In case you missed it, we co-hosted a webinar with SANS on June 2, detailing and demoing our latest Dragos Platform release, version 1.6. Hosts included Jon Lavender, Dragos Co-Founder and CTO, and Ben Miller, Dragos VP of Professional Services and R&D.
The complete webinar can be viewed here:
Dragos v1.6 Overview
Dragos Platform version 1.6 offers ICS/OT practitioners the most comprehensive asset inventory, discovery, and identification capabilities to date to help them go beyond simply identifying what is abnormal vs. normal in their environments to helping them understand what’s needed to build a truly defensible, intelligence-driven ICS/OT cybersecurity strategy. With this reinforced visibility and asset information delivered, we’ve also enriched our threat detection capabilities by incorporating the MITRE ATT&CK for ICS Framework into our notifications, enabling more robust context of adversary tactics and techniques and providing custom-authored investigation playbooks to respond to threats with the expert guidance of our team of practitioners.
After the Dragos Platform demo, we received a lot of great feedback and questions from attendees that dig further into the specifics and key features highlighted in the Dragos Platform. Below are the top 10:
Q: Can you please explain what needs to be installed in the ICS to allow the asset tool to gather the asset details? Are these specific Dragos components?
A: The Dragos Platform does passive monitoring. If you have a Dragos Platform, all that is needed is a network tap, span port, or traffic aggregator to feed traffic to the Dragos Sensor.
Q: Do you span ports or taps on every switch at the layer 2 level?
A: While as broad a collection strategy as possible is ideal, Dragos works with customers to identify critical points in their network to add taps or configure span ports in order to maximize analytic coverage relative to the number of collection points that can be supported. The deployment specifics must be discussed with each customer to ensure the deployment model matches the customer’s priorities, but a common decision often comes down to choosing between deploying closer to the edge of a network and closely monitoring all traffic going to and from key assets, versus deploying in the backplane to monitor for pivots and lateral movement between different sites or up and down the security layers in order to monitor the overall health of the network.
Q: Is the platform able to passively detect firmware versions of ICS devices? (If yes, can you list a few vendors that it can do this for?)
A: Yes, we support many vendors and protocols. To name a few: SEL, Rockwell, GE, Yokogawa, Emerson, and more. Check out the full list of protocols here: https://www.dragos.com/wp-content/uploads/relocated/d/Dragos-Supported-Protocols.pdf
Q: How many days of data can be stored when logging the traffic? Is there an immediate alert generated if a laptop is connected to the network?
A: This is completely dependent on the environment and the size of the deployment. We have customers that have 6 months or more of asset, asset communication, and detection data. Log and data storage and retention can be configured as needed based on local security policies.
Q: Do you integrate with Elasticsearch?
A: We support sending Syslog data (in multiple formats: LEEF, CEF, JSON, and others), which can be integrated into a pipeline using Elastic’s stack.
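As an added illustration of the integration step described above (example code, not Dragos's own and not the Platform's actual output), the following parses one CEF-formatted syslog line into a JSON document that an Elasticsearch ingest pipeline could index. The sample line, its vendor/product fields and its extension keys are constructed for the example.

```python
import json
import re

# Constructed sample CEF line (field names and values are assumed, not a real notification).
SAMPLE_CEF = (
    "CEF:0|Dragos|Platform|1.6|1001|New asset observed|5|"
    "src=10.1.2.3 dst=10.1.2.50 dpt=502 proto=TCP "
    "msg=Unseen host talking Modbus to PLC\\=line-3 cs1Label=zone cs1=Cell-2"
)

# Header fields are pipe-delimited; an escaped "\|" inside a field is not a delimiter.
_HEADER_SPLIT = re.compile(r'(?<!\\)\|')
# Extension is "key=value" pairs separated by spaces; values may contain spaces and "\=".
_EXT_PAIR = re.compile(r'(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)')
_HEADER_KEYS = ['version', 'vendor', 'product', 'product_version',
                'signature_id', 'name', 'severity']

def _unescape_header(value):
    return value.replace('\\|', '|').replace('\\\\', '\\')

def _unescape_ext(value):
    return value.replace('\\=', '=').replace('\\n', '\n').replace('\\\\', '\\')

def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict."""
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF message')
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    doc = {k: _unescape_header(v) for k, v in zip(_HEADER_KEYS, parts[:7])}
    doc['version'] = doc['version'][len('CEF:'):]
    doc['severity'] = int(doc['severity'])
    doc['extension'] = {m.group(1): _unescape_ext(m.group(2))
                        for m in _EXT_PAIR.finditer(parts[7])}
    return doc

def resolve_labels(ext):
    """Turn custom pairs such as cs1Label=zone / cs1=Cell-2 into zone=Cell-2."""
    out = dict(ext)
    for key, label in ext.items():
        base = key[:-len('Label')]
        if key.endswith('Label') and base in ext:
            out[label] = ext[base]
            out.pop(base, None)
            out.pop(key, None)
    return out

def to_es_document(line):
    """Produce the JSON body an Elasticsearch bulk/index request would carry."""
    doc = parse_cef(line)
    doc['extension'] = resolve_labels(doc['extension'])
    return json.dumps(doc)
```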
Q: Does it allow permission assignment based on assets? (So some people could see one part of the plant… and others another?) Is that based on tag? Zone?
A: The Dragos Platform provides role-based access controls at the API level to restrict visibility, access, and operations based on roles and permissions that can be defined by the user.
Ready to put your insights into action?
Take the next steps and contact our team today.