New Release Introduces Hybrid ICS Threat Detection - and more

Note: on July 23rd 2019, SCADAguardian was renamed Guardian, and SCADAguardian Advanced was renamed Smart Polling.

Amid rising threats to industrial control systems, it’s good to see more and more operators realizing there is new technology available that can significantly help them with the challenge of ICS cyber security. Companies are moving beyond relying on network segmentation, industrial firewalls and SIEMs and want to monitor and analyze their network traffic in real time so they can immediately act to defend security and reliability.

Our passive ICS cyber security and visibility solution addresses that goal, and today I am glad to let you know that we are advancing our offering with our second major product release of 2017. It further enhances our strength in ICS threat detection and addresses the needs of large customers for easy IT/OT integration. Let’s look at the key capabilities in release 17.5.

1. Improved Cyber Resiliency with Hybrid ICS Threat Detection

Up to now, our SCADAguardian product has provided best-in-class behavior-based anomaly detection that identifies any changes in communication or process variable values that could indicate the presence of a cyber threat or a risk to reliability. With our new release, the product is now enriched with signature and rules-based threat detection.

The new rules-based capability allows us to quickly identify known malware on an industrial network. For example, at a recent customer installation, SCADAguardian identified the presence of WannaCry on the network within a few minutes of deployment.

Furthermore, our hybrid approach goes beyond anomaly-only or rules-only analysis. SCADAguardian correlates the data from multiple types of threat detection to rapidly inform operators about what is happening on their network. Consider the following alerts, which SCADAguardian auto-correlated into one incident:

  • A new device is added to the network
  • New communication is coming from the device
  • Files indicating the presence of WannaCry are identified

From this information the security team quickly realized that a maintenance worker had connected their laptop to the industrial network and introduced the WannaCry malware.
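To make the correlation step concrete, here is an added example (not Nozomi Networks code) of a minimal correlator that groups behavioral anomaly alerts and signature alerts for the same device into one incident, raising confidence when both detection types agree. The alert fields, the five-minute window and the severity rule are assumptions; the sample alerts are constructed to mirror the three auto-correlated alerts above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

WINDOW_SECONDS = 300  # assumed: alerts within 5 minutes of the first one correlate

@dataclass
class Alert:
    ts: int        # epoch seconds
    device: str    # identifier of the device the alert concerns
    source: str    # "behavior" (anomaly detection) or "signature" (rules/YARA)
    name: str

@dataclass
class Incident:
    device: str
    first_ts: int
    alerts: List[Alert] = field(default_factory=list)

    def sources(self) -> set:
        return {a.source for a in self.alerts}

    def severity(self) -> str:
        # Assumed rule: evidence from both detection types means high confidence,
        # a signature hit alone is medium, behavioral anomalies alone are low.
        if {"behavior", "signature"} <= self.sources():
            return "high"
        return "medium" if "signature" in self.sources() else "low"

def correlate(alerts: List[Alert]) -> List[Incident]:
    """Group alerts per device into incidents bounded by WINDOW_SECONDS."""
    incidents: List[Incident] = []
    open_by_device: Dict[str, Incident] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_device.get(a.device)
        if inc is None or a.ts - inc.first_ts > WINDOW_SECONDS:
            inc = Incident(device=a.device, first_ts=a.ts)
            incidents.append(inc)
            open_by_device[a.device] = inc
        inc.alerts.append(a)
    return incidents

# Constructed sample stream: one laptop triggering all three alerts, plus an
# unrelated behavioral alert on a second device.
SAMPLE = [
    Alert(1000, "aa:bb:cc:dd:ee:01", "behavior", "new device on network"),
    Alert(1042, "aa:bb:cc:dd:ee:01", "behavior", "new communication from device"),
    Alert(1090, "aa:bb:cc:dd:ee:01", "signature", "YARA match: WannaCry files"),
    Alert(1100, "aa:bb:cc:dd:ee:02", "behavior", "new communication from device"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE):
        print(inc.device, inc.severity(), [a.name for a in inc.alerts])
```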

What to Expect from Advanced ICS Threat Detection:

  • Best-in-class behavior-based anomaly detection enriched with rules and signature-based threat detection
  • Known malware identification using YaraRules and Packet Rules (file and packet signature matching)
  • Fine-tuned threat detection and hunting with custom Assertions (queries and actions)
  • Real-time process analysis, powered by artificial intelligence, to eliminate noise and identify true threats

Did you Know?

Version 17.5 expands the selection of SCADAguardian appliances from 8 to 11 physical or virtual devices, covering every type of deployment.

2. Easy Integration with IT/OT Environments

Ever since I founded Nozomi Networks with Moreno Carullo, our philosophy has been to provide solutions that share data and interact with other applications to provide a complete solution. The 17.5 release takes this vision to another level in our products with the inclusion of an Open API and Protocol SDK.

Expanding on the built-in integrations with IT security infrastructure that were already included, an Open API now provides rich, deep integration with IT/OT applications. For example, you can share Nozomi Networks asset auto-discovery data with configuration management applications or easily integrate SCADAguardian data with applications such as incident ticketing systems.

Similarly, while our products already support dozens of ICS and IT protocols, now customers and system integrators can expand that range with a Protocol SDK. This speeds support for more protocols and eliminates the need to share proprietary information.

What to Expect from the Open API and Extensible Architecture:

  • Built-in integrations with SIEMs and firewalls are extended with an easy-to-use Open API
  • Comprehensive Open API makes available all Nozomi Networks data for use in IT/ICS applications
  • New Protocol SDK extends protocol support beyond the dozens already supported
  • Rich customizations and export capabilities improve productivity and enhance data analysis

3. Real-time Monitoring and Cyber Security for OT Networks from Trusted IT Security Providers

Another positive indicator of advances in ICS cyber security is that CISOs are now demanding enterprise-grade security that encompasses their OT environments. To help meet that need, we are thrilled to offer managed service providers a new tool for powering their offerings. Our Central Management Console (CMC) now comes with a multitenant deployment option.

It is ideal for IT security service providers expanding into OT because our solution is designed from the ground up with a thorough understanding of industrial networks and processes. It is totally safe for sensitive control networks and it provides optimum performance on shared infrastructure. The CMC combines the benefits of centralized cyber security and visibility with data segmentation for each client.

What to Expect from the Multitenant CMC:

  • Centralized ICS cyber security monitoring for many customers using a single instance of the CMC
  • Flexible, scalable, hierarchical aggregations of cyber security and operational data to suit all organizations
  • Secure, granular control of user access to OT data and interfaces, ensuring confidentiality
  • Maximized value from scarce OT security experts across many industrial sites

Hybrid ICS Threat Detection and Easy IT/OT Integration

With this release, Nozomi Networks has reinforced our commitment to meeting the needs of the world’s most demanding critical infrastructure operators and security stakeholders. Major enterprise cyber security partners, such as FireEye, Fortinet and Palo Alto Networks, rely on our comprehensive ICS/OT cyber security and integration technology to complement their IT cyber security offerings.

To learn more about what’s new in v17.5, as well as what’s always been great about our solution, explore the content below.