Combining Splunk with Industrial Defender Will Provide You with the Most Comprehensive View into Your NIST CSF Risk Exposure

nist-csf-thumb
Blog

Combining Splunk with Industrial Defender Will Provide You with the Most Comprehensive View into Your NIST CSF Risk Exposure

Risk has been the name of the game in cybersecurity for a while now. Being able to accurately measure your risk posture against a well-known standard has meaningful appeal to companies. NIST originally published the Cybersecurity Framework (CSF) back in 2014. The intent behind the NIST CSF was to provide a standard process to assess the various risks that organizations face.

NIST CSF Background

Version 1.0 was targeted for operators of the ‘critical infrastructure’ of the country. According to CISA (Cybersecurity & Infrastructure Security Agency), there are 16 different sectors that makeup the US critical infrastructure. I’m not going to list them all here, but they include verticals such as Chemical, Manufacturing, Energy, Agriculture, Healthcare, Transportation and Water/Wastewater. The single thread binding these sectors is OT or Operational Technology.

Version 1.1 was released on April 16, 2018. This version is still compatible with version 1.0. This version became much more appealing to the Enterprise, or IT side of organizations as it allowed for important aspects such as self-assessments, and how to measure risk for the supply chain.

This blog is not meant to be a breakdown of what NIST CSF is all about (you can find that post here), however I feel that it is important that we are all on the same page concerning this widely used framework. If you are already well versed in what the CSF is all about, feel free to skim down to where I talk about how adding your OT inventory and security events to your Splunk SIEM will give your company a significantly more meaningful view into your actual, true risk posture.

Instead, I’m going to focus on the ‘Core’ aspects of NIST CSF. There are other areas included in the framework (‘Profiles’ and ‘Tiers’) however, these topics as well as others will be covered in another blog on another day.

NIST CSF Five Functions

There are five functions in the CSF ‘Core’. Each function has several ‘Categories’ to help define your security controls. In total, there are 108 subcategories (you will be happy to know that I will not be getting into that level of detail).

The functions include:

  • Identify – “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
    • Asset Management (ID.AM)
    • Business Environment (ID.BE)
    • Governance (ID.GV)
    • Risk Assessment (ID.RA)
    • Risk Management (ID.RM)
    • Supply Chain Risk Management (ID.SC)
  • Protect – “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
    • Access Control (PR.AC)
    • Awareness & Training (PR.AT)
    • Data Security (PR.DS)
    • Information Protection Processes and Procedures (PR.IP)
    • Maintenance (PR.MA)
    • Protective Technology (PR.PT)
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
    • Anomalies & Events (DE.AE)
    • Security Continuous Monitoring (DE.CM)
    • Detection Processes (DE.DP)
  • Respond – “Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident.”
    • Response Planning (RS.RP)
    • Communications (RS.CO)
    • Analysis (RS.AN)
    • Mitigations (RS.MI)
    • Improvements (RS.IM)
  • Recover – “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”
    • Recovery Planning (RC.RP)
    • Improvements (RC.IM)
    • Communications (RC.CO)

Splunk was on top of the move to monitor and measure an organizations risk by leveraging the NIST CSF. If you have Splunk (especially if you have Splunk ES) in your company SOC (or elsewhere), you are most likely already taking advantage of Splunks’ analysis of the near real-time data feeds from your various security platforms.

Here are some ways that Splunk helps you meet the NIST CSF guidance:

  • Automatically collects asset inventory
  • Deploys role-based dashboards and visualizations to show/demonstrate your risk posture
  • Monitoring user behaviors to detect unusual/unauthorized activities
  • Monitoring network and data flows to detect possible security events
  • Detecting anomalies and evets to add meaningful context to your overall security posture. This is critical for prioritizations, and response/remediation
  • Actual Monitoring of your security controls against the NIST CSF standard
  • Collecting audit data for reporting purposes
  • Collecting and correlating security events from vastly different sources with the intent of bringing security visibility across a very complex landscape

These features are critical for monitoring an organizations’ risk profile and posture. Traditional sources for this data include firewalls, switches, EDR, Cloud apps (private and public), security applications (WAF, AV, IDS/IPS, MFA, etc. etc.).

How Industrial Defender and Splunk Help You Achieve NIST Compliance

If your organization includes an OT element, such as any of the core national infrastructure verticals mentioned above, then you may be only monitoring/measuring half of your actual risk posture. Your enterprise is fundamental and critical to monitor. I would even go so far as to say that it is more important than the OT side of the company mostly because most successful OT attacks were initiated on the IT (enterprise) side. This does not mean however that you should not be measuring your OT facilities, cybersecurity risk posture. The more complete your view is, the better your ability will be to detect an issue before a real incident occurs.

Splunk integrates directly with the Industrial Defender solution. Industrial Defender brings the OT data sources to Splunk that Splunk is used to receiving (from the Enterprise side). Industrial Defender specializes in automatically collecting security events, as well as asset configuration data. This collection is performed automatically on an ongoing basis so that you know that your security analysts have the most current data in their dashboards for analysis/monitoring.

Splunk is the ideal central management facility to store your cybersecurity events. Splunk excels in advanced correlation as well as data analytics. There are many OT cybersecurity vendors in the market today that attempt to perform the same basic services as an advanced SIEM such as Splunk. Industrial Defender believes (strongly) that the analytics should be performed on the platform that most importantly has all of the relevant data (IT & OT). This intense processing should be performed on the system that has the actual horsepower as well as the data scientists behind the scenes to bring the most visibility to the client. Splunk’s data scientists have even developed the ability to detect and predict ransomware attacks prior to the destructive encryption executing! To be able to detect a ransomware attack before it executes would be the goal of all organizations. Splunk already has the data for that on the IT side. Industrial Defender provides Splunk with the OT data that it needs to be able to detect ransomware behaviors before they execute.

Sending all your cybersecurity data to a single facility (Splunk) will provide you with the most complete view across your company. Should an incident occur on the IT (Enterprise) side of the company, you can detect it, remediate it, and learn from it before it finds its way to your OT environment. If you are blind to your OT environment, you may have little warning before a successful attack occurs.

Check out this solution brief to see how Industrial Defender and Splunk can help you achieve NIST compliance. Our integration solves complex OT security data challenges by delivering security data events with deep asset context to analysts, so they can quickly identify and mitigate potential cybersecurity issues. The Industrial Defender for Splunk App is the most comprehensive Splunk integration available in the OT security space, exposing deep OT asset insights down to Level 0-3.

Video Demo: Industrial Defender & Splunk Integration

See how the Industrial Defender for Splunk app increases the effectiveness of using Splunk in OT environments by helping analysts to quickly identify and mitigate potential cybersecurity issues. Using Splunk’s Common Information Model (CIM) and OT Security Add-on, we’ll show you how you can quickly access critical contextual data coming from Industrial Defender, including:

  • Asset data like criticality, vulnerabilities, location and owner
  • How an asset is categorized
  • How asset behavior has changed over time
  • Detailed subnet data
  • Information about security events, firewall status, NetFlow and removeable media events

Watch Demo Video

Stay Informed.

Sign up for our newsletter and receive the latest on ICS cybersecurity, product updates and more.

We welcome contributions to our blog from the ICS security community. View our submission criteria here.