If you operate an industrial network, you know that it is important to recognize operational errors and malicious changes as fast as possible to prevent unsafe and costly conditions from emerging. But achieving this goal requires you to be able to ingest enormous volumes of data and reduce this to an actionable volume of events that indicate the presence of a problem.
You don’t have days to get this done. You need an answer in a matter of minutes.
Tripwire, a Belden company, and Claroty have teamed up to blend the power of log management with continuous threat detection to achieve this objective. Both companies have an extensive pedigree in industrial security, which makes their collaboration a powerful combination. In this blog post, I would like to discuss how Tripwire Visibility for ICS distills that mountain of data down to the small set of events that actually deserve a person's attention.
Sherlock Holmes once said, "When you have eliminated the impossible, whatever remains, however improbable, must be the truth." The process Holmes describes is essentially the one Tripwire Visibility performs to isolate operator errors and intrusions: finding the interesting data is a matter of throwing out the uninteresting data. That is, of course, easier said than done.
Fortunately, the nature of ICS networks makes the elimination of uninteresting data easier than it might otherwise be.
Unlike IT networks, ICS networks are designed to manufacture a consistent product and to perform service operations consistently and predictably. Every candy bar or gallon of gas coming off a production line should be identical. Every time a consumer plugs a fan or vacuum into a wall socket, the power delivered should be within an acceptable tolerance range. Unexpected change is the enemy of consistency.
This need for repeatability and consistency provides an advantage that security tooling can exploit. In ICS, the overwhelming majority of activity repeats with minimal variance. If the "normal" cadence of production can be identified, those events can be removed from consideration and attention focused on what remains. Machine learning systems are well suited to this purpose because they are not programmed with rules; they learn the baseline through direct observation of the traffic.
The machine learning capabilities embedded in Tripwire Visibility observe the operations of the ICS network for a small number of factory cycles, which takes anywhere from a few weeks to a month depending on the normal factory routines. From this observation, it learns how the network is expected to behave as it goes about the task of production. One caveat to keep in mind with any behavioral baseline is that it is only as trustworthy as the period it was learned from: whatever is on the network during learning, including a pre-existing compromise or misconfiguration, is learned as normal, and legitimate changes made afterwards (new equipment, maintenance work) will surface as anomalies until the baseline is updated.
When all of the events logged as part of normal operations are removed, the mountain of events is a small fraction of its former self. What remains is a collection of events that are either suspicious or ambiguous, and this is where the problem becomes more challenging.
The remaining pile of events is still far too large to evaluate efficiently with people alone. The term "alert fatigue" was coined to describe this problem: people do not perform well when given redundant and boring tasks. They lose focus, their attention wanes, and they begin to miss signs of intrusion among the noise. Processing a never-ending supply of false-positive alerts certainly counts as boring and redundant work, so additional automation is required.
The primary tool for further automated filtration is correlation. In Tripwire Visibility, correlation is a suite of programmable tests. Some tests are written to detect and discard innocuous behavior that the machine learning routines cannot easily recognize as normal; others are written to isolate bad behavior.
This includes tests to detect brute-force password guessing and the scanning activity attackers use to map out a network they are planning to attack. Tripwire Visibility ships with a large collection of pre-configured tests for events that occur in most networks, and customers can also write their own correlation tests.
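To make the two stages concrete, here is a toy version of the pipeline the last few paragraphs describe: learn a baseline of "normal" conversations from a learning window, discard live events that match it, and then run two correlation rules (brute-force logins and network scanning) over what survives, handing anything no rule explains to the analyst. This is an added illustration, not Tripwire Visibility's code; the log format, the signature used to define "normal", the thresholds and the sample events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real captures): "timestamp src dst proto operation result".
LEARNING_LOG = """\
2019-10-01T08:00:00 10.1.1.10 10.1.2.50 modbus read_holding_registers ok
2019-10-01T08:00:05 10.1.1.10 10.1.2.51 modbus read_holding_registers ok
2019-10-01T08:00:10 10.1.1.11 10.1.2.50 modbus write_single_register ok
2019-10-01T09:00:00 10.1.1.20 10.1.2.60 ssh login ok
"""

LIVE_LOG = """\
2019-10-28T08:00:00 10.1.1.10 10.1.2.50 modbus read_holding_registers ok
2019-10-28T08:00:05 10.1.1.10 10.1.2.51 modbus read_holding_registers ok
2019-10-28T08:00:10 10.1.1.11 10.1.2.50 modbus write_single_register ok
2019-10-28T08:01:00 10.1.1.20 10.1.2.60 ssh login ok
2019-10-28T08:02:00 10.1.1.99 10.1.2.60 ssh login fail
2019-10-28T08:02:03 10.1.1.99 10.1.2.60 ssh login fail
2019-10-28T08:02:06 10.1.1.99 10.1.2.60 ssh login fail
2019-10-28T08:02:09 10.1.1.99 10.1.2.60 ssh login fail
2019-10-28T08:02:12 10.1.1.99 10.1.2.60 ssh login fail
2019-10-28T08:05:00 10.1.1.99 10.1.2.1 tcp connect ok
2019-10-28T08:05:01 10.1.1.99 10.1.2.2 tcp connect ok
2019-10-28T08:05:02 10.1.1.99 10.1.2.3 tcp connect ok
2019-10-28T08:05:03 10.1.1.99 10.1.2.4 tcp connect ok
2019-10-28T08:05:04 10.1.1.99 10.1.2.5 tcp connect ok
2019-10-28T08:05:05 10.1.1.99 10.1.2.6 tcp connect ok
2019-10-28T08:05:06 10.1.1.99 10.1.2.7 tcp connect ok
2019-10-28T08:05:07 10.1.1.99 10.1.2.8 tcp connect ok
2019-10-28T08:10:00 10.1.1.30 10.1.2.50 modbus write_single_register ok
"""


def parse(text):
    """Parse the constructed log format into event dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, op, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto, "op": op, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def signature(e):
    # Assumed definition of "normal": who talks to whom, over what, doing what, with what result.
    return (e["src"], e["dst"], e["proto"], e["op"], e["result"])


def learn_baseline(text):
    """Stage 1 learning: every signature seen in the learning window counts as normal.
    Caveat: anything present during learning, an intruder included, is learned too."""
    return {signature(e) for e in parse(text)}


def remove_baseline(events, baseline):
    """Stage 1 filtering: keep only events whose signature was never seen during learning."""
    return [e for e in events if signature(e) not in baseline]


def windowed(events, key, window):
    """Group events by key and yield (key, events) for each sliding window of length
    `window` starting at each event. Quadratic per group, fine for an illustration."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    for k, evs in groups.items():
        for i, start in enumerate(evs):
            yield k, [e for e in evs[i:] if e["ts"] - start["ts"] <= window]


def rule_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: N failed logins from one source to one target inside the window."""
    failures = [e for e in events if e["op"] == "login" and e["result"] != "ok"]
    hits = {}
    for pair, evs in windowed(failures, lambda e: (e["src"], e["dst"]), window):
        if len(evs) >= threshold:
            hits[pair] = max(hits.get(pair, 0), len(evs))
    return [{"rule": "brute_force", "src": s, "dst": d, "count": n} for (s, d), n in hits.items()]


def rule_scan(events, threshold=8, window=timedelta(seconds=60)):
    """Correlation rule: one source reaching many distinct destinations inside the window."""
    hits = {}
    for src, evs in windowed(events, lambda e: e["src"], window):
        targets = {e["dst"] for e in evs}
        if len(targets) >= threshold:
            hits[src] = max(hits.get(src, 0), len(targets))
    return [{"rule": "scan", "src": s, "targets": n} for s, n in hits.items()]


RULES = (rule_brute_force, rule_scan)


def distill(learning_text, live_text):
    """Run both stages and report how much survives each one."""
    baseline = learn_baseline(learning_text)
    live = parse(live_text)
    suspicious = remove_baseline(live, baseline)
    alerts = [a for rule in RULES for a in rule(suspicious)]
    flagged = {a["src"] for a in alerts}
    # Whatever no rule explains is the residue that goes to the human analyst.
    for_analyst = [e for e in suspicious if e["src"] not in flagged]
    return {"ingested": len(live), "after_baseline": len(suspicious),
            "alerts": alerts, "for_analyst": for_analyst}


if __name__ == "__main__":
    report = distill(LEARNING_LOG, LIVE_LOG)
    print(f"ingested {report['ingested']}, left after baseline {report['after_baseline']}")
    for alert in report["alerts"]:
        print("alert:", alert)
    for e in report["for_analyst"]:
        print("for analyst:", signature(e), e["ts"])
```

On the sample data the four routine Modbus and SSH conversations are dropped by the baseline, the five failed logins and the eight connections to distinct hosts collapse into one brute-force alert and one scan alert, and the single write from a source the baseline has never seen is the only event left for a person to judge. That last event is also a reminder of the caveat above: a baseline only vouches for what it has seen, so a new but legitimate engineering workstation looks exactly like this until the baseline is updated.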
We have made the process of writing correlation rules very easy. A graphical editor is included that uses flow-chart logic (similar to Microsoft Visio's user interface) to make new correlation rule development fast and painless. A screenshot is included below.
The same rule editor makes it possible to quickly build rules for conditions that are unique to your facility.
Once the collection of events has been reduced to a manageable level, the final step is to hand the remaining events to a human analyst to evaluate. Even here, Tripwire Visibility helps: forensic tools are provided to simplify and expedite the analysis.
As an example, a forensic analyst will shift between different views of the data to understand which devices have been affected and what changes have been made. Because the amount of data being sorted through is so large, rendering a new view can take a long time. We have made this much faster by indexing the data and storing it in a normalized form, so that it can be found rapidly and displayed in a way that is easy to read and absorb.
Tripwire Visibility for ICS combines the strengths of two proven leaders in industrial security to bring the industry a product that rapidly finds anomalous behavior and makes alerts both reliable and easy to process.
To learn more about how the strategic partnership between Tripwire and Claroty delivers visibility and monitoring of all networks and endpoints across the enterprise “from the shop-floor to the top-floor,” join our webcast on October 29.