Sample Operating Company (OpCo) is embarking on an overall cyber security program enhancement with a special emphasis on OT security.
The goal is to improve security across an entire program of security functions such as those laid out in the NIST CSF. However, the near term or specific objectives this year include the need to monitor ‘shadow IT’ through asset awareness technology, increase security monitoring (i.e., incident or malicious actor monitoring) and, where possible, improve upon the current Vulnerability Management (VM) practice in OT which has some obvious gaps in reporting, execution and maintenance. As part of this pursuit, SOC embarked on a series of market research efforts primarily targeting point solutions that offer to provide monitoring, VM scanning, asset inventory, etc.
This document outlines how the Verve Security Center (VSC) platform provides far greater insights and coverage for asset awareness and system monitoring through our superior architecture and also includes patch management, configuration management, incident response, and other requirements of the NIST CSF. The following sections walk through the origin and philosophy of Verve and examine how our solution works and offers comparatives to other technology options often seen in the market.
About Verve Industrial Protection
Verve is uniquely qualified to assist OpCo in this project. For over 25 years, Verve has worked with industrial customers on their most critical reliability and security requirements on their control systems. The Verve Security Center has a 12+ year track record of providing visibility and security management across a range of industries and all OEM vendor environments.
Our history in controls engineering means that unlike our security software peers, we understand the process control portion of resource extraction (i.e., multi-million dollar control system projects integrating across multiple vendor systems). This experience gives us insight into the inner-workings of these control systems, rather than beginning from a more traditional IT security mindset. Further, we understand the challenges operators face in their day-to-day tasks and the burden that security places on an already complex schedule.
The Verve Security Center is built from the feedback of hundreds of clients. We heard the pain points with current solutions and designed a low cost, easy-to-use platform. The solution comes with the support of dozens of dedicated, experienced ICS engineers who understand the impact of potential vulnerabilities and risks in an OT environment, not from their CVSS scores, but from the potential damage they can cause to operations.
The Verve Security Center has been deployed in operations environments for twelve years. We have dozens of customers around the world ranging from power to oil & gas to manufacturing and beyond. The platform has performed safely and effectively on every major OEM brand of control systems for over a decade.
As one example of its impact, the below chart is a comparison of the before and after deployment of the Verve Security Center in this client’s cyber security maturity journey. Note that a score of “1” was their lowest possible score.
Verve’s approach to securing OT environments is based on 25 years of experience and is significantly different from alternative approaches such as passive anomaly detection tools.
Our basic premise is to provide a solution that allows for rapid, streamlined improvements in overall cyber security maturity. The approach is based on three fundamental principles:
- The solution must be easy and low cost to deploy at scale and simple to manage, not just for some assets, but for all
- The solution must provide a comprehensive view of risks, not just traditional IT vulnerabilities, but risks caused by the “insecure by design” nature of OT
- The solution must simplify and accelerate time to remediation given the lack of resources available to manage OT security
To achieve this approach, we developed an integrated platform to address the various components required of a robust security program. The integrated approach was combined with an architecture built for safe and efficient operation in an OT environment.
The Verve Security Center addresses the program requirements as evidenced in the NIST CSF below, but our abilities apply equally well across NERC CIP and CSC 20 as well.
Benefits of Verve’s products and services:
- Demonstrate rapid improvement in ICS cyber security maturity with an OT endpoint risk management platform
- Deploy quickly with no hardware taps or spans
- Provide rich endpoint risk assessment data that you cannot get from passive tools or one-time assessment exercises
- Speed time to remediation with integrated risk remediation actions
- Support from a 25-year-old company with dedicated, vendor-agnostic ICS expert technicians
The Verve Security Center is based on an innovative architecture proven over the last 12 years in industrial platforms across every major OEM control system vendor. This approach leverages an OT-designed agent and agentless software architecture which eliminates the need for expensive network tap/span port infrastructure and provides deeper asset visibility and integrated response actionability. Further, it provides centralized analysis and planning functions while ensuring operations have control over the final automated remediation action.
High-level view of Verve’s architecture:
Key features of Verve’s approach:
100% Software Solution
The Verve Security Center does not require scanners, taps, or span ports.
The graphic shows how we use agents on OS-based devices and OT-safe agentless profiling of networking and embedded equipment to capture a robust profile of the endpoint in real time.
The first benefit of 100% software is cost and speed. One of our clients came to us after realizing the cost of deploying hardware taps across their pipeline infrastructure would be twice the cost of the software and would take over a year of scheduled time to complete. Our solution deploys in a matter of days or weeks depending on the infrastructure.
The second benefit is the depth and breadth of data we collect. By connecting directly to all OT assets in scope, the data collected is far richer than the limited data available on the wire.
Additionally, Verve sees deep into the segmented or complex networks so often found in OT environments. It reaches through device backplanes to inventory serially connected devices behind them. This level of depth provides a more robust asset inventory and vulnerability picture.
360-Degree Risk Management
Verve’s unique architecture also allows the platform to provide a richer set of detail on asset risk information to improve risk remediation prioritization. Verve digs deep into asset specifics.
The benefit of 360-degree risk management is that users gain a richer sense of the asset’s risk. They can easily determine whether the asset is missing relevant patches, but they can also see whether it has dormant user accounts that offer access without any scored “vulnerability”, or whether the firewall configuration permits network connections that reduce the effectiveness of the network segmentation.
Further, by adding operational context to the asset records, they gain insight into the operational criticality of an asset and correlate that with CVSS scores to identify those most in need of remediation.
Please see the appendix to learn how these views come together for focused behavior on true OT risk. We have included a filtered vulnerability view (focusing on critical risk to high impact assets) and system hardening (least privilege) views among others.
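As an added illustration of how operational criticality, CVSS scores and non-CVE risk markers can be combined into one prioritized view (this is example code written for this document, not Verve’s scoring logic; the weights, field names and the `CVE-XXXX-*` placeholder identifiers are all constructed assumptions):

```python
from dataclasses import dataclass, field

# Illustrative weights, not values from any vendor platform.
CRITICALITY_WEIGHT = {1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0}

@dataclass
class Asset:
    name: str
    criticality: int                                     # 1 (low) .. 5 (production/safety critical)
    missing_patches: list = field(default_factory=list)  # (cve_id, cvss_base) pairs
    dormant_accounts: int = 0                            # enabled accounts with no recent login
    permissive_fw_rules: int = 0                         # host firewall rules allowing any source

def risk_score(asset: Asset) -> float:
    """Combine patch exposure, account hygiene and firewall posture,
    then scale by operational criticality. Result is in the range 0..10."""
    patch_term = max((cvss for _, cvss in asset.missing_patches), default=0.0)
    # Dormant accounts and permissive rules add exposure that no CVE captures.
    hygiene_term = min(1.5 * asset.dormant_accounts + 1.0 * asset.permissive_fw_rules, 4.0)
    raw = min(patch_term + hygiene_term, 10.0)
    return round(raw * CRITICALITY_WEIGHT[asset.criticality], 2)

def prioritize(assets):
    """Remediation order: highest combined risk first."""
    return sorted(assets, key=risk_score, reverse=True)

def critical_risk_high_impact(assets, min_criticality=4, min_cvss=9.0):
    """Filtered view: high-impact assets carrying a critical-severity missing patch."""
    return [a for a in assets
            if a.criticality >= min_criticality
            and any(cvss >= min_cvss for _, cvss in a.missing_patches)]

def least_privilege_findings(assets):
    """System-hardening view: assets whose risk comes from account or firewall
    hygiene rather than from a scored vulnerability."""
    return [a for a in assets if a.dormant_accounts or a.permissive_fw_rules]

# Constructed sample inventory; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Asset("hmi-01", 5, [("CVE-XXXX-0001", 7.5)], dormant_accounts=2),
    Asset("eng-ws-02", 3, [("CVE-XXXX-0002", 9.8)]),
    Asset("historian-03", 4, [("CVE-XXXX-0003", 9.1)], permissive_fw_rules=1),
    Asset("printer-04", 1, [("CVE-XXXX-0004", 9.8)]),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        print(f"{a.name:14s} criticality={a.criticality} score={risk_score(a)}")
    print("critical risk / high impact:", [a.name for a in critical_risk_high_impact(SAMPLE)])
    print("hardening findings:", [a.name for a in least_privilege_findings(SAMPLE)])
```

Note that the asset with the highest raw CVSS (the criticality-1 printer) lands last, while the HMI with a medium CVSS but dormant accounts and top criticality lands first.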
As previously mentioned, Verve provides a single tool to assess and remediate risk. There are no gaps. There is no handoff from one tool to the next, hoping the ticketing system captured the right asset name. There is no need for a scan-patch-rescan process to confirm that the patch remediated the vulnerability.
Verve puts these pieces together to accelerate time to remediation and includes data points from multiple perspectives (from patch levels to NVD-identified risks, from unwanted or questionable software to real-time and emerging activity). Inputs such as syslog collection, failed user logins, netflow data and triggers on specific behaviors are monitored by our machine learning capabilities.
These asset-related touchpoints or insights are delivered in a single dashboard view.
Once risk and its operationally specific context are understood, the choice of actions is broad because the right remediation strategy varies in OT. Patching may not be feasible. Unmanaged devices need clean-up to remove risky software or dormant accounts. Reliance on anti-virus may be misplaced, as signatures are often out of date without anyone knowing. The list goes on.
Verve allows users to take hundreds of different actions (and write new actions as desired) to remediate and manage assets. These actions include patching, software and account removal, and configuration hardening. This integrated actionability provides speed and flexibility in remediation.
Think Global; Act Local
Verve was built to address distributed and sensitive OT environments. It is critical that our clients can scale their analysis and planning team to reduce cost. At the same time, it is critical that any final remediation or protection action goes through the review of the operators who know their systems best. Therefore, Verve employs a Think Global; Act Local architecture.
As seen below, Verve aggregates data from a site or group of sites into an asset database (Verve Asset Manager, or VAM) and layers additional asset and risk context into that database, including metadata such as asset criticality to operations, known exploits from the NVD, and status from any third-party tools deployed (e.g., anti-virus, backup or whitelisting status).
One or more VAM instances roll up to a read-only, corporate or global view of risk. This centralized view allows the central team to analyze all risks and threats. They design and determine which actions to deploy across the environment.
The operators most aligned with those systems trigger the final action once it has been tested and they have found the right time given operational requirements. The diagram above shows how the Verve Security Center scales resources and significantly speeds remediation efforts while protecting OT oversight and system safety in our Think Global; Act Local approach.
Practical Results / Output
In summary, Verve provides the following important benefits:
- Affordable, small footprint install
- OT-safe inventory, including embedded assets
- OT-specific context of the asset
- All known vulnerability or risk markers
- Ability to remediate (patch or compensating controls)
- OT oversight on actions
- Contained ecosystem for reporting
- Real-time updates
- Scalable (no use of WMI), near real-time data
- User-friendly, dynamic, navigable filterable dashboards to contextualize and direct remediation. Unlimited filters to see data exactly how you
For a comparison between Verve and other products, please see Appendix B.
The original discussion between Verve and OpCo began as a discussion about asset awareness and detection-based security in the OT environment. Verve delivers a robust, OT-safe solution on those fronts and provides a complete automated inventory, endpoint asset management, added context on assets to facilitate and verify the use of compensating controls, and the remediation of issues after they are detected.
Main takeaways from this proposal:
- Speed/cost/network efficiency of assessment visibility vs. network taps or calls to devices
- Deeper endpoint risk assessment visibility with IT-like endpoint management capabilities built safe for OT (including netflow, syslog, and machine learning)
- Faster time to remediation with integrated risk remediation actions
- Lower cost OT systems management with an integrated, single dashboard view
- Greater levels of support with in-house dedicated team of ICS engineers, not just cyber people
Many organizations purchase multiple stand-alone tools like a passive detection tool and scan/patch tools, forcing them to navigate through different data points and toolsets to perform various investigations, reporting, correcting, and tracking assets. They also invest in additional tools or design manual processes to manage system health, least privilege, software, user and security permissions, etc.
Verve provides a superior solution within specific disciplines of asset awareness, inventory and management as part of a comprehensive security program. Verve is a single investment that delivers dozens of benefits.
Because the Verve Security Center is a multi-function program management tool, it is difficult to compare our platform to other options on the market in an apples-to-apples way.
The following section compares Verve to a typical passive detection approach and illustrates Verve’s unique features.
Passive Anomaly Detection (PAD) Tools
There is no shortage of passive listening tools. Many provide robust anomaly detection, but fall short in three ways compared to Verve:
- Achieving visibility requires significant hardware investments to tap networks
- PAD only sees what is communicated over the network rather than providing deep asset visibility
- PAD does not offer actionability, so additional tools are required to remediate vulnerabilities and threats
Claroty was built for passive anomaly detection. While it does provide asset visibility into what is on the wire and communicating through tapped network devices, it was not designed as a vulnerability assessment or endpoint management tool. People often try to stretch it into providing these functions, but its architecture was not intended for this use case.
Verve was built from the ground up to be a comprehensive security and risk management platform. Verve starts from the asset back to gather much richer and more expansive information than a passive tool – while also providing remediation. Verve’s security incident detection capability also starts with the endpoint. Verve provides OT SIEM which leverages endpoint content like syslog, netflow, machine performance data, and DCS alarm data. It combines these into advanced machine learning algorithms to detect potential threats in the environment.
The real benefit is that the OT SIEM functionality shares the same database as the rest of the information. As you investigate alerts in the OT environment, all OT asset data, from known vulnerabilities to security controls (such as patch, backup, anti-virus or whitelisting status) and OT context (such as asset location, criticality, and ownership), is at your fingertips. This makes our security insight just as valuable, if not more valuable, than that of any passive listening tool, and the ability to pivot directly into investigation and remediation far surpasses what such tools offer.