A CISO Explains: How Netography Defends Critical Infrastructure
By Netography Team
Inductive Automation provides industrial software to customers around the globe in critical infrastructure sectors – energy, food and beverage, life sciences, oil and gas, water and wastewater, to name a few. Safety and security are paramount, so they are advancing their defenses beyond traditional tools that detect “what’s bad” to an operational approach that looks at what’s normal and detects and alerts on what’s not.
Recently, Dan Ramaswami, Netography’s VP of Field Engineering, had the opportunity to sit down with Jason Waits, CISO at Inductive Automation, to discuss why they chose the Netography Fusion® Network Defense Platform (NDP) to provide comprehensive visibility from on-prem to cloud, and how they use the platform to improve security decisions and response. Here are some of the highlights of Jason’s comments during the webinar:
The Path to Netography:
Like many companies, during the pandemic, we started working from home and now that has turned into a remote-first approach. Not only did our employees scatter across the country and even worldwide, but our network and data center also became distributed. We increasingly utilize Amazon Web Services (AWS) and other cloud resources and were looking at ways to capture that network traffic with low overhead without deploying appliances everywhere.
Dealing with appliances and packet capture, in general, can be painful. Trying to “lift and shift” that method to the cloud erodes many of the fundamental security benefits of using the cloud, such as the liberal use of encryption. With Netography Fusion, we get tremendous value from capturing flow logs. And that metadata can serve as a nice source of record that’s low overhead and easy to store compared to full packet capture that doesn’t hold up at any scale, especially when you’re operating in a multi-cloud environment with multiple data centers across the globe.
Getting Started:
The onboarding process was super-fast and straightforward. For example, using a wizard and AWS or infrastructure-as-code, you can forward flow logs to the platform and start to visualize network traffic in minutes. Quick deployment provides immediate time to value. Another big perk is that the flow logs are normalized, so there’s no need to find the nuances and do the normalization yourself.
Integrating with the Existing Tech Stack:
Ease of integration is important when we select new tools. Since Netography Fusion integrates with CrowdStrike and Wiz out-of-the-box, we can immediately enrich data with context from those tools. Now, when we see an IP address, we get intelligence, including the hostname and the account it’s in – a developer testing account, a sales engineering testing account, etc. – that starts to paint a picture of what’s normal and what’s not. Data from these and other sources provide organizational context so we can filter out what’s known and look for anti-patterns and things that are happening that are anomalous.
Integration with Slack has also been valuable since we do a lot of SlackOps. And new integrations have been easy too. For example, we mentioned we’d like to see an integration with our asset management tool, and the team from Netography had an integration turned around within about three hours.
Building Custom Detections and Dashboards:
Being able to find anti-patterns allows us to write custom detections for anomalous behavior. We can quickly spin up a dashboard to visualize a data set, filter out what is known to find the outlier, fix the outlier, and then write detections to alert us for future outliers. By taking this operational approach, we can track drift in almost real-time across our entire environment and catch anomalous activity before a compromise.
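The workflow described in the Getting Started, Integrating and Custom Detections sections above (normalize flow logs, enrich addresses with asset and account context, filter out what is known, alert on the outliers) as an added example. This is not Netography's or Inductive Automation's code; the flow records, the asset inventory and the baseline are all constructed here for illustration.

```python
# Added example (not Netography's or Inductive Automation's code): normalize constructed
# AWS VPC flow log v2 records, enrich with a constructed asset inventory, alert on drift.
# Constructed records in the AWS VPC flow log v2 layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
BASELINE_LOGS = """\
2 111111111111 eni-aaa 10.0.1.10 10.0.2.20 44321 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-aaa 10.0.1.11 10.0.2.20 44322 443 6 9 3600 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-bbb 10.0.3.5 10.0.9.9 50000 502 6 30 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-bbb - - - - - - - 1700000000 1700000060 - NODATA
"""
NEW_LOGS = """\
2 111111111111 eni-aaa 10.0.1.10 10.0.2.20 44400 443 6 12 4800 1700000100 1700000160 ACCEPT OK
2 111111111111 eni-bbb 10.0.3.5 10.0.9.9 50001 502 6 30 9000 1700000100 1700000160 ACCEPT OK
2 111111111111 eni-ccc 10.0.1.10 10.0.9.9 51000 502 6 4 240 1700000100 1700000160 ACCEPT OK
2 111111111111 eni-ccc 10.0.7.7 10.0.2.20 51001 22 6 1 60 1700000100 1700000160 REJECT OK
"""
# Constructed inventory standing in for the asset-management / EDR / cloud-posture context.
ASSETS = {
    "10.0.1.10": ("dev-laptop-01", "developer-testing"),
    "10.0.1.11": ("dev-laptop-02", "developer-testing"),
    "10.0.2.20": ("api-gw-prod", "production"),
    "10.0.3.5": ("scada-hmi-lab", "ot-lab"),
    "10.0.9.9": ("plc-sim-01", "ot-lab"),
}

def parse(text):
    """Normalize raw records into (src, dst, dport, action); drop NODATA/SKIPDATA rows."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 14 and f[13] == "OK":
            flows.append((f[3], f[4], int(f[6]), f[12]))
    return flows

def baseline(flows):
    """'What's normal': every accepted (src, dst, dport) tuple seen in the learning window."""
    return {(s, d, p) for s, d, p, a in flows if a == "ACCEPT"}

def detect_drift(known, flows):
    """Filter out the known tuples and return context-enriched alerts for the outliers."""
    alerts = []
    for s, d, p, a in flows:
        if a != "ACCEPT" or (s, d, p) in known:
            continue  # rejected traffic and known-good flows are not drift
        sh, sa = ASSETS.get(s, ("unknown-host", "unknown-account"))
        dh, da = ASSETS.get(d, ("unknown-host", "unknown-account"))
        alerts.append(f"new flow {sh} ({sa}) -> {dh} ({da}) tcp/{p}")
    return alerts
```

Running `detect_drift(baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))` surfaces only the developer laptop talking Modbus to the PLC simulator; the two repeated flows and the rejected SSH attempt are filtered out, which is the "fix the outlier, then alert on future outliers" loop described above.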
Moving to Compromise Detection:
Anomalous behavior doesn’t trickle up in many tools because very often, if attackers get a foothold nowadays, they are executing normal IT tasks that aren’t inherently malicious, like making changes to certain servers. And when you have appliances all over the place and no way to easily centralize that data, you waste time logging into different consoles and poking around to determine potential causes.
By moving beyond traditional threat detection tools that just say “that’s bad,” to a model where you take the time upfront to understand and visualize normal patterns, you can rule things out quickly and avoid going down rabbit holes. Knowing our environment, the context of our organization, and what should be happening versus what shouldn’t, we can use that distinction to find things that shouldn’t be there and advance defenses to compromise detection. Netography gives us one place to go to ask, “Have we seen this before?” or “What’s the scope?” and know it’s our source of truth.
Using Netography to Assist in Threat Hunting:
We’ve embraced Zero Trust models and have strong endpoint and identity plays. So, we have a really strong posture and regularly conduct pen tests. But in any situation, as soon as an alert from any of those tools turns into something that looks shady, we pivot to the network telemetry in the Netography platform and start a threat hunt to understand the scope: for example, whether the host actually installed malware, where it went next, and what else it talked to.
With that said, even with a strong Zero Trust approach, you can’t ignore the network either. We make SCADA and other industrial software. As a result, we have programmable logic controllers (PLCs) and other types of equipment in our building for testing and in production settings. You can’t install EDR on that equipment or on other appliances like printers and phones. So, you still have to monitor that traffic. The network is a great source of truth that’s immutable. Netography Fusion alerts us to anomalous activity on the network so we can quickly find things that don’t fit and investigate.
Saving Time and Cost of the SIEM:
A lot of people dump everything into a SIEM, which is a logical place. But SIEMs aren’t tailor-built for every data type; they’re fairly generic. And not all SIEMs are created equal. They don’t make it really easy to build custom detections around this traffic or build custom dashboards. Having an NDP like Netography that’s built specifically for network traffic is really valuable and saves a lot of time and effort down the line building detections and dashboards and doing hunting.
Additionally, more than half of all the logs we were sending to our SIEM were from network sources, and the percentage of actionable data is fairly low because it’s hard to do real-time detection. So, all that data is often kept for posterity in case you need to look at it at some point for threat hunting or investigation. Depending on your ingestion model, bandwidth and costs can significantly decrease when you shift that network-based traffic to Netography.
Interested in learning more about Inductive Automation’s experience with Netography? Watch the replay now.