Hypothesis: The current ICS cyber incident detection solutions will not exist in three years. They are interim solutions, and competitors in the market need to identify and implement an endgame strategy as they continue to run very fast with the current solution.
In a recent analysis article on ICS Detection / Threat Intelligence vendor Dragos I wrote:
The ICS passive monitoring, which is finally morphing into the passive plus active probing, for detection and response purposes is only a part of what an asset owner will want for a detection and response tool. Given the ICS sector is conservative and relatively slow moving, this may be the solution for three years, but it’s not a viable long term strategy for a product or vendor.
Dale Peterson – Analysis of the Dragos Platform Strategy
Products from current leaders such as Claroty and Nozomi Networks, as well as CipherX, Indegy and about 15 other competitors, are not what ICS asset owners actually want or need. They provide valuable raw information and increasingly valuable analysis, but it is only a piece of what is needed and will only be accepted as a product offering for the next 1 – 3 years. The companies in this space, who are already running fast to develop, sell and support this current solution, have the additional challenge of deciding on and implementing an endgame strategy for this product offering.
Let me lay out a few of the possible endgame strategies:
The Get Out Strategy … Run Fast And Be Acquired
Many, if not most, of the competitors in the ICS detection space will have no choice but to exit through acquisition or go under. The first domino fell with NexDefense and others will follow. This is not really an endgame strategy. It is a get out before the endgame strategy or continuing on the current path with a lack of strategy.
For competitors in the top two tiers (link) who can survive the competition, a viable strategy is to maximize their short-term position and get acquired prior to the realization this is only a partial solution or by someone who wants this as component of a viable solution. This strategy involves maximizing the brand, the named accounts and the installs or developing support for selected vendor ICS or protocols that would appeal to potential acquirers.
This strategy relieves the resource burden and negative sales hit that implementing an endgame strategy will entail. There is risk in getting the timing wrong in what becomes a game of musical chairs. Wait too long and the acquirers will have bought the technology elsewhere or realize this is but a part of the future solution. About half of the competitors should be pursuing acquisition now.
The Edge Device Strategy … Lower Price, No Analyst Station, Maximize Ease of Integration
At S4x19 an asset owner stated that although they liked and recommended a product in this category … “sorry detection vendor but we don’t use your dashboard, Why because the SOC analyst always work on the SIEM platform.” It’s not a bold prediction to say this is what the medium to large size clients will do in the future, if they are not doing it already.
Almost all of the competitors include the feature of sending information to a SIEM. However, if you look at their marketing, they promote an analyst using their GUI to identify and analyze cyber incidents. A competitor could take all the engineering, marketing and sales effort in presenting the product as a stand alone solution, and put that into tools, whitepapers, partnerships, selling, etc. the integration with a SIEM.
To be successful with this strategy, a company would need to realize that sales will take a short term (1 – 2 years) hit and margin will be permanently reduced. This integration solution is also a more complex sale than a standalone solution because it requires partnering or following on the SIEM vendor sales. And since the management GUI is primarily for configuration not monitoring and analysis, it is hard to justify the current price point.
This is the strategy I’m most intrigued by and would push to pursue if I was in this business. Will a competitor in the top tier or second tier take the risk of aggressively pursuing this strategy?
The OT SIEM Strategy … We Will Do It All
This is an endgame strategy that seems to be in play today with Dragos. Although they have not stated this is their strategy, Dragos has publicly taken the minority opinion that there will be an OT SOC staffed 24/7 with OT Analysts, rather than putting the primary detection responsibility on the Enterprise SOC. They are starting to integrate other data sources, such as PI Historian events, and have discussed integrating others such as security log events. It is one of two examples of a coherent endgame strategy being implemented at this time with marketing, sales and product development.
While I’m not in the camp that believes an OT SOC is the future, there are two factors I like about this position. First, the companies most likely to have an OT SOC are large companies with a lot of ICS, such as large oil / gas companies and large manufacturers with 50+ factories. A small number of these large customers is valuable. Second, this approach supports a managed service model where the asset owner outsources the OT detection and advanced response capabilities.
On an unrelated note, Dragos is one of the few vendors that does not emphasize the asset inventory / asset management capabilities of their product. This is also forward looking, in my opinion, as Ralph Langner has convinced me that asset management and detection will be two different product platforms, although they will communicate with each other.
A Solution For Engineers and Operators, Not Security Analysts
A number of competitors are half in with this strategy, Sentryo is a good example. The GUI that would be developed for an operator or engineer is very different than what you would provide for a security analyst, including a security analyst with OT experience. It would be simpler and more process focused. The information provided would be tied to call outs and specific actions rather than further security analysis, although bringing in security is a likely call out. The displays would reside in the control room and likely available in the same locations as engineering workstations.
There actually is a hybrid strategy where the GUI is focused on the operator / engineer and the Edge Device Strategy is also pursued to make integration with the Enterprise SIEM easier. The problem with this hybrid strategy is the workload on all parts of the competitors organization to pull it off.
Use The ICS Protocol Knowledge / Deep Packet Inspection For Another Purpose
It’s too early to tell, but we may be seeing this strategy being pursued by ForeScout after their purchase of previously top tier competitor SecurityMatters. While the SilentDefense product still exists, it is easy to see how the tech from that product could be integrated into EyeSight for combined IT/OT asset management and EyeControl for network access control on both IT/OT. The EyeControl is the more interesting example of the two because this is not in the core functionality of what is being offered today in this category.
This good be viewed as the Get Out strategy. I have it as a different strategy because integration into EyeControl would take it out of the Detection product category.
What Does This Mean For Asset Owners?
The video below is 30 minutes on this market from a presentation I gave at the Protect Our Power conference. At 25:46 I note the importance of setting management expectations properly and going slow on these solutions. Manage should understand that whatever you decide to do in 2019 / 2020 may be replaced in 2022 / 2023. This way you are not going to management saying you made a mistake and money was wasted. Instead you are trying things out as an early adopter with the expectation that there will be a change. This may also affect how quickly and broadly you want to deploy this technology.
As always I appreciate any questions, comments and differing opinions on this analysis.