Feature Focus: Asset Risk Scoring Methodology & Netflow Application

October 15, 2020

Preview the new asset risk scoring and Netflow features in Industrial Defender 7.3. Each OT endpoint automatically receives an overall asset risk score calculated using threat vectors including security events, compliance status, vulnerabilities and health. The methodology we use is completely transparent and allows users to choose the threat vectors that matter most to them. Our Netflow app lets you drill into asset status and communications at a glance to better understand your passive network monitoring data.

Video Transcript & Slides

Hi, this is Peter Lund, Director of Product Management at Industrial Defender. What we’d like to do today is take a few minutes to talk through some of the new features of our version 7.3 release, specifically the areas we’ve made investments around, including asset risk scoring and asset analytics dashboards, as well as our Netflow application.
With that, let’s jump right into a demo. We’re looking at one of the new Industrial Defender risk dashboards. As you can see at a glance, you’ve got 8 locations and 162 assets that are being monitored by this Industrial Defender environment. That data is all being fed by our Industrial Defender classic agents that we have out there, as well as things like assisted passive monitoring. We’re actually looking at the traffic coming across the network and determining what assets are out there, what firmware versions they’re running at, their make, their model, all the way down to your typical agentless data collection via SSH or web scraping or some of the proprietary Schweitzer connected relays. It could be a combination of all those things. What we do is we look at all that data, and we give it a very transparent risk score. We’ve seen a lot of the market’s risk assessments and one thing that we’d like to see more of, and what we’ve built into our product, is transparency. We’ve got a number of different locations here, and I’ll go through them least risk to most risk.
Our New York plant is doing very well. You can see we’re green, and as we scroll over the sunburst, you’ll see that New York’s got 6 assets, with 1 operating system type of Linux. As we scroll out further, we’ll see that they’ve got a number of different test assets here and a number of different risk vectors. In this specific location, we’ve got health as a risk vector, compliance as a risk vector, vulnerabilities as a risk vector, as well as security. We’ll dig more into what that means in a moment.
If we go over to our plant that’s in New Jersey, you can see we’ve highlighted some risk in a few areas. I can quickly hover over and see that it’s coming from some of my Windows, some of my embedded assets, and as I scroll out further I can see, OK, well, this one is coming in from health because that asset may not be reachable right now.
Now if we move over into our Florida location, we have a lot more assets running here. A couple of different OS types, and we can quickly see that there’s a very narrow band of risk coming out of just our Windows endpoints. We’ve got this one endpoint that’s only got risk at a narrow band which is related to compliance. It looks like it’s got some configuration exceptions or baseline deviations that haven’t been dealt with and also has a number of security events that have gone unseen by the security team.
Let’s drill into that asset and start to show what some of these analytics are that we’re talking about. So as we drill through, we can quickly see that we’ve got this asset as compared to its group, basically doing a quick measurement and grouping it in with all other like assets. You can see that it has less software than its peers, fewer patches than its peers, fewer ports and services, and many more firewall rules in place. This may be expected or unexpected, but it’s giving you the ability to drill in and start to look at those data trends, so you can see that it was tracking very similarly from an installed software standpoint. No data was collected over the weekend, so it’s something that was likely shut down, and then when it came back online, had much less software. You can see that the group received several patches a few days ago, but this endpoint potentially missed those patches, so that’s something that we want to take a look at. Same for ports, firewalls, user interfaces. With all the pieces of data Industrial Defender is able to collect, we can start to pull trends on that.
As we roll forward, we pull up that same kind of trend information for software exceptions, patch exceptions. These are all the anomalies that we are able to detect with our change detection engine. As we scroll further, we start to go into things like security event per day trends, so you can see that this asset has a lot less going on as compared to its peers, as well as when you start to look at the baseline. You can see that this asset differs from a baseline standpoint compared to the other baselines in the group. Maybe that’s expected, but I would expect this endpoint, since it’s an HMI in the environment, to be very similar to all of the other HMIs and engineering workstations.
Lastly, we bring you into the risk scores. You can see that in this specific instance, we’ve got a few 10s that are being derived from the configuration deviations or anomalies that we’ve detected. It’s normal to have 10 a day on this endpoint, and we’re calculating more than that. Same with security events. After 30 unreviewed security events, we want to flag this item as a risk. It looks like its baseline review status is in good shape. It’s healthy from a data collection standpoint. It’s healthy from a security event standpoint, not exceeding the normal volume that we expect to see. And it’s pretty healthy from a vulnerability standpoint, although it does have a few outstanding vulnerabilities. It has a fairly low risk score here, but you can see that we are actually calculating some risk. So that’s a deep dive all the way from that home dashboard to drilling in to see where that risk is coming from.
Now, if we dig deeper, a major differentiator here is the transparency in risk calculation. So now I’ve drilled through and can actually show you the scores and let you modify them. As an example, here we’ve got those configuration anomalies, event reviews, scores. You can edit them and say 50 unreviewed events makes more sense for your specific organization. Or, vulnerabilities don’t matter, but things like ICS-CERT matter, so I’m going to turn off generic vulnerabilities. Now I just want to know about things from ICS-CERT, and if I have outstanding ICS-CERT bulletins against an asset, I want it to have a higher risk score. That’s a quick summary of our new risk dashboard and asset analytics.
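The transparent scoring described above, written out as an added Python example (this is not part of the transcript and not Industrial Defender's own code): each threat vector produces a 0 to 10 score with a human-readable reason, thresholds such as "10 anomalies a day", "30 unreviewed events" and the ICS-CERT-only toggle are editable policy values, and the overall score is the mean of the enabled vectors. The vector names and quoted thresholds come from the demo; the formulas, weights, field names and the sample asset `FL-HMI-01` are assumptions.

```python
from dataclasses import dataclass

# Added illustration of a transparent, per-vector asset risk score.
# The four vectors and the editable thresholds come from the demo; the
# formulas, field names and weights below are assumptions, not the product's.

MAX_SCORE = 10.0  # assumption: each vector contributes 0..10


@dataclass
class AssetObservation:
    name: str
    config_anomalies_per_day: float  # baseline deviations seen today
    unreviewed_security_events: int  # events nobody has triaged yet
    baseline_reviewed: bool          # current baseline has been reviewed
    reachable: bool                  # data collection succeeded recently
    open_vulnerabilities: int        # generic vulnerability findings
    open_ics_cert_bulletins: int     # outstanding ICS-CERT bulletins


@dataclass
class RiskPolicy:
    """User-editable knobs; defaults mirror the values quoted in the demo."""
    expected_anomalies_per_day: float = 10.0
    unreviewed_event_threshold: int = 30
    count_generic_vulnerabilities: bool = True
    enabled_vectors: frozenset = frozenset(
        {"compliance", "security", "vulnerabilities", "health"})


def _cap(value: float) -> float:
    return round(min(MAX_SCORE, max(0.0, value)), 2)


def score_vectors(obs: AssetObservation, pol: RiskPolicy) -> dict:
    """Return {vector: (score, reason)} so every point is explainable."""
    # Compliance: anomalies above the expected daily volume, or an unreviewed baseline.
    excess = obs.config_anomalies_per_day - pol.expected_anomalies_per_day
    anomaly = _cap(MAX_SCORE * excess / pol.expected_anomalies_per_day) if excess > 0 else 0.0
    baseline = 0.0 if obs.baseline_reviewed else MAX_SCORE
    compliance = (max(anomaly, baseline),
                  f"{obs.config_anomalies_per_day:g} anomalies/day vs "
                  f"{pol.expected_anomalies_per_day:g} expected; "
                  f"baseline reviewed={obs.baseline_reviewed}")

    # Security: unreviewed events beyond the threshold the operator chose.
    over = obs.unreviewed_security_events - pol.unreviewed_event_threshold
    security = (_cap(MAX_SCORE * over / pol.unreviewed_event_threshold) if over > 0 else 0.0,
                f"{obs.unreviewed_security_events} unreviewed events vs "
                f"threshold {pol.unreviewed_event_threshold}")

    # Vulnerabilities: ICS-CERT bulletins always count; generic findings only if enabled.
    points = 5 * obs.open_ics_cert_bulletins  # assumption: a bulletin weighs 5 points
    if pol.count_generic_vulnerabilities:
        points += obs.open_vulnerabilities     # assumption: 1 point per generic finding
    vulnerabilities = (_cap(points),
                       f"{obs.open_ics_cert_bulletins} ICS-CERT bulletins, "
                       f"{obs.open_vulnerabilities} generic findings "
                       f"(generic counted={pol.count_generic_vulnerabilities})")

    # Health: an asset we cannot collect from is scored at the maximum.
    health = (0.0 if obs.reachable else MAX_SCORE,
              "data collection healthy" if obs.reachable else "asset unreachable")

    return {"compliance": compliance, "security": security,
            "vulnerabilities": vulnerabilities, "health": health}


def overall_risk(obs: AssetObservation, pol: RiskPolicy) -> float:
    """Assumption: the overall score is the mean of the enabled vectors."""
    scores = [score for name, (score, _) in score_vectors(obs, pol).items()
              if name in pol.enabled_vectors]
    return round(sum(scores) / len(scores), 2) if scores else 0.0


def explain(obs: AssetObservation, pol: RiskPolicy) -> str:
    """Render the breakdown the way a transparent dashboard would show it."""
    lines = [f"{obs.name}: overall {overall_risk(obs, pol)}"]
    for name, (score, reason) in score_vectors(obs, pol).items():
        flag = "" if name in pol.enabled_vectors else " (disabled)"
        lines.append(f"  {name:<15}{score:>5}  {reason}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed asset modelled on the Florida HMI walked through in the demo.
    hmi = AssetObservation("FL-HMI-01", 14, 45, True, True, 3, 0)
    print(explain(hmi, RiskPolicy()))
    # Same asset after the operator raises the event threshold to 50 and
    # turns off generic vulnerabilities in favour of ICS-CERT only.
    tuned = RiskPolicy(unreviewed_event_threshold=50, count_generic_vulnerabilities=False)
    print(explain(hmi, tuned))
```

Keeping the reason string next to each score is what makes the number auditable: when an operator raises the event threshold to 50 or disables generic vulnerabilities, the breakdown shows exactly which vector moved and why, rather than presenting a single opaque total.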
Now let’s switch gears into our new Netflow application. Netflow is specifically built on data that flows up from our network intrusion detection sensor. This is the sensor that’s not only doing IDS, but is also responsible for doing passive monitoring and assisted passive monitoring where we go out and can actively and safely discover assets on the network. We go out there and do a safe WHOIS based on the protocol that we’re using, whether it be the new BACnet for building management systems, or potentially things like any NIPCIP broadcasts to determine what’s out there. You can quickly get a visualization of the top services in the environment, whether that be bytes or connection counts, the top 5 source IPs, the top destinations.
The other neat thing about these new widgets is you can drill through and say, OK, for the top source ports, let’s drill through and see who’s communicating with who. We can even flip to a grid of connection counts. You can drill through and see that that endpoint is talking to two other ones. This one is a bit busier. This one is talking to a few more endpoints. You can drill through these and give yourself a quick consolidation summary with nice sorting and filtering built in. We’ve got the statistics further down here on conversations. It’s just general assets, who’s talking to who, sorted by bytes, by connection counts. When you click through on an individual conversation, you’ll get the details of that conversation in the chart.
The next two charts go hand in hand. This is top inbound and external communications, so inbound and outbound. In this specific case, we’ve got a firewall rule blocking any inbound connections, which is good. I’m expecting to see nothing here, so if something were appearing, I would be pretty worried about this specific environment. Now if we go down further and look at those external communications, we can see that we have a spike here for this specific endpoint. That might be something to monitor. This is all part of Industrial Defender 7.3, built into the application stack. If we had additional sensors, they would appear here. We’re just really providing a nice visualization for that ICS and IDS data that we’ve been collecting for quite some time. Those are the two key features in the 7.3 release I wanted to take you guys through today. We have lots more to talk about, but these are two of the key features of Industrial Defender 7.3. If you’d like to see more, you can schedule a demo with one of our ICS experts, and we’ll be happy to talk with you in detail about your security and compliance goals.
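The Netflow summaries walked through in the last three paragraphs (top services by bytes or connection count, top source IPs, conversations sorted by volume, and the inbound versus outbound external split that should be empty on the inbound side when a deny-all rule is in place), as an added Python example that is not part of the transcript and not the product's sensor code. The `Flow` record layout, the `10.1.0.0/16` site range and the sample flows are constructed assumptions; the aggregation is the general per-service, per-source and per-pair rollup of which the demo's widgets show one instance.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added illustration of the Netflow-style summaries shown in the demo:
# top services, top source IPs, conversations and inbound/outbound external
# traffic. The flow records and the classification rules are constructed
# assumptions, not Industrial Defender's sensor data or code.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int


# Constructed sample: an HMI and an engineering workstation on 10.1.0.0/16
# talking Modbus/TCP (502) to PLCs, plus HTTPS to a local server and the Internet.
FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", 502, "tcp", 1200),
    Flow("10.1.1.10", "10.1.1.21", 502, "tcp", 800),
    Flow("10.1.1.30", "10.1.1.20", 502, "tcp", 300),
    Flow("10.1.1.10", "10.1.1.50", 443, "tcp", 5000),
    Flow("10.1.1.30", "203.0.113.7", 443, "tcp", 9000),
    Flow("10.1.1.30", "203.0.113.7", 443, "tcp", 7000),
    Flow("198.51.100.9", "10.1.1.20", 502, "tcp", 100),  # inbound from outside
]


def _ranked(counter, n):
    # Deterministic ordering: highest value first, ties broken by key.
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_services(flows, by="bytes", n=5):
    """Rank 'proto/port' services by total bytes or by connection count."""
    counter = Counter()
    for f in flows:
        counter[f"{f.proto}/{f.dport}"] += f.bytes if by == "bytes" else 1
    return _ranked(counter, n)


def top_sources(flows, n=5):
    """Source IPs ranked by the number of connections they initiated."""
    return _ranked(Counter(f.src for f in flows), n)


def conversations(flows):
    """Unordered src/dst pairs with bytes and connection counts, busiest first."""
    stats = defaultdict(lambda: {"bytes": 0, "connections": 0})
    for f in flows:
        key = tuple(sorted((f.src, f.dst)))
        stats[key]["bytes"] += f.bytes
        stats[key]["connections"] += 1
    return sorted(({"peers": k, **v} for k, v in stats.items()),
                  key=lambda c: (-c["bytes"], c["peers"]))


def external_flows(flows, internal="10.1.0.0/16"):
    """Split flows crossing the site boundary into inbound and outbound."""
    net = ipaddress.ip_network(internal)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    result = {"inbound": [], "outbound": []}
    for f in flows:
        if inside(f.dst) and not inside(f.src):
            result["inbound"].append(f)
        elif inside(f.src) and not inside(f.dst):
            result["outbound"].append(f)
    return result


if __name__ == "__main__":
    print("top services by bytes:", top_services(FLOWS))
    print("top services by connections:", top_services(FLOWS, by="connections"))
    print("top sources:", top_sources(FLOWS))
    print("busiest conversation:", conversations(FLOWS)[0])
    ext = external_flows(FLOWS)
    # With a deny-all inbound rule this list should be empty; anything here warrants a look.
    print("inbound external:", ext["inbound"])
    print("outbound external:", ext["outbound"])
```

The inbound list is the one to alarm on: with a firewall blocking inbound connections it should stay empty, so a single record there (the constructed `198.51.100.9` flow in the sample) is either a rule gap or a sensor placement question. The outbound list is where the spike the demo points at would show up, as a per-conversation byte count that can be trended over time.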