At the recent it-sa fair in Nuremberg, we got the impression that every medium-sized security company is trying to provide 100/100 of the security components a potential customer might need, plus, of course, managed security services. This is the usual "me too" approach and a little disappointing, because specialization in a particular kind of product seemed to deliver better quality. Managed security services will only be as good as the security engineers behind them. But apparently the exhibition was an overall success for many companies: by day three of the fair, the booths were already booked out for next year. So what did we contribute?
UNeedSecurity presented the Splunk integration of OT security components, and this is the focus of the Rhebo Industrial Protector App:
The specific cyber attack surface of industrial environments consists of hundreds or more sensors, actuators and controllers connected by a variety of standard buses and protocols. Industrial processes often run 24/7, and components are sometimes sensitive to timing conditions. To effectively reduce risk, you need to maximize your insight into and control of every device on your network.
Rhebo Industrial Protector monitors all communication within, to and from the operational technology 24/7. The monitoring is integrated non-intrusively and passively at key points of the OT network. Any communication that indicates cyberattacks, tampering, espionage or technical error conditions is reported in real time. This allows early detection of progressive attack patterns as outlined in the MITRE ATT&CK for ICS framework. Companies can then respond quickly to risks and professional attack patterns to ensure the security and availability of their industrial processes.
By combining Rhebo's industrial device visibility and rich contextual device and network property data with Splunk's comprehensive data correlation, analytics and incident management, security operations teams can efficiently reduce the time to incident identification, analysis and mitigation. They are alerted to relevant anomalies, vulnerabilities and threats for their specific environment.
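To make the passive-monitoring idea concrete, here is an added example (our own illustration, not code from Rhebo, from the Industrial Protector, or from the Splunk app). It assumes a simplified picture: flow records seen on a mirror port are dicts with `src`, `dst`, `proto` and an optional Modbus function code `fc`; a learning window establishes a baseline of hosts, conversations and function codes; anything outside that baseline becomes an alert emitted as JSON lines, the form a SIEM input such as Splunk can ingest. The alert field names (`kind`, `severity`, `detail`) are hypothetical and not the app's own. The sample flows are constructed.

```python
"""Toy passive OT baseline detector (added example; not Rhebo or Splunk code).

Assumed, not taken from the page: flow records are dicts with src, dst, proto
and an optional Modbus function code 'fc'; a learning window defines the
baseline; deviations become alert dicts with field names of our own choosing.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample flows, as a passive sensor on a mirror port might see them.
# Modbus function code 3 = Read Holding Registers, 16 = Write Multiple Registers.
LEARNING_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.1.50", "proto": "modbus", "fc": 3},
    {"src": "10.0.1.10", "dst": "10.0.1.51", "proto": "modbus", "fc": 3},
    {"src": "10.0.1.20", "dst": "10.0.1.50", "proto": "s7comm", "fc": None},
]
LIVE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.1.50", "proto": "modbus", "fc": 3},   # in baseline, silent
    {"src": "10.0.1.10", "dst": "10.0.1.50", "proto": "modbus", "fc": 16},  # known pair, first write
    {"src": "10.0.1.99", "dst": "10.0.1.50", "proto": "modbus", "fc": 3},   # never-seen host
    {"src": "10.0.1.20", "dst": "10.0.1.50", "proto": "http", "fc": None},  # new protocol on known pair
]


@dataclass
class Baseline:
    """What 'normal' looks like: hosts, (src, dst, proto) conversations, and
    per-conversation Modbus function codes learned during the learning window."""
    hosts: set[str] = field(default_factory=set)
    conversations: set[tuple[str, str, str]] = field(default_factory=set)
    functions: set[tuple[str, str, str, int]] = field(default_factory=set)

    def learn(self, flow: dict) -> None:
        self.hosts.update((flow["src"], flow["dst"]))
        conv = (flow["src"], flow["dst"], flow["proto"])
        self.conversations.add(conv)
        if flow.get("fc") is not None:
            self.functions.add(conv + (flow["fc"],))

    def check(self, flow: dict) -> dict | None:
        """Return the single most specific deviation for a flow, or None."""
        conv = (flow["src"], flow["dst"], flow["proto"])
        unknown = [h for h in (flow["src"], flow["dst"]) if h not in self.hosts]
        if unknown:
            return _alert("new_host", flow, "high", f"unknown host(s): {', '.join(unknown)}")
        if conv not in self.conversations:
            return _alert("new_conversation", flow, "medium", f"new protocol/peer: {flow['proto']}")
        fc = flow.get("fc")
        if fc is not None and conv + (fc,) not in self.functions:
            return _alert("new_function_code", flow, "high", f"first use of function code {fc}")
        return None


def _alert(kind: str, flow: dict, severity: str, detail: str) -> dict:
    # Hypothetical alert shape; a real integration would use the app's own field names.
    return {"kind": kind, "severity": severity, "detail": detail, **flow}


def build_baseline(flows: list[dict]) -> Baseline:
    base = Baseline()
    for f in flows:
        base.learn(f)
    return base


def detect(learning_flows: list[dict], live_flows: list[dict]) -> list[dict]:
    """Learn from the learning window, then report every deviating live flow."""
    base = build_baseline(learning_flows)
    return [a for a in (base.check(f) for f in live_flows) if a is not None]


def to_json_lines(alerts: list[dict]) -> str:
    """One JSON object per line, the shape most SIEM file/HTTP inputs accept."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_json_lines(detect(LEARNING_FLOWS, LIVE_FLOWS)))
```

Run as a script it prints three alerts: the first write function code on an otherwise known Modbus conversation, a host that never appeared during learning, and HTTP between two hosts that previously only spoke S7comm. The ordering of the checks is the design point: an unknown host is reported once as such rather than also as a new conversation and a new function code, which keeps the event stream that reaches the SIEM free of duplicate noise for the same root cause.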
As the company behind the Industrial Protector is well established but still a young crew, they keep adding new protocols and anomaly types seen among industrial customers. So you can expect more and better integrations of this app into your own environment. With the provided demo data you can even test it before the first industrial controller is available on your network.
All the sources are published at https://gitlab.com/splunk-apps-uns/rhebo, and the Rhebo app is on Splunkbase.