By Dragos Team

In the industrial control systems (ICS) industry today, defensible networks are required for organizations to maintain safe and reliable operations. In order to establish those defensible networks, defenders must understand what assets are on their networks and what information those assets can offer before and during an incident.

Though many organizations have pursued the development of asset hardware and software inventories to address security needs, these approaches do not fully address the needs of security personnel, such as incident responders and security operations staff who must prepare and conduct investigations into adversary activity in their industrial environments.

In order for organizations to proactively detect network intrusions and respond to them efficiently, they must go beyond the basic capabilities of asset inventories and develop an internally-focused collection management framework (CMF).

What is a CMF?

A collection management framework is a process that documents and institutionalizes data sources that are available to defenders, including what information is available and how long that data is retained.

Why is it Important?

CMFs allow defenders to understand the visibility and lack of visibility in their industrial environments, so they can more effectively prepare for and respond to cyber threats within their organizations.

What are the Phases of a CMF?
  1. Develop requirements that reflect an understanding of business risks
  2. Develop a collection plan using available data sources internal to the enterprise
  3. Implement your collection plan with a focus on the creation of new procedures and identification of new data sources that can be internally leveraged
  4. Test and understand the implications of the collection plan to ensure its effectiveness (which could include prioritizing additional security controls)
  5. Update your collection plan to make adjustments for requirements and collection sources that are no longer relevant, and communicate those changes to all teams

Though various styles of collection management exist and will be determined by the organization’s cultural and data source differences, developing a CMF is an effective process to implement the right collection plan for your organization and to help its defenders prepare for and respond to cyber threats more effectively and efficiently.

For more in-depth information about CMFs, please read: Collection Management Frameworks: Looking Beyond Asset Inventories in Preparation for and Response to Cyber Threats