I am often asked by customers “what is the best way to protect my OT environment from cyber security threats?” There is no single answer or step which will deliver a robust operational environment. Defence strategies must be layered, delivered in depth and first and foremost, you must understand what you need to protect. If the question was re-phrased to say, “what is the most cost-effective tool to deploy to protect my OT environment?” then I would say Endpoint Protection.
Research by IDC concludes that 70% of all breaches start with the Endpoint, whilst TechRadar highlights that 90 percent of data breaches are caused by human error. The risk of an endpoint acting as a point of presence and the ‘accidental insider threat’ is one of the largest risk factors to consider for any operational environment.
In January 2020 Windows 7 and Server 2008R2 became end of support by Microsoft. While there was a large push within IT sectors to remove the legacy operating system, the same adoption within OT has been much slower. The need to upgrade is often driven by factors other than security, such as business efficiencies. We have discussed this in our recent blog “Are your industrial systems ready for today? It's time to evolve”
While there are security concerns with legacy operating systems, what is often overlooked is the support gap that is also present within Windows 10. In early 2018, Microsoft announced Windows Lifecycle which introduced a semi-annual refresh of products with a much shorter lifespan.
Customers who are running Windows 10 Professional versions 1507 through to 1803 (6 versions in total) are no longer receiving monthly security updates unless they upgrade to 1809 or greater. This change complicates OT operations, moving from a 10+ years lifecycle to 18 months has significant effects for OT stability as well as long term security.
As security and OT professionals, we need to take a step back, view how this affects our assets and make security decisions that are aligned to OT environments. The IT model of fast adoption and rapid upgrade is not a one size fits all.
Our attendance at CyberUK and Infosec highlighted a common challenge faced between Operators of Essential Services (OES) in addressing NIS-D compliance. The common pain points focused on 2 key principles of the directive:
The inability to effectively identify security incidents, identify system abnormalities for attack detection and be proactive in attack discovery was a systemic problem faced by many. SolutionsPT provide a solution to address this need for network monitoring through Claroty. Re-focusing on the endpoint, this sets us a challenge to address this need for our OT customers at the endpoint.
Endpoint protection is a wholly accepted practice within IT and broadly accepted within OT operations. Absolute security concludes that 28% of endpoints have missing AV or signatures that are out of date. Signatures assume that a threat has been seen before and someone has to be patient zero for the threat to be identified.
Deploying updates to the endpoint takes time, effort and creates micro changes to the operational environment which may introduce instability, especially if the update includes modifications to the core protection application.
At SolutionsPT we've been rigorously testing Artificial Intelligence (AI) security products from Blackberry Cylance which we believe address the security needs of the OT environment. These tools help achieve a robust level of security, reduce workloads for OT engineers and help deliver regulatory compliance within NIS-D and other OT/IT security frameworks.
CylancePROTECT is an integrated threat prevention solution that combines the power of AI to block malware infections with additional security controls that safeguard against script-based, fileless, memory, and external device-based attacks.
CylanceOPTICS is an endpoint detection and response (EDR) solution designed to extend the threat prevention delivered by CylancePROTECT by using AI to identify, report and prevent widespread security incidents.
While the security needs for IT and OT endpoints are broadly aligned, there are several key differences that need to be addressed to be highly effective on the plant floor. These have been identified by our customers as:
AI threat profiling gives a proven predictive advantage of up to 33 months over known, unknown, and zero-day malware. CylancePROTECT is capable of preventing threats that did not exist when the AI model was created.
In practical terms, this indicates that regular updates to CylancePROTECT are not always necessary which is ideal for OT environments. Updates to the AI model is ongoing and generally sees releases every 6 months which better suits planned downtime and maintenance windows.
Limited connected networks can also benefit from ‘Centoids’ (mathematical threat detection models) to an internally hosted ‘Hybrid Server’, this caches realtime micro changes to the AI model providing an always up to date security solution.
SE labs undertook an independent study of CylancePROTECT predictive advantage, the report is available here:
SolutionsPT security consultants obtained 101 malware samples, some which contained zero-day threats. The test was undertaken using a Windows 10 host on the 02/10/2019 using CylancePROTECT 2.0.1540.8 (Released in August 2019) and Windows Defender (1.303.659.0) which were both fully up to date. Cylance identified 101 samples as malicious and Windows Defender identified 37.
The same test was rerun on the 29/01/2020 on the same sample set, Cylance was removed from the test system and Windows Defender acted as the primary threat detection application. This time, some 4 months later, 44 samples were identified as malicious, an increase from the original 37 but still less than the 101 originally quarantined by Cylance.
During lockdown we did a final run on this VM, an update to Microsoft Defender on 10/11/2020 using definitions 1.327.691.0 to establish a baseline over a year later. This time the built in protection for Windows 10 managed to successfully identify 57 potential threats proving as signatures improve so does the detection rate. This is still far behind Cylance which identified all 101 of them 13 months ahead of other vendors.
Before I removed this lab I thought I was revisit this a final time, so I update to Microsoft Defender on 25/10/2022 to establish a baseline 3 years later. This time the built in protection for Windows 10 managed to successfully identify 51, so down from the 57 potential threats in 2020. This is still far behind Cylance which identified all 101 of them 36 months ahead of other vendor.
One customer on the 27/11/20 who was happy with their AV solution but dissatisfied with how much time and effort they needed to invest keep their solution up to date was surprised to see that their product had only identified 95 of the 101 malware samples we tested. Detonating the remaining payloads quickly identified that they had successfully installed, one attempted to communicate with C&C servers and CPU usage was at a consistent 100% with miners running in the background rendering the machine totally unusable. During the test we could also see Ransomware payload executing, however this never fully completed and crashed out.
Putting this into perspective, we took malware samples obtained throughout 2018, tested them in 2019 and then revisited in late 2020. Some of which payloads are still bypassing traditional signature based systems.
SolutionsPT would always advise you undertaken your own testing as mileage will vary but we are seeing similar results to those identified by SE labs independent report .
Cylance solutions are compatible with legacy AV products and can run on the same endpoint without conflict. Some organisations may choose to implement Cylance alongside their legacy AV to discover what their current endpoint protection is missing. This proof of concept often leads to them retiring their legacy solutions once they feel confident that Cylance can provide the protection their organisation requires.
CylanceOPTICS deploys trained threat behaviour models directly on the endpoint which are fully aligned to the MITRE ATT&CK framework. This empowers protected devices to function as self-contained security operations centres.
CylanceOPTICS includes a configurable context analysis engine (CAE) that monitors endpoint events in near real-time. This identifies suspicious behaviour according to the device policies and detection rules. For example, send alerts or engage an automated response based on how PowerShell was called and where it was invoked, i.e. if via a web browser then automatically terminate.
CylanceOPTICS works in conjunction with CylancePROTECT to provide prevention-based security, threat hunting as well as the tool sets often required for compliance frameworks such as NIS-D and IEC 62443.
Organisations are already investing in AI for security and this will only increase. Our attendance at Infosec indicated that 88% of people polled felt that AI has relevance for security for their business. Cylance support these findings by stating “60% of the IT decision makers surveyed say they already have AI-powered solutions in place and 40% said they are planning to invest in them in the next two years”.
At SolutionsPT we closely follow security trends, attending national events and share our experience with peers. We monitor industry challenges and review innovations within the IT market, selecting best in class solutions which are suitable for OT environments. Our solutions are tested to ensure they are compatible with all the core products we offer so you can be assured they can successfully co-exist, saving you time and effort.
Cylance AI is a mature and a proven technology deployed to over 14 million devices. If you are ready to see what your legacy protection products may be missing or just want to break free of the constant upgrade cycle associated with legacy antivirus, we can provide a no obligation 30-day proof of concept. Why not let the technology speak for itself?
#solutionspt #otsecurity #otcybersecurity