Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

How to Jumpstart Your NIST CSF for OT Environments: Detect Function

Brian Proctor, Principal OT Strategist – Americas | March 3, 2020

Continuing our blog series on how to jumpstart your NIST Cybersecurity Framework (CSF) maturity, we’ll now dive into some of the industry-leading use cases we’re seeing for the Detect function. This is the function that really brought operational technology (OT) security to the mainstream back in the early 2010s when some of the first intrusion detection technologies for control systems (like ours) were introduced to the market. Security activities categorized under the Detect function can include everything from implementing continuous network security monitoring, as mentioned above, to assembling a blue team that proactively hunts for indicators of compromise (IoCs) on your network.

Whatever tactics you use, the spirit of this function is to implement procedures and technologies that can identify the occurrence of a cybersecurity event. Here’s how our most innovative customers are applying the Detect function in their OT environments:

  1. Focusing on techniques, tactics and procedures (TTPs) mapped to MITRE ATT&CK or Cyber Kill Chain
    Our customers are moving away from just analyzing alerts and shifting their focus to TTPs. This enables security teams to focus resources on those events that are further down the kill chain to potentially prevent an attack from being successful. Using a framework with a common nomenclature like the MITRE ATT&CK Framework for ICS or the Cyber Kill Chain can help accurately prioritize these events and also facilitate better communication among incident responders.
  2. Automating ingestion of threat indicators and feeds into OT network monitoring system
    You probably have tons of industry, government and commercial threat feeds that you’re monitoring. Our most mature customers are taking information from those feeds and leveraging the threat data ingestion capabilities in our solution to turn that threat information into actionable intelligence to check for emerging threats in near real time.
  3. Analyzing historical OT analytics data for newly discovered TTPs and IoCs
    Building on the automated threat ingestion capabilities above, our customers take it one step further and go back in time with our Forensic Time Machine to analyze historical data and see whether a particular TTP or IoC from those threat feeds has been seen on the network in the past.
  4. Finding unknown threats via detection of malformed messages or protocols
    If a threat actor takes advantage of protocol vulnerabilities, or if a machine is simply malfunctioning and sending malformed packets, the effects could be devastating and potentially cause communication interruption or system downtime. Many of our more advanced customers are customizing their threat hunting for both security and operational issues by leveraging our extensible scripting engines and backend framework to really get inside packets and look at payloads to help make decisions about the health of their devices, as well as pull out telemetry information.

For more details on how our most forward-thinking customers are implementing the Detect function of NIST, watch the video clip from our presentation at S4x20 below and then:

Demo RequestForescout PlatformTop of Page