Forgive me for stating the obvious, but IT-OT/ICS environments are incredibly complex. SOC teams need better tools that provide contextual information about connected devices and network operations in a coherent, quickly digestible way. Splunk started the ball rolling in August 2020 with its OT Security Add-on release, expanding the Splunk Enterprise Security platform’s ability to improve threat detection, incident investigation and response. And now, Forescout takes a giant step in that same direction with the new version of the Forescout OT Network Security Monitoring App for Splunk.
More comprehensive OT device visibility and context delivered to your Splunk SIEM
When a cyberthreat surfaces, asset owners must detect and respond rapidly to avoid potential downtime that, on average, costs large enterprises more than $100,000 per hour, according to a recent survey.1
To minimize the potential for disruptions and downtime, IT and OT managers must see threats and respond quickly with the most effective mitigation actions. This requires multifunction ecosystems that integrate best-in-class solutions. It’s the only way to effectively respond to threats, reduce management workloads and fully maximize return on investments previously made to existing infrastructure.
The Forescout OT Network Security Monitoring App for Splunk is built for this purpose. It’s the ideal solution for industrial asset owners who want to integrate rich OT asset intelligence and threat detection capabilities into their existing Splunk installation. With the Forescout application for Splunk, users can leverage the exceptional OT device visibility and threat detection capabilities of eyeInspect to defend their OT/ICS networks from operational failures and cyberattacks, such as Ripple 20, WannaCry, NotPetya and TRITON.
How does it improve incident/threat response times?
Through the integrated Security Dashboard, the app helps users identify and correlate alert trends with other network activity, enabling faster detection of anomalies, cyberthreats, dangerous commands sent to OT devices and device misbehavior. This results in enhanced situational awareness and reduction of Mean Time to Response (MTTR) by providing the context needed to determine the most efficient mitigation action.
Is it an effective asset management tool?
Yes. By correlating Forescout eyeInspect and Splunk SIEM data, the app offers an Asset Inventory Dashboard to provide SOC teams with high-value device information to gain a richer context of the OT network, better identify unexpected changes in the network and prioritize investigations. With this heightened awareness, analysts can quickly and confidently acknowledge new assets, communication patterns and protocols on the network, making asset inventory and maintenance processes more efficient.
What can it do in terms of system health and user activity oversight?
With the Administrative Dashboard the user can retrieve deep insights on system health status and user activity from eyeInspect, thus helping to detect undesired user activity while helping to prevent system damage and disruptions.
What are the Key Features of the Forescout OT Network Security Monitoring App for Splunk v1.1?
- Tight integration with the Splunk OT Asset Data Model. The integration provides security analysts with visibility across all the zones of the enterprise perimeter and enables stronger control of potential security gaps resulting from IT-OT convergence. It also allows better organization and representation of asset inventory and vulnerability data captured by Forescout eyeInspect. Specifically for North American power customers, this Forescout-Splunk integration provides for the smooth transfer of NERC CIP-relevant information that was previously contained in eyeInspect only.
- Automated Alert Mapping on the Alert component of the Splunk Common Information Model (CIM). This enables OT security components to be fully integrated into reports, correlation searches and dashboards to present a unified view of the enterprise domain. Users can display normalized data in the dashboards provided by other Splunk applications such as Splunk Enterprise Security or any other application supporting the CIM.
- Multi Command Center (CC) support: The Splunk OT Security add-on can receive events from multiple CCs, identifying which CC generated the event. This is essential in today’s multi-tier deployments for large enterprises, where Splunk becomes the final point of integration of the security ecosystem.
1 ITIC’s Hourly Cost of Downtime Survey, June 2020