7. Asset Inventory To The Rescue
◦ Didn't have an asset inventory
◦ Outdated spreadsheet at best
◦ Amazed at what passive monitoring could tell them
◦ Easy win for customers and vendors
22. Network IDS with ICS Protocol Smarts
Same
- Switch span port or tap, passive traffic collection
- Lots of signatures
- Same data overwhelm issues
Different
- Able to parse ICS protocols
- Alert on legit, high risk cmds
- Some anomaly detection
- ICS Playbooks
24. Incident Response
◦ What good is detecting if you can't respond?
◦ Detection products provide data for after incident investigation
◦ Knowing ICS and the product is key for effective response
26. What Will You Do With The Data?
ENTERPRISE SOC
Forward the ICS detection system data to Enterprise SOC. Add ICS talent to the SOC and response team.
STAND ALONE SYSTEM
Analysts use product as primary ICS detection system.
OT SOC
ICS detection system used as one detection source in an OT SOC.
29. Lots of Change
◦ Asset Inventory will not be part of detection product
◦ ICS Detection GUI won't matter
◦ Integration with SOC systems
◦ Sensors will be in your switches
◦ Competitors will almost all change
30. Slow Down / Pilot
Position As Interim / Learning
31. What Would I Do? (in order)
◦ Start with an asset management solution
◦ Get detection solution
  ◦ Integrates with asset mgmt
  ◦ Retains forensics records
◦ Get incident response retainer
◦ Focus on SOC integration
34. What Is Top Tier?
BAKE OFFS & PILOTS
We saw the same four repeatedly in asset owner competition and pilots.
COMPANY GROWTH
Top Tier now are 100+ employees and growing. Accelerating and leaving the rest behind.
RAPID PRODUCT DEV
Huge investment in R&D showing in new features and product maturity.
39. Thanks! Any Questions?
Dale Peterson, CEO of Digital Bond
peterson@digitalbond.com
https://dale-peterson.com
Founder of S4, every Jan in Miami SoBe
https://s4xevents.com
Twitter: @digitalbond
Unsolicited Response Podcast
YouTube: www.youtube.com/s4events
Editor's notes
Like most things OT, Ops said it was impossible. Ethernet, Windows, anti-virus, application whitelisting, virtualization; we were even told passive IDS would break ICS in 2006. So predicting years ago that active would be used was easy.
What cards are in the PLC, what firmware, when was the logic last updated.
Physical location, criticality, who is in charge.
You really need asset management, which includes other items.
Will some pivot to this?
Move away from spreadsheets and manual asset inventory. Automate.
Drawing showing Vuln Mgmt, Passive Detection, Asset Management, SOC, all talking through REST API.
Increasingly popular feature in this new class of ICS detection products … but they don't apply the patches, so you need another vulnerability management solution.
Decision tree – exposure, criticality, safety, CVSS, and exploit in the wild (never, next, now).
Rebekah Mohr and Ben Goerz of Kimberly Clark tomorrow on the S4 Events YouTube Channel.
Cisco's acquisition of Sentryo and their Cyber Vision products is just the start.
Said this 18 months ago and still true. At least position it so that you could rip and replace this detection solution. Perhaps subscribe rather than buy, although a lot of times the break-even is between 2 and 3 years.