The Verve Platform and Passive Anomaly Detection

Rick Kaun

When we speak with people about the Verve Security Center, we are often asked one particular question: “We have seen OT Network Intrusion Detection Systems (NIDS) that offer cybersecurity for industrial control environments. Why would we use a solution like Verve rather than employ a NIDS tool that would seem to do all we need?”

Passive Anomaly Detection

One thing we make sure everyone understands before we answer that question is that, when choosing a solution for your organization, the most important thing is to choose the right tool at the right time for the job. That is why we designed the Verve Security Center to be an adaptable, scalable, effective platform for tying together your critical security tools and components in a manner that suits your security profile. Once you understand that Verve is the platform into which other tools are deployed, managed and, most importantly, monitored and cross-referenced, you will see that the two offerings couldn’t be more different.

When it comes to making the decision to choose the Verve product, the answer to the above question has several parts.

  1. NIDS is an element of the Verve Security Center

Verve is a cybersecurity and reliability platform that brings together a range of underlying components such as patching, application whitelisting, backup & restore, configuration change management, access control, etc. One of these underlying components could be the OT NIDS solution.

Verve NIDS blog image1

The Verve platform is not something to be used “instead of” or “rather than” other passive anomaly detection (AD) tools; instead it incorporates those tools, and more, as part of an integrated platform.

  2. Verve builds a richer and more certain asset inventory

Because it is a platform, Verve leverages a range of methodologies to gather threat and baseline information: agent-based collection on those devices where it is relevant and feasible, admin-service-based collection on others, and passive traffic analysis where that is relevant.

Verve NIDS blog image2

By contrast, NIDS solutions can only infer information from the traffic they are able to capture through span ports, mirrored ports and taps. Therefore, if the NIDS solution does not have access to the traffic stream, or if the devices are not transmitting asset-specific details (many never do), the value and depth of the asset data is limited to trending on whatever is transmitted.

  3. Verve will defend and protect

The most likely threats to OT networks are not targeted attacks, but the more general cyber attacks in which OT networks become collateral damage. WannaCry, Petya, NotPetya, etc. were not intentional attacks on OT networks, but still had significant impact on unpatched OT devices.

Verve NIDS blog image3

"Greatest Volume of Threats comes from Non-Targeted Collateral Damage"

NIDS solutions are monitoring solutions. Their focus is on identifying threats once they are inside the network or, at the Internet-facing perimeter, attempts to get into the network, and then alerting on those anomalies. The problem is that an alerting tool has no ability to act or to take protective measures that prevent the attack. So, to give this monitoring capability even more power, Verve’s platform includes defensive measures to protect against these types of attacks.

  4. Verve brings everything into a single database

Verve is an integrated user interface that brings all of your inventory, protection, defense, and monitoring information into a single database for analysis and reporting. Many NIDS solutions have good reporting of the data within their database, but in order to provide a full richness to the landscape, this data needs to be integrated with information from other sources. When this integration happens and data from different tools is cross-correlated, the number of false positives and “time-to-remediation” can be reduced significantly.

Verve NIDS blog image4

Why Verve First?

Once we have answered the initial question, we are often asked a second: “If Verve is an open platform, why not start with NIDS and add the other elements of the Verve platform later?” 

The primary reason is that we can get to faster security impact at lower cost by starting with other elements such as patch/vulnerability management (which requires a robust software & hardware inventory), configuration change management, and access management. All of these elements can be accomplished without adding/installing span ports or setting up mirrored ports or taps in the network. Further, these security gains can be accomplished almost instantly without long baselining periods. Therefore, the cost and time of set up and defense is much shorter.

The second reason is that these other defenses allow you to remediate baseline vulnerabilities and misconfigured assets prior to building a baseline for monitoring and to provide defensive actions against the collateral damage that is the most likely form of incident.

The Business Benefits of the Verve Platform Approach

The Verve Platform approach begins with the core fundamentals of patch/vulnerability management using rich asset and network inventory, backup & restore, and configuration management. We believe there are four major business benefits to choosing to implement the Verve platform as a starting point:

  1. Lower cost & quicker to impact:

The Verve platform can provide this rich asset information and defense without the time and cost of installing a robust network of span ports, mirrored ports and taps.

Verve NIDS blog image5

The illustration above shows the step change in security maturity one of our clients gained after implementing a comprehensive, multi-disciplined approach hosted and managed by our Verve Security Center Platform.

  2. More complete security:

The Verve platform provides both defensive measures as well as monitoring capabilities to build a more robust fabric of security than any single tool.

  3. Flexibility/future-proof:

The platform allows a client to easily add best-in-breed cybersecurity modules over time while continuing to bring that data into a single database and user interface for analysis and reporting.

Verve NIDS blog image6

  4. Ease-of-use:

Because it gathers a full range of data (including NIDS information over time), it can reduce the number of false-positives by correlating asset data across different security components.

Verve Platform Illustration

The diagram below depicts a powerful cross-reference of data from a multitude of sources being used to build a focused and accurate response to truly important and emerging threats. The illustration shows how asset-based information (pulled from a combination of agent reporting, passive listening and user input/definition) paints a robust picture.

From the asset name and type on the left, to its criticality to that facility or operation, to real-time alerts such as failed logins, and finally to a filter on a specific location, we see the true value of an integrated platform.
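The cross-reference described above, as an added illustration that is not Verve's own code or schema: passive-NIDS alerts are joined to an agent-reported inventory (constructed data, hypothetical field names) so that a signature hit on an already-patched asset is downgraded, one on an exposed asset becomes a remediation item, traffic to an asset no collector knows becomes an inventory gap, and failed logins are weighted by the asset's criticality and filterable by site.

```python
from collections import Counter

# Constructed inventory, as an agent/admin-service collector would report it
# (hypothetical field names, not Verve's schema). Keyed by IP for the join.
INVENTORY = {
    "10.1.20.11": {"name": "HMI-01", "site": "Plant-A", "criticality": "high",
                   "missing_patches": {"PATCH-SMB-EXAMPLE"}},
    "10.1.20.12": {"name": "ENG-WS-02", "site": "Plant-A", "criticality": "medium",
                   "missing_patches": set()},
}

# Constructed passive-NIDS alerts. "fixed_by" names the (placeholder) patch that
# closes the weakness a signature targets; an asset carrying it is not exposed.
ALERTS = [
    {"dst": "10.1.20.11", "sig": "SMBv1 exploit attempt", "fixed_by": "PATCH-SMB-EXAMPLE"},
    {"dst": "10.1.20.12", "sig": "SMBv1 exploit attempt", "fixed_by": "PATCH-SMB-EXAMPLE"},
    {"dst": "10.1.30.5", "sig": "SMBv1 exploit attempt", "fixed_by": "PATCH-SMB-EXAMPLE"},
    {"dst": "10.1.20.11", "sig": "Failed login"},
    {"dst": "10.1.20.11", "sig": "Failed login"},
    {"dst": "10.1.20.11", "sig": "Failed login"},
    {"dst": "10.1.20.12", "sig": "Failed login"},
]
FAILED_LOGIN_THRESHOLD = 3  # constructed threshold; tune per environment


def triage(alerts, inventory, site=None):
    """Join alerts to asset records; return (priority, asset, reason), highest first."""
    findings = []
    logins = Counter(a["dst"] for a in alerts if a["sig"] == "Failed login")
    for a in alerts:
        asset = inventory.get(a["dst"])
        if asset is None:
            # Traffic to a host no collector knows: an inventory gap, not noise.
            findings.append(("high", a["dst"], "alert on unknown asset; add to inventory"))
            continue
        if site and asset["site"] != site:
            continue  # operator filtered the view to one location
        if a["sig"] == "Failed login":
            continue  # counted per asset below, not once per packet
        if a.get("fixed_by") in asset["missing_patches"]:
            findings.append(("critical", asset["name"], f"exposed; apply {a['fixed_by']}"))
        elif a.get("fixed_by"):
            findings.append(("info", asset["name"], "signature hit but patch already applied"))
    for ip, n in logins.items():
        asset = inventory.get(ip)
        if asset and n >= FAILED_LOGIN_THRESHOLD and (not site or asset["site"] == site):
            pri = "high" if asset["criticality"] == "high" else "medium"
            findings.append((pri, asset["name"], f"{n} failed logins"))
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted(set(findings), key=lambda f: order[f[0]])
```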

Verve NIDS blog image7

If you are interested in learning more about how the Verve integrated platform can benefit your organization, download our comprehensive brochure or request a demo with one of our cyber security experts.
