Capabilities for CIP cyber compliance
Several core capabilities help organizations comply effectively with the cyber security requirements of CIP 5. Together they support a full life-cycle approach to the monitoring and management tasks the standard requires.
Visibility across all systems and software
Knowing all of the devices, systems, and networks that make up the infrastructure is an important first step in security. A crucial second step is having real-time visibility into what is happening on those devices, systems, and networks. Yet recent research reports that only 25% of utility security personnel think they have effective visibility across infrastructure.
Deploying anti-virus (AV) software has been the standard approach to protecting endpoints, but AV was designed to operate at scale against the opportunistic attacker, not the advanced threat. As a result, AV depends on periodic scans, which leave gaps in time between them, and relies exclusively on signatures. Advanced attackers, in contrast, compromise only a small, targeted set of computers, staying below the noise threshold so that no signature is ever developed for their tools; this leaves blind spots on endpoints. Such an approach to endpoint security is unsustainable. An effective way to close these gaps is always-on, real-time visibility, so that security personnel learn of attacks as they happen rather than at the next scan.
Detection of potential and definite attacks
Traditional methods of detecting attacks, such as intrusion detection and prevention systems (IDPS) or anti-virus (AV), rely on signatures. Signature-based detection presents two problems: (1) signatures are effective at detecting only certain types of attack; (2) signatures often generate more alerts than security staff can research and respond to, many of them false positives.
In the first case, signatures are effective against opportunistic threats that profit from scale of access and deploy their malware widely. For the advanced attacker, however, the goal is to remain inconspicuous and avoid ever triggering the development of a signature. Attackers with advanced knowledge and sophisticated skills, such as nation-state hackers, can readily evade signature-based detection. To counter this type of attacker, detection must draw on additional methods, such as indicators of compromise, reputation services, and threat intelligence.
In the second case, effective detection should provide some level of attack classification, so that security staff, who often operate with limited resources, can prioritize which potential incidents to investigate in depth.
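The two points above, indicator-based detection and alert classification, as an added example (not code from the original page or from any product it describes). Constructed endpoint events are matched against a small indicator-of-compromise set and a publisher reputation list, then tagged with a tier so the alert queue can be worked from the top down. The indicator hashes, domains and publisher names are placeholders, not real threat intelligence.

```python
"""Indicator-of-compromise (IoC) matching with attack classification.

Each constructed endpoint event is a dict with fields an endpoint sensor would
record (host, process, sha256, publisher, dest_domain). Events are scored
against an IoC set and a publisher reputation list, then tiered so analysts
can prioritize with limited resources.
"""
from collections import Counter

# Constructed indicators: the hash and domain are placeholders, not real IoCs.
IOC_SHA256 = {"0" * 64: "constructed-dropper-family"}
IOC_DOMAINS = {"updates.example.invalid": "constructed-c2-domain"}
# Constructed reputation list: publishers whose signed binaries are trusted.
TRUSTED_PUBLISHERS = {"Example Corp", "Operating System Vendor"}

TIER_RANK = {"confirmed": 3, "suspicious": 2, "informational": 1}


def classify(event):
    """Return (tier, reasons) for one event.

    confirmed     - a threat-intelligence indicator matched exactly
    suspicious    - no IoC hit, but reputation or behaviour is anomalous
    informational - nothing notable; retained for context only
    """
    reasons = []
    family = IOC_SHA256.get(event.get("sha256"))
    if family:
        reasons.append(f"sha256 matches IoC ({family})")
    domain_tag = IOC_DOMAINS.get(event.get("dest_domain"))
    if domain_tag:
        reasons.append(f"destination domain matches IoC ({domain_tag})")
    if reasons:
        return "confirmed", reasons

    publisher = event.get("publisher")
    if not publisher:
        reasons.append("binary is unsigned")
    elif publisher not in TRUSTED_PUBLISHERS:
        reasons.append(f"publisher {publisher!r} has no reputation")
    if event.get("dest_domain") and not publisher:
        reasons.append("unsigned binary making an outbound connection")
    if reasons:
        return "suspicious", reasons
    return "informational", ["signed by trusted publisher, no indicator hit"]


def prioritize(events):
    """Classify every event and return them ordered highest tier first."""
    scored = []
    for ev in events:
        tier, reasons = classify(ev)
        scored.append({**ev, "tier": tier, "reasons": reasons})
    scored.sort(key=lambda e: TIER_RANK[e["tier"]], reverse=True)
    return scored


def tier_counts(events):
    """The summary an analyst sees first: how many events per tier."""
    return dict(Counter(e["tier"] for e in prioritize(events)))


# Constructed sample events (not captured data); 203.0.113.10 is a TEST-NET address.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "process": "svc.exe", "sha256": "0" * 64,
     "publisher": None, "dest_domain": None},
    {"host": "eng-ws-07", "process": "updater.exe", "sha256": "1" * 64,
     "publisher": "Example Corp", "dest_domain": "updates.example.invalid"},
    {"host": "eng-ws-03", "process": "tool.exe", "sha256": "2" * 64,
     "publisher": None, "dest_domain": "203.0.113.10"},
    {"host": "hist-01", "process": "collector.exe", "sha256": "3" * 64,
     "publisher": "Operating System Vendor", "dest_domain": None},
]

if __name__ == "__main__":
    for ev in prioritize(SAMPLE_EVENTS):
        print(f"[{ev['tier']:<13}] {ev['host']:<10} {ev['process']:<14} "
              f"{'; '.join(ev['reasons'])}")
```

The ordering rule is deliberately simple: an exact indicator match is treated as confirmed regardless of anything else, while reputation and behaviour only ever raise an event to suspicious, so the queue's top entries are the ones worth an analyst's first hour.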
Prevention of attacks in real time
Signature-based security solutions are not sufficient to protect against advanced and targeted attacks. An alternative is policy-driven prevention. Signatures work bottom up, enumerating what is known to be bad; policy-driven prevention works top down, defining what is permitted to run and blocking everything else. Ideal policy-driven prevention gives security administrators the flexibility to tighten or relax enforcement through more or less lenient policies, so the security level can be adjusted on an asset-by-asset and even file-by-file basis, depending on factors such as exposure, desirability (to attackers), and vulnerability.
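The top-down model with adjustable leniency, as an added example (not code from the original page or from any product it describes). A per-asset leniency level decides how much evidence a file needs before it may execute, and file-level overrides tighten or relax one file everywhere. All hashes, host names and publisher names are constructed placeholders.

```python
"""Policy-driven execution control with per-asset leniency and per-file overrides.

The engine never asks "is this file known bad?"; it asks "does policy permit
this file to run on this asset?". Evaluation order: banned hashes, file-level
overrides, approved hashes, then the asset's leniency level.
"""
from enum import Enum


class Leniency(Enum):
    STRICT = 1    # only explicitly approved hashes run (e.g. a control-system HMI)
    MODERATE = 2  # approved hashes, or binaries signed by a trusted publisher
    LENIENT = 3   # anything not banned runs, but the decision is logged


# Constructed policy data; every hash below is a placeholder.
APPROVED_HASHES = {"a" * 64: "hmi-runtime.exe", "b" * 64: "historian-agent.exe"}
BANNED_HASHES = {"f" * 64: "constructed known-bad placeholder"}
TRUSTED_PUBLISHERS = {"Example Corp"}

# Per-asset leniency, chosen from exposure, desirability and vulnerability.
ASSET_POLICY = {
    "hmi-01": Leniency.STRICT,
    "eng-ws-07": Leniency.MODERATE,
    "corp-laptop-12": Leniency.LENIENT,
}

# File-level overrides apply regardless of the asset's level.
FILE_OVERRIDES = {
    "c" * 64: "allow",  # vendor diagnostic tool approved for a maintenance window
    "d" * 64: "deny",   # remote-administration tool denied everywhere
}


def decide(asset, sha256, publisher=None):
    """Return (allow, reason) for a request to execute `sha256` on `asset`."""
    if sha256 in BANNED_HASHES:
        return False, "banned hash"
    override = FILE_OVERRIDES.get(sha256)
    if override == "deny":
        return False, "file-level deny override"
    if override == "allow":
        return True, "file-level allow override"
    if sha256 in APPROVED_HASHES:
        return True, f"approved hash ({APPROVED_HASHES[sha256]})"

    # Unknown assets fail closed: treat them as STRICT until inventoried.
    level = ASSET_POLICY.get(asset, Leniency.STRICT)
    if level is Leniency.STRICT:
        return False, "strict asset: hash not on the approved list"
    if publisher in TRUSTED_PUBLISHERS:
        return True, f"trusted publisher ({publisher})"
    if level is Leniency.MODERATE:
        return False, "moderate asset: unapproved hash and untrusted publisher"
    return True, "lenient asset: not banned (logged for review)"


def evaluate(requests):
    """Apply `decide` to (asset, sha256, publisher) tuples; returns audit rows."""
    rows = []
    for asset, sha256, publisher in requests:
        allow, reason = decide(asset, sha256, publisher)
        rows.append({"asset": asset, "sha256": sha256[:8] + "...",
                     "allow": allow, "reason": reason})
    return rows


if __name__ == "__main__":
    # Constructed requests: the same unknown, vendor-signed binary on three assets.
    sample = [(host, "e" * 64, "Example Corp") for host in ASSET_POLICY]
    for row in evaluate(sample):
        print(f"{row['asset']:<15} {'ALLOW' if row['allow'] else 'DENY ':<5} {row['reason']}")
```

Running the sample shows the same signed binary denied on the strict HMI, allowed on the moderate engineering workstation because of its publisher, and allowed on the lenient laptop because nothing bans it; that single file evaluated three ways is what the text means by adjusting the security level asset by asset.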
Response to attacks
Traditional incident response (IR) is tedious, time consuming, and imperfect. It relies on log file analysis and file system forensics as its primary sources of data, yet those data points are incomplete and analyzing them is expensive. An ideal solution would start by automatically correlating events and end by presenting a complete picture of the security incident, without manual log file or file system analysis, answering key questions without guesswork:
- How did it start?
- Where did it spread?
- What did it do?
- What do I do now?
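Automatic event correlation that answers those four questions, as an added example (not code from the original page or from any product it describes). Constructed endpoint telemetry from two hosts is stitched into one incident: parent/child process links answer how it started, a network connection followed by a remotely spawned process answers where it spread, the file and network activity of the involved processes answers what it did, and the affected hosts and artefacts feed what to do now. Host names, process names, paths and the TEST-NET address are all placeholders.

```python
"""Correlate endpoint events into a single incident picture.

The correlation walks the process tree upward to the root cause (hopping
hosts through inbound network connections), then downward to every process
the chain spawned, locally or on a host it connected to.
"""
from collections import deque

# Constructed sample telemetry (not captured data). ts is a simple ordering counter.
EVENTS = [
    {"ts": 1, "host": "eng-ws-07", "type": "process", "pid": 100, "ppid": 1, "image": "mail-client.exe"},
    {"ts": 2, "host": "eng-ws-07", "type": "process", "pid": 200, "ppid": 100, "image": "doc-viewer.exe"},
    {"ts": 3, "host": "eng-ws-07", "type": "process", "pid": 300, "ppid": 200, "image": "script-host.exe"},
    {"ts": 4, "host": "eng-ws-07", "type": "file_write", "pid": 300, "path": "C:\\Users\\eng\\AppData\\svc.exe"},
    {"ts": 5, "host": "eng-ws-07", "type": "process", "pid": 400, "ppid": 300, "image": "svc.exe"},
    {"ts": 6, "host": "eng-ws-07", "type": "net_connect", "pid": 400, "dest_host": "203.0.113.10", "dest_port": 443},
    {"ts": 7, "host": "eng-ws-07", "type": "net_connect", "pid": 400, "dest_host": "hmi-01", "dest_port": 445},
    {"ts": 8, "host": "hmi-01", "type": "process", "pid": 500, "ppid": 4, "image": "svc.exe"},
    {"ts": 9, "host": "hmi-01", "type": "file_write", "pid": 500, "path": "C:\\HMI\\config.ini"},
    {"ts": 0, "host": "hist-01", "type": "process", "pid": 600, "ppid": 1, "image": "collector.exe"},  # unrelated noise
]

PROCS = {(e["host"], e["pid"]): e for e in EVENTS if e["type"] == "process"}
KNOWN_HOSTS = {e["host"] for e in EVENTS}


def inbound_connection(host, before_ts):
    """Latest net_connect from another host into `host` before `before_ts`, else None."""
    hits = [e for e in EVENTS if e["type"] == "net_connect" and e["dest_host"] == host
            and e["host"] != host and e["ts"] < before_ts]
    return max(hits, key=lambda e: e["ts"]) if hits else None


def root_cause(host, pid):
    """Walk up the process tree; with no local parent, follow the inbound connection."""
    proc = PROCS[(host, pid)]
    while True:
        parent = PROCS.get((proc["host"], proc["ppid"]))
        if parent is None:
            inbound = inbound_connection(proc["host"], proc["ts"])
            parent = PROCS.get((inbound["host"], inbound["pid"])) if inbound else None
        if parent is None:
            return proc
        proc = parent


def involved_processes(root):
    """Breadth-first walk down: local children plus parentless processes on connected-to hosts."""
    seen, queue = [], deque([root])
    while queue:
        proc = queue.popleft()
        if proc in seen:
            continue
        seen.append(proc)
        for e in EVENTS:
            if e["type"] == "process" and e["host"] == proc["host"] and e["ppid"] == proc["pid"]:
                queue.append(e)
            if (e["type"] == "net_connect" and e["host"] == proc["host"]
                    and e["pid"] == proc["pid"] and e["dest_host"] in KNOWN_HOSTS):
                queue.extend(p for p in EVENTS if p["type"] == "process" and p["host"] == e["dest_host"]
                             and p["ts"] > e["ts"] and (p["host"], p["ppid"]) not in PROCS)
    return seen


def describe(e):
    if e["type"] == "file_write":
        return f"{e['host']} pid {e['pid']} wrote {e['path']}"
    return f"{e['host']} pid {e['pid']} connected to {e['dest_host']}:{e['dest_port']}"


def correlate(alert_host, alert_pid):
    """Build the four-question incident summary from one alerted process."""
    root = root_cause(alert_host, alert_pid)
    keys = {(p["host"], p["pid"]) for p in involved_processes(root)}
    actions = sorted((e for e in EVENTS if e["type"] in ("file_write", "net_connect")
                      and (e["host"], e["pid"]) in keys), key=lambda e: e["ts"])
    hosts = sorted({h for h, _ in keys})
    external = sorted({e["dest_host"] for e in actions
                       if e["type"] == "net_connect" and e["dest_host"] not in KNOWN_HOSTS})
    written = sorted(e["path"] for e in actions if e["type"] == "file_write")
    return {
        "how_did_it_start": f"{root['image']} (pid {root['pid']}) on {root['host']}",
        "where_did_it_spread": [h for h in hosts if h != root["host"]],
        "what_did_it_do": [describe(e) for e in actions],
        "what_do_i_do_now": [f"isolate {h}" for h in hosts]
                            + [f"block outbound to {d}" for d in external]
                            + [f"collect {p} for analysis" for p in written],
    }


if __name__ == "__main__":
    for question, answer in correlate("hmi-01", 500).items():
        print(f"{question}: {answer}")
```

Seeding the correlation from the alert on hmi-01 or from the alert on eng-ws-07 yields the same root cause, which is the property that lets an analyst start from whichever alert fired first; the unrelated collector process on hist-01 produces a one-host incident with no spread.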
Integration with other layers of security
No single security solution or technology can address all threats and attacks. Every organization should follow the best practice of “defense in depth,” which means layering many security solutions and technologies across networks, systems, and devices. For these disparate solutions to function well, however, they must be integrated effectively and configured correctly. Ideally, security personnel have central management dashboards and reports through which to monitor and coordinate them.
