Podcast: Splunk’s OT Security Add-On

Podcast Archives - Dale Peterson: ICS Security Catalyst «

3+ y ago

Inhalt bereitgestellt von Podcast Archives - Dale Peterson: ICS Security Catalyst. Alle Podcast-Inhalte, einschließlich Episoden, Grafiken und Podcast-Beschreibungen, werden direkt von Podcast Archives - Dale Peterson: ICS Security Catalyst oder seinem Podcast-Plattformpartner hochgeladen und bereitgestellt. Wenn Sie glauben, dass jemand Ihr urheberrechtlich geschütztes Werk ohne Ihre Erlaubnis nutzt, können Sie dem hier beschriebenen Verfahren folgen https://de.player.fm/legal.

Most of the OT Detection and Asset Management solutions have developed ‘integrations’ with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month.

In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP Internet of Things at Splunk about the OT Security Add-On.

https://traffic.libsyn.com/secure/unsolicitedresponse/20-21_Splunk.mp3

This is a more detailed, technical episode as I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:

The additional OT fields in the Splunk Asset Framework
The OT_Asset and OT_SW_Asset data models
How the 29 OT search queries will work with integrations likely using different terms (such as different names for asset types) and the types of search queries currently supported.
The value of having standardizations for some OT alerts/events sent to Splunk, such as “modify control logic”. This support for standardized notables, as Splunk calls them, is not in the released Add On but can be configured.
How Splunk is tracking vulnerability management (currently no OT integration)
And how Splunk is calculating the Risk Scores in the OT Security Posture Tab