This article was updated on October 7, 2019.
Malware attacks like WannaCry, Dragonfly 2 and Industroyer have brought industrial cyber threats to the attention of corporate boards and governments around the world. As a result, CISOs and those responsible for critical infrastructure are demanding real, enterprise-grade OT security solutions. Many are reaching out to trusted partners in IT security, looking for help in securing their industrial control networks.
This is the driver behind our new partnership with FireEye. FireEye’s customers include more than 40% of the Forbes Global 2000 and they depend on FireEye to eliminate the complexity and burden of cyber security for them.
To help extend its ICS cyber security offerings, FireEye recently reviewed the market for ICS network security monitoring solutions. “Review” is not really the right word to describe FireEye’s analysis though – it was more like an exhaustive, very technically deep examination of our product and our company capabilities.
We’re happy to announce today that our solution has been selected by FireEye to provide cyber security visibility and threat detection for industrial control systems as part of their expanding services to customers. Find out why our technical excellence and ICS expertise stand out from the crowd.
Detecting Complex and Advanced ICS Threats
The Nozomi Networks solution for securing industrial control networks is a comprehensive one. To keep this article short, I am going to focus on one area of technical excellence that is important to companies offering ICS cyber security services: threat detection. In particular, let’s think about complex, hard-to-detect threats like advanced persistent threats or zero-days.
To understand how our solution identifies such threats, you need to understand how our technology works. Our Guardian product passively analyzes network traffic using artificial intelligence and machine learning techniques. It determines what devices are communicating on the network, what protocols are present and it creates detailed behavioral profiles for every device according to the process state. “Critical states” are identified, i.e. states that would disrupt the normal physical process.
In addition, Deep Packet Inspection (DPI) is used to evaluate industrial protocol communication at all layers of the network stack. This is very important because most industrial protocols are insecure by design: they typically carry no authentication or integrity protection, so a correctly formed command from an attacker looks like any other. DPI is therefore key to differentiating between valid and invalid commands.
The Nozomi Networks solution supports dozens of industrial protocols, and more can be easily added. Our Guardian product analyzes the communications of these protocols thoroughly for conformance with official protocol syntax and for the real-world customizations used by specific industry sectors. The robustness of our DPI was an important factor in FireEye’s selection decision.
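To make the DPI point concrete, here is an added example of a protocol conformance check of the kind described above. It is not Nozomi Networks code: it parses Modbus/TCP request frames (a protocol chosen here purely for illustration, since the article names none), checks the MBAP header and PDU against the public specification, and flags writes whose target lies outside an allowed address set. The allowed ranges, the sample frames and the severity labels are all constructed for the demonstration.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Public function codes from the Modbus Application Protocol Specification V1.1b3.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostics", 11: "Get Comm Event Counter",
    12: "Get Comm Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Server ID", 20: "Read File Record", 21: "Write File Record",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    24: "Read FIFO Queue", 43: "Encapsulated Interface Transport",
}
MAX_PDU_LEN = 253  # function code + data; the spec caps the PDU at 253 bytes


@dataclass
class Finding:
    severity: str  # low / medium / high / critical
    reason: str


@dataclass
class WritePolicy:
    """Inclusive (start, end) address ranges a client may write. Constructed for this demo;
    in practice they come from the learned baseline or the engineer's register map."""
    registers: list[tuple[int, int]]
    coils: list[tuple[int, int]]


DEMO_POLICY = WritePolicy(registers=[(100, 199)], coils=[(0, 15)])


def _allowed(lo: int, hi: int, ranges: list[tuple[int, int]]) -> bool:
    return any(a <= lo and hi <= b for a, b in ranges)


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in a well-formed MBAP header (transaction id, protocol id 0, length, unit id)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect(frame: bytes, policy: WritePolicy) -> list[Finding]:
    """Check one Modbus/TCP request for syntactic conformance and for writes the policy forbids."""
    if len(frame) < 8:
        return [Finding("high", "frame shorter than MBAP header plus function code")]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    findings: list[Finding] = []
    if proto != 0:
        findings.append(Finding("high", f"MBAP protocol id {proto} is not 0"))
    if length != len(pdu) + 1:
        findings.append(Finding("high", f"MBAP length {length} disagrees with {len(pdu) + 1} bytes on the wire"))
    if len(pdu) > MAX_PDU_LEN:
        findings.append(Finding("high", f"PDU of {len(pdu)} bytes exceeds the {MAX_PDU_LEN}-byte limit"))
    fc, body = pdu[0], pdu[1:]
    if fc & 0x80:  # exception response: high bit set on the echoed function code
        findings.append(Finding("low", f"exception response to function {fc & 0x7F}"))
        return findings
    if fc not in FUNCTION_NAMES:
        findings.append(Finding("high", f"unassigned or reserved function code {fc}"))
        return findings
    name = FUNCTION_NAMES[fc]
    if fc in (1, 2, 3, 4):  # reads: start address + quantity
        if len(body) != 4:
            findings.append(Finding("high", f"{name}: request body must be 4 bytes, got {len(body)}"))
        else:
            _addr, qty = struct.unpack(">HH", body)
            limit = 2000 if fc in (1, 2) else 125
            if not 1 <= qty <= limit:
                findings.append(Finding("high", f"{name}: quantity {qty} outside 1..{limit}"))
    elif fc == 5:  # write single coil: only 0x0000 (OFF) and 0xFF00 (ON) are valid
        if len(body) != 4:
            findings.append(Finding("high", f"{name}: request body must be 4 bytes, got {len(body)}"))
        else:
            addr, val = struct.unpack(">HH", body)
            if val not in (0x0000, 0xFF00):
                findings.append(Finding("high", f"{name}: output value 0x{val:04X} is neither ON nor OFF"))
            if not _allowed(addr, addr, policy.coils):
                findings.append(Finding("high", f"{name}: coil {addr} not in allowed write ranges"))
    elif fc in (6, 16):  # register writes: syntactically valid but outside the policy is still an attack
        if len(body) < 4:
            findings.append(Finding("high", f"{name}: truncated request"))
        else:
            addr = struct.unpack(">H", body[:2])[0]
            qty = 1 if fc == 6 else struct.unpack(">H", body[2:4])[0]
            if fc == 16 and (not 1 <= qty <= 123 or len(body) != 5 + 2 * qty or body[4] != 2 * qty):
                findings.append(Finding("high", f"{name}: quantity {qty} and byte count disagree"))
            if not _allowed(addr, addr + qty - 1, policy.registers):
                findings.append(Finding("high", f"{name}: registers {addr}..{addr + qty - 1} not in allowed write ranges"))
    elif fc == 8 and len(body) >= 2:  # diagnostics sub-functions that change device behaviour
        sub = struct.unpack(">H", body[:2])[0]
        if sub == 0x0004:
            findings.append(Finding("critical", "Diagnostics sub-function 4 (Force Listen Only Mode) silences the device"))
        elif sub == 0x0001:
            findings.append(Finding("medium", "Diagnostics sub-function 1 (Restart Communications Option)"))
    return findings


if __name__ == "__main__":
    # Constructed frames: a normal read, a write to an unexpected register, a Force Listen Only Mode request.
    for label, frame in [
        ("read 10 holding registers", build_frame(1, 1, bytes([3, 0, 0, 0, 10]))),
        ("write register 4096", build_frame(2, 1, bytes([6, 0x10, 0x00, 0x00, 0x01]))),
        ("force listen-only", build_frame(3, 1, bytes([8, 0, 4, 0, 0]))),
    ]:
        print(label, [(f.severity, f.reason) for f in inspect(frame, DEMO_POLICY)])
```

The point of the example is the split the article draws: the first group of checks is pure syntax (header consistency, PDU length, assigned function codes, legal quantities and coil values), which any conformant stack should satisfy; the second group is semantic (a well-formed write to a register the process never writes, or a diagnostics request that silences a device), which only a policy learned from the real process or supplied by the engineer can judge.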
With the help of DPI, Guardian examines process-level variables and their correlation over time to develop an internal model of the physical process.
Once this learning phase is complete, our product automatically switches to protection mode (a feature called Dynamic Learning) and anomaly detection starts. Because the internal model has been built over multiple cycles of the physical process, it is very accurate. It also captures the likelihood of any anomaly throwing the physical process into a “critical state”, a key differentiator of the Nozomi Networks solution.
How is this useful in detecting complex and advanced anomalies? Well, besides detecting “simple” anomalies like invalid or failed communications, our solution distinguishes itself by identifying anomalies that involve multiple states of multiple variables in the ICS environment. And, it is unique in being able to detect when the update frequency of variables changes, a capability that is important for the smooth operation of many industrial control systems.
In both cases, high-level alerts are generated indicating that something irregular and potentially damaging is happening in the system. Security providers should then immediately execute their incident response plan.
“Adversaries are increasingly targeting critical infrastructure around the world and operators are prioritizing cyber security for industrial control systems and other types of operational technology. After extensive review, we chose Nozomi Networks because their platform provides industry-leading capabilities which allow us to detect anomalies and proactively hunt for threats within industrial environments.”
Grady Summers, CTO, FireEye
Superior ICS Incident Response and Forensic Tools
Once an incident occurs, how does our solution help a security consultant like FireEye resolve it?
First, our passive, automated solution provides foundation information that, in the past, took a lot of manual work to develop and maintain. As a result, many industrial installations don’t have this information at hand, or don’t have it up to date. It includes ICS network diagrams and visualizations as well as asset inventories with extensive asset attributes.
Second, Guardian automatically provides packet captures (PCAPs) before and after alerts are generated, and triggers actions such as sending logs to a SIEM infrastructure. It also uses an internal correlation engine to group alerts into root incidents, reducing noise and speeding analysis.
Next, Guardian offers a unique capability called TimeMachine™ that is especially useful for revealing advanced malware that successfully covers its tracks. Acting like a DVR for ICS networks, the Nozomi Networks TimeMachine can turn back the network state to help uncover malicious activity. The entire system can be visualized, navigated, searched and queried at an earlier point in time. “Diff” views and reports can be generated between different points in time, including comparisons to the live network state.
Finally, a real-time ad-hoc query tool can be used to check the system regarding any aspect that an ICS security analyst could possibly want to investigate.
Guardian is a powerful forensic tool, but it can also provide fast proactive protection when integrated with firewalls. In this scenario, firewalls are triggered automatically to enforce policy without manual intervention: security personnel associate rules, policies or alerts with firewall rules that are inserted into, and later removed from, the firewalls in the environment.
FireEye + Nozomi Networks Secure Critical Infrastructure
We are proud that the technical excellence of our products, as well as the ICS cyber security expertise of our organization, stood out for FireEye. We are excited to be working with them on technology integration and on providing additional ways for critical infrastructure and manufacturing organizations to deal with the escalating cyber security challenge.
To find out more about the powerful capabilities of our best-in-class behavior-based anomaly detection, download the mitigation brief below. It explains how Guardian’s anomaly detection and rules-based threat analysis would identify and mitigate the Industroyer malware.
Nozomi Networks Industroyer Mitigation Brief
This brief explains:
- 3 main phases of Industroyer
- How anomaly detection mitigates impacts
- What Yara rules are and how they help
- How “assertions” facilitate threat hunting
- How real-time ICS monitoring provides cyber resiliency