Intelligent CISO Issue 45 - Page 42

EXPERT OPINION

which went after the safety systems in a petrochemical plant.
There are three or four groups that have gotten to that level, though they were working on those capabilities for four or five years beforehand. We see another 12 or so groups behind, exploring and attempting to access operations environments. They're trying to research industrial control systems and perform reconnaissance against companies. These groups are getting into operations environments but not yet capable of carrying out the types of attacks we worry about. But if we look at that trend, we need to be cognisant that OT security is more than a project for a quarter.
Usually, you're talking about a multi-year journey. We're kind of in this storm path where we're trying to advise people not to overhype the problem, but realise the trend is getting to a place that we need to get ahead of it if we hope to keep our people safe three to four years from now.
How can organisations best achieve the required level of asset visibility?
It's a cliché, but it's true – it's impossible to protect what you don't know you have. Time and time again, when our incident response team gets called into cases ranging from targeted threat groups to ransomware cases, it's consistent that there's been a level of what we call 'prevention atrophy' in those environments. In other words, there have been many good investments in preventative controls, firewalls, patching, passwords, robust access control, etc., but they put all the focus into prevention to the detriment of visibility, detection and response. Without that consistency of visibility, they end up missing things.
We find that entities largely get that visibility by doing three things:
1. Developing a good culture between the operations and the enterprise side. We need to educate people, but we also need to do it correctly.
2. Start deploying technologies inside those environments to get consistent visibility.
3. Developing staff, ensuring that they're putting people and processes in place with the expertise required.
How important is threat intelligence in detecting and responding to these types of attacks and how does your organisation approach this?
It's extremely important to learn from adversaries, and that is all that threat intelligence is. What have we seen before? What would we have done differently next time?
Many organisations have focused heavily on indicators of compromise and are looking for an IP address or a piece of malware that they can find next time. While that's not bad, it's not scalable, especially when you think about attacks that may use the same methods but happen against different types of facilities or different equipment.
When we think about threat intelligence, we think about it in understanding adversaries' tactics and techniques and the methods they're accomplishing.
I want to know how somebody is modifying a safety system, not which one it is. Where intel shines is that it's not just creating another detection or alert, it's understanding the context and prioritising the things we see so that we take the right response when something happens.
How important is the Middle East market for your company and how do you work with partners to provide solutions and services to end-users?
Our tagline is 'safeguarding civilisation', and to us, that means something. I think this region specifically has some strategic adversaries and we're at an inflection point where they're taking advantage of the transformation happening to industries here. The Middle East was the first place we went outside of the US. Our first team on the ground here was based in Riyadh and then we built out our office in Dubai, and we're starting to work in Kuwait and Oman.
We have found that this region, more than most places globally, is all about partnership. If we come as a seller of a box, demanding payment and saying we'll see you in three months, that's not going to work. We have no better partners in the world than the ones we've developed here.
How does Dragos set itself apart from others in this market?
First, we take that intelligent further approach. Dragos professionals have been part of the response to any significant industrial attack that's ever