thorough threat detection
    PASSIVE CONS: Results take time; Requires SPAN ports/TAPs; Visibility dependent upon location
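The passive column of that comparison, as an added example that is not from the deck or from any Dragos product: a small asset-inventory builder that reads only flow metadata a SPAN/TAP sensor has already observed. Sensor names, addresses, MACs and the port-to-role table are all constructed for this example; it shows device-type characterization from the responder's protocol port, peer-to-peer visibility, and why what you see depends on where the sensor sits.

```python
from collections import defaultdict

# Hypothetical server-port -> device role table (constructed for this example).
# The port a device answers on characterizes the responder, not the client.
ROLE_BY_PORT = {
    502: "PLC/RTU (Modbus/TCP)",
    20000: "RTU/IED (DNP3)",
    44818: "PLC (EtherNet/IP)",
    102: "PLC/HMI (S7comm)",
    3389: "Windows host (RDP)",
    445: "Windows host (SMB)",
}

# Constructed flow metadata as two passive sensors would summarize it:
# (sensor, src_ip, src_mac, dst_ip, dst_port). One sensor sits on the
# cell-level switch, the other at the OT DMZ boundary.
FLOWS = [
    ("sensor-cell", "10.1.2.10", "00:0c:29:11:22:33", "10.1.2.50", 502),
    ("sensor-cell", "10.1.2.11", "00:0c:29:44:55:66", "10.1.2.50", 502),
    ("sensor-cell", "10.1.2.50", "00:80:f4:aa:bb:01", "10.1.2.60", 44818),  # PLC to PLC
    ("sensor-dmz",  "10.1.2.10", "00:0c:29:11:22:33", "10.1.3.5",  445),
    ("sensor-dmz",  "10.1.3.5",  "00:50:56:77:88:99", "10.1.2.10", 3389),
]


def build_inventory(flows):
    """Passively build {ip: {"macs", "roles", "seen_by", "peers"}} from flows.
    Nothing is sent on the wire, so there is no risk to the process."""
    inv = defaultdict(lambda: {"macs": set(), "roles": set(),
                               "seen_by": set(), "peers": set()})
    for sensor, sip, smac, dip, dport in flows:
        inv[sip]["macs"].add(smac)            # only the source MAC is in the record
        for ip, peer in ((sip, dip), (dip, sip)):
            inv[ip]["seen_by"].add(sensor)    # which placement observed this asset
            inv[ip]["peers"].add(peer)        # peer-to-peer conversations included
        role = ROLE_BY_PORT.get(dport)
        if role:
            inv[dip]["roles"].add(role)       # characterize the responding device
    return dict(inv)


def assets_seen_by(inv, sensor):
    """Which assets a single sensor placement can see at all."""
    return {ip for ip, a in inv.items() if sensor in a["seen_by"]}


def unclassified(inv):
    """Assets with no role yet: only seen on ports the table does not know."""
    return {ip for ip, a in inv.items() if not a["roles"]}
```

A DMZ-only sensor never sees the cell-level PLCs here, which is the "visibility dependent upon location" con in concrete form.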
  • 19. EXAMPLE CRITERIA 2
    5. Response
      • Case management
      • Dataset querying
      • Playbooks/guidance
    6. User Interface
      • Map visualization
      • Dashboards
      • Command line
    7. Management
      • Role based access
      • Status monitoring
      • Patching
    8. Reporting
      • Report format type
      • Asset inventory
      • User activity
  • 20. EXAMPLE CRITERIA 3
    9. Integrations
      • Asset enrichment
      • Events/notifications (SIEM)
      • Network level actions
    10. Commercial
      • Hardware costs
      • Licensing
      • Maintenance
    11. Support
      • User guides
      • Application support
      • Online training
    12. Advanced/Power user
      • Custom data filtering
      • Scripting data (i.e. python)
      • Custom analytics
  • 21. RESOURCES
    Whitepaper: Key Considerations for Selecting an Industrial Cybersecurity Solution for Asset Identification, Threat Detection, and Response
    https://dragos.com/resource/key-considerations-for-selecting-an-industrial-cybersecurity-solution-for-asset-identification-threat-detection-and-response/
  • 22. RESOURCES
    RFP template: Suggested evaluation criteria for selecting an industrial cybersecurity platform. Available soon
  • 23. CONCLUSION
    1. The suggested criteria are obviously biased, but they are useful data points when combined with other sources to find what's right for YOU.
    2. Align technology requirements to existing capabilities and end goals.
    3. Establishing evaluation criteria against YOUR objectives is essential before you begin evaluating technology.
    4. Testing technology alongside YOUR existing systems & data is the true test of a solution's value, but also understand how it scales.
    5. Testing criteria are also useful in defining an effective RFP.