Splunk For OT Security: Perimeter And Vulnerability Evolution

O

wners and operators of Operational Technology (OT) environments are being increasingly tasked with providing more information and security controls for their OT Environments, whether those demands are driven by the board, executive orders, or new regulations. One of the biggest fallacies that we encounter when our customers begin monitoring their OT environment is the idea that OT systems are air gapped and completely isolated from IT systems. In many cases, operational environments take in information to increase efficiency, meet business demands (such as contracts), or to run operations more efficiently. Data from OT systems often goes directly into business systems, and may be critical to operations. This can be directly shown by the recent Colonial Pipeline incident in which ransomware on a business system led to a shutdown of pipeline operations because that business system relied on operational information. The other common problem we encounter is data from the OT perimeter may be collected, but is not being analyzed or reviewed for security threats, yet, current events show how critical the perimeter is properly securing the OT environment.  

Additionally, Splunk is seeing CISO’s and CSO’s tasked with being responsible for monitoring not just IT, but OT environments as well. This means organizations are trying to gain visibility across both environments, understand their inter-connectivity, but also struggling to get started or trying to not overwhelm their SOC’s with a lot of noise from the OT environment. The Splunk OT Security Add-on contains content designed to help security operations get started pro-actively monitoring their perimeter, use existing technology investments for alerts and vulnerabilities, and leverage Splunk’s latest technologies such as Risk-Based Alerting (RBA) and security frameworks like MITRE ATT&CK. 

Splunk OT Security Add-on 2.1 Updates

In March of 2021, Splunk released the second version of the OT Security Add-on for Splunk which primarily focused around additional integrations with Splunk products, integration with partners, and expanded coverage for NERC CIP auditing. Today, we are excited to announce version 2.1 of the solution which includes the following key enhancements:

Perimeter security focused dashboards and reports: Too often we encounter companies that tell us they are collecting data from the OT Security perimeter, but when probed about what they are doing with the data, confess they are only collecting that data. The perimeter focused dashboards and reports provide the ability to focus on traffic traversing the perimeter (including prohibited traffic), changes to the perimeter devices, remote access into OT environments, as well as visualizations that allow customers to view traffic across the perimeter or across their OT infrastructure.

Cloud compatibility: Splunk’s OT Security can be leveraged both on-premises and in Splunk Cloud (on AWS or GCP) based on a customer’s environment. These integrations include making partner products Splunk Cloud compatible as many of our partners are being asked to have cloud compatible integrations.

RBA and Security Frameworks: In Splunk Enterprise Security (ES) 6.6, features like RBA and security frameworks became key elements of ES and Notables. These features are now directly used in correlation searches, security mappings, and dashboards.

Improved Partner Integrations: Many of our partner integrations provide key fields which may vary across different partner technologies, but which can result in inconsistencies for the customer. For example, one partner may name an engineering workstation, “eng wkst”, while another named it “ENG Station”. Using new integrations, fields such as the asset type can be now mapped to a common set of names and icons or allow customers to modify these mappings based on their own requirements. These new standardizations are also directly used in correlation rules, dashboards, and other visualizations to provide a more unified look-and-feel across the add-on. Vulnerability information from partner technologies is now displayed directly in Splunk dashboards that use Splunk’s Common Information Model.

New correlation searches, key security indicators (KSI), and MITRE ATT&CK for ICS Mappings: As part of this version, a thorough analysis of existing correlation searches and KSI’s were performed, including adding additional detections, to make them work better for customers. These new correlation rules and KSI’s have been added to help customers detect more suspicious behavior and be able to provide reporting when needed to management.

Design & Usability Improvements: Additional filtering and drilldown links have been added to dashboards based on customer feedback about how they actually want to view the data in Splunk. This includes both OT Security and NERC CIP related dashboards which provide additional filters for assert types, specific endpoints, and user activity. Dashboards are now linked more dynamically within the app and with Enterprise Security’s existing dashboards so can be used together seamlessly to provide quicker insight at the click of the button. For example, an analyst trying to evaluate the use of insecure protocols for an asset, can now quickly navigate to see all traffic and protocols associated with a particular asset and understand how traffic is being relayed to that asset.

More Cloud Integration

Although organizations are all at different stages of cloud migration, especially when considering their OT environments, we do see some industries and organizations moving to embrace cloud for their security solutions. We see this trend in OT as well, and as a result, Splunk’s OT Security Add-on is designed to work in both on premise and cloud environments. This also includes many of our key OT security partners, who have increasingly worked on making sure their products also work with Splunk Cloud. In fact, one of our major Cloud SaaS partners, AWS recently released updated guidance about doing NERC CIP in AWS. These integrations also include more than a handful of our technology partners who now proudly display Splunk Cloud in the compatibility section on splunkbase.

Improved Vulnerability Detection and Integration

The OT Security Add-On uses the National Vulnerability Database (NVD) to attempt to identify potential vulnerabilities on OT Endpoints. The NVD provides a standard method to categorize known vulnerabilities, but descriptions and indicators within the NVD are not always consistent. This version of the app adds additional intelligence to help you detect potential vulnerabilities

This version of the add-on also adds integration with Splunk’s Vulnerability Data Model. Many Splunk customers might already be bringing in vulnerability information via various third party integrations such as OT security products and/or vulnerability detection products. With Version 2.1, those detections made by third party integrations can be shown directly within the OT Vulnerability Center dashboard. These detections provide additional insights into vulnerabilities and help you prioritize and understand the impact they may represent across your OT environment.

Risk Based Alerting and Security Frameworks

Splunk’s Enterprise Security version 6.6 included several key enhancements to help users leverage RBA and cybersecurity frameworks. These key features can be integrated into OT Security Add-on with version 2.1.  

Splunk’s Risk Analysis framework provides the ability to identify actions that raise the risk profile of individuals or assets. RBA builds upon this to reduce alert fatigue by providing analytics on top of alerts and increasing the accuracy of alerts and provides a readily available “alert narrative.” For example, login activity into a host using a vendor account may not be atypical in OT environments; so it might not merit a notable in some cases, but could raise the risk associated with the asset and identity. However, when we see other events that increase the risk score, such as using an external media on the same machine, powershell scripts being run, windows security logs being cleared, and then additional logins - all this combined risky behavior could result in a risk notable. Drilling down on this new notable then allows us to see all the events, identities, and behaviors that contributed to a risk notable including the sequence and impact on risk for each event. Instead of a SOC analyst receiving a notable for each of these individual events, the analyst now gets a single notable with all the necessary details to do an investigation.  

These risky behaviors can leverage security frameworks such as kill-chain and MITRE ATT&CK to identify the kinds of tactics, techniques, or identify the methodology of the attack.

What’s Coming Next?

Cybersecurity leaders are asking for more content to help guide them on their security journey, including deeper integrations with third party technologies (e.g. vulnerabilities, authentication, certificate information, SOAR integration) better visibility inside the OT environment, expansion of the library of templated playbooks and workflows for SOAR, or how products like User Behavior Analytics can be used in an OT environment. We continue to invest in multiple releases of this solution per year, where we listen and respond to customer input. Please share with us; we are listening.  

To learn more about applying the Splunk Security Operations Suite within OT contexts, review the latest documentation here or download the OT Security Add-on for Splunk. For any questions, comments or ideas, don’t hesitate to reach out to us directly.