At S4x19, a detection vendor had one of their customers on the Sponsor Stage to sing the praises of the product. In a moment of candor, the asset owner said the detection vendor’s product was fantastic … but they never looked at their management system because they sent everything to QRadar. They didn’t want to look at another screen in the SOC. The tool they chose and used was QRadar.

Most of the market (the companies, not necessarily Operations) wants the alerts and information that ICS detection products can obtain sent to their SIEM for security (most often we’re hearing Splunk and QRadar) and to solutions like ServiceNow for asset management and other workflow issues. This integration brings reduced costs, less complexity and potentially better results.

There are integrations today, but they are primarily data dumps from the ICS detection product. The ICS detection alerts and events can be seen on the SIEM screen with minimal context, essentially what you can glean from the alert marked as OT.

I had thought the reason the integrations were so limited was that the ICS detection vendors did not want to lower the value of their product. If the asset owner is not looking at the ICS detection management screen, and the detection sensors are being integrated into the switch, then the price point of this product is likely to go down significantly. There is some truth to this, and we see the level of effort on developing and pushing the management UI/UX dwarfing the integration effort.

What I missed is that, for effective and useful integration, the SIEM or Asset Management solution must add OT elements to its data model and applicable application elements. It is not building a new product. It is looking at their existing product and saying this is what we need to add for OT.

2020 saw the first significant example of this with the Splunk OT Add On. I covered this in detail in an article and podcast. It was a minor first step, and even this minor first step makes using Splunk for OT detection and response much improved.

Hopefully the Splunk, QRadar, ServiceNow and other teams have been busy working on this capability and will release something in 2021. Then we will see which ICS detection vendors are willing to embrace the fact that many customers don’t want to look at their screen.

