Splunk for OT Security V2: SOAR and More

In the last 90 days, the news of cyberattacks on critical infrastructure has been stunning. From the unprecedented breach represented by Sunburst to the more recent bone-chilling attack at the Oldsmar water facility, the urgency to secure critical infrastructure in transportation, utilities, energy, water, critical manufacturing, telecommunications, healthcare, government facilities and the defense sector has never been higher.

Over the last 12 months, the Splunk IoT, Manufacturing and Energy team has worked with hundreds of customers exploring how best to secure their OT environments. From these many interactions, we have observed three common patterns:

1. Just getting started: A high percentage of teams responsible for securing OT environments are just getting started in their journey. Some may have taken initial steps beyond firewall configurations, network segmentation and personnel training. The most common next step is to procure and deploy an OT-specific network intrusion detection and inventory discovery tool. Few have invested in the application of a considered, framework-driven vulnerability monitoring program such as that outlined by MITRE in the MITRE ATT&CK for ICS.
2. Under-invested: The teams responsible for protecting OT are notably under-funded; the capacity of staff, budget and tools is low relative to the threats and potential impacts they seek to mitigate. This challenge has been a driving force behind the convergence of IT and OT into a unified SOC.
3. Can’t keep up: Even the most sophisticated and well-funded organizations we engage with actively seek new ways to accelerate the pace and quality of their detect to response decision cycles; they do not believe they are currently keeping up.

Perhaps unsurprisingly, most of the organizations we interact with are actively seeking to better understand how, where, when and how much they should rely upon Splunk technology to aid them on this journey. The fact that Splunk’s role in OT and the benefits it might deliver were not self-evident was a key motivation for our decision to invest in the Splunk for OT Security solution.

Splunk OT Security Add-On 2.0.1 Updates

In August 2020, we announced the availability of the OT Security Add-on for Splunk for users seeking to monitor OT environments better. Today, we are excited to announce version 2.0.1 of the solution, which includes several significant enhancements:

• A new model and supporting content to apply Splunk’s Security Orchestration, Automation and Response product, Splunk Phantom, within OT contexts. The content is expressly aimed at providing a framework for an OT investigation while simultaneously accelerating the pace of response. This content will be beneficial in environments that subscribe (or aspire) to the MITRE ATT&CK for ICS framework. Read much more here in our updated documentation.

• 

  More robust integration to key vendors in the OT cybersecurity space, including Claroty, Nozomi Networks, Forescout, Armis and Dragos. These integrations can collect, organize and represent asset inventory, alerts (including MITRE ICS mappings), network traffic and vulnerability data into Splunk. Once integrated, a security analyst has visibility across all five zones of the ISA-95 model. (Note: this last point is a truly big deal for anyone serious about detecting issues earlier.)

• An applied model for using Splunk Event Types to organize notables within the MITRE ICS framework and ensure logical identification from data ingestion to investigation through response.

• Expanded coverage of both MITRE ATT&CK for ICS and NERC CIP. This add-on includes detection rules supporting four additional MITRE ICS TTPs, as well as dashboards and reports for NERC CIP 006, 007, 008 and 009.

• New ways to explore and adopt Splunk within OT environments, including the introduction of an OT Security Autobahn lane, a prescriptive, SaaS-based proof-of-value program.

The impact of applying Splunk for OT Security can be immediate. For example, circling back to threats revealed in the last 90 days, organizations concerned about the Oldsmar attack who are using Splunk for OT Security would benefit in several ways:

• Detect the use of software products like VNC and TeamViewer in use on endpoints.
• Detect suspicious DNS calls to *.teamviewer.com which are present when native ports are not used
• Detect specific TCP/UDP traffic that is associated with products like TeamViewer.

The Splunk for OT Security content steers directly into the pain points we hear from organizations looking to do more to increase their OT security posture and visibility. With tight alignment to the MITRE ATT&CK for ICS framework, a bevy of new integrations to first-class OT inventory discovery / anomaly detection platforms and the potential for even under-staffed SOCs to increase the pace and quality of investigations using Phantom, we look forward to working with our customers to advance the security of their OT environments.

To learn more about applying the Splunk Security Operations Suite within OT contexts, watch this overview presentation, review the latest documentation here or download the OT Security Add-on for Splunk. For any questions, comments or ideas, don’t hesitate to reach out to us directly.

----------------------------------------------------
Thanks!
Ed Albanese