In case you missed it, we co-hosted a webinar with SANS on June 2, detailing and demoing our latest Dragos Platform release, version 1.6. Hosts included Jon Lavender, Dragos Co-Founder and CTO, and Ben Miller, Dragos VP of Professional Services and R&D.
The complete webinar can be viewed here:
Dragos v1.6 Overview
Dragos Platform version 1.6 offers ICS/OT practitioners the most comprehensive asset inventory, discovery, and identification capabilities to date. These help them go beyond simply identifying what is abnormal vs. normal in their environments to understanding what’s needed to build a truly defensible, intelligence-driven ICS/OT cybersecurity strategy. With this reinforced visibility and asset information delivered, we’ve also enriched our threat detection capabilities by incorporating the MITRE ATT&CK for ICS Framework into our notifications, enabling more robust context of adversary tactics and techniques and providing custom-authored investigation playbooks to respond to threats with the expert guidance of our team of practitioners.
After the Dragos Platform demo, we had a lot of great feedback and questions from attendees about the specifics and key features highlighted in the Dragos Platform. Below are the top 10:
Q: Can the tool map the current state of an ICS into the MITRE ATT&CK Framework based on discovered system vulnerabilities and compare that against TTPs?
A: Yes, the Platform provides a mapping between the Detections and the MITRE ATT&CK for ICS framework.
Q: To what extent do you find that customers export the discovered asset data into enterprise asset management systems as part of a consolidated view?
A: This is common practice and does offer some benefit to be able to aggregate logs/alerts into a central location. However, when triaging an alert or exploring your network, assets, and communications, that is best done in the Dragos Platform, because of the amount of additional context and details that are pulled together and presented to the user in a single-pane view.
Q: What intelligence feeds do you incorporate into your capability?
A: Dragos includes indicators and threat behavior analytics that are derived from our threat intelligence WorldView product. You also have the ability to import your own indicator lists into the platform.
Q: How does the Dragos Platform compare to your competitors’ technology?
A: The Dragos Platform is a full-featured visibility, detection, and response solution. The other products on the market provide coverage in visibility and only offer a subset of detection capabilities, typically focused on anomaly-based detections. The Dragos Platform does all that plus offers advanced detection with our analytics that detect threat behaviors. In addition, the Platform is enabled with and mapped to the MITRE ATT&CK for ICS framework that was announced in January 2020. Our technology also serves as a mechanism to transfer our ICS/OT experts’ knowledge to Platform customers directly via Knowledge Packs, which are delivered monthly. Knowledge Packs contain the latest IOCs, signatures, analytics, and investigation playbooks to proactively defend your environment and respond to threats more efficiently.
Q: Can you please explain what needs to be installed in the ICS to allow the asset tool to gather the asset details? Are these specific Dragos components?
A: The Dragos Platform does passive monitoring. If you have a Dragos Platform, all that is needed is a network tap, span port, or traffic aggregator to feed traffic to the Dragos Sensor.
Q: Do you span ports or taps on every switch at the layer 2 level?
A: While as broad a collection strategy as possible is ideal, Dragos works with customers to identify critical points in their network to add taps or configure span ports in order to maximize analytic coverage relative to the number of collection points that can be supported. The deployment specifics must be discussed with each customer to ensure the deployment model matches the customer’s priorities, but a common decision often comes down to having to choose between deploying closer to the edge of a network and closely monitoring all traffic going to and from key assets, versus deploying in the backplane to monitor for pivots and lateral movement between different sites or up and down the security layers in order to monitor the overall health of the network.
Q: Is the platform able to passively detect firmware versions of ICS devices? (If yes, can you list a few vendors that it can do this for?)
A: Yes, we support many vendors and protocols. To name a few: SEL, Rockwell, GE, Yokogawa, Emerson, and more. Check out the full list of protocols here: https://www.dragos.com/wp-content/uploads/Dragos-Supported-Protocols.pdf
Q: How many days of data can be stored (logging the traffic)? Is there an immediate alert generated if the laptop is connected to the network?
A: This is completely dependent on the environment and the size of the deployment. We have customers that have 6 months or more of asset, asset communication, and detection data. Log and data storage and retention can be configured as needed based on local security policies.
Q: Do you integrate with Elasticsearch?
A: We support sending Syslog data (multiple formats, LEEF, CEF, JSON, and others), which can be integrated into a pipeline using Elastic’s stack.
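As an added example (not Dragos’s code; the sample lines, field names and the ECS-style output keys are assumptions for illustration), the following Python normalizes constructed CEF, LEEF and JSON syslog lines of the kind the answer mentions into documents an Elastic ingest pipeline could index:

```python
import json
import re

# Constructed sample lines for the three payload formats the answer names
# (CEF, LEEF, JSON). Field names and values are assumed for the example;
# they are not real Dragos Platform output.
SAMPLE_LINES = [
    "<134>Jun 02 12:00:01 dragos-site CEF:0|Dragos|Platform|1.6|1001|Detection|7|"
    "src=10.0.5.20 dst=10.0.5.7 cs1Label=technique cs1=T0855 msg=Unauthorized command",
    "<134>Jun 02 12:00:02 dragos-site LEEF:2.0|Dragos|Platform|1.6|1001|^|"
    "src=10.0.5.20^dst=10.0.5.7^technique=T0855",
    '<134>Jun 02 12:00:03 dragos-site {"vendor": "Dragos", "src": "10.0.5.20", '
    '"dst": "10.0.5.7", "technique": "T0855"}',
]

def parse_cef(payload):
    """CEF: seven pipe-separated header fields, then key=value extensions (values may contain spaces)."""
    p = payload.split("|", 7)  # escaped pipes inside header fields are not handled here
    fields = dict(zip(["cef", "vendor", "product", "version", "signature_id", "name", "severity"], p[:7]))
    fields.update(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", p[7]))
    for key in [k for k in fields if k.endswith("Label") and k[:-5] in fields]:
        fields[fields.pop(key)] = fields.pop(key[:-5])  # cs1Label=technique, cs1=T0855 -> technique=T0855
    return fields

def parse_leef(payload):
    """LEEF 1.0/2.0: header fields, then delimited key=value attributes (2.0 carries the delimiter)."""
    n = 6 if payload.startswith("LEEF:2") else 5
    p = payload.split("|", n)
    delim = p[5] if n == 6 and p[5] else "\t"
    if len(delim) > 1 and delim.startswith("x"):  # LEEF 2.0 hex form of the delimiter, e.g. x09
        delim = chr(int(delim[1:], 16))
    fields = dict(zip(["leef", "vendor", "product", "version", "event_id"], p[:5]))
    fields.update(kv.split("=", 1) for kv in p[n].split(delim) if "=" in kv)
    return fields

def normalize(line):
    """Strip the syslog PRI/header and return an ECS-style document (key names assumed)."""
    m = re.search(r"CEF:|LEEF:|\{", line)
    if not m:
        raise ValueError("no CEF, LEEF or JSON payload found")
    payload = line[m.start():]
    if payload.startswith("CEF:"):
        fmt, f = "cef", parse_cef(payload)
    elif payload.startswith("LEEF:"):
        fmt, f = "leef", parse_leef(payload)
    else:
        fmt, f = "json", json.loads(payload)
    return {"event.format": fmt, "event.vendor": f.get("vendor"), "source.ip": f.get("src"),
            "destination.ip": f.get("dst"), "threat.technique.id": f.get("technique")}
```

Each document carries the same keys regardless of the source format, so one ingest pipeline and one set of detection queries can cover all three.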
Q: Does it allow permission assignment based on assets? (So some people could see one part of the plant… and others?) Is that based on tag? Zone?
A: The Dragos Platform provides role-based access controls at the API level to restrict visibility, access, and operations based on roles and permissions that can be defined by the user.