Industrial Defender ASM

Industrial Defender announced “its flagship product”, the Automated Systems Manager (ASM), last week at the SANS SCADA Security Summit. On Tuesday I had the opportunity to talk with ID’s CEO Brian Ahern and VP of Marketing Kim Legelis to learn more about the product.

Industrial Defender believes, backed by some recently commissioned Pike Research Reports, that owner/operators would like a unified management platform that handles virtually everything: log management, security device management, security monitoring, compliance management, change management … This is largely true with the exception of some very technical types who want best of breed of everything and will cobble it all together themselves.

So if we accept the premise that most organizations want one manager to rule them all, why isn’t this prevalent in the IT space or the ICS space? Easy answer – it is very hard to do at all and even harder to do well. Network Associates tried this by buying a number of security products with the hope of unified security management, failed miserably and eventually dumped the effort. Cisco struggled to make a usable manager for firewalls and routers, and what Industrial Defender is trying to do here is even bolder.

When I raised this challenge to Brian, he felt that their ownership of all of the management code will make this easier. Most of the code has been developed by ID over the past ten years, and when they use a third-party product they buy IP (intellectual property) rights to use the code. A recent example of this is the CoreTrace application whitelisting product. ID has the right to modify or fork the code if they want, and use it as they choose in ASM.

I haven’t had the opportunity to sit in front of the manager and give it a test run yet, so that will be Part 2 of the review at a later date. Here are some of the main points of the ASM offering:

  • Initially ASM is being sold as a 2U appliance, but in the near future it will be available as a virtual machine loadable on customer hardware.
  • There is a plan for ASM modules that would be collectors (or jump servers) placed throughout the network. This is very similar to the managed security service provider (MSSP) model to distribute the collection and processing of data.
  • The ICS-specific portions of the ASM offering are the agents ID has had for years that collect data from SCADA and DCS, a better understanding of ICS systems and protocols, and compliance modules and reports for things like NERC CIP and CFATS.

The pricing of the ASM is very complex. First it is based on the choice of Monitor, Manage or Protect – three packages of capabilities as shown in the figure below. With the capabilities selected, the pricing is then based on the number of endpoints, clients, servers, licenses and other factors related to the size and complexity of the system. Pricing is difficult to state even when you’re not trying to duck the question. When pressed, Brian said pricing could range from $35K to a couple of million dollars.

While those are big numbers for a security product, it is more reassuring than if a product this difficult to develop and maintain were being sold for $20K. Success will likely be determined by whether they are able to make and support an intuitive manager, where so many others have failed, rather than by pricing. Stay tuned.
