Thanks for joining us here today. My name is Chris Thomas, I'm a regional sales SE for Nozomi Networks. What we're going to do today should be a fairly quick agenda. This is what we're going to cover: I'm going to do an overview of the Nozomi solution, why you need it and where it fits; talk a little bit about the basic architecture, which I've got a little graphic for here; and then we'll get into some of the details around what our solution does and why it's important. So rather than bore you with these slides, I'm going to flip over to my browser and actually show you
active stuff. I brought a little device here that is running our software; our software can be run on premise, in the cloud, etc. Unfortunately it's not working, I'm not getting network connectivity as I expected, so I'm going to pivot a little bit and talk about and demonstrate another aspect of our product that we have up in the cloud. So first of all, let me tell you a little bit about Nozomi, what we do and why it's important. Nozomi, at its base, is an intrusion detection system, threat detection, asset visibility and vulnerability assessment solution for operational
technology, or OT, networks. Does everybody know what OT means in this room, familiar with that? Excellent. So unlike IT networks, where you can do penetration testing and scan ports and everything to determine where your vulnerabilities are, in the OT world, operational technology, industrial control systems, that kind of scanning, that kind of active spray-and-pray penetration testing and solutions of that nature are verboten. We don't do that. The reason being, in the OT world a lot of these controllers are very prescriptive devices; they are purpose-built to do one thing and one thing only. If you try to do a port scan at some of these things they will fall over, and in the ICS, industrial control system,
world, when these things fall over it has real impacts in the world: that can crash systems, that can harm individuals with safety systems, etc. So that is why we developed a solution to give you that IDS capability, but in a very passive manner. What we do is we've created a software system that can live on purpose-built hardware or virtual machines or even containers, that can live inside of your industrial control system network, and rather than, like I say, scan out and actively try to figure out what's out on your network, we primarily operate in a passive mode. So we will take a copy of the traffic
that you see in these industrial control system networks, ingest it into our solution, analyze and parse different protocols, etc., and figure out what's happening here, rather than doing it actively. Does that make sense? Can we ask questions? Absolutely, I encourage you to ask questions.

[Audience question, partially inaudible: about needing a tap or span point at each critical point to get the traffic into the tool, and whether the vendor recommends or provides anything for that.]
Half of my job, when I come in and position this solution with customers, is to do an architecture diagram like this and to figure out exactly that: how do we get the traffic out of your controller network into the tool. And you're right, network SPAN is a very popular option. Where you can't do SPAN, you have some of these switches down here, some of these industrial switches; they're not built like a comprehensive IT switch with a lot of different supporting options like remote SPAN or any of those. A lot of the time we'll come in here and it'll just be a dumb switch with very little management or configuration capability. So what we'd
have to do there is look at deploying a network tap, like a Gigamon, or there are other more cost-effective and more industrial-focused solutions; a Garland, for instance, would be a good solution. The idea is just to get a copy of the traffic into our sensor. The sensor in this case is called a Guardian. So you can see here, with the Guardian sensors in this particular example, I've got three of them. The Guardian is where all the heavy lifting is done; it's where all the protocol parsing is done, the deep packet inspection, and we build what we call a virtual image of your operational technology. We build it inside the Guardian and then
we watch for anomalies, etc. Okay, now I was going to show you that interface. [Inaudible audience question.] Sure, great question. So in our portfolio, you can see here I've really got four pieces that make up the solution. The Guardian is kind of the brains; that's the non-optional one, and you can deploy it as hardware, virtual, etc. The remote collector is another option, hardware or virtual, that acts as a remote Guardian interface. So in this case here I've got a switch with a SPAN sending data directly into this Guardian, no problem. But let's say over here, let's say this is in a bunker somewhere; I can't go and deploy a
full Guardian there, but I have network connectivity, so I can deploy a very small remote collector that effectively acts like a remote interface of this. The remote collector would connect to the Guardian and feed this data directly into one of the sensors. Think of it as a mini Guardian, but what it does is send the traffic to an actual sensor, an actual Guardian.

[Audience question, partially inaudible: a specific question about a deployment with 56 substations somewhere.]
All our Guardians? Yeah, it depends. Again, there's no one-size-fits-all with this solution; we customize the deployment every time we talk to a customer. No two OT networks are the same in my experience; everyone does things a little differently. For example, in this diagram these switches are isolated; they're not connected to each other, they're not connected to the core, they're in complete isolation. In this case you'd have to deploy a Guardian in each specific location, and then we have to figure out a way to get traffic from those. So, a couple of other components: if you have multiple sensors, our recommendation is to roll them up into management. In this case an on-premise solution
called the CMC, optional here, that can roll up multiple sensors, and from that console you can see each of the sensors, you can focus in on each one, etc. I also had the CMC running, but unfortunately I'm having a bit of network connectivity issues on my laptop. So what I'm going to show you today is the fourth and final piece of this solution, which is called Vantage; let's see, that's up at the top. Nozomi was the first, and we are the primary provider in this space that provides software-as-a-service options for OT. A lot of customers say, no way, I don't want to send my data to the cloud.

[Audience question, partially inaudible: the questioner follows up on the substations. In today's world there are substations that have access like dark fiber and things like that, but there's still a lot out there, same thing with oil and gas, that have radio-based communications to a lot of these sites. What are the traffic requirements coming out of the Guardian? Do I need to rebuild the whole network to support it, because right now a lot of these spots have just enough bandwidth to support minor commands to a PLC or RTU in the field.] Exactly, we run into this
a lot. It's a great question; again, that gets into deeper architecture questions, and I could certainly take that offline with you if you want. But what I will say is that we have solutions to that. For example, if I were to put a simple Guardian in here, the bulk of the traffic would remain local; the only thing that would be sent up would be metadata, so we've got ten percent or less of the actual generated traffic. If I was going to SPAN this traffic from here up to a central Guardian, then I'm duplicating my entire network traffic from that site. For sites with radio links we generally don't do
that; it depends on how much bandwidth, how much headroom, you have in those networks. But those are the kind of things that we, in a pre-sales role, will come and help you architect. If you choose our solution, we also have full professional services that can do a deep design of your deployment. Okay, so this was going to be a deep dive; I was going to show you a demonstration of the Guardian and the CMC, but technology being what it is, I'm having a little trouble getting my little Intel NUC connected properly. So what I'm going to do instead, I'm going to pivot and
show you this piece up here called Vantage. Vantage is a full SaaS solution; this is the Vantage demo environment that I have here. The way the system works... it breaks. [Laughter] I kicked something. Oh, there we go, we're back, wonderful. So the way that this system works, again, to recap, the sensors collect the data, they generate... we lost it again. Most presenters are not so outgoing, you know. Am I flapping my arms too much, is that what's going on? Okay, I'll stay on this side then. Now they're connected. Problems. [Laughter] Love live demos, they're the best. There we go. Okay, I'm going to stay as far away from this as
possible. Exactly. Okay, so to recap: the Guardians do the heavy lifting, they do the processing, and we send metadata from the Guardians up to management. What I'm going to show you now is management in the cloud. Right now a lot of my customers in specific OT environments say, my OT data in the cloud, are you crazy? We tackle that problem in a couple of different ways, which I will show you. Some of my customers are perfectly happy taking metadata and putting it, encrypted, up into the cloud. It depends on the customer, depends on the environment, etc. So our cloud solution is called Vantage. This is the window here; I just log
in, it welcomes me back, and what I'm going to do is use Vantage as the central point to show you the data and show you some of the solutions that we can bring to bear down closer to your process network. I was going to show you the Guardian, but having a little difficulty, we'll go with what we've got. So in the Nozomi solution, the first step is to identify what you have. We've all been in security; you know that you can't secure what you can't see, a very common theme. So the first thing we do on these networks is we search out and find out what assets we
have. Now the nice thing about industrial protocols is that when a programmable logic controller, a PLC, sends data to an HMI, a human machine interface, for your operators to work with, a lot of these protocols embed information about the asset directly in the stream. So, like a Rockwell PLC talking EtherNet/IP, there are certain register values that will send direct information about what that Rockwell PLC is, what firmware version it has, etc. So we can grab all that information as we see it pass over the wire and start to build out a list of assets that we see in the environment. So rather than just show you a list of
assets, which is boring, I'm going to show you... oh, there we go, it's logging me out; give me one sec, I'm logging back in. I'm going to show you our funky graph. This graph is built on the fly with real-time data of what the sensors see as far as who's communicating to whom, on what protocols, and detailed information on the device. I'm going to zoom in a little bit because that's a bit of an eye chart. You can see it's learning that information as we go; it's gleaning this, in this case Vantage is actually gleaning this from the sensors on site. And so now I have individual devices,
assets, out here. The blue ones are considered producers, so they're generating data and sending it to a red device, which is a consumer; this would be like an HMI. So I can show you some of the detailed data that we can get. I just clicked on one randomly here; this one is an AC 800M controller from the vendor ABB, and if I want to check details I can see a lot more detailed information about this device. This was all collected completely passively; at no point did we poll this device or query this device or send any active traffic into this OT network. This was all just gleaned passively. There are a
couple of other components in our solution that are optional that you can leverage to get this type of detailed data. One of them is an asset intelligence feed. We have partnerships with all the major vendors, Rockwell, all these big OT vendors, and we work with them so they send us detailed feed information about their products, so that we can then say, watch, it looks like there's a picture from the vendor, here's all the detail around it, and in some cases we can even get detailed information around end of life and end of sale. So if you're out there, if anyone attended Vivek's talk earlier this morning, he was talking
about the life cycle in some of these OT networks. Unlike a typical IT network, it is not a three or five year life cycle for this product; some of these can be out there for ten, twenty years, right? A lot of this is legacy out there. So getting end-of-life and end-of-sale information from the vendors is critical in some of these cases. We can glean all of that using a combination of the passive ingestion that we talked about plus this asset intelligence feed from the vendor. It's going to merge it all together and we provide you detailed information on your asset. Unlike a static asset solution, like recording all
this stuff on a spreadsheet, if something changes in the environment we detect it and reflect it in the tool. Okay, so that's asset visibility. I just want to do a time check. Okay, good. When we collect this information from an OT network, once we have asset information around product, firmware, etc., we can then determine where we're vulnerable. We have all that information; we then can translate that into vulnerabilities. So here we are at this particular asset: it shows these vulnerabilities and the CVEs that are associated with them. This brings me to the second optional feed that we can bring into our box, which is our threat intelligence feed.
So once you enable that through a license on the Nozomi system, we curate it. We have Nozomi Labs, based in Switzerland, that actively looks for OT-specific threats in the wild, curates specific CVEs from different vendors and brings them all together into the box. So when we know the firmware and the type of device we have, we correlate all that with vulnerabilities that we know about and present that all here for you to view quite simply. Now, patching: Vivek talked about patching in his talk earlier this morning. Unlike the IT world, in OT we tend not to patch these boxes very frequently. Some of these boxes
run proprietary software; some of the HMIs are running Windows, but they might be Windows 7. I still see Windows XP out in the wild all the time, right, because that's how the vendor built their system, and if you try to upgrade that to Windows 10, first of all the hardware probably wouldn't support it, and second, that would probably break all the software that they built twenty years ago for these systems. So we look at these vulnerabilities for some of these older systems and say, yeah, we understand that Windows XP has 1500 vulnerabilities, and we present that to our customers, but we don't expect to say, well, just upgrade that to the latest
Windows 11, off you go, right? We try to look at other mitigating circumstances and come up with other compensating controls, like segmentation. So one of the things we can do out of this graph that I was showing you earlier is show how that segmentation is possible. I'm going to come back to this funky graph. Again, it's not a physical representation of the network; it's showing me who's speaking to whom and on what protocols. But the way it's color coded can be changed, so I can filter by specific things and focus in on specific things in my environment. So let's just say I wanted to see a
specific vendor. Let's just say I want Rockwell PLCs. There we go; we don't have many in this particular environment, but there's one. Again, it's drawing its map live as it sees this traffic, so I can focus in on things like that, specific vendors. I can also focus in on specific zones. If anyone saw Vivek's presentation, or if you remember this diagram, we have a concept in OT that's commonly referred to as the Purdue model; it's also known as IEC 62443. We allocate assets and devices into specific levels to identify what they are functionally and how we secure them. So in a Purdue model like this, what we
generally say is that we should have compensating controls in here so that no device on any level can talk outside of its level beyond one. So something at level one can talk to devices at level zero and to devices at level two, with compensating controls to make sure that something at level one should never touch level three, etc. Something at level two should never talk to level zero. So we do these kinds of things. Now that is the Purdue model. In our tool we can get further granular around grouping devices together; not only the Purdue model, we can also do what we call a zone.
A zone can be something that you can define, and in my case here I've done a search by zone, and I've created a few zones that I've called production networks, or prodnet. So I'm going to say, show me my prodnet 02 network. Now it's going to just fold in on those devices that I have allocated to be in this particular zone. So I have the ability to understand where I'm segmented, how my zones are created, who's talking to whom, and most importantly I can look and see if my segmentation has been deployed properly as a compensating control. Do I have any devices talking across zones? Do I have any devices that are talking
between Purdue model levels? In this tool I can go and see, do I have any devices at level one that are talking to level three, and the tool can proactively show me that very, very easily, and then I can go and take steps to mitigate that type of misconfiguration. Right, any questions on this so far? Wonderful, I love being clear. Okay, let's talk about threat detection. So we talked about asset visibility; we've got that down. With asset visibility comes vulnerability assessment; we understand where we're vulnerable. But now what we want this thing to do is actively monitor for threats. Now in the OT world it's not just
your typical malware that we want to look for, and we certainly have that. As an example, I'm going to flip over here and show you some alerts. We do watch for things like malware; here's an example of an alert generated in this network. I ran some traffic through where we have two devices speaking, and one of them transferred a file via SSD that was clearly infected. So what we do in this tool with these alerts is we bring all of this together. We can of course take these alerts and send them out to other systems like SIEMs or other tools, but we can also
give you a great deal of information directly in this tool. So if you wanted to send this data to your SOC, or give your SOC access into this tool, they can see these alerts in real time as they're coming up, and then we can even do things from an incident response perspective by defining playbooks to say, when you see this kind of alert, here's what you do, here's your playbook. This is completely editable; as you can see, I can click here and change this, so these are completely definable for your organization. If you have a malware file in your OT network and you have a specific set of actions that you want to
take, that can be easily put into a playbook. We also map all of this down to a great deal of detail, even to the point where we automatically map it into the MITRE ATT&CK framework. In this case malware, in the MITRE ATT&CK framework for ICS, is mapped to loss of productivity and revenue. So again, this can help you in your incident response, and we show a great timeline of these alerts, etc. Yes, question over here.

[Inaudible audience question about vulnerabilities and patching.] That's the thing I was talking about before: vulnerabilities in an OT network. It's important to understand where you're vulnerable, but it's not as simple as just patching the
system. We will recommend that sometimes; in the case of, you know, a Windows XP box, we will say here are some patches that you can implement that are going to mitigate that. But you can't always do that, so our system never mandates a fix, right, because this is an intrusion detection system. We generally don't do anything automated to resolve these issues; that can cause more harm than good in an OT environment, to be honest. But we will certainly make recommendations. So there's no direct fix. The question then becomes: you see these issues, you see these vulnerabilities, then we work together to determine what your best course of action is. Usually
segmentation is your best course of action in that case. Where was I going to go here? I was going to show you... oh, I lost my train of thought for a moment. Oh yeah, sometimes... I said this is mainly a passive solution. Sometimes that's not enough. Sometimes you're going to have devices that don't tell you everything, right? If I had a Windows XP box up there, it does not tell me what version it is. I can glean that information from some of the traffic that I've picked up, but as far as what Windows patches that device has, I can't tell that over the wire. I can't sniff a packet and pull out patch levels
for Windows; it won't tell me that. So we have an option in the Guardian sensor that's called smart polling. We have the ability to use smart polling as an option to do very targeted, protocol-specific polling of a device. I told you earlier we don't do that, like we do in the IT world, because that can bring a box down, but what we do is something like that but very targeted. So for instance, if I have a Rockwell PLC that speaks EtherNet/IP, that is an industrial protocol; if I were to just port scan that guy I could bring him down, but if I target an EtherNet/IP query at that box, he would expect that; that would be
something that he could then respond to without causing any issue, without creating any risk in the environment. So we have something we call smart polling. I can't show you it in this system because we don't smart poll from the cloud; we smart poll from the sensor, which is unfortunately not working for me. But what I can show you is some of the results of that. So I've got a Windows box in my environment, previously, and I have given it a name called Windrunner; if anybody's a science fiction fan you might know what that means. I've got this computer; this is a virtual machine running in my environment, and I have used my sensor, my Guardian,
to do a smart poll using WinRM for this particular box. So I've gone and asked it a bunch of questions about itself, what it can tell me. Here again, just like every other thing, I can see vulnerabilities, etc., but it also can tell me patches and software that I have running on this box. So that is a way we can get around some of the limited