RSA Solution Brief - SIEM Advanced Threat Detection
Threat Detection
Visibility, Security and Control Across
Your IT and OT Environment
• Full and instant inventory management down to firmware and patch level on each and every device
• Audit and paper trail as to who made what changes when
• Full forensic capabilities that provide context when an incident occurs
Today’s attacks are significantly more sophisticated and include zero-day and targeted attacks, social engineering, and spear phishing—all designed to establish a beachhead and modify or destroy critical industrial operations. The key to a successful breach is to keep the nefarious activity undetected for as long as possible.
Unlike IT networks, Industrial Control Systems lack a proper foundation of visibility and security controls. Most devices don’t require authentication, making it difficult to prevent unauthorized access to, or changes on, critical devices. In addition, there are no event logs or historical data to help with event detection and response. Without this foundation of visibility and control, added challenges emerge in managing assets, detecting threats, and managing system configurations in OT environments.
The RSA NetWitness Platform provides pervasive visibility across a modern IT infrastructure, enabling better and faster detection of security incidents, with full automation and orchestration capabilities to investigate and respond efficiently. RSA NetWitness Platform takes security “beyond SIEM,” extending the traditional log-centric, compliance-focused approach to security to include state-of-the-art threat analytics, including user and entity behavior analytics (UEBA), and visibility into cloud, network and endpoints. Organizations are experiencing a rapidly changing threat environment, and they need tools and services that can keep up with the changes. RSA NetWitness Platform is designed to offer the maximum amount of visibility, with automated analysis and prioritization, in the context of the real business risk of a threat.
Indegy provides situational awareness and real-time security for industrial control networks to ensure operational continuity and reliability. The Indegy Security Suite delivers comprehensive visibility and oversight into all OT activities, whether they are network based, device based or take place on industrial controllers. These include changes to controller logic, configuration and state across all vendor devices, network communication patterns, rogue devices, malware propagation, and more. This is done by utilizing both a Deep Packet Inspection engine for proprietary control communications and Device Integrity technology that is able to query devices safely in their native communication protocols without ever affecting them. This allows for validation of PLC and PC firmware/OS, code/software and configuration. Indegy provides a critical feed into RSA’s NetWitness Platform and delivers visibility, security and control for your operational environment. This, combined with the native capabilities of the NetWitness Platform, delivers the intelligence required across both the OT and IT environments.
Results
The interoperability between Indegy® and RSA NetWitness solution offers […] processes. As part of the joint solution, monitoring occurs across the IT and OT environments to ensure early and […]
• Improved security automation, sensing and visibility
• Better decision making based on more detailed information
• Proactive maintenance and reduced response times to unforeseen disruptions
Activity Policies relate to the activities in the network (i.e. the engineering commands that impact controllers’ state and configuration). It is possible to define specific activities that always generate alerts, or to designate a set of criteria for generating alerts, for example when certain activities are performed at certain times and/or on certain controllers. Both blacklisting and whitelisting of assets, activities and schedules are supported.
Controller Policies relate to changes that take place in the controllers in the network. This can involve changes in the state of a controller as well as changes to the firmware, asset properties, hardware/module changes or code blocks (done over the network or locally on the device). The policies can be limited to specific schedules (e.g. a firmware upgrade during a work day) and/or specific controllers.
Network Policies relate to the network assets and the communication streams between assets. This includes assets that were added to or removed from the network, and traffic patterns that are anomalous for the network or that have been flagged as a cause for concern, for example an engineering station communicating with a controller using a protocol that is not part of a pre-configured set of protocols. These policies can be limited to specific schedules and/or specific assets.
Data Plane Policies detect changes in set-point values that can harm the industrial process. These changes may result from a cyber attack or from human error.
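As an added illustration (not code from this brief, from Indegy or from RSA), the following Python models the four policy types above as a small rule evaluator run over constructed OT events; the event schema, the policy values, the asset names and the alert labels are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Event:  # hypothetical OT event schema constructed for this example (not Indegy's format)
    ts: datetime              # time the event was observed
    src: str                  # asset issuing the command (e.g. engineering station)
    controller: str           # target controller
    protocol: str             # protocol seen on the wire
    activity: str             # engineering command or data-plane write
    firmware: str = ""        # firmware version the controller reports
    setpoint: "float | None" = None   # value written, for data-plane events

# Hypothetical policy set modelled on the four policy types described above.
POLICY = {
    "maintenance_hours": range(8, 18),                    # activity policy: schedule
    "blocked_activities": {"firmware_upgrade"},           # activity policy: blacklist
    "allowed_activities": {"read_status", "download_logic", "write_setpoint"},
    "baseline_firmware": {"plc-01": "v2.3.1"},            # controller policy
    "allowed_protocols": {"modbus", "s7comm"},            # network policy
    "known_assets": {"eng-ws-01", "plc-01"},              # network policy
    "setpoint_limits": {"plc-01": (10.0, 50.0)},          # data-plane policy
}

def evaluate(ev: Event, policy: dict = POLICY) -> list:
    """Return the policies the event violates; an empty list means no alert."""
    alerts = []
    # Network policy: assets outside the inventory, or protocols not pre-configured.
    if ev.src not in policy["known_assets"] or ev.controller not in policy["known_assets"]:
        alerts.append("network:unknown_asset")
    if ev.protocol not in policy["allowed_protocols"]:
        alerts.append("network:unexpected_protocol")
    # Activity policy: blacklisted commands always alert; allowlisted ones alert only off-schedule.
    if ev.activity in policy["blocked_activities"]:
        alerts.append("activity:blacklisted")
    elif ev.activity not in policy["allowed_activities"]:
        alerts.append("activity:not_allowlisted")
    elif ev.activity != "read_status" and ev.ts.hour not in policy["maintenance_hours"]:
        alerts.append("activity:outside_schedule")
    # Controller policy: reported firmware differs from the recorded baseline.
    baseline = policy["baseline_firmware"].get(ev.controller)
    if ev.firmware and baseline and ev.firmware != baseline:
        alerts.append("controller:firmware_changed")
    # Data-plane policy: set-point written outside the range the process tolerates.
    limits = policy["setpoint_limits"].get(ev.controller)
    if ev.setpoint is not None and limits and not (limits[0] <= ev.setpoint <= limits[1]):
        alerts.append("dataplane:setpoint_out_of_range")
    return alerts

# Constructed samples: a daytime status read, and an off-hours logic download from an unknown host.
BENIGN = Event(datetime(2024, 5, 6, 10, 0), "eng-ws-01", "plc-01", "modbus", "read_status", "v2.3.1")
SUSPECT = Event(datetime(2024, 5, 6, 2, 30), "laptop-99", "plc-01", "http", "download_logic", "v2.4.0", 75.0)
```

`evaluate(SUSPECT)` returns one label per policy family that fired, which is the kind of multi-policy context a SIEM analyst would want attached to a single OT alert.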
About Indegy
Indegy, a leader in industrial cyber security, protects industrial control system (ICS) networks
from cyber threats, malicious insiders and human error. The Indegy Industrial Cyber Security
Suite arms security and operations teams with full visibility, security and control of ICS activity
and threats by combining hybrid, policy-based monitoring and network anomaly detection with
unique device integrity checks. Indegy solutions are installed in manufacturing, pharmaceutical,
energy, water and other industrial organizations around the world.