Baselining and Beyond: What's New in OT Security Add-On v2.2

Today, we are happy to announce that version 2.2 of the OT Security Add-On for Splunk is now available on Splunkbase.  This update adds capabilities based on industry best practices and customer feedback and is designed to help companies mature in their OT security journey.  

Evolution

Over the last year, Splunk has seen tremendous interest from customers looking to implement our OT Add-On into their production environments.  This growing adoption has allowed us to get feedback from our customers about the highest value features, areas for improvement, and additional capabilities.  As a result, we have made many enhancements (including bug fixes) to improve the OT Security Add-On.

Improved Integration With Risk Based Alerting

One of the biggest challenges customers have with bringing in data from a new environment and new data sources is the impact it could have on their security monitoring teams.  Many tools can produce thousands of alerts daily, which may have limited security value.  In addition, when organizations first begin to monitor OT data, they often detect suspicious activity that may be benign and serves as a distraction from higher value activities.  Triggering a notable for each security alert can lead to an overwhelmed security team responding to false positives, especially if they are unfamiliar with how to deal with OT security events. 

With Splunk’s risk-based alerting (RBA), an organization can consolidate all of those alerts and produce fewer Splunk notables based on factors like priority, asset types, or severity to cut down on this noise and make notables more actionable.  At the same time, it is essential that the analyst has access to the details of what led to that notable being created so they can respond accordingly.  Several pre-configured OT-specific RBA factors have been added that enable users to define the most appropriate response to an incident that balances the need to continue operations with the need to prevent damage.    Additional ready-to-implement RBA correlation rules exist based on asset, user behavior, and facility or site level.  These correlation rule thresholds can then be customized to an individual customer environment.  Each provided correlation rule also has a risk analysis response action, which can be customized and leveraged by RBA alerts.

Moving Beyond Good

Splunk’s Security Field Solutions team is guided by our maturity model for OT Security.  This includes monitoring the perimeter (good), monitoring IT and OT Software systems (better), and ultimately the physical process and control layer (best) to protect all of the OT environment.  Since our last release we heard overwhelmingly positive feedback on the perimeter monitoring aspects of the solution and wanted to go further and help our customers mature in their security journey.  We have heard from our customers that they would like to go beyond perimeter monitoring and have more out-of-the-box content for monitoring the IT within their OT environment and consolidate OT Security data into a single place to look across different technologies.

As part of this release, we are including content for going beyond the perimeter to understand systems like Active Directory, account management, host access, system changes, endpoint protection, use of external media devices, and file share access.  This additional content focuses on industry best practices and evolving OT threat landscape.

Baselining Assets and Devices

In earlier versions of the OT Add-On Splunk released some features around the baselining of asset configurations for computers and networks (based primarily on NERC CIP requirements).  While useful for identifying deviations, the process of building these baselines could be difficult and largely manual.  Baselining is a common practice used to harden OT environments, where sometimes security teams cannot deploy specific security protections.  As a result, and partly due to the more static nature of these environments, some customers seek to harden endpoints by ensuring consistent software, services, ports, and other configurations are set up on endpoints.

Splunk has added the ability to build baselines from the data known about endpoints.  The first type of baseline allows endpoints to be gathered together into groups.  For example, if all SCADA servers should be running the same software, those machines can be grouped so only a single baseline needs to be defined for software, versus having to build separate baselines for each machine.  The second type of baseline specifies a hardware or software configuration such as network port configurations, computer software versions, service status, and operating system (these baselines are included). Still, as always, if the out-of-the-box baselines are not enough, you can configure new baseline types within Splunk without needing to update the underlying app.

Along with the ability to build these baselines comes several dashboards that use the baselines to identify deviations.  For example, on the Computer Baselines dashboard, users can detect the wrong version of operating systems installed or software installed that isn’t approved or is missing on an endpoint.

MITRE ATT&CK for ICS

Early on, we wanted to make sure customers could leverage MITRE’s ATT&CK framework for ICS.  In previous versions, we prioritized getting the ability to map detections out. Still, with the latest version, MITRE ICS detections can easily be added to correlation rules and leverage the existing pre-built framework mapping mechanism of Enterprise Security (ES) to make sure our customers can take advantage of all security frameworks.  We didn’t forget the general MITRE ATT&CK, CIS 20, NIST, or Kill Chain - every correlation rule provided by the add-on is pre-mapped for anyone who wants to use other security frameworks.

Use Case Library

Splunk’s Enterprise Security (ES) provides a ton of functionality and our team has worked to make sure the OT Add-On takes advantage of all of these features.  This includes making sure macros can be directly configured from ES’ configuration page, additional linking between dashboards, and taking advantage of existing ES security frameworks.  ES’s Use Case Library helps customers better understand how to apply both the OT Add-On and existing ES and ES Content Updates (ESCU) detections.  Mappings to security frameworks and existing correlation rules now come shipped with the OT Add-On, and you can find them in the new use case category for OT Security.

Additional Enhancements

We want to ensure the OT Add-On is versatile enough to address unique situations and environments.  As a result, we have added mechanisms that allow customers to customize exactly how they identify their OT assets so they show up in dashboards correctly.  

This allows assets to be displayed with the same icons and fields across the entire add-on.  Previously asset names were displayed mainly based on the original data sources, such as firewall data which often includes IPs or Windows security logs that use DNS or host names.  This sometimes made it difficult for users to correlate activity across data sources when different names were used.  In the latest version, users can now specify which field to display and choose what asset names are used based on what is available.

What Next?

Going forward, we plan to have more maintenance releases to speed the pace of innovation and provide updates more frequently.  Customer feedback has been essential to the features we’ve added in this release, and we will continue to pay close attention to what you need.  If you have questions, or feedback, or would like to know more about the OT Security Add-On for Splunk, contact us at otsecurity@splunk.com.