DIY Security Indicators—Leveraging the Value of OT Metadata

In my last post, I provided considerations and imperatives when scoping the right security operations center (SOC) model for your OT needs. I highlighted reasons why an integrated IT/OT SOC is the best approach for many organizations wanting to achieve truly holistic monitoring and response operations across both their IT and OT environments.

The next step, after your organization has determined the right SOC model for the business, is to begin applying operational intelligence across both environments. To properly protect your IT and OT environments from threats, you need visibility and context, which requires capturing indicators—pieces of data that help indicate adversary activity.

What comes to mind when you think of indicators? Hashes? IP addresses? Domain names? These well-known atomic indicators are easy to load into a detection tool, which can raise an alarm whenever one of them shows up in your network traffic. But are there other, higher-fidelity data points hiding in your metadata, asset inventory, or configuration files that could be turned into indicators? Could those indicators provide more value than a paid external threat intel feed?

Where to Uncover the Most Valuable Indicators

Indicator-based detections have been implemented and practiced in traditional IT-focused SOCs for a number of years. It is also common for organizations to pay for threat intelligence that includes well-known indicators of compromise (IOCs), which may cover one or several different industries. This intel can be useful for surface-level protections, but it is heavily IT-threat focused. Modern cyber incidents can traverse both IT and OT environments, so there is a serious need for intel-sharing practices that cover both. Commercialized threat intelligence is just on the cusp of being commonplace and relied upon within OT-focused SOCs, yet we believe some of the most valuable indicators can be hiding in your existing infrastructure.

One of the best strategies for collecting indicators from your existing infrastructure relies not on cutting-edge cybersecurity protections, the latest malware signatures, or IOCs, but rather on mature network security monitoring (NSM) practices. NSM is a repeated effort to monitor traffic, understand normal activity, and explore anomalous behavior, rather than simply responding to an alert on a security appliance. If mature NSM practices are followed, they will enable robust asset discovery and inventory practices.

Tapping Network Security Monitoring for Your OT Environment

One advantage of NSM is understanding what types of infrastructure are in your environment. In turn, asset discovery and inventory management serve as a strong foundation to enable additional initiatives such as vulnerability management, baselined network traffic, and anomaly detection across both your IT and OT environments.

NSM is especially beneficial in OT environments because a lot of the supporting infrastructure runs on legacy or outdated software. This may be caused by operational concerns or a lack of vendor-provided security patches, but the end result is the same: vulnerabilities are present and may not be detected by traditional monitoring and response strategies. For example, NSM could provide information regarding partner connections, network telemetry, and the communication protocols expected from field devices. Once you have a solid understanding of what vendor hardware, firmware versions, and network protocols exist on and traverse your network, you will be better equipped to respond to OT-related cybersecurity vulnerabilities.

How useful is a vendor notice about a vulnerability in a firmware version if you’re not even sure what version(s) are on your network? How valuable is a paid threat intel feed about the latest TTPs associated with an APT if you don’t have any network visibility into lateral movement? How valuable is a list of malicious IPs if you’re not monitoring both ingress and egress network traffic? If you’re not intentional with your NSM practices, then third-party intel may provide little to no value to you.
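The questions above all reduce to one workflow: learn what normal looks like from your own flow metadata and asset inventory, then treat every deviation as an indicator you generated yourself. The script below is an added example that is not from the original post; it uses a hand-built flow record layout loosely modeled on a Zeek conn.log (timestamp, originator, responder, port, transport, service), a constructed asset inventory with firmware versions, and a constructed vendor advisory. The plant network range, host addresses, vendor and product names, and firmware versions are all assumptions. It builds a baseline of peers and services per responder, flags new peers, new services, and OT-to-external egress in a later window, and answers the firmware question by listing inventory entries older than the advisory's fixed version.

```python
"""Turn NSM metadata into DIY indicators: baseline first, then flag deviations.

Added example; not code from the original post. Every host, version, and log
line below is constructed. The record layout (ts, orig, resp, port, proto,
service) loosely mirrors a Zeek conn.log but is hand-built for this demo.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_NETWORK = ip_network("10.20.0.0/16")  # assumption: the plant network range

# Constructed asset inventory gathered through passive discovery.
INVENTORY = {
    "10.20.1.10": {"vendor": "ExampleVendor", "product": "PLC-1000", "firmware": "2.3.1"},
    "10.20.1.11": {"vendor": "ExampleVendor", "product": "PLC-1000", "firmware": "2.4.0"},
    "10.20.2.5":  {"vendor": "ExampleVendor", "product": "HMI-200",  "firmware": "5.0.2"},
}

# Constructed baseline window: flows observed during known-good operation.
BASELINE_LOG = """\
1700000000.1\t10.20.2.5\t10.20.1.10\t502\ttcp\tmodbus
1700000001.2\t10.20.2.5\t10.20.1.11\t502\ttcp\tmodbus
1700000002.3\t10.20.2.5\t10.20.0.2\t53\tudp\tdns
"""

# Constructed later window: one normal flow plus three deviations.
LATER_LOG = """\
1700086400.1\t10.20.2.5\t10.20.1.10\t502\ttcp\tmodbus
1700086401.2\t10.20.3.77\t10.20.1.10\t502\ttcp\tmodbus
1700086402.3\t10.20.2.5\t10.20.1.11\t44818\ttcp\tenip
1700086403.4\t10.20.1.10\t203.0.113.9\t443\ttcp\tssl
"""


def parse_flows(text):
    """Parse tab-separated flow lines into dicts, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, proto, service = line.split("\t")
        flows.append({"ts": float(ts), "orig": orig, "resp": resp,
                      "port": int(port), "proto": proto, "service": service})
    return flows


def build_baseline(flows):
    """Learn, per responder, which originators and which services are normal."""
    peers = defaultdict(set)
    services = defaultdict(set)
    for f in flows:
        peers[f["resp"]].add(f["orig"])
        services[f["resp"]].add((f["service"], f["port"]))
    return {"peers": peers, "services": services}


def derive_indicators(baseline, flows):
    """Compare flows against the baseline; each deviation becomes an indicator tuple."""
    indicators = []
    for f in flows:
        orig_in_ot = ip_address(f["orig"]) in OT_NETWORK
        resp_in_ot = ip_address(f["resp"]) in OT_NETWORK
        # An OT asset talking to something outside the plant range is always notable.
        if orig_in_ot and not resp_in_ot:
            indicators.append(("unexpected_egress", f["orig"], f["resp"]))
            continue
        if f["orig"] not in baseline["peers"].get(f["resp"], set()):
            indicators.append(("new_peer", f["orig"], f["resp"]))
        if (f["service"], f["port"]) not in baseline["services"].get(f["resp"], set()):
            indicators.append(("new_service", f["service"], f["resp"]))
    return indicators


def parse_version(v):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def affected_assets(inventory, vendor, product, fixed_in):
    """Inventory entries for vendor/product running firmware older than fixed_in."""
    fixed = parse_version(fixed_in)
    return sorted(ip for ip, a in inventory.items()
                  if a["vendor"] == vendor and a["product"] == product
                  and parse_version(a["firmware"]) < fixed)


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_LOG))
    for kind, a, b in derive_indicators(base, parse_flows(LATER_LOG)):
        print(f"{kind:18} {a} -> {b}")
    # Constructed advisory: ExampleVendor PLC-1000 fixed in firmware 2.4.0.
    print("affected by advisory:", affected_assets(INVENTORY, "ExampleVendor", "PLC-1000", "2.4.0"))
```

Each indicator this produces is specific to your own network: a workstation that has never spoken to a PLC, a protocol a PLC has never served, or an OT asset reaching the internet. In practice the baseline window should span enough time to capture periodic traffic such as weekly backups or maintenance sessions, or those will surface as false positives.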

If I had to choose between indicators I discover myself inside my own networks and indicators I pay for from a third-party intel provider, I would always choose the former. The indicators identified through asset discovery and NSM will have much higher fidelity, will be directly applicable to my environment, and will better aid me in identifying anomalous network behavior.

Need help identifying your system indicators? Looking for a security partner who understands NSM practices?

Contact us today to discuss your needs; we’re certain we’re the right partner for the job.
