Transcription

SOLUTION BRIEFImproving Threat Detection andResponse in Industrial NetworksMcAfee and Dragos technology combine to providecomplete coverage of IT and OT environmentsMcAfee SolutionIdentification, detection, and response are a few of thecritical components to a successful cybersecurity strategy.Dragos and McAfee are working together to improvethese components for defenders to help protect againstsophisticated attacks that impact both the informationtechnology (IT) and operational technology (OT)environments. Dragos PlatformMcAfee Enterprise SecurityManagerConnect With Us1Improving Threat Detection and Response in Industrial Networks

SOLUTION BRIEFThe Business ProblemSecurity teams at industrial organizations often havelimited visibility into OT networks—not just from anasset identification perspective but also when it comesto threats targeting industrial control systems (ICSs). ITsecurity tools are not optimized for OT environmentsand are based on different technologies, protocols,policies, and skills, with unique consequences thatrequire different approaches.There is an increasing demand for security teams to havea broader converged view that provides more holisticcoverage of the entire network, including IT and OT.This means security teams must face the challenge ofsupporting unfamiliar technology, systems, and threatswhile maintaining efficient workflows. The potential riskto businesses is magnified as threats to ICS increasein frequency and sophistication—with potentiallysignificant consequences. It is critical to provide analystswith improved, complete situational awareness anddecision-making support as efficiently as possible.McAfee and Dragos Joint SolutionEffective security starts with visibility across allsystems and networks. Security information and eventmanagement (SIEM) solutions are a core foundationalcomponent of effective security operations.McAfee Enterprise Security Manager, the core of theMcAfee security information and event management(SIEM) solution, working in conjunction with the DragosPlatform, provides defenders with the necessary visibilityand detection/response capabilities to quickly prioritize,2Improving Threat Detection and Response in Industrial Networksinvestigate, and respond to threats and help compliancerequirements across both IT and OT environments.The Dragos Platform is designed to provide assetvisibility, threat detection, and incident responsefunctions specifically for industrial environments.Through the technology integration, all notificationsfrom the Dragos Platform can be sent to McAfee SIEMto enable security operations staff the necessaryinformation to centralize potential detected threatactivity. The Dragos Platform detects and displays ICSthreats in four different ways, which are then displayedlocally on the four types of detection dashboard andshared with McAfee SIEM, where initial response teamscan perform validation and then triage the notification.How It WorksThe Dragos Platform is an ICS cybersecurity solutionthat provides defenders with unprecedented knowledgeand understanding of their industrial assets and activityand threats and threat behaviors. It also providesthe information and tools defenders need in order torespond quickly and efficiently.Unlike anomaly-based threat detection methods, theDragos Platform leverages threat behavior analytics asthe primary method of threat detection, as they providemore context-rich insight of the threats, which reducesthe mean time to recovery (MTTR). Threat behavioranalytics are characterizations of known adversarytactics, techniques, and procedures (TTPs) that rapidlypinpoint malicious behavior with a higher degree ofconfidence.Challenges Limited understanding of OTenvironments and OT-focusedthreats Insufficient monitoring andthreat detection capabilities inOT environmentsIsolated IT and OT solutionsfor security analystsSlow awareness and reactionto threatsResults Combine existing and newtechnologies to broadensecurity operations coverage Increase efficiencies:More coverage of the entirenetworkBetter integration of IT and OTenvironmentsFaster awareness andresponse to threats

SOLUTION BRIEFThe Dragos Platform provides defenders with contextrich alerts and notifications, which are accompanied byinvestigation playbooks to help guide ICS cybersecuritypractitioners through the steps necessary to respondto threats efficiently. Dragos threat detections andplaybooks are produced by the experienced Dragosteam and are continuously updated to further enrich theDragos Platform via Knowledge Packs. The combinationof technology and shared experience provide customerswith a more scalable, efficient, and effective securityoperations team. Figure 1 depicts a sample architectureon how the Dragos Platform and the McAfee EnterpriseSecurity Manager can integrate to help protect IT and OTsystems.LEVEL 4BusinessLogisticsSystemsLEVEL 3OperationsSystemsLEVEL 2ControlSystemsLEVEL 1IT SECURITYIntelligentDevicesOTITSOCMcAfee ESMSIEMDragos SensorLocalSCADAand HMISpanDragos SensorLEVEL 0PLCsPhysicalProcessDRAGOS PLATFORMSensorsRTUsActuatorsLocal Plant (SCADA/DCS/PLC)Figure 1. Example of an architecture combining Dragos Platform and the McAfee Enterprise Security Manager in an industrial control environment.3Improving Threat Detection and Response in Industrial Networks

SOLUTION BRIEFSince analysts and other security professionalsoften need to further aggregate all of their detectiontechnology into one view for efficiency and speedof response, the overall goal is to help get the rightinformation to the right person at the right time sothey can make the best decisions possible for thebusiness. The McAfee IT-based detection indicators andDragos OT level detections form a powerful technologycombination and comprehensive solution. The jointsolution supplies the intelligence required for securityoperations teams to uniformly support requirementsacross both the IT and OT environments.Figure 2 illustrates how the threat behavior analyticnotifications from the Dragos Platform can be displayedwithin the dashboard view of the McAfee EnterpriseSecurity Manager and subsequently leveraged by asecurity analyst to understand threats targeting the OTenvironment.Figure 2. How the Dragos Threat Behavior Analytics are displayed in the McAfee Enterprise Security Manager.4Improving Threat Detection and Response in Industrial Networks

SOLUTION BRIEFKey Advantages of the Joint McAfee and DragosSolution The Dragos Platform is continuously updated with newdetection and response content through intelligencedriven Knowledge Packs.It covers the needs of analysts for both IT and OTnetworks for improved, end-to-end situationalawareness and decision-making.The solution reduces mean time to detection ofthreats and the ability to react.Together, McAfee and Dragos improve understandingand the ability to react to IT adversaries that oftenpivot from enterprise networks to OT.About DragosDragos has a global mission: to safeguard civilizationfrom those trying to disrupt the industrial infrastructurewe depend on every day. The expert practitionerswho founded Dragos were drawn to this missionthrough their decades of experience in the US Militaryand Intelligence Community going head to head withcyberattackers who threaten the world’s industrial2821 Mission College Blvd.Santa Clara, CA 95054888.847.8766www.mcafee.com5Improving Threat Detection and Response in Industrial Networksinfrastructure. Our solutions combine advancedtechnologies for asset identification, threat detection,and response with the battle-honed insights of our eliteteam of industrial control systems (ICS) cybersecurityexperts. We arm enterprises with the tools to identifythreats and respond to them before they becomesignificant breaches.Learn MoreFor more information, contact yourMcAfee representative or channelpartner, or visit www.mcafee.com.Dragos currently protects hundreds of organizationsand provides the industrial control systems communitywith selected free technology products, research,and thought leadership. Dragos is privately held andheadquartered in the Washington, DC area. Visit dragos.com for more information or follow us on Twitter orLinkedIn.About McAfee Enterprise Security ManagerMcAfee Enterprise Security Manager—the foundationof the SIEM solution family from McAfee—delivers theperformance, actionable intelligence, and real-timesituational awareness at the speed and scale requiredfor security organizations to identify, understand,and respond to stealthy threats, while the embeddedcompliance framework simplifies compliance.McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Othermarks and brands may be claimed as the property of others. Copyright 2020 McAfee, LLC. 4444 0420APRIL 2020

Unlike anomaly-based threat detection methods, the Dragos Platform leverages threat behavior analytics as the primary method of threat detection, as they provide more context-rich insight of the threats, which reduces the mean time to recovery (MTTR). Threat behavior an