ICS VILLAGE - A SOC in the Village

Video thumbnail (Frame 0) Video thumbnail (Frame 927) Video thumbnail (Frame 1582) Video thumbnail (Frame 1863) Video thumbnail (Frame 2373) Video thumbnail (Frame 2879) Video thumbnail (Frame 4061) Video thumbnail (Frame 4672) Video thumbnail (Frame 5459) Video thumbnail (Frame 6031) Video thumbnail (Frame 6745) Video thumbnail (Frame 9034) Video thumbnail (Frame 9735) Video thumbnail (Frame 10084) Video thumbnail (Frame 11813) Video thumbnail (Frame 12336) Video thumbnail (Frame 12839) Video thumbnail (Frame 13340) Video thumbnail (Frame 18073) Video thumbnail (Frame 19271)
Video in TIB AV-Portal: ICS VILLAGE - A SOC in the Village

Formal Metadata

Title
ICS VILLAGE - A SOC in the Village
Alternative Title
A SOC in the Sandbox
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Service (economics) System on a chip Energy level Game theory
Operations research Arithmetic mean Multiplication sign Operator (mathematics) System programming Sound effect Förderverein International Co-Operative Studies Information security Information security Physical system Sound effect
Data management Software bug Simulation Event horizon Mapping Intrusion detection system Cybersex System programming Information security Information security Product (business)
Area Multiplication System on a chip Information privacy
Enterprise architecture Process (computing) Integrated development environment System on a chip Combinational logic Integrated development environment Incidence algebra Information security Mereology Information security
Goodness of fit Multiplication sign Uniqueness quantification Energy level Area
Software bug Group action Dependent and independent variables Event horizon Blog Different (Kate Ryan album) Bit Process (computing) Incidence algebra Login Event horizon Software bug
Software bug Game controller Server (computing) Email Uniqueness quantification Multiplication sign Projective plane Multitier architecture Stress (mechanics) Mathematical analysis Mereology Web 2.0 Malware Process (computing) Event horizon Blog Different (Kate Ryan album) Single-precision floating-point format Process (computing) Quicksort Whiteboard Procedural programming Physical system
Thread (computing) Multiplication sign Source code Electronic mailing list Similarity (geometry) Computer network Complete metric space Mereology Event horizon Software Process (computing) Procedural programming Whiteboard Computing platform
Software Software Video game output Computer network Bit Complete metric space
Point (geometry) Multitier architecture Disintegration Virtual machine Complete metric space Cross-correlation Different (Kate Ryan album) Computer configuration Hybrid computer Software output Physical system Control system Service (economics) Multiplication Simulation Touchscreen Information Cross-platform Control engineering Multitier architecture Internet service provider Computer network Sign (mathematics) Data management Computer configuration Software Rootkit System on a chip Hybrid computer System programming Computing platform Information security Odds ratio Resultant
Area Proof theory Arithmetic mean Software Different (Kate Ryan album) Image resolution Internet der Dinge Area
everyone my name is tom Van Norman I'm a director engineering services at draggers we're talking about a stop today it's often a the ICS village that we have gonna be really I'm gonna speed through the things here pretty quick because we have to close up and get out of here breakdowns we're having at an arcade party tonight next door in our village if you had come back at 10:30 we had some really cool retro arcade arcade games that we are setting up and and I'm gonna have ten thirty to thirty so as I said is talking the villages is my talk a very high level if we have questions
afterwards by all means come next door and we'll we'll run them through things with you it's just what we do we have an introduction to an ICS sock unfortunately we're not going to do a demonstration because we have to break down everything at six o'clock so by the time we get done here everything we turned off and then I'm going to understanding the effects of attacks on ICS systems so what is it
oh geez security operation or security operations center anyway and do you really need them and that that question comes up all the time I and you know some people say you do
some people you don't but what are they are they did anomaly detection solutions the next door we have a you know we have an assembly over there we have clarity over there we have security matters over there cyber X you know all these fantastic products they have but is that really your what your soft looks like is the
sim we have a sim like grab well over there no T sim that your sock 90s we we had a scared young even running over there but we replaced it with some other things or is it here that the pukey maps or they really you
know unicorns i well they really do
exist who has them well many men you fortune 100 companies have them operated to you socks today they are becoming more and more common i whether through an MSP or on-site well we are seeing a lot more of that data pushed up from the front from the plant floor up into socks for monitoring i depending on a size your company might have multiple socks global companies you'll have issues with data leaving the country or leave in that area and privacy and everything else so you might have multiple socks depending on where you're at and how you're operating of
course you know someone more or outsource someone done announced so a
sock is a combination of people processes and technologies that proactively search for abnormal teas in the environment to identify and respond to security incidents so you can read just like many but instead of the riedesel what what exactly are we talking about well the people part what
it is not you never throw people at a problem to fix it that just not working no we've seen that time and time and time again that you have a problem so let's just hire a bunch of people well that doesn't really really work i what you needed good people various skill levels but they have unique talents and we can go over the talents after this here you must have the three-tier so now
you hear your tier one people all your
analyst are going to look through through your logs the alerts your your different events day after day and say hey you know this that's not does not look right you'll have the most people in that group your tier two are your
incident responders i so you hear wonder courses I'll push it up to here to this here to you're going I'll say incident responders see you and see what exactly is going on there you know they perform the triage they're gonna dig a little bit deeper into everything apply the appropriate mitigations now
Tier three it is where we really get into the uniqueness here the tier one is here too is the same between you know all the all the different socks but when we get into tier 3 for no T these are the people that are closest to the process so you have a you have something going on you find some sort of malware I unlike your conventional IT systems you know you're gonna look at your web servers your email servers and things like that that's pretty standard across the board stuff ot though you need somebody to understand there's controllers you need somebody understand the system processes how they how they work so you know if there's a chemical process what's going on in that chemical process what impact does this have the 90 guys not going to know that at all if you need a process engineer you need somebody that really understands the process what does that controller do what what is the impact of that that is the biggest part or the biggest difference to here also when when you do your investigation it can't be left with hey I don't know what happened I you know we have to identify what exactly did happen you know you know if we want three tier 1 and tier 2 obviously something happened to your three just can't write it off you have to rule it out blow everything out projects apart
documentation and procedures are a must I that's how you use a standard investigation every single time document everything that happens again can't stress the do documentation part a lot of people including myself really cannot stand documentation however when you do this you have to document every single thing look at the big picture when you're done follow the same procedure every time and
if it one doesn't exist make it up you know we it doesn't have to be a real super detailed procedure but you have to follow the same steps every time to get a similar outcome technology part there
is no silver bullet I work for a vendor you know we've dragged this we make a threading platform first one to say and everybody helps need companies and say there is no silver bullet i firewalls you know what we not the answer you're not only detection users are not the answer there is no one silver bullet any vendor that tells you that and just trying to sell you something I one of them one of the problems that here in the ICS village that we hear all the time every single event we go to is network visibility I have no idea what my assets are I have no idea what's on my network I how do I do it where do I get it the list goes on and on and on you know you talk about spam ports and sometimes you can't get spam boards you know the manage which is three layers up it's down below any cabinet source on Manus which is how do you how do you bring that data back up network visibility is a it is a problem you know do you want to do active scanning do you want to keep it all passive it's not an easy problem and every solution can be different it's all free to find
networking is a is alternative to it there there are a couple of couple vendors out there doing software-defined networking for ROG networks if you're not familiar with it and saying you look me afterwards all I'll talk to you a little bit previous life that's what I did for ot networks very interesting technology that's out now so
you got all your spam ports you your your Mariner data you're spending your data what do you what do you deal with it you know you again you you could have hundreds of Meg's of data you have gigs of data depending on how you spend everything what are you doing it to now you input
it to a threat detection system and put it to a ass in there there are several tools that you you import it to but import it save that data I've find it find a tool that works best for you fits your budget fits your needs so another
problem is correlation of data from multiple systems so what do we mean what do we member that I I'll have you know my my historian I'll have my my one asset detection tool I'll have an anomaly detection tool I have you know all of these detection tools if I put them up on my screen all these dashboards I can't read it it's really at that point worthless because there's just too much data integrated into a sim I only showed it the information that you that you really want so over here in in in the ICS village we had that problem you know we're running multiple platforms I so for a Def Con here we got gravel well who makes a sim and we fed all of them in Terran we made up a dashboard I had zooming clarity and I said management everything up on on the one on the one dashboard and there's there's many some solutions out there now portent gigabyte hundred percent infection should be either false positive should be a false positive or result in a in an defining that that's a a very important thing you know you've said before you get the Tier three these are the people that are really hunting down the problem talking the control system engineers maybe our control systems engineers you really need to find the of that problem it may not be easy might be a rootkit on your on your PLC might be malware might be something else but it is a challenge so there are many options for running us up to VMs MSSP in-house or a hybrid so a couple things that I've seen was you know your tier 1 and tier 2 or MSS P's and you push them up through there's again many of those and then your tier 3 since they have to be that highly specialized work with either your control engineer or work with closely with your control engineer maybe they're an in-house employee but a tier wanted to hear one end to Alice ORS I might might work pretty good more data is a better for when you talk about Sox give it as much data as you can so you can go back and corley you can track things back technology's never replacement for people just like you can't throw people at a problem and expect that probably fix you can't replace people for technology technology is a fantastic thing they give you give you that data present it data in many different ways but you still need that human to go and look through especially when we're talking about that control system network where it can do funny things you know with that control system network we're dealing with three things that can go you know bad is health like and safety when things go bad you know your machine is not gonna pick that up but your person will
so there's a couple things that we're doing every year and in the ISS village we built an area where you can interact with sneeze and and discuss many different topics I t know T topics CTF just just finished while I was waiting to get up here I have to say the team dragged this one that and you know you avoid just sales pitches to see how things actually work get that proof of concept don't let the vendors come in and say hey you know we got this wonderful thing for you it's gonna solve everything great but in my network we let it run for 30 60 90 days 180 whatever you can negotiate for your proof-of-concept might cost you a few bucks might get for free every vendors different but do that proof of concept just don't buy because the salesman said to buy it and I flew
through them pretty quick that's who I am if you have any questions by all means come up to me later gladly talk to you about this or any other topic thank you
Feedback