Using a Collection Management Framework for ICS Security Operations and Incident Response

  • Webcast Aired Wednesday, 14 Nov 2018 3:30PM EST (14 Nov 2018 20:30 UTC)
  • Speakers: Tim Conway, Ben Miller, Mark Stacey

A collection management framework (CMF) is an essential way to extend the value of an asset inventory so that it serves security operations and incident response use cases. A CMF helps analysts understand not only what assets they have, but also what data is available from those assets, how long it is retained, and what they can do with that data. Pre-made investigation playbooks, paired with an understanding of the threat and of what your collection actually covers, are a core way to build a repeatable and scalable approach to monitoring your industrial networks for threats and responding to them efficiently.
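
As an added illustration (not code from the webcast, the paper it presents, or Dragos), the following Python sketches what a CMF looks like once it is written down as data rather than kept in analysts' heads: each entry records an asset, the data type it produces, where that data lands, how long it is retained, and which use cases it supports. The asset names, retention values and the playbook steps are constructed sample values, and the column names are this example's own assumption. The two queries it answers are the ones the paragraph above describes: "what do I have?" and, for an incident first suspected some number of days ago, "which playbook steps can I still answer, and where are the gaps?"

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# One row of the CMF. Field names are this example's own assumption;
# the webcast's paper may use different columns.
@dataclass(frozen=True)
class CollectionSource:
    asset: str            # asset or collection point producing the data
    data_type: str        # kind of record it yields
    location: str         # where the records end up (SIEM, local disk, sensor, ...)
    retention_days: int   # how long the records are kept before roll-over
    use_cases: tuple      # which questions this data can help answer

# Constructed sample CMF: invented asset names and retention values.
SAMPLE_CMF = (
    CollectionSource("plant-dmz-firewall", "firewall-log",      "siem",       90,  ("monitoring", "hunt", "ir")),
    CollectionSource("level2-hmi-01",      "windows-event-log", "local-disk", 7,   ("ir",)),
    CollectionSource("engineering-ws-02",  "windows-event-log", "siem",       180, ("hunt", "ir")),
    CollectionSource("level3-span-tap",    "network-pcap",      "sensor",     14,  ("monitoring", "hunt", "ir")),
    CollectionSource("level1-plc-07",      "historian-tags",    "historian",  365, ("process-anomaly", "ir")),
)

# Constructed playbook: each step names the data type needed to answer its question.
REMOTE_ACCESS_PLAYBOOK = (
    ("Was the DMZ boundary crossed?",        "firewall-log"),
    ("Which account logged on to the HMI?",  "windows-event-log"),
    ("What did the session do on the wire?", "network-pcap"),
    ("Did the process deviate afterwards?",  "historian-tags"),
)

def data_types_by_asset(cmf):
    """'What do I have?': map each asset to the data types it can provide."""
    out = {}
    for src in cmf:
        out.setdefault(src.asset, []).append(src.data_type)
    return out

def sources_covering(cmf, age_days, use_case="ir"):
    """Sources tagged for use_case whose retention still reaches back age_days."""
    return [s for s in cmf if use_case in s.use_cases and s.retention_days >= age_days]

def sources_rolled_over(cmf, age_days, use_case="ir"):
    """Sources that would serve use_case but have already aged out for this incident."""
    return [s for s in cmf if use_case in s.use_cases and s.retention_days < age_days]

def playbook_readiness(cmf, playbook, age_days):
    """For each playbook step, the assets that can still answer it; an empty list is a gap."""
    readiness = []
    for question, needed_type in playbook:
        still_have = [s.asset for s in sources_covering(cmf, age_days)
                      if s.data_type == needed_type]
        readiness.append((question, needed_type, still_have))
    return readiness

def incident_age_days(incident_start, now):
    """Whole days between first suspected activity and the time of the investigation."""
    return (now - incident_start).days

if __name__ == "__main__":
    now = datetime(2018, 11, 14, 20, 30, tzinfo=timezone.utc)
    age = incident_age_days(now - timedelta(days=30), now)   # activity first seen 30 days ago
    for question, needed, assets in playbook_readiness(SAMPLE_CMF, REMOTE_ACCESS_PLAYBOOK, age):
        status = ", ".join(assets) if assets else "GAP: no source retains this data"
        print(f"{question:<40} {needed:<18} {status}")
```

Running this for an incident thirty days old shows the point of recording retention: the HMI's local-only event log and the span-tap packet capture have already rolled over, so the "which account" step falls back to the engineering workstation's SIEM-forwarded log and the "on the wire" step has no source at all. Those gaps are what a CMF review is meant to surface before an incident, when retention or forwarding can still be changed.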

This webcast will present a new paper outlining how to build a CMF and then transition to examples of how to use it. The examples will cover incident response, threat hunting, and security operations use cases in industrial control system (ICS) environments. At the end of the presentation, a use case will be demonstrated in the Dragos Platform to show attendees how to leverage threat intelligence and an understanding of your own environment to quickly investigate malicious activity.