Securing the Unseen

Today’s adversaries are not just creative; they are relentless in exploiting unseen corners of your environment. Attackers are increasingly pivoting from IT systems into unsecured and unaccounted OT and IoT devices, leveraging these blind spots to establish persistent footholds, disrupt critical operations, and enable lateral movement across environments. Such compromises can set back manufacturing lines, critical infrastructure, and supply chains for days, weeks, or in worst-case scenarios, months.

SOC analysts and security teams are only as effective as the data and contextual visibility available across their IT, OT, and IoT landscape. The new frontier in OT security extends beyond protecting known assets – it demands the proactive discovery and continuous monitoring of unseen devices, which often present the largest attack surface in your operational environment.

Traditionally, environments with both IT and OT systems have required teams to switch between multiple tools, vendor platforms, and dashboards to monitor and investigate incidents across these domains. This siloed approach increases mean time to detect (MTTD) and mean time to respond (MTTR), while providing attackers with opportunities to exploit monitoring gaps.

Splunk Asset and Risk Intelligence (ARI) bridges this gap, unifying IT and OT asset visibility into a single operational pane. By aggregating contextual asset data, risk scoring, and historical data, ARI reduces the need to pivot across disparate systems and empowers SOC analysts to investigate incidents holistically, reducing dwell time for attackers in your environment.

IP & MAC Address Visibility: Establishing Baselines for Threat Detection

In the OT world, IP and MAC addresses should remain static. Tracking these identifiers over time enables SOC analysts to establish a baseline of normal behavior, crucial for advanced threat detection and anomaly hunting. For example:

• If an OT device’s IP address begins communicating with the corporate IT network unexpectedly, this could indicate segmentation failure or lateral movement attempts by an adversary.
• Abnormal traffic patterns during off-hours, detected through ARI’s continuous tracking of IP/MAC data, can highlight potential rogue devices, unauthorized changes, or early indicators of compromise.

By integrating this visibility into your SIEM and OT monitoring workflows, you enable real-time correlation and enrichment, empowering analysts to prioritize investigations based on abnormal behaviors rather than chasing every alert blindly.

Vendor, Software, and Location Context: Enabling Targeted Hardening

Visibility into an OT device’s vendor, firmware/software version, and physical location enriches security operations beyond basic IP tracking. This granular context:

• Supports targeted vulnerability and patch management in environments where broad patch deployment is impractical due to operational uptime requirements.
• Enables maintenance and security teams to coordinate planned downtime for updates or compensating control deployment without halting entire production lines.
• Assists in risk scoring and prioritization, allowing teams to understand which assets, based on vendor or location, may introduce unique supply chain or geopolitical risks requiring focused mitigation.

By integrating these details within ARI and your broader security workflows, security teams can transition from reactive to proactive security postures, enforcing security controls with precision while minimizing operational disruption.

Risk-Based Prioritization: Securing High-Impact OT Devices

Risk Scoring for OT devices is critical for prioritizing cybersecurity efforts in environments where uptime and safety are paramount.  Asset Risk Intelligence provides a quantifiable risk value based on several gathered factors such as device criticality, known vulnerabilities, network exposure, and anomalous behavior.  These ratings help organizations focus, and even shift resources, on securing the most vulnerable and even high-impact assets.

Knowing how hard and difficult it is to patch in OT environments, outlined in the previous section, risk scoring provides the necessary intelligence to make actionable and informed decisions without compromising integrity. 

From Visibility to Actionable Security Outcomes

Visibility into OT assets is not just a checkbox – it’s foundational for effective incident response, threat hunting, and continuous risk reduction. By leveraging Asset Risk Intelligence and structured data collection, organizations can:

• Detects lateral movement attempts into OT environments from compromised IT assets.
• Identify shadow OT assets connected to the network without formal onboarding.
• Monitor for unauthorized firmware changes or policy deviations across distributed sites.
• Enable SOC analysts to correlate OT data with threat intelligence and MITRE ATT&CK for ICS, enhancing adversary detection within critical environments.

Asset Risk Intelligence helps your organization take steps to go beyond just checking the box.  Providing those security outcomes assuring that compliances are met whether those are HIPAA related, NIST, ISA/IEC 62243 or NERC, Asset Risk Intelligence helps track those outcomes overtime to give executives and security personnel more peace of mind. 

Conclusion

The unseen devices in your OT landscape are not just a technical challenge; they are a business risk. The evolving threat landscape demands that organizations expand their detection and response capabilities beyond traditional IT perimeters and into the critical, often fragile, operational environments that power their core business functions.

Splunk Asset and Risk Intelligence enables organizations to discover, baseline, monitor, and secure these unseen assets, transforming hidden vulnerabilities into manageable risks while preserving operational resilience.  Securing the unseen isn’t optional – it’s the next critical step in modern cybersecurity and operational technology defense.

For anyone that’s attending .conf25 in Boston next month,  if you would like to learn and see more on how ARI can not only help you secure your IT & OT technology, but also how it can help you streamline your security investigation process and help you better tackle regulatory needs and compliance challenges, be sure to register for these sessions:

Tuesday, September 9th

10:30 AM - 11:15 AM EDT
SEC1737 - Streamlining Security Investigations with Asset and Risk Intelligence
Madhura Kumar, Director, Product management, Splunk, a Cisco Company
Dimitri McKay, Principal Security Strategist, Splunk, a Cisco Company

Tuesday, September 9th

11:30 AM - 11:45 AM EDT
SEC1771 - Improving Compliance with the Magic of Asset Intelligence
Coty Sugg, Product Marketing Manager, Splunk, a Cisco Company

Wednesday, September 10th

3:00 PM - 3:20 PM EDT
SEC1767 - Securing the Unseen: An Asset-Driven Approach to OT Security
Jerald Perry, Senior Technical Marketing Engineer, Splunk, a Cisco Company