Podcast: Splunk’s OT Security Add-On

Podcast Archives - Dale Peterson: ICS Security Catalyst «

4y ago

Contenu fourni par Podcast Archives - Dale Peterson: ICS Security Catalyst. Tout le contenu du podcast, y compris les épisodes, les graphiques et les descriptions de podcast, est téléchargé et fourni directement par Podcast Archives - Dale Peterson: ICS Security Catalyst ou son partenaire de plateforme de podcast. Si vous pensez que quelqu'un utilise votre œuvre protégée sans votre autorisation, vous pouvez suivre le processus décrit ici https://fr.player.fm/legal.

Most of the OT Detection and Asset Management solutions have developed ‘integrations’ with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month.

In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP Internet of Things at Splunk about the OT Security Add-On.

https://traffic.libsyn.com/secure/unsolicitedresponse/20-21_Splunk.mp3

This is a more detailed, technical episode as I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:

The additional OT fields in the Splunk Asset Framework
The OT_Asset and OT_SW_Asset data models
How the 29 OT search queries will work with integrations likely using different terms (such as different names for asset types) and the types of search queries currently supported.
The value of having standardizations for some OT alerts/events sent to Splunk, such as “modify control logic”. This support for standardized notables, as Splunk calls them, is not in the released Add On but can be configured.
How Splunk is tracking vulnerability management (currently no OT integration)
And how Splunk is calculating the Risk Scores in the OT Security Posture Tab