Most of the OT Detection and Asset Management solutions have developed ‘integrations’ with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month.

In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP Internet of Things at Splunk about the OT Security Add-On.

This is a more detailed, technical episode as I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:

  • The additional OT fields in the Splunk Asset Framework
  • The OT_Asset and OT_SW_Asset data models
  • How the 29 OT search queries will work when integrations use different terms (such as different names for asset types), and which types of search queries are currently supported.
  • The value of standardizing some of the OT alerts/events sent to Splunk, such as “modify control logic”. Support for these standardized notables, as Splunk calls them, is not in the released Add-On but can be configured.
  • How Splunk is tracking vulnerability management (currently no OT integration)
  • And how Splunk is calculating the Risk Scores in the OT Security Posture Tab

Links

Splunk OT Security Add-On Announcement

Splunk OT Security Add-On Software Download Page