What is Dragos? They have a diagram on their site that shows three business areas:

  1. Threat Intelligence
  2. Threat Operations Center (which are consulting services including incident response)
  3. Platform (their detection and response product)

Dragos currently dominates whatever market exists in ICS Threat Intelligence and Incident Response capabilities (and potentially in other areas of ICS security consulting). This “domination” is based on an unprecedented accumulation of top tier ICS security talent they have scooped up over the last two years. Not too long ago I posed the question of when a 20-person team of ICS security consulting talent would exist and be sustained. Many, including Digital Bond, had grown past 10 people only to fall back into single digits. Dragos has rocketed right past that number.

FireEye for a couple of years had the lead in both ICS Threat Intelligence, with the purchase of the Critical Intelligence team via iSIGHT, and ICS incident response. FireEye has had some losses in the team and apparent changes in emphasis and strategy in the ICS space. In fact, I’d estimate Accenture, IBM, Capgemini and other large professional services teams are more likely to challenge Dragos in these two areas in the next three years rather than FireEye based on recent hires.

Before moving on to the analysis of the Dragos product, I want to take a second to acknowledge the accomplishment of being in a dominant position in ICS Threat Intel and Incident Response in such a short time as a start up. And to recognize the risk of potentially throwing that position away by doing what it takes to truly be a product company.

The structure, strategy and tactics of a product company and a services company are not compatible. Companies risk being mediocre, or even failing, at both if they don’t make a choice. And sometimes, like the erstwhile Industrial Defender did, companies jump back and forth between products and services to their detriment. For Dragos, having a clear winning path on services, saying they are a product company is a bold move. History will tell whether they make the moves to commit to being a product company, whether this strategy sticks, and whether it is wise.

The Dragos Platform

I’ve received numerous demonstrations of products and pitches in the ICS Detection category. Most of them are very similar in terms of the capabilities, and the pitch the vendor makes as to why theirs is the best is basically emphatic assertion. We REALLY understand and support the protocols and process better! We REALLY are the one that wins when tested in pilots, see our reference accounts A, B, and C! This was one of the reasons S4x18 and x19 expended so much effort in the ICS Detection Challenge, unfortunately to little avail.

Dragos, on the other hand, stridently claims they are different. Even though Dragos has closed the gap and potentially caught up to their competitors in the anomaly detection and signature areas, Dragos’ positioning emphasizes behavioral analytics and tries to put the competition in the anomaly detection box.

(In actuality, the ICS detection category, in almost all product demos I’ve seen, leans most heavily on signatures of passively captured communications as the initial source of events.)

I received the latest demo of the Dragos Platform last week, and the most instructive view was a four quadrant display that included: Indicators, Configuration, Modeling and Behavioral Threat Analytics (Threat Behavior). The last item is what Dragos claims makes them different.

There are currently 78 different Threat Behaviors in the Dragos Platform. While it is a different way of presenting the information, the other market leaders would detect most, but not all, of these threat behaviors and even report them out with a similar description in many cases. I’ve seen it in the competitors’ demos, typically highlighted as correlation rules or meta events, and increasingly as behavioral analytics in response to Dragos’ positioning.

Perhaps this approach will be more of a differentiator in the future, but I doubt it. The competitors understand the value of correlating events, and this is a major area of product development now that so many protocols and systems are supported in the products. You could argue that this is where Dragos’ Threat Intel and Incident Response services give them an advantage, but I’m not convinced of this given strong talent pools, particularly in Nozomi and Claroty.

Actual Product Difference

I did see a significant difference in the Dragos Platform and its positioning. It appears that it is moving towards being a lightweight OT SIEM to support a low- to moderately-skilled security analyst in Operations, who is likely more highly skilled and knowledgeable about the process and automation environment. This is consistent with Rob Lee’s position in the OT SOC v. Enterprise SOC debate at S4x18. Importantly, Dragos has not made the leap or commitment to build in the functionality to compete with full featured Enterprise SIEMs.

Here are the two examples:

1. Playbooks – Dragos promotes their playbooks as an important Platform feature. Each of the 78 different Threat Behaviors has a set of recommended investigative and response actions. I looked at a handful of these during the demo, and they are lists and short descriptions of what seemed to me to be a small number of obvious ordered actions. The playbooks are of little value to the moderately to highly skilled analyst or ICS security professional. However, if you envision the person who knows a plant or pipeline ICS best, who is also the first call when anything important is not working, this playbook could be extremely helpful.

2. Integration of Other Data Sources – this is limited today, but Dragos is one of the few (maybe the only one) that is pushing the idea that they will bring in AND correlate data sources other than the passive monitoring or active probing. Again, essentially becoming an OT SIEM.

While these two examples are product differences, the key point is they see a different customer use case, have a strategy for this use case, and are building a product to meet it.

OSIsoft PI Deviation

The coolest feature in the product demo was the integration with PI Historian. They were showing events like Low Temperature or High Pressure in one of the event windows (I believe this was in the Modeling Window), and then this could feed into Threat Behaviors, although I didn’t see an example of this.

I was baffled how the Dragos Platform knew a tag from PI was a High Pressure alarm. Would this tag to Platform context need to be configured for each customer and location? Dragos said no, but it didn’t seem possible.

Luckily I had a chance to sit down with Bryan Owen of OSIsoft at RSA, and he explained PI Templates to me. OSIsoft provides these templates, and customers and integrators can create their own templates. The customized mapping occurs between the individual customer tag and the PI Template, and then a product like the Dragos Platform will be sent the information from the template and know the context without requiring customization for each customer.

Of course the asset owner still needs to map the tags to a template. This work could be done by the PI team with no need to understand the security solution, and the template can be used for multiple purposes, not solely work done for the detection solution. Very cool, and perhaps a precursor for providing ICS Detection context to an Enterprise SIEM?
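The mechanism described above, as an added, constructed example that is not the post’s, OSIsoft’s or Dragos’ code: the template definitions, the `Compressor` template, the two sites, their tag names and the alarm limits are all assumptions made up for illustration, not the real PI Asset Framework or its SDK. The point it shows is the division of labor the post describes: the only site-specific step is the PI team’s mapping of raw tags to template attributes, and the consumer (a detection product or SIEM feed) produces a “High Pressure” or “Low Temperature” event from the template alone, so two sites with unrelated tag naming conventions need no per-customer configuration on the detection side.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttributeTemplate:
    """One attribute of a template: what the value means and its alarm limits."""
    name: str                       # attribute name within the template
    kind: str                       # process quantity, e.g. "Pressure" or "Temperature"
    unit: str
    high_alarm: Optional[float] = None
    low_alarm: Optional[float] = None


@dataclass(frozen=True)
class ElementTemplate:
    name: str
    attributes: Dict[str, AttributeTemplate]


# Shared templates (in the post, provided by OSIsoft or built by an integrator).
# A detection product only needs to understand these, never a site's tag names.
# Assumed content for illustration only.
TEMPLATES: Dict[str, ElementTemplate] = {
    "Compressor": ElementTemplate("Compressor", {
        "DischargePressure": AttributeTemplate("DischargePressure", "Pressure", "psi", high_alarm=150.0),
        "OilTemperature": AttributeTemplate("OilTemperature", "Temperature", "degC", low_alarm=20.0, high_alarm=95.0),
    }),
}


@dataclass(frozen=True)
class ElementInstance:
    """A site asset built from a template. The asset owner's PI team fills in
    tag_map (attribute name -> site-specific tag); that is the only customized step."""
    name: str
    template: str
    tag_map: Dict[str, str]


# Constructed sample: two sites with unrelated tag naming conventions, both
# mapped to the same Compressor template by their own PI teams.
SITES: List[ElementInstance] = [
    ElementInstance("K-101", "Compressor", {
        "DischargePressure": "PLT1:K-101.PT_DISCH",
        "OilTemperature": "PLT1:K-101.TT_OIL",
    }),
    ElementInstance("CompA", "Compressor", {
        "DischargePressure": "Houston_CompA_DischP",
        "OilTemperature": "Houston_CompA_OilT",
    }),
]


def resolve_tag(instances: List[ElementInstance], tag: str) -> Optional[Tuple[ElementInstance, AttributeTemplate]]:
    """Reverse lookup from a raw tag to (asset, template attribute), or None if unmapped."""
    for inst in instances:
        for attr_name, site_tag in inst.tag_map.items():
            if site_tag == tag:
                return inst, TEMPLATES[inst.template].attributes[attr_name]
    return None


def evaluate_sample(instances: List[ElementInstance], tag: str, value: float) -> Optional[dict]:
    """Turn one (tag, value) sample into a normalized deviation event, or None
    when the value is within limits or the tag is not mapped to any template."""
    hit = resolve_tag(instances, tag)
    if hit is None:
        return None
    inst, attr = hit
    if attr.high_alarm is not None and value > attr.high_alarm:
        direction, limit = "High", attr.high_alarm
    elif attr.low_alarm is not None and value < attr.low_alarm:
        direction, limit = "Low", attr.low_alarm
    else:
        return None
    return {
        "event": f"{direction} {attr.kind}",   # e.g. "High Pressure", from the template alone
        "asset": inst.name,
        "template": inst.template,
        "attribute": attr.name,
        "value": value,
        "limit": limit,
        "unit": attr.unit,
    }


def deviation_events(instances: List[ElementInstance], samples: List[Tuple[str, float]]) -> List[dict]:
    """Run a batch of samples; unmapped tags and in-range values produce nothing."""
    events = []
    for tag, value in samples:
        ev = evaluate_sample(instances, tag, value)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    # Constructed sample stream, shaped like a historian data feed.
    stream = [
        ("PLT1:K-101.PT_DISCH", 162.0),   # above the template's high limit
        ("Houston_CompA_OilT", 12.5),     # below the template's low limit
        ("PLT1:K-101.TT_OIL", 60.0),      # normal
        ("PLT1:UNMAPPED_TAG", 999.0),     # no template context, so ignored
    ]
    for ev in deviation_events(SITES, stream):
        print(ev)
```

The unmapped tag in the sample stream is the practical caveat: a tag the PI team has not placed under a template carries no context, so the consumer cannot classify it and silently drops it. A deployment checklist for this kind of integration should therefore include a report of high-value tags that are not yet mapped to any template.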

Endgame (or at least Round 3)

I’ll likely expound on this in a full endgame article in upcoming months, but here it is in brief.

ICS passive monitoring, which is finally morphing into passive monitoring plus active probing, for detection and response purposes is only a part of what an asset owner will want from a detection and response tool. Given the ICS sector is conservative and relatively slow moving, this may be the solution for three years, but it’s not a viable long term strategy for a product or vendor.

Dragos, at least at this moment in time, has an endgame product strategy. I’m skeptical that an OT SOC / SIEM will be the answer for most asset owners, but if you believe it is then the Dragos product strategy makes sense.

If you believe in the Enterprise SOC / SIEM, this information will be fed to the Enterprise detection and response solution, or managed service, which will have more information and analysis capability. Will asset owners want to spend the money to have someone monitoring an OT only / limited data source solution, as the products in the ICS detection space exist today? Unlikely. Even if you believe in basic analysis and response at the ICS / OT level, as Dragos appears to believe, the other products in this category do not have an announced plan to provide the information and analysis you would want as an asset owner.

This means that as the market matures, the GUI / monitoring and analysis interface of the products from Claroty, Nozomi, Indegy, CyberX, Sentryo, … will become less important unless they have an as yet unseen pivot to a different product. The data these products gather and analyze will be needed, but it will be an edge device that provides one of many data feeds to the SIEM, and it will likely command less of a price than the concept being sold today as an ICS detection and response solution.

Agree or disagree with the Dragos product roadmap and envisioned use case, it is a strategy with a path to success if their assumptions are correct and they can implement the strategy. The ForeScout / SecurityMatters offering appears to have an endgame strategy as well, although it is too early in the acquisition to be certain of the direction they will go.

The other twenty competitors will not only have to pedal fast to keep up with the top tier, but will also need to determine whether they will be an edge device that feeds info to the correlation and analysis solution, develop a different endgame strategy, pivot to the asset management solution (on which I’m increasingly falling into the Langner camp, that this will be a separate solution from detection), or whatever else is yet to come. Of course the likely course for many of the 20+ competitors is to exit before this phase of the market is over, which would warrant a different strategy.

I’m wondering if any of the leaders in this space will make their primary focus providing information and context to an Enterprise SOC / SIEM. The OSIsoft PI Templates show a way to do this. It would be a bold move, as it would lower the sales price significantly and likely slow down sales in the short term.

Note: All analysis of this market falls into the “strong convictions, loosely held” category. So far the market has followed my expectations and analysis, with the exception of the Top Tier being determined faster than expected, and this could change quickly with some key customer selections, acquisitions or economic disasters.