
Achieving ICS Network Security Monitoring and Visibility with Flow Data

  • Wednesday, May 27, 2015 at 3:00 PM EDT (2015-05-27 19:00:00 UTC)
  • Chris Sanders, Robert M. Lee




As organizations responsible for Industrial Control System (ICS) networks continue to acknowledge the current threat landscape, they are rapidly looking to instrument their networks for visibility. This visibility is key to identifying nefarious activity and to investigating potential breaches. ICS and SCADA networks are often characterized by very rigid change control policies and diverse vendor-dependent systems. Oftentimes installing agents on endpoint devices is not an option, and the cost of implementing a full packet capture solution puts it out of reach. This can leave system and security administrators feeling helpless. Fortunately, there are options. In this presentation, Robert M. Lee and Chris Sanders will discuss solutions for instrumenting ICS networks for security visibility. This will begin with a high-level discussion of network security monitoring (NSM) and asset identification, followed by an overview of network architecture and the chokepoints relevant to capturing data. Next, we will introduce flow data and how it can be collected and analyzed to provide visibility in ICS networks with a minimal storage footprint. Finally, we will demonstrate SiLK, a flow collection and analysis suite, and FlowBAT, a graphical flow analysis tool that leverages SiLK.

Speaker Bios

Robert M. Lee

Robert M. Lee is the CEO and Founder of the critical infrastructure cyber security company Dragos Security LLC, where he has a passion for control system traffic analysis, incident response, and threat intelligence research. He is a SANS Certified Instructor and the course author of SANS ICS515 - "Active Defense and Incident Response" and the co-author of SANS FOR578 - "Cyber Threat Intelligence." Robert is also a non-resident National Cyber Security Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure and a PhD candidate at King's College London. For his research and focus areas, he was named one of Passcode's Influencers, awarded EnergySec's 2015 Cyber Security Professional of the Year, and named to the 2016 Forbes 30 Under 30 list.

Robert obtained his start in cyber security in the U.S. Air Force, where he served as a Cyber Warfare Operations Officer. He has performed defense, intelligence, and attack missions in various government organizations, including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Robert routinely writes articles in publications such as Control Engineering and the Christian Science Monitor's Passcode and speaks at conferences around the world. Lastly, Robert is the author of the book "SCADA and Me" and the weekly web-comic http://www.LittleBobbyComic.com.

"Rob is the best instructor I have seen. Real world examples, humor, time efficient, [and] effective."
- Toni Benson, Cyber Analyst

Chris Sanders

Chris Sanders is an information security consultant, author, and researcher originally from Mayfield, Kentucky, now living in Charleston, SC. Chris leads the detection and intelligence efforts for a product team at FireEye, where he focuses on effectively using threat intelligence to catch adversaries. He has extensive experience supporting multiple government and military agencies in defense of the nation, as well as several Fortune 500 companies. Chris has authored several books and articles, including the international best seller "Practical Packet Analysis" from No Starch Press, currently in its second edition in seven languages, and "Applied Network Security Monitoring" from Syngress. Chris currently holds multiple industry certifications, including the SANS GSE and CISSP distinctions, as well as a BS in Telecommunications and an MS in Homeland Security. He is currently pursuing a PhD in cognitive psychology while conducting research to enhance the field of security investigative technique through a better understanding of human thought and learning processes. Chris is also the founder and director of the Rural Technology Fund, a non-profit that donates thousands of dollars in scholarships and equipment annually to further technical education in rural and high-poverty areas.
