Tripwire Energy Working Group: TIV Demo
0 likes181 views
The document discusses new features in Tripwire Industrial Visibility (TIV) including: 1) USB detection that monitors USB devices plugged into OT assets and provides visibility of USB usage. 2) Physical connection visibility that displays physical connections between assets in asset views and layered graphs. 3) DNS artifact monitoring for threat hunting by visualizing DNS activity to detect compromise. 4) Network session analytics that provides session information and detects physical network issues from traffic volumes and retransmissions.
Tripwire Energy Working Group: TIV Demo
- 1. Tripwire Industrial Visibility (TIV) Demo Zane Blomgren, Industrial SE Manager August 12, 2021
- 2. Tripwire’s Security & Compliance Portfolio
- 3. Active Detection: USB Detection Previous situation o TIV didn’t detect USB devices connected to OT assets (like PLCs). o Unauthorized USB devices can re-configure or disrupt OT assets, creating risk What the feature does o Provides view of USB devices which are plugged into assets o New “Insight” indicates the number of assets discovered that have USB devices plugged into them. o New report shows the distribution of USB devices in the OT environment What’s the value o TIV can monitor USB insertion actions on OT assets o Hygiene score and trend will reflect activity associated with USB device usage.
- 4. Active Detection: Physical Connections Previous situation o We weren’t able to display the information regarding physical connections between assets What the feature does o New table lists all the assets that are physically connected to a particular asset o This information is available via Asset View and Layered Graph What’s the value o The user can view the physical connections for a specific asset
- 5. DNS Artifact – Threat Hunting Previous situation o We had limited ability to display DNS information. DNS is important to monitor for possible compromise. What the feature does o This feature provides visibility of DNS behavior from the TIV user interface Dedicated page Asset pages Dashboard What’s the value o We can now visualize DNS activity and detect possible compromise in the environment
- 6. 6 Network Session Analytics Previous situation o TIV did not provide visibility into communication patterns between all network devices o TIV did not provide information about physical network health and possible issues What the feature does o Provides list of sessions currently open or seen recently Includes data such as traffic volumes and retransmissions Includes graphical representation of retransmissions over time What’s the value o TIV can more easily identify physical networking issues (equipment, cabling, etc) in the OT environment o TIV can easily see the communications patterns within their network
- 7. Process Value View Previous situation o Trying to identify situations where a PLC is mis-configured (via a mistake or an attack) was challenging. Manual tuning required What the feature does o Monitors network communication to PLCs o Baselines the “normal” range of values for PLC configuration parameters o Identifies situations where a parameter is change to an “abnormal” value. What’s the value o Provides more detailed visibility of process changes that may indicate a mistake or malicious compromise. o Aids in both threat hunting, and in driving OT system availability
- 8. Reveal • Asset Discovery • Security Posture • Network Hygiene • Process and Change Visibility Connect • Audit & Compliance • SOC Monitoring • Optimize Staff • Architecture Protect • Risk and Vulnerabilities • Risk Prioritization • Zero Trust • Remote Access Control Detect • Known Threats • Advanced Unknown Threats • Insider Threats • Hunt and Investigation • Mitigate and Respond Starting Your Industrial Cybersecurity Journey First Step
- 9. People / Organization Infrastructure Complexity • Limited visibility to determine risk • Poor segmentation • IoT cloud based devices Security • Team collaboration (IT vs. OT) • Different tech stack for different BUs • Multiple teams with different needs; competence in IT or OT often limited • Limited site resources • Legacy / Unmanaged switches • Air-gapped networks • Outsourced infrastructure Common Challenges Barriers to Your Industrial Cybersecurity Journey
- 10. Easy Deployment No Network Changes Quick Time-to- Value No Hidden Costs Risk & Vulnerability Data Correlated to Asset Data Non-disruptive to Operations Comprehensive Visibility: IT/OT/IoT Overcoming Your Industrial Cybersecurity Challenges Solution Requirements
- 11. 11 A Simple, Easy-to-Use Solution That Delivers 100% Visibility into Industrial Networks in Minutes Windows-Based Edge Collector Cloud or On-Prem No Network Changes Introducing TIV Edge Risk & Vulnerability Management Full OT/IoT/IT Asset Discovery HARDWARE CONFIGURATION DISRUPTIVE
- 12. Fast & Easy: Run Any Time, Anywhere Windows-based edge collectors run on-prem or via SaaS 1. Run standalone executable on “interesting” hosts 2. Collect host and surrounding devices’ information ○ Host information ○ ICS project files ○ Subnet discovery / Active 3. Send information back to CTD Launch Point TIV Edge: How it Works