Detection in Depth Maturity Model

Posted on by
3

I have been discussing the idea of doing detection depth pretty heavily lately. One of the biggest questions I have been getting is about maturity of detection efforts and the effectiveness of various types of controls. Here is a quick diagram I have created to help discuss the various tools and where they fit into the framework of detection capability versus maturity/effectiveness.

The simple truth is this, the higher the signal to noise ratio a detection initiative has, the better the chance of catching the bad event. Detections layered together into various spots work better than single layer controls. In most cases, the closer you get to an asset, the more nuanced and focus (also higher signal to noise ratio) the detection mechanisms should become.
 
That is, for example – a tool like a script detecting new files with “base64decode()” in them on a web server is much higher signal than a generic IDS at the perimeter capturing packets and parsing them against heuristics.
 
When the close controls fire an alert, there better be a clear and present danger. When the distant controls alert, there is likely to be more and more noise as the controls gain distance from the asset. Technology, detection focus and configuration also matter A LOT. 
All of that said, detection only works if you can actually DO something with the data. Alarms that fire and nothing happens are pretty much useless tools. Response is what makes detection in depth a worthwhile, and necessary, investment.

Presentation Slides Available from The Ohio SCADA Security Symposium

Posted on by
Reply

Although we had a panel discussion, (and some presentations that were confidential) we do have a few we can share. If you’d like to view the slides for them, please visit our presentation page. We’re looking forward to doing this again next year! Thanks to all who came and to our speakers, who were very generous with their time and expertise!

How To Increase Cooperation Between SCADA/ICS and the IT Department

Posted on by
Reply

 

Here is a mind map of a set of ideas for increasing the cooperation, coordination and socialization between the ICS/SCADA operations team and their traditional IT counterparts. Last week, at the Ohio SCADA Security Symposium this was identified as a common concern for organizations. As such, we wanted to provide a few ideas to consider in this area. Let us know in the comments or on twitter if you have any additional ideas and we’ll get them added to a future version of the mind map. Click here to download the PDF.

Thoughts From The Ohio SCADA Security Symposium

Posted on by
Reply

 

 

This week, I had the distinct pleasure of playing MC at the 1st annual Ohio SCADA/ICS Security Symposium. The event was held in Columbus Ohio and offered a variety of speakers from federal, state and local government, as well as panels on controls that work and projects that have failed to succeed that included representatives from power, gas, water and manufacturing. These were powerful discussions and the content was eye-opening to many of the participants.

First, I would like to say thank you to all who were involved in the symposium. Their efforts in organizing, executing and attending the event are greatly appreciated. Feedback about the event has been spectacular, and we all look forward to participating again next year.
 
That said, one of the largest identified issues among the conversations at the symposium was the idea that cooperation and coordination between control network operators and engineers and their peers on the traditional business-oriented IT staff is difficult, if not nearly impossible.
 
This seems to be a common conundrum that many organizations are facing. How do you get these two sides to talk? How do you get them to participate in conversations about best practices and technology advances in their respective areas? It seems, that even though these two camps share similar architectures, common dependencies and often similar skill sets, that those things are still not enough to bring them together.
 
In the spirit of the symposium, and in the conversation openness that we identified and encouraged, I would like to ask for your input on this topic. What does your organization do to facilitate open communications between these two groups? What works for your teams? If you haven’t had success, what have you tried and why do you think it failed? Please feel free to discuss in the comments, on the OhioSCADA group on LinkedIn or even reach out to me personally on twitter (@lbhuston).
 
As always, thanks for reading and I look forward to the conversation that follows. Maybe together, we can identify some strategies that work and potentially bridge the gap between these two stakeholding groups. Clearly, from the discussions at the symposium, if we can fix this we can go a long way toward helping ourselves better the security posture and operational capabilities of our environments.

MSI Strategy & Tactics Talk Ep. 14: Security Rants and More!

Posted on by
Reply


This edition covers a variety of topics —  Discussion questions include:

  • Footprinting and understanding environments
  • Attack against Mitsubushi and Japan
  • Security with corporate networks and SCADA
  • Where information security is going as an industry

Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MicroSolved’s HoneyPoint Wasp Nominated for TechColumbus Innovation Award

Posted on by
Reply

MSI is proud to announce their nomination in the annual Innovation Awards, sponsored by TechColumbus, which recognizes outstanding achievements in technology leadership and innovation. HoneyPoint Wasp has been nominated for Outstanding Product for companies with 250 employees or less. 

We’re thrilled to be nominated. We believe our HoneyPoint Wasp is an excellent product, helping our clients battle bots and malware on their desktops. For more information, please read our press release and visit our HoneyPoint webpage. We look forward to the Awards Dinner in February 2012. Good luck to everyone who has been nominated!

Central Ohio ISSA Presentation: “Social Media Threats: Real, Imagined, & Maybe…”

Posted on by
Reply

Brent Huston, CEO and Security Evangelist of MicroSolved, Inc., delivered a fascinating presentation on social media security. In this talk, Brent discusses:

 

  • The explosive growth of social technology 
  • Conspiracy theories – what is real and what is imagined 
  • Where the real threats exist 
  • What controls you can use to minimize risk 
  • What you can do to deal with social media’s security risks

To download the slide deck and audio, click here for the zip file.

And as always, stay safe out there!

Reason #1 To Attend Ohio SCADA Symposium: DHS Warns “Hacktavists” Are Focusing on Control Systems

Posted on by
Reply

The Department of Homeland Security recently warned:

“…that Anonymous hacktivists may cyberattack industrial control systems. In fact, the Department of Homeland Security and Idaho National Laboratory have engaged in mock hack-offs to wreak havoc and to highlight the vulnerabilities at factories, electrical plants and chemical facilities.”

Full story

It isn’t a surprise that attacks are increasing on industrial control systems. Claiming responsibility for knocking out an electricity company may seem cool, but I’m not sure how “cool” it would be when they realized they knocked out their own Internet and cable connection.

This brings up a great reason to attend our Ohio SCADA Security Symposium on November 1. Click here for details!

MSI Strategy & Tactics Talk Ep. 13: SCADA & Handling Threats In a Post-Stuxnet World

Posted on by
Reply


SCADA is becoming a hot property among security professionals who work with Industry Control Systems (ICS). During this discussion, our team tackles how to view threats and respond accordingly. Discussion questions include:

  • How can organizations get their heads wrapped around what it takes to secure a modern SCADA/Business environment hybrid?
  • What happened to the air gap approach that we hear so many SCADA history folks talk about? Why did that model break down? Why can’t we go back to it?
  • What happens to threats against SCADA/ICS as mobile integration, smart grid components and other disruptive technologies come online?
  • How can SCADA/ICS security teams engage with other security professionals and each other?

 
Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MSI Announces The Ohio SCADA Security Symposium

Posted on by
Reply

The need for the latest information about SCADA/ICS is extended to Ohio businesses and utility companies and supports security for Ohio. We’d like to invite all Ohio SCADA/ICS professionals to attend this free event!

The Ohio SCADA Security Symposium, to be held on November 1, 2011 in Columbus, Ohio, is designed to serve as a level set for teams and organizations who are actively managing production SCADA and Industrial Control System (ICS) environments in Ohio.

A full one day session will include best practices advice, incident response, detection techniques and a current threat briefing focused on SCADA/ICS providers. Presenters will cover a variety of topics about what is working and what is not, in terms of information security, network protection and trust management.

Takeaways from this event will include peer networking, insights into emerging threats, action items for actively improving the availability, integrity and confidentiality of control systems, utility networks, manufacturing lines and other SCADA/ICS concerns.

Topics include: How the State Is Here to Help You, Physical Security, Assessment of SCADA/ICS Environments, Cyber Security, Honey Pots in SCADA/ICS Environments, and The FBI Viewpoint. Key participation will feature NiSource, American Electric Power, American Municipal Power, Greater Cincinnati Water Works, Ohio PUCO, the Department of Homeland Security, and the FBI.

The event runs from 8:30 AM to 6:00 PM. Registration opens at 8:00 AM and is free. Those who work with SCADA/ICS are invited to attend. RSVP’s can be sent to mmaguire@microsolved.com. Please include your contact information. Seating is limited and available ONLY to those individuals actively working in Ohio with SCADA/ICS components.

MSI looks forward to providing an excellent event that will help organizations secure their SCADA/ICS systems and discuss best practices and industry standards at the event!