Verve Industrial Protection stands out due to its unique origins. Founded by industrial automation engineers 30 years ago, our company was born to create reliable and secure industrial control systems. This rich history and hands-on experience differentiate us in the industry.

Our founding team possessed deep insights into OT systems: how they’re programmed, networked, and utilized by operators. Leveraging this expertise, they rigorously tested numerous cybersecurity approaches. These tests encompassed ensuring safe operation across major OEM-branded systems, effectiveness across various network designs and industries, and cost-efficiency to address the primary challenge of OT cybersecurity.

The outcome? A solution that is:

  • Proven 100% safe for OT environments
  • Cost-effective
  • Vendor-agnostic
  • Effective in achieving IT-level security within the intricate landscape of OT/cyber-physical systems

Verve FAQs

How does Verve Industrial perform asset discovery, and how is it different from other approaches or solutions in the industry?
Verve’s approach to asset discovery leverages the company’s 30 years of knowledge and testing to deliver a much deeper, wider, and less disruptive discovery than any other approach available. Our ability to go wider means we see through complexities such as network segmentation, NATs, backplanes, and dual-nic devices to identify any device connected whether it is communicating or not. We go deeper in gathering more detailed and accurate data than any other approach by going directly to the asset rather than relying on packet analysis.  Our approach is less disruptive as it does not require network outages to gather traffic, nor does it require inbound WMI calls to devices to gather asset information.  

Challenges with alternative tested solutions for OT asset discovery

Over the decades, Verve’s team tested numerous approaches to asset discovery and found many drawbacks. The primary ones included:
“Passive” network-traffic sniffing approaches
  • Limited visibility to assets behind segmented networks or connected to backplanes
  • Lengthy “learning” or “observing” time to discover assets since they only appear once they communicate and their network traffic reaches a span/tap
  • Costly and time-consuming to deploy at scale because gaining wide visibility requires multiple collectors, spans, taps and possibly fiber implementation
  • Inaccurate view of vulnerabilities and patches because they rely on information in packets which often doesn’t contain enough information for accurate vulnerability or patch mapping
  • Potential operational disruption to capture traffic from spans and taps from older or sensitive network devices
“Active” endpoint “scanning” or “probing” approaches
  • Operationally disruptive due to heavy network bandwidth usage and WMI scanning of devices spiking CPUs on critical machines
  • Possibly challenging to deploy on HMIs and workstations given the size and operation of the executables (or agents) deployed onto those devices
  • Significant visibility gaps with devices that do not respond to vendor’s library of “probes”
  • Disruption to segmentation approaches with need for inbound connections to devices to execute the “probe” or “scan”
  • Often out-of-date results/no real-time updating of changes because tools are not run regularly due to network congestion
 

Verve’s proven, OT-safe endpoint discovery approach

Based on lab testing of the alternative approaches, Verve’s team developed an innovative approach that takes the best of active endpoint approaches and blends it with the passive network approaches, without the need for expensive span and tap requirements. Like many technical innovations, Verve combines multiple technical advantages into a single solution.
1. Network communications-based asset discovery without the need for spans or taps
The network discovery approach, while picking up assets as they communicate, had the disadvantages of time lag, expensive span and tap infrastructure, and lack of visibility into segmented networks. Verve’s innovation queries all locations where network traffic traverses – IT switches, firewalls, OT switches, dual-nic PCs and servers, etc. – as opposed to waiting for a message to be sent and attempting to pick up the device, port, and communication method. From these queries, Verve builds an immediate picture of all the devices that communicated over the past 60, 90 or 120 days, without waiting weeks for the “Polaroid Photograph” to emerge as a passive solution would – which at that point is already out-of-date.
2. Passive, client-based discovery on OS-based devices
The “agent-based” or “executable-based” solutions for discovering data on OS-based devices such as HMIs, workstations, servers, etc. have three challenges. First, they require an inbound “call” to the device triggering a “data response” that sends all data back to a server, thereby creating significant network traffic in the collection of the data. Second, they actively query the device, rapidly increasing CPU usage at times that might be operationally critical. And third, they are very large, potentially challenging the capacity of the OT devices. Verve’s innovation deploys a passive client of 4 MB that was proven effective on all OEM brand systems on each OS device. This client requires no scanning of the device and is capped at less than 1% of CPU usage. Furthermore, instead of requiring active communication to the device, it passively collects information and only sends changes to the main server, reducing bandwidth consumption by 99% versus other approaches. The result is a client that runs on any OS-based device, from any vendor, without operational or warranty impact. The client retains all advantages of an endpoint solution in its ability to gather 500+ pieces of information from each device as well as act as a sensor in the network for potential rogue devices.
3. Vendor-agnostic agentless-device interface (ADI) with a library built over 30 years of OT device knowledge and delivered with OT-specific architectural options
The “scanning” or “probing” approaches have historically struggled on three dimensions. First, IT-type solutions often “brick” PLCs or other devices. Second, the library of devices they could connect to was limited. And third, they required inbound connections from higher levels of the Purdue model or breached IEC-62443 zones and conduit models. Verve’s innovation was in part its heritage – 30 years of experience with a vast range of legacy OT devices to build effective interfaces with each of these devices. For instance, Verve works through backplanes to automatically identify all the devices 1, 2, 3 or more levels below the PLC or controller. The second innovation was Verve’s architecture, which allows discovery from the same subnet as the device is on if required without the need for multiple pieces of hardware, thereby allowing for secure communication and central aggregation of data.
4. An integrated platform that brings all data together across a global footprint of plants
A big challenge with prior OT cyber or asset management tools was the lack of centralized visibility of the discovery data across sites. A particular plant might have an OEM tool or spreadsheet, but that data was stuck at the plant or in an aggregated workbook of spreadsheets. And when plants – or even different units running the same OEM software – had duplicative IP addresses, which is so often the case, there was no way to sort it. Verve’s innovation takes all of the data from various sources and creates a standardized, centralized database that manages duplicate IP ranges, analyzes different data captured to prioritize risks, and allows for rapid remediation when an issue is found. The below diagram provides a high-level view of Verve’s architecture.

[Figure: Verve Industrial architecture]

The result is a much more comprehensive view of the environment, as well as much lower cost and simple deployment. The depth of data on each asset is shown below. The cost and simplicity of deployment are enabled because we negate the need for span or tap infrastructure. Unlike passive solutions that have added separate active elements (like network broadcasts, ping sweeps, WMI calls, etc.) as an add-on, Verve does not rely on invasive probing or network traffic to do its discovery. This direct approach also means the product discovers the assets immediately, rather than requiring a period of time to capture enough traffic patterns to see all assets. In addition, unlike the network-based tools which require the operator to log into the embedded device to trigger it to send its firmware over the network, Verve does not need this extra manual labor of the operator or non-traditional network traffic.

[Figure: Lower Security TCO]

How does Verve approach vulnerability management for OT systems?

Two big challenges that OT cyber operators face are 1) how to prioritize the huge volume of risk, and 2) how to remediate those risks in complex, sensitive OT environments. Verve provides two unique features that solve these challenges.

1. Prioritizing vulnerabilities and risks

Even in IT security, lack of integration across different silos or towers of security creates gaps in security and efficiency. The patching team and solution do not integrate with configuration management or user and account management or backup and restore. As a result, each team and tool is aggressively trying to produce maximum results with a limited world-view of the environments. In OT, this problem is exacerbated by the distributed nature of the operational units as well as the complexity of heterogeneous OEM vendors that may not integrate their data at all.

As discussed above, Verve was developed to address the significant resource challenges in OT cybersecurity. According to survey after survey, the biggest challenge organizations highlight is finding enough skilled talent to manage OT security.

Verve brings together a comprehensive view of the risk of an asset including:

  • Vulnerabilities
  • Configuration insecurities & compliance
  • Missing patches
  • Insecure accounts and users
  • Presence and proper configuration of network protection elements
  • Anti-virus and application whitelisting status and alerts
  • Backup status
  • Anomalous endpoint behavior
  • Host intrusion detection

After asset discovery (or inventory), vulnerability assessment and management is the second-most requested component of Verve. Because of the architecture and innovations described above, Verve highlights vulnerabilities from all device types from firmware to OS to applications. We are 100% certain of each device’s firmware because it comes directly from the asset. In addition, because of our client architecture, Verve captures detailed patch status on the device, not just the OS version. We have seen passive network tools have significant errors in vulnerabilities as a result. (Brief aside: What if someone told their CISO that going forward they were going to use their NIDS tool for vulnerability management? The CISO would fire them. But for some reason, people accept this in OT. It is NOT ACCEPTABLE in our view).

Verve aggregates hundreds of pieces of information: vulnerabilities, configurations, users & account risks, presence of firewalls, configuration of those firewalls, software, open ports and services, dual-nic devices, presence of application whitelisting and whether it is locked down, current signature versions of anti-virus, recency of successful backup, function of the device, asset criticality, redundancy, etc.

One of the keys to this is inbound integrations. Many vendors highlight all of their integrations, but in most cases, these are outbound integrations, i.e., they send their data to another tool. Verve is unique in its focus on inbound and outbound. Inbound means we pull data into Verve – from backup tools, to AV alerts and status, to whitelisting alerts and status, firewall alerts, process alarm data, NIDS tools, etc. Verve uses this data in open-book models to allow our customers an “out-of-the-box” score and customization based on their own internal risk metrics.

This 360° risk analysis allows the organization to develop a robust remediation roadmap of how to most efficiently and effectively drive a reduction in that risk score.

2. Integrated remediation

Verve is the only OT security tool that integrates remediating actions directly into the platform. All other solutions are visibility or monitoring only. Verve ties the above risk analysis directly to the ability to remediate those risks. Verve includes a wide range of remediating capabilities from the same console:

  • Patching
  • Configuration hardening
  • User & account management
  • Software management
  • Closing unused ports and services

The integration of remediation not only accelerates security, but also significantly reduces the cost of management of the OT environment.

How does Verve avoid false positive threat alerts?

One of the greatest complaints about current cyber physical security solutions is they are overwhelmed with alerts with little way of prioritizing or responding. Verve’s solution to that problem has two innovations:

1. Aggregate more data to deliver greater insight

As the diagram below demonstrates, Verve aggregates a wide range of telemetry into an OT-XDR solution. The reason this is key in OT is that by tying these pieces of data together, the platform determines which of these events are critical security events versus just standard operational changes.

Verve brings together endpoint data such as user behavior, log data, AV alerts, device behavior, flow data, configuration change, even process data. We also integrate with network intrusion detection tools such as Nozomi, Mission Secure or others to add additional richness to the threat picture.

But the key to intelligent alarms is integrating this data to narrow down the alerts to recognize true threats. By combining these data sources, security personnel prioritize actions based on whether that network alert ties to specific endpoint changes. We believe in Mandiant/FireEye’s rule of 99 that states 99% of attacks on IT will interact with the OS-based devices (HMI, Workstations, etc.). Verve gathers very detailed behavioral data on these devices to provide a very accurate picture of what is a real threat vs. a false alarm.

2. Least-disruptive response

The second capability Verve offers is assigning these alerts back to the endpoint data about each asset. One example use case is an alert that identifies a potential pass-the-hash attack. Using the Verve platform, the SOC operator quickly pivots from the alert and determines which user account is potentially compromised. Within Verve, they identify exactly which assets that user account is present on. Finally, they use Verve’s remediation capabilities to disable that user on those specific accounts. This creates a targeted response that creates the least operational disruption.

What is a typical deployment timeline, and how quickly do customers see an impact?
Verve’s innovative, OT-specific architecture allows deployment without network infrastructure such as spans/taps/collectors and the results are immediate rather than needing months to learn or discover the assets communicating. As a result, deployments are quick and results instantaneous. The typical client deployment time for a site ranges from a day to a couple of weeks, depending on the complexity and size of the environment. At the end of this time, however, it is not that the technology is beginning to capture data and eventually will provide insights. No. The insights on all assets are already captured and the solution is complete. We have many customers ready to implement remediation one week after installation begins. In most situations, Verve deploys remotely. Since the architecture does not require separate hardware or any plant-level cabling, fiber, taps and hardware, the team remotely accesses the environment and deploys in a matter of hours or days. In a recent client experience, Verve completed 60 site deployments at specialty chemicals manufacturing within six months.
What kind of services does Verve offer?

Verve’s heritage as an automation engineering services firm is alive and well today. Our strong belief is that many, if not most, clients don’t just need software, but also services support to bridge the resource gap. Verve provides a range of OT security services, shown below.

[Figure: Managed Services - Verve]

One of our most popular services is the Technology-Enabled Vulnerability Assessment (TEVA) which leverages Verve’s technology to conduct deep assessments of every asset across a global operational environment, bringing that data into a common enterprise reporting console.

Once the assessment is completed, Verve provides a range of managed services that we call OT Systems Management. While not purely a technology solution, Verve’s managed services are built off the platform. Verve provides a wide range of services to customers as pictured below. Our OT Systems Management Services is an offering that allows customers to outsource the significant volume of tasks related to ensuring both the security maintenance of the environment as well as operational reliability that sometimes can be challenged by certain tools – e.g. application whitelisting. These services are built off 30 years of excellence in service management.
