Using Monitoring, Logging, and Alerting to Improve ICS Security ICSJWG 2015 Fall Meeting October 27, 2015





Slide 2: The Problem
- Cyber attacks are not just a risk; they are a reality.
- Cyber attacks that get past the perimeter must be detected to be stopped.
- Cyber attackers are not stupid or clumsy.
- Cyber attackers are patient and persistent.

Slide 3: The Problem (continued)
- Critical infrastructure control systems are attractive targets.
- There is no data of value, so the goal of an attack is to cause disruption or damage.
- Manual operation is not possible in most cases, so shutting down control systems is not an option.

Slide 4: Mitigation Activities: First Steps
- Isolate the control system; establish a secure perimeter.
- Shrink the vulnerable attack surface: remove all unneeded hardware and software from the control system enclave.
- Understand all processes and network activities that occur inside the perimeter.

Slide 5: Mitigation Activities: Ongoing
- Detect unusual or anomalous activities or events.
- Identify activities or events that are malicious or may indicate an attack.
- Provide information to those who can act to stop the attack.

Slide 6: Detect
- Configure systems to create logs.
- Configure logging for events of interest:
  - Successful and unsuccessful login attempts.
  - Administrative changes: accounts, elevation of privileges.
  - Configuration changes, new hardware.
  - Process state changes.
  - Changes in critical directories.
  - Malware detection.
- Synchronize system time; use timestamps in logs.

Slide 7: Identify: First Step
- Send logs to a central log management server.
- Simplifies retention and review.
- Advanced systems can apply retention policies.
- More advanced systems can parse logs, correlate events and generate alerts.

Slide 8: Identify: The Next Level
- Security Information and Event Management (SIEM).
- Collects logs and other operational data from a wide variety of systems.
- Parses logs and correlates events, including IDS and NetFlow data.
- Generates alerts and reports; dashboards are highly customizable and can aid forensics and investigation of events.
- There is a continuum from log management to SIEM as functionality increases.
- Products: ArcSight, NetIQ Sentinel, IBM Security QRadar, RSA Security Analytics, LogRhythm, SolarWinds SIEM, McAfee Enterprise Security Manager, Splunk.

Slide 9: SIEM Challenges
- Expensive, complicated and requires specialized expertise to implement.
- Effective implementation requires customized correlation rules; without correlation, all you have is expensive log management.

Slide 10: SIEM and IDS
- Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS): an IDS detects, identifies and notifies on suspected intrusions; an IPS takes the additional step of blocking traffic.
- Similar to SIEM, but uses raw network traffic and malware signatures (as well as known malicious sites and sources) as inputs.
- Can work in conjunction with SIEM, as an input to the SIEM.

Slide 11: Actions and Activities to Identify
- New devices on the network
- Administrative activity
- New network traffic patterns
- Increased network traffic
- Increased rate of failed logins
- Changes in system directories
- Attempts to communicate externally
- Malware activity
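The parse-and-correlate step of slides 7 and 8 applied to the activities listed on slide 11, as an added example that is not part of the presentation: a small correlation engine that reads constructed syslog-style lines, tracks failed logins per source in a sliding window, flags a DHCP lease to a MAC address missing from a (constructed) asset inventory, flags a dropped outbound connection from the enclave, and flags sudo administrative commands. Hostnames, addresses, the log formats and the thresholds are all assumptions chosen for the example.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the presentation); clocks are already synchronized.
SAMPLE_LOGS = """\
2015-10-27T09:00:01 hmi01 sshd[410]: Failed password for operator from 10.1.5.20
2015-10-27T09:00:03 hmi01 sshd[410]: Failed password for operator from 10.1.5.20
2015-10-27T09:00:04 hmi01 sshd[410]: Failed password for admin from 10.1.5.20
2015-10-27T09:00:06 hmi01 sshd[410]: Failed password for root from 10.1.5.20
2015-10-27T09:01:10 dhcp01 dhcpd: DHCPACK on 10.1.5.77 to 00:11:22:33:44:55
2015-10-27T09:02:00 hist01 kernel: OUTBOUND DROP SRC=10.1.5.30 DST=203.0.113.9 DPT=443
2015-10-27T09:02:30 plc-gw sudo: operator : COMMAND=/usr/sbin/useradd tempadmin
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")  # ts host prog[pid]: msg
FAILED = re.compile(r"Failed password for \S+ from (\S+)")
LEASE = re.compile(r"DHCPACK on (\S+) to (\S+)")
DROP = re.compile(r"OUTBOUND DROP SRC=(\S+) DST=(\S+)")
SUDO = re.compile(r"COMMAND=(.*)")
KNOWN_DEVICES = {"00:11:22:33:44:aa", "00:11:22:33:44:bb"}  # constructed asset inventory (MACs)
FAILED_LOGIN_THRESHOLD, WINDOW_SECONDS = 3, 60  # failures from one source inside the window

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip unparseable lines instead of crashing the pipeline
    ts, host, prog, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog, "msg": msg}

def correlate(lines):
    # Returns (severity, alert text) tuples in event order.
    alerts, failures = [], {}  # failures: source IP -> timestamps of failed logins
    for ev in filter(None, map(parse, lines)):
        host, msg, ts = ev["host"], ev["msg"], ev["ts"]
        fail, lease, drop, cmd = (p.search(msg) for p in (FAILED, LEASE, DROP, SUDO))
        if fail:  # increased rate of failed logins: sliding window per source address
            src = fail.group(1)
            failures.setdefault(src, []).append(ts)
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once, as the threshold is crossed
                alerts.append(("high", f"{len(recent)} failed logins from {src} on {host} within {WINDOW_SECONDS}s"))
        elif lease and lease.group(2).lower() not in KNOWN_DEVICES:  # new device on the network
            alerts.append(("medium", f"new device {lease.group(2)} leased {lease.group(1)} from {host}"))
        elif drop:  # attempt to communicate externally from inside the enclave
            alerts.append(("high", f"{drop.group(1)} attempted external connection to {drop.group(2)}"))
        elif cmd:  # administrative activity
            alerts.append(("medium", f"administrative command on {host}: {cmd.group(1)}"))
    return alerts

if __name__ == "__main__":
    for sev, text in correlate(SAMPLE_LOGS.splitlines()):
        print(f"[{sev.upper()}] ALERT - possible attack: {text}")  # clearly marked, as slide 12 asks
```

The failed-login rule fires only when the window count equals the threshold, so a sustained burst produces one alert rather than one per additional failure.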

Slide 12: Final Step: Alerting
- Detection and identification have no value if no action is taken.
- Action requires a person to know that there is a need for action.
- Dashboards and on-screen alerts can be effective, but only if there is constant monitoring.
- If email is used for alerts, provisions must be made to make sure they are delivered to somebody who can act on them.
- Emails should be sent to groups; members of the group must have a protocol for determining who will act.
- Emails must be clearly marked as alerts of a possible attack.

Slide 13: Start With What You Have
- Enable logging of important events.
- Use built-in capabilities, such as syslog.
- Use inexpensive or free log managers.
- Configure alerting in systems when available (anti-malware, for example).

Slide 14: Q & A Session. Thank you!

Slide 15: Contact Us
- Phone: (847) 947-8448
- Email: webinars@encari.com; demos@encari.com; contactus@encari.com
- Web: http://www.encari.com
- https://www.facebook.com/encari.powersecure
- https://twitter.com/encarips
- http://bit.ly/encarilinkedin

Slide 16: Encari provides control system security and compliance solutions, focusing on critical infrastructure.