Asset owners know that a robust cybersecurity strategy depends on comprehensive visibility into all of the devices in their environment, including the communications between them across the network. With every release of the Dragos Platform, we strive to deliver exceptional value through the best industrial threat detection with expert-authored response playbooks available, while carefully designing a user experience that ties together visibility and insight not available anywhere else.
The Dragos Platform continues to expand on a strong history of innovation and capabilities that have been engineered based on customer feedback and field experience. Our teams are already hard at work on the next major release, but we are excited to highlight some key use cases of how customers are already leveraging the platform to manage and protect their environments.
Asset Visibility – shining the spotlight on your environment
Use Case – OT SOC operators expect to have rich, actionable information at their fingertips that summarizes the current operating environment with clear indication of suspicious activity. A thorough asset inventory is required that is continuously updated through safe, passive techniques with drill down capability on asset details. The volume of data generated in industrial environments can quickly overwhelm human operators so establishing a baseline of connected systems and how they communicate with each other is critical so that deviations can be raised as notifications. Operators expect to know immediately if a PLC starts receiving commands from an unexpected source, or if an engineering workstation starts beaconing out to a destination outside of the environment and receiving files. Here’s more information on how the Dragos Platform supports this:
Dashboards – “at a glance” asset information that you can dig into
Significant investment has been made to elevate data visibility as a first-class experience through highly configurable dashboards. The initial screen when you login to the Platform now presents rich information on asset and protocol communications within your environment. These can be further filtered according to specific time periods, individual assets, specific protocols or scoped to a particular sensor. Users can create customized dashboards tailored to their environment, operational requirements, and any specific process-related visibility. We’ve also extended this same filtering capability to certain Query-Focused Datasets (QFDs) for a more consistent and powerful experience across the platform.
Baselines – getting clear on what “normal” looks like …
OT environments can generate an overwhelming amount of data and detections. Efficiently processing this information and focusing on the right signals instead of being distracted by all the noise is critical for cybersecurity teams. Although baselines have been a feature of the Dragos Platform for some time now, we made some key improvements based on customer feedback. Not only were we able to optimize foundational components of baselines to improve speed and scalability, this feature positions the platform for powerful enhancements in future releases.
Here are a few of the ways we’ve improved baselines:
- Relocated to the Asset Explorer tab for a more intuitive user experience
- New notification rollups to consolidate duplicate baseline changes into a single notification
- A completely redesigned learning mode to train the Platform on normal environment activity
- Audit logging to support administrative requirements
- A powerful new visualization that overlays baseline deviations on an interactive asset map (pictured here)
Threat Visibility – Find active and potential threats in your environment
Use Case – Industrial security analysts have a tough job and need to know the detection tools installed in their environments have eyes on systems 24×7 to monitor and catch incidents that may otherwise escape human attention. This includes intelligence that combines asset information as it flows across the network with detailed host event activity and compares it to attacker tactics, techniques, and procedures (TTPs) for comprehensive visibility. This threat intelligence needs to be updated on a regular basis to provide insight to protect against recent attacks that other operators might have experienced. It isn’t always possible to install agents on industrial end points to collect data so ingesting all appropriate data sources for focused analysis is extremely important.
Host Event Log Integration – using information already being collected
One of the major features introduced in the Dragos Platform last year was the inclusion of MITRE ATT&CK for ICS content. These Threat IDs are now incorporated elsewhere in the platform for broader contextual reference along with some enterprise-focused tactics, supported by new Windows Host Event Log collection and analysis for threat detection correlation with network events. This can leverage either agentless Windows Event forwarding or existing 3rd party syslog agents.
Threat Detection updates – new SolarWinds and FireEye signature analytics added
Knowledge Packs are a core component of the Platform. These monthly updates contain carefully curated information on threat intelligence, detections, playbooks, asset characterizations, protocol decoders, and much more. As noted in recent coverage from Dragos, the common use of third-party monitoring tools by industrial companies is exposing their environments to potential threat vectors that require detection updates for rapid identification. More detail about these and other Knowledge Pack updates are described here.
Ready to put your insights into action?
Take the next steps and contact our team today.