Preview Mode Links will not work in preview mode

Unsolicited Response Podcast

Sep 16, 2020

Most of the OT Detection and Asset Management solutions have developed 'integrations' with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month.

In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP Internet of Things at Splunk about the OT Security Add-On.

This is a more detailed, technical episode as I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:

  • The additional OT fields in the Splunk Asset Framework
  • The OT_Asset and OT_SW_Asset data models
  • How the 29 OT search queries will work with integrations likely using different terms (such as different names for asset types) and the types of search queries currently supported.
  • The value of having standardizations for some OT alerts/events sent to Splunk, such as "modify control logic". This support for standardized notables, as Splunk calls them, is not in the released Add-On but can be configured.
  • How Splunk is tracking vulnerability management (currently no OT integration)
  • And how Splunk is calculating the Risk Scores in the OT Security Posture Tab


Splunk OT Security Add-On Announcement

Splunk OT Security Add-On Software Download Page