Cyberattacks are a major concern for industrial organizations around the world. Most have accepted the need for cybersecurity and invested in defensive technologies and practices recommended by automation suppliers and security consultants. This should protect operations from common hackers and malware. But, these passive defenses are often not enough to stop advanced, targeted attacks. To deal with these risks, industrial organizations need an active defense program guided by intelligence.
Defensive technologies and practices recommended by automation suppliers and security consultants are enough to stop common hackers and malware. But, critical industrial facilities need an intelligence-driven, active defense program to manage advanced, targeted attacks.
This report describes the requirements for an effective intelligence-driven, active defense program. It also discusses the offerings of Dragos Inc. relative to these requirements.
The SANS Institute defines active defense as "the process of analysts monitoring for, responding to, and learning from adversaries internal to the network." Active defense requires the right mix of knowledgeable people, proven processes and fit-for-use technology. The right people have expertise spanning cybersecurity, control systems and industrial processes. The right processes reflect an understanding of attacker behavior and defender best practices. The right technology integrates detection of suspicious behavior with capabilities for effective, efficient investigation and response.
Recently, ARC Advisory Group discussed this with executives at Dragos Inc., a company that offers active defense solutions. The company’s staff has extensive experience in industrial cyber defense and intelligence. They leverage this and the Dragos Platform technology solution to deliver threat intelligence, incident response, and management support.
The Dragos Platform passively identifies and visualizes industrial assets, monitors industrial facilities for threats using threat analytics, and codifies the Dragos team’s knowledge and expertise to recommend response actions and best practices to customers when issues arise.
ARC developed the Industrial Cybersecurity Maturity Model to help industrial managers understand their cybersecurity challenges without having to become cybersecurity experts. It enables managers to balance cybersecurity investments with their willingness to accept cyber risks and the cost benefits of additional security layers. This model also provides a convenient way to explain the differences between passive and active cyber defense.
ARC’s model breaks cybersecurity into a set of steps that incrementally reduce cyber risks. Each step addresses a specific, easily understandable, security issue like securing individual devices, defending plants from external attacks, containing malware that may still get into a control system, monitoring systems for suspicious activity, and actively managing sophisticated threats and cyber incidents. Each step has an associated set of actions and technologies that can be used to accomplish its goals. The model also shows the human resources and tools required to sustain and utilize the technology investments effectively.
While cybersecurity recommendations from automation suppliers and security consultants span all the steps in this model, ARC’s research indicates that most companies have only equipped their facilities with the passive, defensive technologies shown in the first three steps. Many organizations also lack the resources to maintain and use the more sophisticated defenses above this level.
This may be adequate for companies that can tolerate process disruptions. But operators of critical infrastructure cannot accept any unnecessary risks. They need to be prudent and ensure that their programs include active defense of all facilities, driven by an intelligence-based approach. This will ensure rapid root cause analysis and appropriate response to cyber threats that minimize the mean time to recovery for any incidents.
An effective active cybersecurity defense program requires continuous monitoring by people who can recognize and react to sophisticated cyberattacks. Intelligence provides them with the context and appropriate action recommendations for each threat. This often requires organizations to make additional investments in technology, people, and processes.
Industrial anomaly and breach detection is necessary for active defense, but not sufficient. A good anomaly and breach detection product will notify users of changes in endpoints or message patterns, but active defense requires additional features that support the needs of active defenders. These include:
As the ARC model illustrates, most organizations lack the resources for active defense. They could address this through training plant staffs, developing shared corporate resources, and contracts with external service providers. Whichever approach is chosen, the final team requires both expertise that spans cybersecurity, control systems, and industrial processes; plus the tools to do their work efficiently. Good defenders need to appreciate industrial constraints and have the knowledge to anticipate paths attackers may take to disrupt operations.
As ARC learned, Dragos offers a suite of products and services that span all active defense elements in ARC’s model and ICS-specific threat intelligence.
Experts in the Dragos Threat Operations Center can augment a company’s internal resources to help manage sophisticated attacks, support incident management, and train staff. Cy- bersecurity experts in Dragos Threat Intelligence group provide ongoing insight regarding actions a company should take to recognize and manage emerging threats to industrial plants and infrastructure operations.
The company’s flagship product, the Dragos Platform, is designed to support active defenders. It codifies the knowledge of the intelligence and threat operations teams. Its capabilities and features reflect the company’s extensive experience in cyber defense. The company continuously updates the Dragos platform with threat behavior analytics, providing context to inform defenders about what they are looking at and recommending appropriate responses for new threats identified.
The Dragos Platform includes a data pipeline that collects network traffic information from passive network sensors and augments this with additional information from repositories like controller logs and alarms. The asset discovery module uses this information to develop asset maps and network connectivity patterns across all major industrial protocols. Information collected by the data pipeline is centralized and normalized, acting like an ICS SIEM (security information and event management) system.
Dragos’ threat behavior analytics are run across the collected data. Unlike conventional anomaly detection, behavioral analytics provide an intelligence-driven approach that incorporates specific threat context. This lowers the total cost of ownership of investigation for a company’s security team. The Dragos Platform also includes knowledge-based incident response playbooks and workflows that provide guidance based on the lessons learned by the company’s threat intelligence and operations team. The workbench provides user-friendly access to all platform capabilities.
The company demonstrated the capabilities of the Dragos Platform to several ARC analysts. This made it clear that any defender could gain significant benefits from its capabilities. ARC notes some capabilities that illustrate how this product differs from industrial anomaly and breach detection solutions. These include:
The passive, cybersecurity defenses used in most industrial cybersecurity programs may be adequate for low-risk facilities. But operators in critical industries need to recognize that, increasingly, they are on “the radar” of sophisticated attackers and must be able to ensure that their programs can defend against non-traditional, targeted attacks. Active monitoring and management of anomalies by qualified people is essential. Adopting a context-aware, intelligence-driven approach, like that offered by Dragos, can help ensure that these resources have the information and tools they need to be both effective and efficient.
For further information or to provide feedback on this article, please contact your account manager or the author at firstname.lastname@example.org. ARC Views are published and copyrighted by ARC Advisory Group. The information is proprietary to ARC and no part of it may be reproduced without prior permission from ARC
We don't require you to submit your information but if you would like to stay up to date with the latest news and events from Dragos, Inc then let us know who you are.