Most of the OT Detection and Asset Management solutions have developed ‘integrations’ with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month.
In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP of Internet of Things at Splunk, about the OT Security Add-On.
This is a more detailed, technical episode as I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:
- The additional OT fields in the Splunk Asset Framework
- The OT_Asset and OT_SW_Asset data models
- How the 29 OT search queries will work with integrations that likely use different terms (such as different names for asset types), and the types of search queries currently supported.
- The value of standardizing some of the OT alerts/events sent to Splunk, such as “modify control logic”. This support for standardized notables, as Splunk calls them, is not in the released Add-On but can be configured.
- How Splunk is tracking vulnerability management (currently no OT integration)
- And how Splunk is calculating the Risk Scores in the OT Security Posture Tab