ICS Security Monitoring

Similar documents
INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

CyberArk Privileged Threat Analytics

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

CIS Controls Measures and Metrics for Version 7

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

CIS Controls Measures and Metrics for Version 7

Industrial Defender ASM. for Automation Systems Management

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

Compare Security Analytics Solutions

Evolution Of Cyber Threats & Defense Approaches

RSA INCIDENT RESPONSE SERVICES

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

RSA INCIDENT RESPONSE SERVICES

Imperva Incapsula Website Security

align security instill confidence

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Un SOC avanzato per una efficace risposta al cybercrime

Reinvent Your 2013 Security Management Strategy

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

SANS SCADA and Process Control Europe Rome 2011

Novetta Cyber Analytics

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Data Sheet. Claroty Platform: Continuous Threat Detection

THE CYBERX PLATFORM: PROTECT YOUR PEOPLE, PRODUCTION, AND PROFITS HIGHLIGHTS SOLUTION BRIEF

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Be effective in protecting against the cybercrime

Building a Threat-Based Cyber Team

RSA IT Security Risk Management

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

First Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Unlocking the Power of the Cloud

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Critical Hygiene for Preventing Major Breaches

BUILDING AND MAINTAINING SOC

Safdar Akhtar, Cyber Director Sema Tutucu, Ops Leader 27 September CYBER SECURITY PROGRAM: Policies to Controls

Ransomware A case study of the impact, recovery and remediation events

RSA NetWitness Suite Respond in Minutes, Not Months

RSA. The security division of EMC. Visibilidad total en el entorno de seguridad. Javier Galvan Systems Engineer Mexico & NOLA

Protecting productivity with Industrial Security Services

About NitroSecurity. Application Data Monitor. Log Mgmt Database Monitor SIEM IDS / IPS. NitroEDB

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Think Like an Attacker

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

PrecisionAccess Trusted Access Control

Detection and Analysis of Threats to the Energy Sector (DATES)

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

RiskSense Attack Surface Validation for IoT Systems

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Fidelis Overview. ISC 2 DoD and Industry Forum. Rapid Detection and Automated Incident Response DoD & Commercial Active Defense Use Cases

SIEM Solutions from McAfee

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Visibility: The Foundation of your Cybersecurity Infrastructure. Marlin McFate Federal CTO, Riverbed

Continuous protection to reduce risk and maintain production availability

HP0-Y16. ProCurve Network Immunity Solutions. Download Full Version :

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

T22 - Industrial Control System Security

First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

Stopping Advanced Persistent Threats In Cloud and DataCenters

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Threat Hunting in Modern Networks. David Biser

Training for the cyber professionals of tomorrow

The Rise of the Purple Team

AAD - ASSET AND ANOMALY DETECTION DATASHEET

Securing Industrial Control Systems

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

CONTENTS. Technology Overview. Workflow Integration. Sample Customers. How It Works

SIEMLESS THREAT MANAGEMENT

MD-100: Modern Desktop Administrator Part 1

SentinelOne Technical Brief

How AlienVault ICS SIEM Supports Compliance with CFATS

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

Comprehensive datacenter protection

A Risk Management Platform

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Integrated, Intelligence driven Cyber Threat Hunting

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

SentinelOne Technical Brief

Pieter Wigleven Windows Technical Specialist

Transcription:

ICS Security Monitoring INFRASTRUCTURE MINING & METALS NUCLEAR, SECURITY & ENVIRONMENTAL OIL, GAS & CHEMICALS Moses Schwartz Security Engineer Computer Incident Response Team Bechtel Corporation

State of the Field Enterprise IT Security Emphasis on active defense, defense-in-depth, iterative improvement. Continuous monitoring by dedicated teams. Vulnerability management program and regular patching. Centralized logging and alerting. Proactive hunting informed by threat intelligence. Attacks are identified early and remediated quickly. Industrial Control Systems (ICS) Security Emphasis on passive protection (firewalls, antivirus). No patches, few updates. Attacks are identified by impact on process. Remediation may require plant shutdown, extensive re-engineering.

Motivation All systems are vulnerable. ICS are particularly weak. Attackers have an initial asymmetric advantage. Post-exploitation, defenders have the upper hand. The initial foothold is almost never the final target. Attackers are operating in enemy territory. Lateral movement and privilege escalation can be detected. 3

Bringing Modern Tools to ICS Security Focus on monitoring and detection. Emphasis on passive and low-impact techniques. Leverage in-house experience with security monitoring. Require human-in-the-loop and encourage active defense. Network Security Monitoring (NSM). Deep packet analysis of raw network traffic. Security Information and Even Manager (SIEM). Centralized log database. Searching, correlation, alerting. 4

ICS Network Security Monitoring Operator Workstations Engineering Workstations Security Enclave Taps Switches Aggregator Experion Servers Experion PLC Servers ControlNet Network Traffic Analysis Log Aggregation, Analysis, Correlation Honeywell controllers ControlLogix PLCs Workstation

ICS Network Security Monitoring + Security Information Event Manager Operator Workstations Engineering Workstations Security Enclave Taps Switches Aggregator Experion Servers Experion PLC Servers ControlNet Network Traffic Analysis Log Aggregation, Analysis, Correlation Honeywell controllers ControlLogix PLCs Workstation

NSM / SIEM infrastructure (v1) Network taps Host logs, Firewall logs Network security monitoring Aggregation, analysis, alerting Status monitoring Security dashboard web app

System Interaction: Dashboards Splunk Dashboards. System overview. Auditing. Troubleshooting. General network situational awareness. Security Dashboard. Light-weight ticketing system. Displays alerts. Plays audible alarms. Enforces human-in-the-loop workflow.

Splunk!

Splunk Search!

Alert Examples Audit Network/Host Changes New Account Created New Account Login New DNS Query New Windows service installed New Source/Destination IP New Source/Destination Connection New MAC Address Monitor System Health High Disk Usage Splunk Internal Errors Detect Targeted Events Snort Signature Hit PowerShell Launched Outside-the-Fence Login Login on Many Hosts Many Failed Logins Login Success After Many Failures Auditing and Compliance Use of Elevated Privileges USB Device Connected User Login/Logoff System Restart/Shutdown

System Summary Baseline system. Applies modern IT security tools to ICS networks. Provides basic visibility into ICS network and hosts. Similar to commercial solutions. Enforces a human-in-the-loop and active defense. Gives us a starting point to pursue ICS security research with real, rich data sources.

Red Team Detection and Response Detection. Laptops re-used between assessments. Post-exploitation toolkit detectable by PowerShell executions. Response. Live remote memory analysis. Onsite IT and helpdesk to disable network ports, obtain and image systems, interface with site security. Rootkit-style security agent to maintain control.

Approach Log everything, and actually read those logs. Make analysis easy. Look for low-level system behavior that is common to attacker toolkits. Infection vectors change, but post-exploitation escalation and lateral movement is constant. Never let someone break in the same way twice. Learn from our attackers. Continually develop new alerts. Encourage proactive hunting. Practice being the adversary. Test our defenses. Fully understand a compromise before acting. When ready to remediate, act quickly and decisively.

Future Work Develop better alerts and dashboards. Monitor field devices and other ICS components. Go deeper than Ethernet: serial, coaxial, RF. Explore machine learning techniques for anomaly detection. Apply software testing best practices to alerting. 2015 Bechtel 16

ICS Security Monitoring INFRASTRUCTURE MINING & METALS NUCLEAR, SECURITY & ENVIRONMENTAL OIL, GAS & CHEMICALS Moses Schwartz Security Engineer Computer Incident Response Team Bechtel Corporation

Case study: Compensating for physical security Vulnerability Secondary control room located outside the fence Not manned 24x7 Mitigation Audible alarm for admin logins on outside-the-fence systems 18

Audible alarms 19

Case study: PowerShell activity alert Windows PowerShell. Scripting/automation framework. Very useful for system administration. Frequently used by attackers. We ve had an great success identifying attacks by alerting on PowerShell execution. 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback