The building blocks of good detection and response services for the ICS environment
By:Søren Egede Knudsen
sorenegedeknudsen
Our objectives today are to give Gartner a better understanding of:
1. Why do customers choose Ezenta MDR and what have we learned from our engagements
   - Sales cycle, industry, customer size, decision makers, implementation honeymoon
   - Recap: why do customers say yes
2. How is Ezenta sales organised and what is our sales strategy on MDR going forward
THE TEAM: Leadership
Nobody wants managers; we want leaders!
Understanding the people’s value set is critical
[Diagram: the leader and the team members share values; around them sit knowledge, strategy, innovation and investment]
Practice as you preach!
Organisational priorities
[Diagram: priorities ranked from casualties (health and safety) over availability and remote control; stakeholders shown are staff, auditors, you and the value chain, set against threats]
TEAM Setting
Levels: Event, Incident, Crisis
Recommended: define the needed technical level of the team
TEAM Setting

Name: Manager
  Skills: People, business and technical skills and experience. IT and OT.
  Personality: Transformational leader; common purpose / goal; value based; honest

Name: Security Network specialist/Analyst
  Skills: FW, IDS, OT, IT, SIEM, Network
  Personality: Team player; follows a list; communicative

Name: OS Security specialist/Analyst
  Skills: Windows, Linux, application, SIEM, OT

Name: IR and forensics analyst
  Skills: OS, Network, pen-test, forensics, OT
  Personality: Plus: analytic, digger

Name: SCADA specialist
  Skills: IT, OT, SCADA processes and logic
  Personality: Plus: process analytic

Pitfalls in selecting people:
- Selecting "do'ers"
- IT, not OT, focused
- Only technical knowledge
- Not a team player

Empower the team!
TEAM Structure
- RACI: R = Responsible, A = Accountable, C = Consulted, I = Informed
- Integrated team (in-house & consultants)
- Horizontal vs hierarchical team
- Plant level
- Area level
Incident response plan
The IR plan covers:
- Regulation and rules
- Agreements
- Easy to understand
- Proactive services
- Priorities and stakeholders
- Roles
- Communication
ICS visibility
- Asset Communication Profile (assets, protocol, tags)
- NSM + Asset + Segmentation = visibility
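As an added illustration of the "NSM + Asset + Segmentation = visibility" point (example code, not part of the deck or of any Ezenta tooling), the script below derives an Asset Communication Profile from network security monitoring flow records, joins it with an asset inventory carrying zone and tag information, and checks every flow against a simple segmentation model. The flow records, the asset inventory, the zone names and the allowed-communication table are all constructed for the example; real deployments would read flows from a sensor such as Zeek and the inventory from the asset register.

```python
"""Added example: Asset Communication Profile + segmentation check over
constructed NSM flow records. Not code from the presentation."""
from collections import defaultdict

# Constructed asset inventory: IP -> zone and tags. Zones follow a
# Purdue-style split: control (PLCs/HMIs), supervisory (SCADA servers),
# enterprise (IT).
ASSETS = {
    "10.0.1.10": {"zone": "control", "tags": ["plc", "line-1"]},
    "10.0.1.20": {"zone": "control", "tags": ["hmi", "line-1"]},
    "10.0.2.5":  {"zone": "supervisory", "tags": ["scada-server", "historian"]},
    "10.0.9.40": {"zone": "enterprise", "tags": ["workstation", "it"]},
}

# Constructed segmentation model: (source zone, destination zone, protocol)
# combinations that are expected. Traffic inside one zone is allowed.
ALLOWED = {
    ("supervisory", "control", "modbus"),
    ("supervisory", "control", "s7comm"),
    ("control", "supervisory", "modbus"),
    ("enterprise", "supervisory", "https"),
}

# Constructed NSM flow records (shape similar to a Zeek conn.log row after
# protocol identification): source, destination, protocol, destination port.
FLOWS = [
    {"src": "10.0.2.5",  "dst": "10.0.1.10",    "proto": "modbus", "dport": 502},
    {"src": "10.0.1.20", "dst": "10.0.1.10",    "proto": "modbus", "dport": 502},
    {"src": "10.0.9.40", "dst": "10.0.2.5",     "proto": "https",  "dport": 443},
    {"src": "10.0.9.40", "dst": "10.0.1.10",    "proto": "modbus", "dport": 502},
    {"src": "10.0.2.5",  "dst": "192.168.50.7", "proto": "ssh",    "dport": 22},
]


def zone_of(ip):
    """Zone from the inventory; unknown IPs are labelled so that gaps
    in the asset list become visible instead of being silently ignored."""
    return ASSETS.get(ip, {}).get("zone", "unknown")


def build_profile(flows):
    """Asset Communication Profile: for each asset, the set of
    (peer, protocol, destination port) tuples it has been seen exchanging."""
    profile = defaultdict(set)
    for f in flows:
        profile[f["src"]].add((f["dst"], f["proto"], f["dport"]))
        profile[f["dst"]].add((f["src"], f["proto"], f["dport"]))
    return profile


def check_segmentation(flows):
    """Return (finding type, flow) pairs for flows that cross zones outside
    the segmentation model or that involve an asset missing from the inventory."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if "unknown" in (sz, dz):
            findings.append(("unknown-asset", f))
        elif sz != dz and (sz, dz, f["proto"]) not in ALLOWED:
            findings.append(("segmentation-violation", f))
    return findings


if __name__ == "__main__":
    for asset, peers in sorted(build_profile(FLOWS).items()):
        print(asset, ASSETS.get(asset, {}).get("tags", []), sorted(peers))
    for kind, f in check_segmentation(FLOWS):
        print(kind, f["src"], "->", f["dst"], f["proto"], f["dport"])
```

Run against the constructed data, the profile shows the PLC at 10.0.1.10 talking Modbus with three peers, and the check reports two findings: the enterprise workstation reaching the PLC directly over Modbus (a segmentation violation), and the SCADA server talking SSH to an address that is not in the asset inventory (a visibility gap). Both are the kind of item the deck's "Network (segmentation)", "Assets" and "Dataflow" readiness steps are meant to surface before an incident.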
INCIDENT readiness: Are you ready for an incident?
8 steps for readiness:
1. Stakeholders and priorities
2. Definition of IR types
3. Members of the IR team
4. Empowerment of the team
5. Model (RACI)
6. Network (segmentation)
7. Assets
8. Dataflow
BUILDING blocks
- Organisational priorities
- Leadership
- Team members
- Skills and experience
- Visibility
THANK YOU!