Splunk for OT Security V2: SOAR and More

Security Splunk
In the last 90 days, the news of cyberattacks on critical infrastructure has been stunning. From the unprecedented breach represented by Sunburst to the more recent bone-chilling attack at the Oldsmar water facility, the urgency to secure critical infrastructure in transportation, utilities, energy, water, critical manufacturing, telecommunications, healthcare, government facilities and the defense sector has never been higher.

Over the last 12 months, the Splunk IoT, Manufacturing and Energy team has worked with hundreds of customers exploring how best to secure their OT environments. From these many interactions, we have observed three common patterns:

  1. Just getting started: A high percentage of teams responsible for securing OT environments are just getting started in their journey. Some may have taken initial steps beyond firewall configurations, network segmentation and personnel training. The most common next step is to procure and deploy an OT-specific network intrusion detection and inventory discovery tool. Few have invested in the application of a considered, framework-driven vulnerability monitoring program such as that outlined by MITRE in the MITRE ATT&CK for ICS.
  2. Under-invested: The teams responsible for protecting OT are notably under-funded; the capacity of staff, budget and tools is low relative to the threats and potential impacts they seek to mitigate. This challenge has been a driving force behind the convergence of IT and OT into a unified SOC.
  3. Can’t keep up: Even the most sophisticated and well-funded organizations we engage with actively seek new ways to accelerate the pace and quality of their detect to response decision cycles; they do not believe they are currently keeping up.

Perhaps unsurprisingly, most of the organizations we interact with are actively seeking to better understand how, where, when and how much they should rely upon Splunk technology to aid them on this journey. The fact that Splunk’s role in OT and the benefits it might deliver were not self-evident was a key motivation for our decision to invest in the Splunk for OT Security solution.

Splunk OT Security Add-On 2.0.1 Updates

In August 2020, we announced the availability of the OT Security Add-on for Splunk for users seeking to monitor OT environments better. Today, we are excited to announce version 2.0.1 of the solution, which includes several significant enhancements:

The impact of applying Splunk for OT Security can be immediate. For example, circling back to threats revealed in the last 90 days, organizations concerned about the Oldsmar attack who are using Splunk for OT Security would benefit in several ways:

The Splunk for OT Security content steers directly into the pain points we hear from organizations looking to do more to increase their OT security posture and visibility. With tight alignment to the MITRE ATT&CK for ICS framework, a bevy of new integrations to first-class OT inventory discovery / anomaly detection platforms and the potential for even under-staffed SOCs to increase the pace and quality of investigations using Phantom, we look forward to working with our customers to advance the security of their OT environments.

To learn more about applying the Splunk Security Operations Suite within OT contexts, watch this overview presentation, review the latest documentation here or download the OT Security Add-on for Splunk. For any questions, comments or ideas, don’t hesitate to reach out to us directly.

----------------------------------------------------
Thanks!
Ed Albanese

Related Articles

Visualising a Space of JA3 Signatures With Splunk
Security
2 Minute Read

Visualising a Space of JA3 Signatures With Splunk

One common misconception about machine learning methodologies is that they can completely remove the need for humans to understand the data they are working with. In reality, it can often place a greater burden on an analyst or engineer to ensure that their data meets the requirements, cleanliness and standardization assumed by the methodologies used. However, when the complexity of the data becomes significant, how is a human supposed to keep up? One methodology is to use ML to find ways to keep a human in the loop!
Elevating Security Intelligence with Splunk UBA's Machine Learning Models
Security
4 Minute Read

Elevating Security Intelligence with Splunk UBA's Machine Learning Models

Splunk UBA uses machine learning to detect evolving threats beyond rule-based approaches in SOC operations, tackling overwhelming event volumes.
Introducing Splunk Attack Range v4.0
Security
3 Minute Read

Introducing Splunk Attack Range v4.0

Splunk Attack Range v4.0 empowers security teams to build detections & emulate adversaries.