Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

How to Jumpstart Your NIST CSF for OT Environments: Respond Function

Sandeep Lota, Sr. Systems Engineer | March 12, 2020

Building on our previous blog posts, we’ll now dive into some of the more advanced use cases we’re seeing in the field for the Respond function of the NIST Cybersecurity Framework (CSF). This Function requires organizations to develop and implement the appropriate activities to take action if a cybersecurity incident is detected. Its intent is to improve the ability of an organization to contain the impact of a potential incident. Some examples of categories within this function include response planning, communications, event analysis, and mitigation.

Here are some use cases from industry leaders who are using Forescout to help comply with NIST CSF’s Respond function in their operational technology (OT) environments:

  1. Bi-directional integrations between security technologies to enable quick threat response
    Industry leaders are going beyond one-way communications like sending out Syslog data to a SIEM or asset inventory data to a RESTful API. Using our 70+ bi-directional integrations with other technologies like CMDBs, NGFWs, endpoint micro-segmentation technologies and SIEM, our solution can automatically create SOC tickets when suspicious alerts are detected and even quarantine malfunctioning, suspicious, or rogue devices. This allows our customers to not only mature their incident response plans, but also get the maximum ROI on all of their technologies.
  2. Enriching OT threat detection data with IT data sets
    IT/OT convergence is accelerating, and many of our most forward-thinking customers are using our platform to take OT data from an event of interest and compare it with IT data to understand the context of a threat, such as where it initiated and how it spread. Having both IT and OT data together on a single pane of glass helps improve collaboration among incident responders, while also helping to contain a potential threat more quickly.
  3. Automating response workflows to trigger based on threat conditions and policy violations
    Operational efficiency is always first and foremost on our mind. Any opportunity to make our customer’s lives easier is a big win for us, which is why we’ve built so many automation capabilities into our OT solution. As mentioned in previous posts, our customers are using our solution to not only create advanced segmentation strategies, but also to enforce them. If a policy is violated or a threat is detected on a certain network segment, a workflow can be triggered for a specific corrective action to take. This can be anything from email notifications to ticket creation, or a quarantine VLAN assignment.
  4. Reducing overall response times for investigations of suspicious alerts or alarms
    The data from our OT solution provides our customers with an understanding of when and where a suspicious event occurred, so they can quickly assess and determine (or automate) the appropriate remediation actions to take. Leveraging those bi-directional integrations and workflow automation capabilities, our industry-leading customers are empowering their teams to respond to a suspicious event faster than if they were using fragmented tools, which helps reduce the overall mean time to respond (MTTR) for security events.

Want more details on how OT industry leaders are increasing their maturity for the Respond function? Check out the short video below and then:

Demo Request Forescout Platform Top of Page