Intelligent Data Centres Issue 44 | Page 78

A FORMAL COLLECTION MANAGEMENT FRAMEWORK (CMF) IS CRITICAL TO THE IDENTIFICATION OF AVAILABLE EVIDENCE BECAUSE IT REDUCES INVESTIGATION TIME AND HIGHLIGHTS MONITORING GAPS.
THE EDGE
Omar Al Barghouthi, Regional Director, Middle East at Dragos

VPN authentication data. Documentation on configuration change management is also important, as are DNS query and response logs, DHCP lease logs, NetFlow and web proxy logs. And don't forget distributed control system (DCS) or supervisory control and data acquisition (SCADA) environments, where communication protocols are often proprietary and need protocol-aware collection rather than standard IT sensors.
Focus should be placed on chokepoints and perimeter log collection, as well as east-west network traffic, and due attention should be paid to any third-party network connections, as they greatly broaden the definition of 'perimeter'.
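To show why these sources belong together in a CMF, here is an added example (not code from the article or from Dragos) that pivots across constructed DNS, DHCP and NetFlow lines: a client seen querying a suspicious domain is resolved to a hostname via the DHCP lease that was active at that moment (DHCP reuses addresses, so the IP alone is not an identity), and its flows into the OT subnet within a short window are listed. A second function checks a small zone inventory for chokepoints with no flow collection, which is how a CMF highlights monitoring gaps. The domain, subnets, log lines, zone names and the 30-minute pivot window are all assumptions made for the example.

```python
"""Pivot DNS -> DHCP -> NetFlow and report CMF collection gaps.

Added example, not from the article or Dragos. All log lines, addresses,
the indicator domain and the zone inventory below are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- constructed sample logs (not real data) ---------------------------------
DHCP_LEASES = """\
2024-05-03T08:55:10 lease 10.20.5.41 aa:bb:cc:00:11:22 eng-laptop-07
2024-05-03T09:40:00 lease 10.20.5.41 aa:bb:cc:00:33:44 contractor-pc
2024-05-03T08:30:00 lease 10.20.5.42 aa:bb:cc:00:55:66 hmi-ws-01
"""

DNS_LOG = """\
2024-05-03T09:02:11 10.20.5.41 query update.example-bad.test A
2024-05-03T09:02:30 10.20.5.42 query ntp.corp.internal A
2024-05-03T09:45:02 10.20.5.41 query update.example-bad.test A
"""

# timestamp src dst dport bytes
NETFLOW = """\
2024-05-03T09:03:00 10.20.5.41 192.0.2.77 443 18400
2024-05-03T09:04:12 10.20.5.41 10.50.1.10 502 1200
2024-05-03T09:46:00 10.20.5.41 10.50.1.12 44818 3300
2024-05-03T09:10:00 10.20.5.42 10.50.1.10 502 900
"""

OT_NET = ip_network("10.50.1.0/24")                 # assumed OT subnet
SUSPICIOUS_DOMAIN = "update.example-bad.test"       # assumed indicator
PIVOT_WINDOW = timedelta(minutes=30)                # assumed follow-on window

# CMF zone inventory: which sources are collected at each chokepoint (assumed)
CMF = {
    "internet-perimeter": {"proxy", "netflow", "dns"},
    "it-to-ot": {"netflow", "dcs-protocol"},
    "vendor-vpn": {"vpn-auth"},   # third-party link, part of the perimeter
}
REQUIRED = {"netflow"}            # minimum every chokepoint should feed


def parse_leases(text):
    """Return DHCP leases as sorted (time, ip, mac, hostname) tuples."""
    leases = []
    for line in text.splitlines():
        ts, _, ip, mac, host = line.split()
        leases.append((datetime.fromisoformat(ts), ip, mac, host))
    return sorted(leases)


def host_at(leases, ip, when):
    """Return the (mac, hostname) holding `ip` at time `when`, i.e. the
    latest lease for that address issued at or before `when`."""
    current = None
    for ts, lease_ip, mac, host in leases:
        if lease_ip == ip and ts <= when:
            current = (mac, host)
    return current


def suspicious_clients(dns_text, domain):
    """Return (time, client_ip) for every query of `domain`."""
    hits = []
    for line in dns_text.splitlines():
        ts, client, _, qname, _ = line.split()
        if qname == domain:
            hits.append((datetime.fromisoformat(ts), client))
    return hits


def ot_flows_from(netflow_text, ip, since, window=PIVOT_WINDOW):
    """Flows from `ip` into the OT subnet within `window` after `since`."""
    flows = []
    for line in netflow_text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        t = datetime.fromisoformat(ts)
        if src == ip and ip_address(dst) in OT_NET and since <= t <= since + window:
            flows.append((dst, int(dport), int(nbytes)))
    return flows


def investigate(domain=SUSPICIOUS_DOMAIN):
    """One finding per suspicious DNS query: who the client was, and what it
    then touched in OT. Both hits come from the same IP but resolve to
    different machines because the DHCP lease changed in between."""
    leases = parse_leases(DHCP_LEASES)
    findings = []
    for when, client in suspicious_clients(DNS_LOG, domain):
        mac, host = host_at(leases, client, when)
        findings.append({"when": when.isoformat(), "ip": client, "mac": mac,
                         "host": host, "ot_flows": ot_flows_from(NETFLOW, client, when)})
    return findings


def collection_gaps(cmf=CMF, required=REQUIRED):
    """Zones whose collected sources miss something in `required`."""
    return {zone: sorted(required - sources)
            for zone, sources in cmf.items() if required - sources}


if __name__ == "__main__":
    for f in investigate():
        print(f)
    print("collection gaps:", collection_gaps())
```

Run stand-alone, it prints two findings (eng-laptop-07 reaching 10.50.1.10 on 502, then contractor-pc reaching 10.50.1.12 on 44818) and flags the vendor-vpn zone as having no NetFlow, the kind of third-party perimeter gap the text warns about. Without the DHCP leases the two queries would have looked like one host; without NetFlow the OT contact would be invisible.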
4. Consider budgeting for an incident response retainer
All business stakeholders should be aware that not having an incident response service retainer carries risk. While the business case against a retainer may make sense at the time, its absence in a crisis can lead to escalating costs as response services are bought at hourly rates.
In the worst case, response services may simply not be available when needed, as security teams contact security firm after security firm looking for one with qualified resources on standby. For those who still think the risk is worth taking, it is advisable to look at the headlines and see the possible downsides. It is also worth noting that some security partners will allow unused retainer hours to be diverted to other services, such as proactive threat hunting or penetration testing.
5. Perform due diligence on incident response analysts
It should come as no surprise that not all security firms are created equal. The regional skills gap in cybersecurity means many newly qualified or underqualified people are serving in the field. Even IT security is under-resourced, but industrial environments can differ so wildly from data-centric IT that OT security specialists are even scarcer. An ill-informed incident response team can often do more harm than good: inadvertently destroying evidence, scanning sensitive industrial devices without due care and failing to provide industry-standard reporting. The solution: vet every candidate firm thoroughly and establish that its analysts have substantial familiarity with industrial safety measures and equipment.
Safety first
The range of costs associated with a lack of attention to OT security in data centres could be devastating. Fortunately, we now know how to protect ourselves. OT-focused threat actors think they are in for an easy ride. Let's show them how wrong they are.
www.intelligentdatacentres.com