OT Security Add-on for Splunk: Technical Guide and Documentation¶
Splunk for OT Security enables organizations that operate assets, networks, and facilities across both traditional IT and industrial (OT) environments to better apply the globally proven SIEM, Splunk Enterprise Security, to improve threat detection, incident investigation, and response. The Splunk for OT Security add-on expands the capabilities of Splunk’s platform to monitor for threats and attacks, compliance, incident investigation, forensics, and incident response across the broad spectrum of assets and topologies that define modern manufacturing, energy, and public sector organizations.
The solution, comprised of an app and related documentation, provides the following features:
- Expanded Asset Framework and Asset Center: Ability to store and analyze additional asset attributes including facility/site id, asset criticality, asset types, classification, vlan, zone, and other data alongside traditional IT asset elements. Assets can be segmented by site or into multiple entity zones when attributes like IP Addresses and Host Names may be reused among different sites.
- Integration with leading OT Security partner technologies: Ingest asset inventory, vulnerabilities, and alerts from leading OT-ready systems.
- Making using OT Data easier: Prebuilt dashboards, reports, and other content related to perimeter monitoring, infrastructure monitoring, and centralized monitoring of multiple OT Security solutions. This content is in direct response to customers wanting quicker time to value from their OT data.
- Prioritized vulnerability matching: Evaluate, filter, and score matching vulnerabilities using iteratively executing correlation queries and dynamically calculated Asset Risk scores.
- Integrated OT Asset Behavior Profiling: Monitor asset behavior profiles to detect activity changes on critical assets that may represent increased threat risk.
- Constructing and evaluating asset baselines: Create baseline groups and baselines to verify assets follow a consistent hardened setup. Baselines can be created from data and extended to customer baseline types.
- OT ready Correlation Searches: Extend the deep bench of existing Enterprise Security correlation searches that monitor identity, endpoint, network and access in Splunk with OT-specific searches including mapping to common security frameworks including the MITRE ATT&CK for ICS.
- Support for key elements of NERC CIP: Dashboards and associated reports reviewed by trusted practitioners and NERC CIP auditors to help clients focus on NERC CIP requirements where Splunk can be assistive in compliance monitoring and audit support.