• Home

  • Documents

  • Key Benefits Limitations of the Traditional Approach
8
Industrial Immune System Passively learns ‘self’ in real time, no configuration needed Complete visibility across OT, IT, and IIoT Protocol and technology agnostic Cyber AI Analyst reduces triage time by up to 92% Illuminates points of IT/OT convergence Identifies assets with a passive and active option Key Benefits Limitations of the Traditional Approach CISA confirms that “current ICS security technology focuses on reactive defense against known threats with limited capabilities to detect threats based on behavior rather than pre-defined indicators.” SANS adds that many advisories for ICS devices have no practical mitigation advice, and over a fifth of reported common vulnerabilities and exposures (CVEs) do not even include a patch, making most vulnerability management workflows a process of diminishing returns. Static baselines cannot keep pace with changes in the diverse technologies used in ICS ecosystems, where legacy devices are often retrofitted and used alongside IIoT. Siloed security solutions also fail to detect attacks that span the entire organization—for example, malware that enters through a phishing email and then moves laterally, eventually disrupting visibility into OT. Defending Diverse Industrial Environments By analyzing all traffic and activity on a granular level in a protocol and technology agnostic capacity, Darktrace provides continuous detection, full visibility, actionable insights, and, where appropriate, Autonomous Response for diverse and complex ICS ecosystems. Rather than forming static baselines that need constant tuning and manual configuration, Darktrace harnesses Self-Learning AI to continuously learn ‘normal’ for all forms of machine and human behavior, identifying deviations indicative of an emerging attack. The Industrial Immune System can be configured to defend all the way down to Level 1 devices in the Purdue model and indirectly into Level 0. It also covers all higher Purdue levels, from supervisory functions, business logistics, and enterprise networks (Level 4&5), and beyond into cloud and SaaS. The technology also provides visibility into and around the DMZ. Product Overview Powered by scalable, Self-Learning AI, the Industrial Immune System detects unpredictable attacks in their earliest stages, before the damage is done. By learning the normal ‘patterns of life’ for every device and operator in an industrial environment, the Industrial Immune System detects known and unknown threats with the same AI-driven methods, as well as granting visibility across all levels of the Purdue model, and into and around the DMZ. Figure 1: The Industrial Immune System provides self-learning protection of the entire ICS ecosystem IIoT ICSaaS IT/OT Convergence All Purdue Levels SCADA DMZ PLC HMI

Key Benefits Limitations of the Traditional Approach

  • Upload
    others

  • View
    5

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Key Benefits Limitations of the Traditional Approach

Industrial Immune System

✔ Passively learns ‘self’ in real time, no configuration needed

✔ Complete visibility across OT, IT, and IIoT

✔ Protocol and technology agnostic

✔ Cyber AI Analyst reduces triage time by up to 92%

✔ Illuminates points of IT/OT convergence

✔ Identifies assets with a passive and active option

Key Benefits Limitations of the Traditional ApproachCISA confirms that “current ICS security technology focuses on reactive defense against known threats with limited capabilities to detect threats based on behavior rather than pre-defined indicators.” SANS adds that many advisories for ICS devices have no practical mitigation advice, and over a fifth of reported common vulnerabilities and exposures (CVEs) do not even include a patch, making most vulnerability management workflows a process of diminishing returns.

Static baselines cannot keep pace with changes in the diverse technologies used in ICS ecosystems, where legacy devices are often retrofitted and used alongside IIoT. Siloed security solutions also fail to detect attacks that span the entire organization—for example, malware that enters through a phishing email and then moves laterally, eventually disrupting visibility into OT.

Defending Diverse Industrial EnvironmentsBy analyzing all traffic and activity on a granular level in a protocol and technology agnostic capacity, Darktrace provides continuous detection, full visibility, actionable insights, and, where appropriate, Autonomous Response for diverse and complex ICS ecosystems. Rather than forming static baselines that need constant tuning and manual configuration, Darktrace harnesses Self-Learning AI to continuously learn ‘normal’ for all forms of machine and human behavior, identifying deviations indicative of an emerging attack.

The Industrial Immune System can be configured to defend all the way down to Level 1 devices in the Purdue model and indirectly into Level 0. It also covers all higher Purdue levels, from supervisory functions, business logistics, and enterprise networks (Level 4&5), and beyond into cloud and SaaS. The technology also provides visibility into and around the DMZ.

Product Overview

Powered by scalable, Self-Learning AI, the Industrial Immune System detects unpredictable attacks in their earliest stages, before the damage is done. By learning the normal ‘patterns of life’ for every device and operator in an industrial environment, the Industrial Immune System detects known and unknown threats with the same AI-driven methods, as well as granting visibility across all levels of the Purdue model, and into and around the DMZ.

Figure 1: The Industrial Immune System provides self-learning protection of the entire ICS ecosystem

IIoT ICSaaS IT/OT Convergence

All Purdue Levels SCADA DMZPLCHMI

Page 2: Key Benefits Limitations of the Traditional Approach

Product Overview | 2

Self-Learning AIRather than relying on pre-defined indicators of compromise (IoCs) and external threat feeds, Darktrace analyzes an ICS ecosystem’s native data through layers of machine learning to detect any unusual behavior, regardless of whether the source is human or machine. This self-learning approach allows Darktrace to detect known and unknown attacks in the same capacity including, but not limited to: zero-day exploits, supply chain attacks, insider threats, ransomware, and devices infected prior to deployment.

Comprehensive VisibilityBeing protocol and technology agnostic, Darktrace does not need to access specific protocols to perform its threat detection, allowing the AI to identify abnormal activity no matter where it occurs in the digital ecosystem. At the same time, Darktrace can read into over 50 diverse industrial protocols, including Modbus, IEX-61950, CIP and BACnet. This allows the technology to grant visibility into a wide range of bespoke industrial environments, regardless of whether they employ decades old devices or the latest IIoT and ICSaaS technologies.

Adapts to Evolving EnvironmentsAs legacy devices are retrofitted, technologies such as IIoT are being adopted, and remote working is becoming an increasing practice for industrial environments, ICS ecosystems are evolving. Darktrace’s Self-Learning AI takes an adaptive approach, with its native ability to learn these changes ‘on the job’ without human input, removing the need for manual configuration and constant tuning.

Figure 2: Darktrace coverage directly covers all levels of the Purdue Model and indirectly into level 0

Figure 3: The Industrial Immune System detecting anomalous connections to a SCADA ICS workstation

Page 3: Key Benefits Limitations of the Traditional Approach

Product Overview | 3

Cyber AI Analyst: Augmenting the HumanThe barrier to attacking industrial environments is lowering as threat actors expand from nation states to cyber-criminals, as seen with the Colonial Pipeline incident. OT security teams simultaneously are suffering from a skills shortage and tight budgets, remaining perpetually understaffed.

Cyber AI Analyst augments security and operation teams, providing actionable insights and closing knowledge gaps between IT and OT specialists. Autonomously investigating all unusual activity across the whole ecosystem, Cyber AI Analyst connects the dots among disparate events, reducing triage time by up to 92%.

With specialized models for OT, Cyber AI Analyst rapidly cycles through the process of building hypotheses, querying real-time data, and refining its theories. This creates fleshed out Incident Reports that put teams in a position to immediately take action, allowing them to better maintain availability and integrity as an attack emerges.

“Darktrace adds another level of sophistication to our defense systems and has already identified threats with the potential to disrupt our networks. It helps us stay ahead of emerging threats and better defend our key systems.”Group Head of Security, Drax

“Other solutions require an army of engineers, whereas with Darktrace your average system admin can support it because the system supports itself. It's like having an army of virtual AI engineers for free.”CIO, Services

“Using machine learning, Darktrace detects zero-day threats and suspicious insider behaviors, without having to define the activity in advance.”Chief Innovation Officer and Director of Technology, City of Las Vegas

Figure 4: Darktrace's Cyber AI Analyst detecting anomalous encryption an a suspicious chain of ICS administrative credentials

Page 4: Key Benefits Limitations of the Traditional Approach

Product Overview | 4

OT Engineer and OT Explore OT Engineer provides an operations-focused dashboard for control engineers. This includes a subset of alerts with high operational relevance that are suitable for those with typical controls engineer domain knowledge. This feature grants access to immediate information on emerging threats for fast triage, with the aim of minimal interface time. Further, drawing on Darktrace’s native ability to evolve alongside changes in the ecosystem, no tuning is necessary.

OT Explore enables a top-down visualization of the OT environment. This provides a time-bounded snapshot of connectivity and also allows users to drill down into the subnet and device level. This can surface unexpected relationships through tags, such as clusters of similar devices not associated prior to exploration.

Passive Asset ID, Active OptionDarktrace’s ability to passively identify assets eliminates the risk of operational disruption. Based on the behavior of devices, Darktrace autonomously catalogues IP-connected and non-IP ICS devices. This allows the Industrial Immune System to create a profile and full history of all devices seen on network. This device data is fully searchable with Advanced Search, Elastic Search, API, and OT threat detection models.

Additionally, Darktrace provides an active identification module to be used where desired. The active identification module makes requests to known OT devices to identify them using their observed and current protocol and service port combination.

Capabilities for OT/ICS Specialists

“Darktrace never keeps you in the dark where threat actors are concerned. This product is awesome and provides exactly what we need to secure and protect our assets.”Senior Director of Technology Infrastructure, Miscellaneous

Figure 5: OT Explore provides a top-down visualization of the industrial environment and a time-bounded snapshot of network connectivity.

Page 5: Key Benefits Limitations of the Traditional Approach

Product Overview | 5

Illuminating IT/OT ConvergenceWith the ability to provide a unified view across IT and OT environments, Darktrace is uniquely positioned to highlight any points of IT/OT convergence. In an anonymized study of its client base, Darktrace detected over 6,500 suspected instances of ICS protocol use across 1,000 enterprise environments. The ICS protocol which was detected most in this review was BACNet, seen in approximately 75% of instances. Illuminating these points of convergence is a critical step in preventing attacks from pivoting from virtual infections to disrupting physical processes.

“We had connections between our IT and OT environments that we didn’t know existed. Darktrace gives us that crucial visibility of both the OT and IT on a single screen.”Head of Telecommunications and Information Systems, Copperbelt Energy Corporation Plc

Complimenting OEM SolutionsProtecting machinery from Original Equipment Manufacturers (OEM) involves a number of challenges, including legacy hardware and software, proprietary protocols, and poorly documented security configurations. With its flexible platform approach, Darktrace easily overcomes these challenges. When network traffic is not available, for instance, Darktrace can provide coverage at a higher Purdue level, defending traffic into and out of the OEM ICS Network. Darktrace can also ingest log output from OEM security solutions to perform AI analysis. Further, if an OEM is using proprietary protocols, Darktrace can build a ‘pattern of life’ based on the metadata.

Figure 6: Challenges faced by the cyber security community with OEM networks and devices

“Darktrace's machine-based learning product does all the SOC heavy lifting, filtering out only the most important events. During side-to-side testing with another vendor, Darktrace consistently found potential concerns, where the comparable product missed the same event.”CIO, Energy and Utilities

Page 6: Key Benefits Limitations of the Traditional Approach

Product Overview | 6

Defending Against Industrial RansomwareRansomware directly targeting industrial environments has become a major concern after EKANS ransomware demonstrated the disruptive potential of these threats in 2020. The Colonial Pipeline incident in 2021 affirms the sustained risk that ransomware poses to critical infrastructure.

At an integrated oil refiner and supplier, Darktrace’s Industrial Immune System stopped a ransomware attack that originated in the corporate network. Self-Learning AI identified the first signs of a ransomware infection in a desktop device. In addition to writing its own ransom note files, the device made a series of connections to rare external destinations via an internal proxy server and then downloaded potentially malicious files.

The device proceeded to make a number of SMB directory queries. The Industrial Immune System instantly detected this activity and highlighted it as likely ransomware, alerting the security team before the infection was able to spread into the OT environment.

Protecting Industrial IoTThe mass adoption of IIoT devices has made industrial environments more complex and more vulnerable than ever. Darktrace recently detected a series of pre-existing infections in Industrial IoT (IIoT) devices at a manufacturing firm in the EMEA region.

Self-Learning AI recognized a device exploiting the SMBv1 protocol in order to attempt lateral movement. Darktrace also detected the device abusing default vendor credentials for device enumeration. The device made a large number of unusual connections, including connections to internal endpoints of which the company had previously been unaware. As these occurred, Darktrace illuminated the unusual activity’s spread from the infected device across the infrastructure.

Use CasesIn total, Darktrace identified 13 infected production devices. This ‘unknown known’ threat was detected without any prior knowledge of the devices, their supplier, or patch history, and without using malware signatures or IoCs.

By casting light on this previously unknown threat, Darktrace enabled the customer to perform full incident response and threat investigation before the attack caused any serious damage to the company.

Detecting Novel and Never-Before-Seen AttacksThe SolarWinds attack revealed the vulnerability of ICS to exploiting SNMP communications in Building Management Systems (BMS). Without a list of known exploits, company assets, or firmware versions, Darktrace’s Industrial Immune System detected every stage of a state-of-the-art attack at an international airport targeting their BMS.

The attack spanned multiple days and targeted not only the BMS but also the baggage reclaim network, with the attackers utilizing two common ICS protocols, BacNet and S7Comm. The attackers also leveraged legitimate tools in order to evade traditional, signature-based security.

Legacy security tools failed to identify the unusual activity. However, Darktrace was able to identify unusual commands used by the attacker within those otherwise ‘normal’ connections. On top of this, Darktrace’s Cyber AI Analyst was able to perform a real-time automated investigation and recommend steps that put the security team in a position to immediately take action.

“Cyber AI can detect cyber-threats before damage is done, whether they arise from an employee or from the industrial systems on our production floor. You need AI in place to quickly identify and respond to threats.”Director of Infrastructure and Technical Services, King’s Hawaiian

Page 7: Key Benefits Limitations of the Traditional Approach

Product Overview | 7

Unified ViewDarktrace’s Immune System platform provides a unified view across IT and OT systems. In today’s threat landscape, where many attacks target OT infrastructure after first pivoting through IT environments, this unified view has become an invaluable tool for detecting and neutralizing threats before the damage is done.

Page 8: Key Benefits Limitations of the Traditional Approach

Product Overview | 8

Darktrace Immune System PlatformBy detecting threats in ICS ecosystems, the Industrial Immune System represents a core capability of Darktrace’s Immune System platform. It seamlessly integrates with Cyber AI Analyst to automate threat investigations. Additionally, Darktrace’s Autonomous Response solution, Darktrace Antigena, can be used to interrupt attacks in IT before they pivot into OT. All three flagship products are rooted in Self-Learning AI technology, providing a seamless and extensible approach to protecting industrial environments and cyber-physical systems, from the cloud and the inbox all the way down to the factory floor.

www.darktrace.comtwitter @darktraceE: [email protected]

https://www.darktrace.com/en/?utm_source=darktrace&utm_medium=ds-iis
https://twitter.com/Darktrace

Over coming traditional network limitations with open source

Over coming traditional network limitations with open source

Documents
SECTION 13 - BENEFITS AND LIMITATIONSmanuals.momed.com/.../Hospice_Section13_08272012.pdfSection 13 - Benefits and Limitations Hospice Manual 4 SECTION 13—BENEFITS AND LIMITATIONS

SECTION 13 - BENEFITS AND LIMITATIONSmanuals.momed.com/.../Hospice_Section13_08272012.pdfSection 13 - Benefits and Limitations Hospice Manual 4 SECTION 13—BENEFITS AND LIMITATIONS

Documents
SECTION 13 - BENEFITS AND LIMITATIONS

SECTION 13 - BENEFITS AND LIMITATIONS

Documents
Civil Protection Orders: The Benefits and Limitations for

Civil Protection Orders: The Benefits and Limitations for

Documents
Benefits and Limitations of Organizational Development

Benefits and Limitations of Organizational Development

Documents
The Benefits and limitations of international educational ...unesdoc.unesco.org/images/0011/001176/117629E.pdfPublished in the series: Trends in education The benefits and limitations

The Benefits and limitations of international educational ...unesdoc.unesco.org/images/0011/001176/117629E.pdfPublished in the series: Trends in education The benefits and limitations

Documents
Practical Benefits & Limitations of Digitally Steered Arrays · PRACTICAL BENEFITS & LIMITATIONS OF DIGITALLY STEERED LOUDSPEAKER ARRAYS . David W. Gunness & William R. Hoy . Eastern

Practical Benefits & Limitations of Digitally Steered Arrays · PRACTICAL BENEFITS & LIMITATIONS OF DIGITALLY STEERED LOUDSPEAKER ARRAYS . David W. Gunness & William R. Hoy . Eastern

Documents
The Benefits and Limitations of Permaculture in Central · PDF fileThe Benefits and Limitations of Permaculture in Central Malawi Abigail Conrad, PhD September 8, 2015 IPC UK

The Benefits and Limitations of Permaculture in Central · PDF fileThe Benefits and Limitations of Permaculture in Central Malawi Abigail Conrad, PhD September 8, 2015 IPC UK

Documents
Traditional model limitations

Traditional model limitations

Technology
Discover the benefits of TIAA Traditional

Discover the benefits of TIAA Traditional

Documents
Cumulus networks - Overcoming traditional network limitations with open source

Cumulus networks - Overcoming traditional network limitations with open source

Technology
Limitations and benefits of ARISA intra-genomic diversity

Limitations and benefits of ARISA intra-genomic diversity

Documents
Data-driven Instruction. Benefits and Limitations

Data-driven Instruction. Benefits and Limitations

Education
THE BENEFITS AND LIMITATIONS OF HYDROSTATIC TESTING …kiefner.com/wp-content/uploads/2013/05/apihydro.pdf · THE BENEFITS AND LIMITATIONS OF HYDROSTATIC TESTING by John F. Kiefner

THE BENEFITS AND LIMITATIONS OF HYDROSTATIC TESTING …kiefner.com/wp-content/uploads/2013/05/apihydro.pdf · THE BENEFITS AND LIMITATIONS OF HYDROSTATIC TESTING by John F. Kiefner

Documents
Contents Traditional levodopa – strengths Traditional levodopa – limitations of pulsatile delivery Suboptimal delivery with disease progression Optimization

Contents Traditional levodopa – strengths Traditional levodopa – limitations of pulsatile delivery Suboptimal delivery with disease progression Optimization

Documents
The nutritional importance of dairy. Traditional Benefits Sports benefits Blood Pressure benefits

The nutritional importance of dairy. Traditional Benefits Sports benefits Blood Pressure benefits

Documents
Limitations of traditional error-resilience methods

Limitations of traditional error-resilience methods

Documents
Session 4 Benefits and limitations of mentoring programs: AWARD

Session 4 Benefits and limitations of mentoring programs: AWARD

Leadership & Management
Questions We Will Answer Today How are traditional cost systems designed? How are traditional cost systems designed? What are the limitations of traditional

Questions We Will Answer Today How are traditional cost systems designed? How are traditional cost systems designed? What are the limitations of traditional

Documents
Benefits and Limitations of E-learning for Technical ...hrmars.com/hrmars_papers/Benefits_and_Limitations... · Benefits and Limitations of E-learning for Technical Drawing in Edo

Benefits and Limitations of E-learning for Technical ...hrmars.com/hrmars_papers/Benefits_and_Limitations... · Benefits and Limitations of E-learning for Technical Drawing in Edo

Documents
Attachment J-2 Benefits, Limitations and Exclusions · Attachment J-2 Benefits, Limitations and Exclusions ... the member claims the benefits or ... of active duty eligibility. The

Attachment J-2 Benefits, Limitations and Exclusions · Attachment J-2 Benefits, Limitations and Exclusions ... the member claims the benefits or ... of active duty eligibility. The

Documents
Living Shorelines: Benefits & Limitations Management/coastal... · 2019. 2. 21. · Living Shorelines: Benefits & Limitations Lindsay Dubbs Living Shorelines for Erosion Control on

Living Shorelines: Benefits & Limitations Management/coastal... · 2019. 2. 21. · Living Shorelines: Benefits & Limitations Lindsay Dubbs Living Shorelines for Erosion Control on

Documents
Analysis of culture: Paradigms Benefits Limitations

Analysis of culture: Paradigms Benefits Limitations

Documents
Benefits and Limitations of WordPress for eLearning Purposes

Benefits and Limitations of WordPress for eLearning Purposes

Documents
PNB MetLife Traditional Employee Benefits Plan Fund Based … · PNB MetLife Traditional Employee Benefits Plan Fund Based Group Non-Linked Variable Insurance Scheme PNB MetLife Traditional

PNB MetLife Traditional Employee Benefits Plan Fund Based … · PNB MetLife Traditional Employee Benefits Plan Fund Based Group Non-Linked Variable Insurance Scheme PNB MetLife Traditional

Documents
relining standards – benefits and limitations · 2017. 11. 2. · As/nZ2566.1 in the relining sector. relining standards – benefits and limitations By ian Bateman, interflow 72

relining standards – benefits and limitations · 2017. 11. 2. · As/nZ2566.1 in the relining sector. relining standards – benefits and limitations By ian Bateman, interflow 72

Documents
The Dielectric Voltage Withstand Test - Benefits and Limitations

The Dielectric Voltage Withstand Test - Benefits and Limitations

Documents
Over coming traditional network limitations with open source

Over coming traditional network limitations with open source

Documents
The Potential of Food Irradiation: Benefits and Limitations

The Potential of Food Irradiation: Benefits and Limitations

Documents
Aluminium Alloys in Solar Power − Benefits and Limitations

Aluminium Alloys in Solar Power − Benefits and Limitations

Documents