Video: OT SOC Enablement with Splunk

Thank you everyone for joining the Industrial Defender webinar which focuses on how Industrial Defender data sets and integrations can be leveraged to provide deep OT awareness and insight into a centralized SOC, with the goal of achieving the CISOs unreachable panacea of IT/OT convergence. I’m George Kalavantis and I head up the operations group at Industrial Defender.

With me is Peter Lund, our Director of Product Management, and Jeremy Morgan, our Principal Solutions Engineer. The SOC analyst in today’s ICS organization is at the forefront of the security equation, but has not had a say in the equation variables or algorithms.

As organizations are further pressured to centralize operations, the typical challenges of a SOC are further exacerbated by alert overload, lack of OT visibility, lack of OT data enrichment, and generic SOC playbooks that are not curated for OT. Although these challenges require OT focus, they do not require an ICS engineer, especially when the critical event and configuration data is available via Industrial Defender. With that said, I will hand it over to Jeremy and Peter who will show us how what we have learned in our previous webinars, which have focused on data collection, 3rd party integrations and vulnerability monitoring, can assist your organization with the creation of a robust OT SOC operation. Peter, take it away.

Thank you George. So what you see here is a pretty typical ICS-oriented dashboard that is focusing on critical events for an OT system at a particular site. Industrial Defender is feeding Splunk, like we had shown in our last video. It’s really just showing OT events of interest, specifically focused on removable media, authentication and virus or malware alerts. Jeremy our plant manager, has been making some updates to the system. I was aware of those last week, I know we were doing some removable media and he was going to be logging in a bit more than usual. But, Jeremy just made a mistake and it’s about to light up the screen as we’ll show in a minute here. Jeremy actually forgot to scan the last SCADA update package that he deployed, and it’s caused a virus detection event to detected here on our screen. Because we have some of the enriched data coming up to Industrial Defender in addition to these security events, I can now see what has occurred with some deeper insights as we look at the next dashboard.

Hey Peter, before you call our unsuspecting asset owner, I want to review what I believe I just saw. Is it safe to say that the OT SOC analyst was able to pivot off of one alert and identify events of interest, changes to configuration data and vulnerabilities because of the Industrial Defender API and log feeds? That’s exactly right George. I can see that some removable media was plugged in and mounted to the E drive. We’ve got a number of vulnerabilities on this endpoint. We can see where it’s physically located, who to call, the asset’s address, the model number. Quite a bit of enriched data, which is typically hard for a SOC analyst to track down. Now that we know this has happened, I’m going to give a call out to Jeremy out in the field and understand what’s going on and see if we can figure out and get ourselves out of trouble here.

SOC Analyst: Hey Jeremy, it’s Pete from the SOC. I just got an alert that someone plugged in removable media. I knew you were doing maintenance, but now we’re seeing some antivirus alerts and some other unusual events. What’s going on out there? ICS Engineer: Well shoot, what do you want me to do, just shut everything down? SOC Analyst: Actually no, we want to make sure if this is a critical system and we want to preserve it for analysis. We also don’t want to break down the process incase it’s just a false alarm. Could you just unplug the network for now, prevent it from spreading to more endpoints? Is this going to be safe for your operations out there? ICS Engineer: Sure Pete, we’re in outage anyway as you know, so I’ll just go ahead and do that right now. Ok great. SOC Analyst: You did brief me on the shutdown, but are you sure it’s safe to unplug it? ICS Engineer: Sure it’s just the historian for the engineers at headquarters to monitor stuff. I’m unplugging it now. SOC Analyst: Ok perfect. I’m going to go ahead and dispatch the incident response team to site. I saw in the properties of the asset that’s located in Foxborough, and that it’s at 225 Foxborough Blvd. Is that data still correct? Is that where you are? ICS Engineer: Yes, that’s perfect. I’ll let the security guard know and let them know we won’t be back online for a little bit. Anything else I can do?

SOC Analyst: Yeah, maybe you can help me dig into some of the data? I actually saw that there were some new suspicious looking administrator accounts. It’s administrator with a 1 instead of an I. That’s something that I’ve seen as a typical bad pattern with malware. It looks like we installed 7 zip and a number of other executables were dropped onto the endpoint. I’m kind of worried about that stuff, so I want to make sure we understand what it is and if it needs to be removed. ICS Engineer: Yeah, I definitely didn’t do that, so thanks for pointing that out. I really appreciate it. You just saved me a bunch of hours collecting all of this data by hand. Now we’ll have a much better way to address what was impacted. It could have been really bad if you hadn’t called me earlier, and we had gone online in the next few minutes. SOC Analyst: Great, that makes me feel better because I was pretty nervous when I saw antivirus. I know that environment is very very quiet. I knew about the removable media stuff you were doing last week, but I didn’t know it was going to carry into this week. I’m glad I called you.

Pete and Jeremy, that was another informative presentation, and I loved the back and forth. It seems that due to the addition of the Industrial Defender feeds and config data, you were able to provide both the SOC analyst and the asset owner with all of the information necessary to make high quality operational decisions. I would like to once again thank you for taking us through the presentation and for our audience for listening in. In closing, I would like to say that Industrial Defender is well-positioned to assist CISOs with their IT/OT convergence and centralized SOC operational strategies. Thank you everyone, and please stay safe.