Content provided by Podcast Archives - Dale Peterson: ICS Security Catalyst. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Podcast Archives - Dale Peterson: ICS Security Catalyst or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://ar.player.fm/legal.
Podcast: Splunk’s OT Security Add-On

Most OT detection and asset management solutions have developed 'integrations' with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEM with little context. This all changed with Splunk announcing their OT Security Add-On last month.

In this episode of the Unsolicited Response podcast I talk with Ed Albanese, VP of Internet of Things at Splunk, about the OT Security Add-On.

This is a more detailed, technical episode, as I try to dig into the features and benefits of the integration today and where it can be improved in the future. Topics include:

  • The additional OT fields in the Splunk Asset Framework
  • The OT_Asset and OT_SW_Asset data models
  • How the 29 OT search queries will work when integrations likely use different terms (such as different names for asset types), and the types of search queries currently supported
  • The value of standardizing some of the OT alerts/events sent to Splunk, such as "modify control logic". Support for these standardized notables, as Splunk calls them, is not in the released Add-On but can be configured
  • How Splunk is tracking vulnerability management (currently with no OT integration)
  • How Splunk calculates the Risk Scores in the OT Security Posture tab
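
The two vocabulary problems raised above, different names for the same asset type across integrations and different vendor event names for what should be one standardized notable, come down to the same normalization step: map each source's label onto a shared value before the common searches run. The following is an added example written for this page, not code from Splunk or the Add-On; it models that step in Python so it runs stand-alone rather than as SPL, and every taxonomy value, mapping entry, field name and sample record in it is constructed for illustration and is not the Add-On's actual schema. It also shows the failure mode a practitioner cares about: a "PLCs per site" search that silently returns nothing against raw labels, and how unmapped labels are flagged for review instead of being dropped.

```python
"""Normalize vendor-specific OT asset-type and event labels before shared searches.

Added example. The taxonomy, mappings, field names and sample records are
constructed for illustration; none of them are Splunk's or the OT Add-On's.
"""
from collections import Counter
from typing import Optional

# Canonical asset-type values the shared searches are written against (assumed).
CANONICAL_ASSET_TYPES = frozenset(
    {"plc", "hmi", "engineering_workstation", "historian", "network_device"}
)

# Source-specific asset labels -> canonical type. Keys are matched after
# case-folding and collapsing separators (see _key). Constructed mapping.
ASSET_TYPE_MAP = {
    "plc": "plc",
    "programmable logic controller": "plc",
    "controller": "plc",
    "pac": "plc",
    "hmi": "hmi",
    "operator station": "hmi",
    "operator workstation": "hmi",
    "engineering workstation": "engineering_workstation",
    "ews": "engineering_workstation",
    "historian": "historian",
    "data historian": "historian",
    "switch": "network_device",
    "industrial switch": "network_device",
    "router": "network_device",
}

# Source-specific event names -> a standardized notable name. Constructed mapping.
EVENT_NAME_MAP = {
    "logic download": "modify control logic",
    "program download": "modify control logic",
    "plc program change": "modify control logic",
    "controller mode change": "change controller mode",
    "firmware update": "modify firmware",
}


def _key(term: str) -> str:
    """Case-fold and collapse '_', '-' and runs of whitespace to a single space."""
    return " ".join(term.lower().replace("_", " ").replace("-", " ").split())


def normalize_asset_type(raw_type: str) -> str:
    """Map a source's asset-type label to the canonical value, or 'unknown'."""
    return ASSET_TYPE_MAP.get(_key(raw_type), "unknown")


def normalize_event_name(raw_name: str) -> Optional[str]:
    """Map a source's event name to a standardized notable name, or None if unmapped."""
    return EVENT_NAME_MAP.get(_key(raw_name))


def normalize_asset(record: dict) -> dict:
    """Return a copy of an asset record with asset_type normalized.

    The source label is kept in orig_asset_type, and labels the map does not
    cover are marked needs_review so they surface instead of vanishing.
    """
    canonical = normalize_asset_type(record["asset_type"])
    out = dict(record)
    out["orig_asset_type"] = record["asset_type"]
    out["asset_type"] = canonical
    out["needs_review"] = canonical not in CANONICAL_ASSET_TYPES
    return out


def plc_count_by_site(records) -> Counter:
    """A shared search of the kind the Add-On ships: PLC count per site."""
    return Counter(r["site"] for r in records if r["asset_type"] == "plc")


def unmapped_labels(records) -> list:
    """Distinct source labels that still need an entry in ASSET_TYPE_MAP."""
    return sorted({r["asset_type"] for r in records
                   if normalize_asset_type(r["asset_type"]) == "unknown"})


# Constructed sample: two sources describing PLCs with three different labels.
SAMPLE_ASSETS = [
    {"source": "vendor_a", "ip": "10.10.1.5", "site": "plant_1", "asset_type": "PLC"},
    {"source": "vendor_a", "ip": "10.10.1.6", "site": "plant_1", "asset_type": "Engineering_Workstation"},
    {"source": "vendor_b", "ip": "10.10.1.7", "site": "plant_1", "asset_type": "Programmable Logic Controller"},
    {"source": "vendor_b", "ip": "10.20.1.5", "site": "plant_2", "asset_type": "Controller"},
    {"source": "vendor_b", "ip": "10.20.1.9", "site": "plant_2", "asset_type": "Safety Instrumented System"},
]

if __name__ == "__main__":
    normalized = [normalize_asset(r) for r in SAMPLE_ASSETS]
    print("PLCs per site, raw labels:  ", dict(plc_count_by_site(SAMPLE_ASSETS)))
    print("PLCs per site, normalized:  ", dict(plc_count_by_site(normalized)))
    print("labels needing a mapping:   ", unmapped_labels(SAMPLE_ASSETS))
    print("notable for 'Program Download':", normalize_event_name("Program Download"))
```

The raw search finds no PLCs at all, because "PLC", "Programmable Logic Controller" and "Controller" never equal the lowercase value the search expects; after normalization it reports two at plant_1 and one at plant_2. In a Splunk deployment the same mapping would live in a lookup applied at search time or in the data model's field extractions; the point here is that the mapping must be owned and reviewed (hence `unmapped_labels` and `needs_review`), since every label it misses is an asset the 29 shared searches cannot see.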

Links

Splunk OT Security Add-On Announcement

Splunk OT Security Add-On Software Download Page

The post Podcast: Splunk’s OT Security Add-On appeared first on Dale Peterson: ICS Security Catalyst.
