Forgive me for stating the obvious, but IT-OT environments and ICS are incredibly complex. SOC teams need better tools that deliver contextual information about connected devices and network operations in a consistent, quickly digestible way. Splunk got the ball rolling in August 2020 with its OT Security Add-on, which extends the Splunk Enterprise Security platform to improve threat detection, incident investigation and response. Now Forescout is taking a big step in the same direction with the new version of the Forescout OT Network Security Monitoring App for Splunk.
Richer, more understandable OT device visibility and context delivered to your Splunk SIEM
When a cyber threat emerges, asset owners need to detect and respond quickly to avoid potential downtime that, on average, costs large businesses more than $100,000 per hour, according to a recent survey [1].
To minimize the potential for disruption and downtime, IT and OT managers need to see threats and react quickly with the most effective mitigation measures. This requires a multi-vendor ecosystem that integrates best-of-breed solutions. It is the only way to respond effectively to threats, reduce management workloads and maximize the return on the investment already made in existing infrastructure.
The Forescout OT Network Security Monitoring App for Splunk is designed for exactly this purpose. It is the ideal solution for industrial asset owners who want to bring rich OT asset intelligence and threat detection into their existing Splunk deployment. With the Forescout app for Splunk, users can draw on the device visibility and threat detection capabilities of Forescout eyeInspect to defend their OT/ICS networks against operational failures and cyber threats such as Ripple20 (the set of Treck TCP/IP stack vulnerabilities), WannaCry, NotPetya and TRITON.
How does it improve response times to incidents and threats?
Through the Security dashboard, the app helps users identify alert trends and correlate them with other network activity, enabling faster detection of anomalies, cyber threats, dangerous commands sent to OT devices and misbehaving devices. This translates into better situational awareness and a reduced mean time to respond (MTTR), because the dashboard provides the context needed to choose the most effective mitigation action.
Is it an effective asset management tool?
Yes. By correlating Forescout eyeInspect and Splunk SIEM data, the app offers an Asset Inventory dashboard that gives SOC teams high-value device insights: richer context about the OT network, earlier identification of unexpected changes, and a basis for prioritizing investigations. With this heightened awareness, analysts can quickly and confidently recognize new assets, communication patterns and protocols on the network, making asset inventory and maintenance processes more efficient.
What can it do in terms of system health and user activity monitoring?
With the Administrative dashboard, users can retrieve detailed system health status and user activity information from eyeInspect, helping to detect unwanted user activity and prevent damage and system downtime.
What are the main features of the Forescout OT Network Security Monitoring App for Splunk v1.1?
- Close integration with the Splunk OT Asset data model. The integration gives security analysts visibility across the whole enterprise perimeter and tighter control over the potential security exposure that results from IT-OT convergence. It also improves the organization and presentation of the asset inventory and vulnerability data captured by Forescout eyeInspect. For North American electric utility customers specifically, the Forescout-Splunk integration enables smooth transfer of NERC CIP information that was previously available only inside eyeInspect.
- Automated mapping of alerts onto the Alerts data model of the Splunk Common Information Model (CIM). This lets OT security events be fully integrated into reports, correlation searches and dashboards to present a unified view of the enterprise. Users can view the normalized data in dashboards provided by other Splunk apps, such as Splunk Enterprise Security or any other CIM-aware app.
- Support for multiple Command Centers (CCs): the app can receive events from multiple eyeInspect Command Centers and identifies which CC generated each event. This is essential in today's multi-tier deployments at large enterprises, where Splunk becomes the endpoint of security ecosystem integration.
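To make the CIM alert mapping and the multi-CC point concrete, here is an added example of what such a mapping looks like at the Splunk configuration level. It is illustrative and written for this page; it is not Forescout's app configuration, and the sourcetype name, the vendor field names (src_ip, dst_ip, alert_id, alert_message, command_center, risk_score) and the 1-10 risk scale are all assumptions. The CIM Alerts field names on the right-hand side (src, dest, id, body, app, severity) and the `alert` tag that places events in the Alerts data model are standard Splunk CIM.

```ini
# props.conf -- hypothetical sourcetype and vendor field names, not Forescout's
[forescout:eyeinspect:alert]
# Alias vendor field names onto CIM Alerts field names
FIELDALIAS-cim_src  = src_ip AS src
FIELDALIAS-cim_dest = dst_ip AS dest
FIELDALIAS-cim_id   = alert_id AS id
FIELDALIAS-cim_body = alert_message AS body
EVAL-app = "forescout_eyeinspect"
# Keep the originating Command Center as its own field so that
# multi-CC deployments remain separable in searches and dashboards
FIELDALIAS-cim_cc = command_center AS cc_name
# Normalize an assumed numeric 1-10 vendor risk score onto the CIM severity vocabulary
EVAL-severity = case(risk_score>=8, "critical", risk_score>=5, "high", risk_score>=3, "medium", true(), "low")

# eventtypes.conf -- give the events a name the tag can attach to
[forescout_eyeinspect_alert]
search = sourcetype="forescout:eyeinspect:alert"

# tags.conf -- the "alert" tag is what makes the events appear in the Alerts data model
[eventtype=forescout_eyeinspect_alert]
alert = enabled
```

After deploying the three files to the search head, a practitioner would confirm the mapping with a search such as `tag=alert sourcetype="forescout:eyeinspect:alert" | stats count by cc_name severity`: every event should carry a populated src, dest, severity and cc_name, and any event missing them indicates a vendor field name that did not match the alias. Events that pass this check are the ones Enterprise Security correlation searches and other CIM-aware apps will pick up.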
The post Forescout and Splunk have never looked better (Introducing the Forescout OT Network Security Monitoring App for Splunk v1.1) appeared first on Forescout.
*** This is a Security Bloggers Network syndicated blog from Forescout written by Luca Barba. Read the original post at: https://www.forescout.com/company/blog/forescout-and-splunk-have-never-looked-better/