By Jason Maynard
Mid- to large-sized enterprises have, for many years, built the operational technology (OT) environment like an egg – a hard exterior protected by traditional security elements such as firewalls, IDS/IPS, and malware detection (if you are lucky) with a soft interior that leaves critical operational assets exposed to advanced threats with little or no visibility.
As companies continue to digitize, bringing real-time analytics to the business and to their customers, isolation is no longer viable. Visibility into the operational network has become critical to keeping the process operating securely.
Network behavioral analytic platforms overcome the visibility and security analytics challenges by maximizing existing investments in your network infrastructure. They collect the rich network telemetry the infrastructure already produces (IPFIX, sFlow, etc.), build a baseline of the network environment using behavioral analytics and multilayered machine learning, and then detect what deviates from that baseline. We will discuss this in more detail, but first let’s discuss the challenges most organizations are faced with today.
A hard exterior may include one, many, or all of the following items: firewalls, intrusion detection/prevention systems, content protection, DNS-based controls, malware inspection, and email security.
These controls and inspection points may exist at the edge of the operational environment and/or within the business network. In the past this reduced a significant amount of risk to the operational environment, but in today’s world it is no longer enough. Relying on a soft interior presents a variety of risks over and above what the hard exterior is able to mitigate.
Having a soft interior may present the following concerns:
• Supply Chain: The firmware you downloaded was compromised by a bad actor – would you be able to determine or alarm on subtle behavioral changes to the network indicating something of interest?
• Normal Operations: Do you truly understand how the network operates 24x7x365, and are you able to detect changes based on new behaviors? These changes may be related to a security event; however, they also may be based on a misconfiguration, all of which may impact your operational process.
• Localized Malware: Malware introduced to systems by field technicians, contractors, USB keys, etc. As the infection takes hold, it starts to communicate and move laterally. Would you be able to detect the changes to the network behavior caused by this new threat?
• Vendors/Contractors Access: This brings a significant amount of risk to the operational environment, as the vendor’s/contractor’s asset may be compromised and/or misconfigured, causing disruption to the operational process. There are a variety of ways to mitigate this risk, but they are beyond the scope of this article. If such assets are connecting, would you be able to prove whether a vendor/contractor actually caused an outage within the operational space? Having a record of all communications that take place while the asset is connected provides much-needed evidence. Additionally, the ability to alert on interesting traffic patterns may give you insight into an upcoming event.
• Protection Agents such as Antivirus and Antimalware Protection: Not all assets within the operational environment will support agents and/or the vendor will not allow agents onto systems and if installed, the vendor may revoke support. Also, not every flow may traverse a control or inspection point. The network provides an opportunity to detect anomalous and/or bad behaviors without the need of an agent.
• Confidence in the Control: Are you certain the controls in place are working 100 percent of the time? What about the fat-finger syndrome when adding a control? Are systems talking to systems they should not be? Can you prove the process is pristine at any point in time? The network provides flow data, which gives you long-term records of all communications taking place.
• Compliance/Audit: Today the audit process may include examining multiple access control lists and requires multiple teams to show that a control exists and that communication into the environment meets the compliance requirement. Does this really ensure the control was accurate throughout the year, or only at the time of the audit? Can you prove with 100 percent confidence that throughout the year the environment did not communicate outside of the accepted boundaries? The network gives you the ability to go back through the year and prove the control was in place and no unauthorized communication took place.
These are a few examples of the challenges and risks of relying on a hard exterior only.
As the operational environment continues to evolve and IP becomes more prevalent deeper within it, there is an opportunity to gain greater visibility by leveraging telemetry data that your operational environment may already produce today. Note: Not all flow data is the same, but leveraging a technology that supports multiple flow formats is advantageous to the consumer, allowing for greater coverage. Additional note: If the operational environment does not support flow data but can mirror traffic with SPAN, consider introducing capabilities that generate flow records from SPAN sessions. Always consider the capabilities of the networking gear you purchase, as it may limit your ability to get rich analytics out of the network in areas where other visibility capabilities are limited. You must know how your network behaves in order to know when it is misbehaving.
Leveraging the network not only provides visibility into the operational process but also assists in troubleshooting the environment. Consider the following business outcomes:
• Creating a logical boundary within the operational environment to alarm on communications activity that violates the logical trust boundary. Business outcome: Identify risks to the environment earlier in the process maintaining secured and trusted operations.
• Anomaly detection discovered a compromised camera port scanning the network. Business outcome: Significantly reduced time to detect, which allows the team to mitigate the threat sooner. Operations maintained.
• A problematic wireless access point on a factory floor that was occasionally flooding the plant floor with goofy packets. Business outcome: Mitigate the issue sooner and ensure the integrity of the network is maintained.
• Connectivity aberrations in the distribution network – abnormal (not necessarily an attack). Business outcome: Optimized the network ensuring maximum operational uptime before the incident is realized within the operational environment.
• Systems chatting with things that were supposed to be retired. Business outcome: Removed retired assets reducing the potential threat vector from the environment and optimizing the environment.
• A spike in traffic that was not an attack itself, but an indicator of change that may have disrupted the operational network if left unexamined. Business outcome: Quickly identified the issue, which allowed the right team to be engaged to mitigate the spike in traffic. This also removes the concern about a potential security breach, optimizing resource allocation and reducing mean time to repair.
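The following is an added example, not the author’s or any vendor’s code, showing in miniature the three analytics the article describes: a learned baseline of flow records, a logical trust boundary that alarms on zone-to-zone communication the policy does not allow, and a simple port-scan heuristic like the one that would catch the compromised camera. The zones, policy, thresholds and flow records are all constructed for illustration.

```python
"""Flow-record analytics over constructed IPFIX-style telemetry (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed logical trust zones of an OT network (the article's "logical boundary").
ZONES = {"plc": ip_network("10.10.1.0/24"), "hmi": ip_network("10.10.2.0/24"),
         "cameras": ip_network("10.10.3.0/24"), "enterprise": ip_network("10.20.0.0/16")}
# Constructed zone-to-zone policy; any pair not listed violates the trust boundary.
ALLOWED = {("hmi", "plc"), ("enterprise", "hmi"), ("cameras", "enterprise")}

# Constructed flow records (src_ip, dst_ip, dst_port). BASELINE stands in for the
# learned "normal" window; CURRENT is the window being analysed.
BASELINE = [("10.10.2.5", "10.10.1.7", 502),    # HMI -> PLC Modbus
            ("10.20.3.9", "10.10.2.5", 443),    # enterprise -> HMI web
            ("10.10.3.4", "10.20.9.1", 554)]    # camera -> enterprise RTSP
CURRENT = BASELINE + [("10.20.3.9", "10.10.1.7", 502)]            # enterprise host -> PLC
CURRENT += [("10.10.3.4", "10.10.1.7", p) for p in range(1, 26)]  # camera sweeping 25 ports

def zone_of(ip):
    """Zone name for an address, or "unknown" if it is outside every zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def boundary_violations(flows):
    """Count flows per (src_zone, dst_zone) pair that the policy does not allow."""
    counts = defaultdict(int)
    for src, dst, _ in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            counts[pair] += 1
    return dict(counts)

def new_conversations(baseline, current):
    """Flow tuples absent from the baseline window: behaviour the baseline never saw."""
    return sorted(set(current) - set(baseline))

def scan_suspects(flows, min_ports=20):
    """Sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for src, _, dport in flows:
        ports[src].add(dport)
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(boundary_violations(CURRENT), scan_suspects(CURRENT))
```

Real platforms learn the baseline statistically over weeks rather than from a literal set, but the retained flow tuples are also what lets you answer the audit question above: whether any communication crossed the boundary during the year.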
Network Behavioral Analytic Platforms
Network behavioral analytic platforms provide deep visibility at scale using metadata (flow data) from the network.
These platforms can also provide full or selective packet capture in areas where you must retain the packets themselves for compliance or other reasons. This tool can be leveraged by a variety of teams, including operational teams, networking teams, application teams, security teams, audit/compliance teams, and the super hero team (one person doing many roles).
Network behavior-based analytic platforms with machine learning and security intelligence should be deployed 100 percent out-of-band, so the analytics never sit in the path of process traffic; this is a recipe for success within the operational environment.
Jason Maynard is a senior consulting system engineer for cybersecurity at Cisco.