The concept “Think Global, Act Local” is truly an example of what a future OT security program should look like.
This case study is unique in its efficiency. More important than that, it directly addresses significant challenges in the industrial sector, such as the shortage of skilled team members in OT environments. It introduces automation of OT security tasks in an OT-safe way, at a scale that matches assets that typically far outnumber our OT teams.
This case study describes how a customer used their cybersecurity solution to maintain and execute typical OT security and maintenance tasks. It is important to point out that this client deployed Verve’s agent and agentless asset management solution in their OT environment.
Local data collection ran at the sites, on the assets themselves. Each site collected individual asset information into an on-premises (operational site) database that aggregated and normalized it. One central support team at HQ used a web-based reporting portal to view the databases from each of the six sites.
A little background is needed here: the asset management solution collects asset-specific data (what the asset has), third-party security data (i.e., it connects to information about the asset's last backup, AV and/or whitelisting status, outstanding patches, and risk levels according to the NVD CVEs found on each device), and finally metadata, or tribal knowledge.
Asset attributes, such as the system's criticality to operations, its physical location, the owner, etc., were identified. The centralized team has visibility into any view or filter of asset and security specifics by type, location, risk, vintage, criticality, etc. This particular client chose to refresh this information from the operating facilities to the HQ SOC every fifteen minutes, so the inventory and status were never more than fifteen minutes old.
Let’s add the CISO into the mix. He phoned the SOC team to ask if a certain specific brand of antivirus was fully removed from all of the operating assets. The SOC replied, not yet. The CISO demanded all instances be removed and verified in a report to him by Monday morning. This was Saturday afternoon.
If you are doing the mental math on how long this task would typically take in most operating environments, the answer probably seems laughable.
The HQ team sat at the reporting console and navigated to the software report. They filtered the view of the specific software in question and quickly verified all instances of the software and the offending host asset. There were 147 instances across six different sites in four different states.
Using the same software filter, they sent a command to those specific assets. The software-only agent approach goes beyond profiling, since inventory alone is rudimentary: the agent allows clients to remediate and act as well.
Setting up a flagged command for each target asset to uninstall the software is simple. The agent on the box presents the uninstall command as an offer, meaning someone must be physically present at the console to accept the offer locally at the asset and supervise its safe execution.
Using the asset metadata (remember we append unit, floor, room, rack, owner, etc.), VSC provided a targeted list to each site's cyber support designate. All six sites simultaneously targeted the exact systems in scope and oversaw the safe removal; once completed, the agent reported the successful uninstallation back to the reporting team. Here's the kicker – the entire exercise (identify, craft the command, deploy local techs to accept and oversee, confirm uninstall, print and send the report) took only 90 minutes!
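The workflow just described (filter the central inventory by installed software, split the targets per site using the appended metadata, offer the uninstall so that nothing runs until a local technician accepts it, then re-check the inventory for the report) as an added Python model; this is illustration code, not Verve's or the customer's, and the hosts, sites and the product name LegacyAV are constructed placeholders.

```python
from collections import defaultdict, namedtuple

Asset = namedtuple("Asset", "host site room owner software")

# Constructed sample inventory (hypothetical hosts, sites and product names)
INVENTORY = [
    Asset("hmi-01", "plant-a", "ctrl-rm-1", "ops", {"LegacyAV", "Historian"}),
    Asset("eng-02", "plant-a", "eng-office", "eng", {"LegacyAV"}),
    Asset("hmi-07", "plant-b", "ctrl-rm-2", "ops", {"Historian"}),
    Asset("srv-03", "plant-c", "rack-4", "it", {"LegacyAV", "Whitelisting"}),
]

def find_targets(inventory, product):
    """Central step: filter the aggregated inventory by installed software."""
    return [a for a in inventory if product in a.software]

def per_site_worklist(targets):
    """Use the appended location metadata to hand each site only its own hosts."""
    work = defaultdict(list)
    for a in targets:
        work[a.site].append((a.host, a.room, a.owner))
    return dict(work)

class UninstallOffer:
    """An uninstall that is only offered: nothing runs until a technician at the
    asset accepts it, and the outcome is reported back to the central team."""
    def __init__(self, asset, product):
        self.asset, self.product, self.state = asset, product, "offered"
    def accept(self, technician):
        if self.state != "offered":
            raise RuntimeError(f"{self.asset.host}: cannot accept in state {self.state}")
        self.state, self.technician = "accepted", technician
    def complete(self):
        if self.state != "accepted":  # the OT-safe guard: no local acceptance, no action
            raise RuntimeError(f"{self.asset.host}: not accepted locally, refusing to run")
        self.asset.software.discard(self.product)
        self.state = "completed"

def run_campaign(inventory, product, acceptors):
    """acceptors maps site -> technician on hand; sites with nobody present stay pending."""
    offers = [UninstallOffer(a, product) for a in find_targets(inventory, product)]
    for o in offers:
        if o.asset.site in acceptors:
            o.accept(acceptors[o.asset.site])
            o.complete()
    # The report re-queries the inventory rather than trusting the command log
    return {"completed": [o.asset.host for o in offers if o.state == "completed"],
            "pending": [o.asset.host for o in offers if o.state == "offered"],
            "remaining": [a.host for a in find_targets(inventory, product)]}
```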
“Think Globally, Act Locally” is a direct response to the challenges of large volumes of complex assets and tasks, coupled with scarce OT security resources available in the market today. It is also why OT owner/operators no longer need to search for the elusive silver bullet. Instead, they start tackling the endpoint management work that is desperately needed. Most importantly, it is centralized, automated, scalable and proven OT safe.