The building blocks of good detection and response services for the ICS environment

1

By:Søren Egede Knudsen

sorenegedeknudsen

3

Our objectives today are to give Gartner a better understanding of:

1. why do customers choose Ezenta MDR and what have we learned from our engagements• Sales cycle , in d u stry , cu sto m er size , d ecis io n m akers, im p lem en tatio n h o n eym o o n• R ecap – w h y d o cu sto m ers say yes

2. How is Ezenta sales organised and what are our sales strategy on MDR going forward

4

THE TEAM LeadershipNobody want managers we wants leaders!

Understanding the people’s value set is critical

The leader Team members

ValuesKnow

ledge Strategy

Values

InnovationInves

tmen

t

Practice as you preach!

5

Organisational priorities

1 101 101 10Casualties (H)

AvailabilityRemote control

Staff

Auditors

You Value Chain

Threats

6

TEAM Setting

Incident

Event

CrisisRecommended

Define the needed technical level of the team

7

TEAM Setting

Name Skills Personality

Manager People, Business and

Technical skills and

experience. IT and OT.

Transformational leader

Common purpose / goal

Value basedHonest

Security Network

specialist/Analyst

FW, IDS, OT, IT, SIEM,

Network

Team player

Follow a list

Communicative

OS Security

specialist/Analyst

Windows, Linux,

application, SIEM, OT

IR and forensicsanalyst

OS, Network, pen-test, forensics, OT

Plus: Analytic,Digger

SCADA specialist IT, OT, SCADA processes

and logic

Plus: Process

Analytic

Selecting “do’ers”

IT not OT focusedOnly technical knowledgeNot team player

Pitfalls in selecting people

Empower the team !

8

TEAM Structure

R=Responsible, A=Accountable, C=Consulted, I=Informed

Integrated team (in-house & consultants)

Horizontal vs hierarchical team

Plant level

Area level

9

Incident response plan

Regulation and rules

Agreements

Easy to understand

Proactive services

Priorities and stakeholders

Roles

Communication IR Plan

10

ICS visibility

11

ICS visibility

Asset Communication Profile(Assets, protocol, tags)

NSM + Asset + Segmentation = visibility

12

INCIDENT readinessAre you ready for an incident?

8 step for readiness

Stakeholders and priorities

Definition of IR types

Members of the IR team

Empowerment of the team

Model (RACI)

Network (segmentation)

AssetsDataflow

13

BUILDING blocks

Organisational priorities

leadership

Team members

Skills and experience

Visibility

THANK YOU!