When introducing the Verve Security Center (VSC) to others, we are often asked one particular question: “We have seen OT Network Intrusion Detection Systems (NIDS) that offer cyber security for industrial control systems (ICS) environments. Why would we use a solution like Verve rather than employ a NIDS tool that would seem to do all we need?”
One thing you should understand before we answer that question is that, when choosing a solution for your organization, the most important thing to do is choose the right tool at the right time for the job. That is why we designed the Verve Security Center to be an adaptable, scalable, effective platform for tying together your critical security tools and components in a manner that suits your security profile. The VSC enables clients to gain deep asset visibility, vulnerability information, and take remediation actions, but also integrates with multiple other technologies to add greater context to alerts and potential threat indicators.
Therefore, when customers ask what is the difference, we start with what is the Verve Security Center:
NIDS is an element of the Verve Security Center
Verve is a cyber security and reliability platform that brings together a range of underlying components such as patching, application whitelisting, backup & restore, configuration change management, and access control. One of these underlying components could be the OT NIDS solution.
The Verve platform is not something to be used “instead of” or “rather than” passive anomaly detection tools, instead it incorporates those tools and more as part of an integrated platform. Verve provides robust log, netflow, DCS alarm and other anomaly detection native from the platform. Customers can add additional data into our platform, such as alerts from IDS/IPS or OT passive anomaly detection tools, which can enrich the data we get natively to add further insights to security and reliability events.
Verve offers a rich asset inventory using unique agent-agentless architecture
Because it is a platform, Verve leverages a range of methodologies to gather threat and baseline information – from agent-based solutions on those devices where it is relevant and feasible, to agentless-based solutions on others.
A stand alone passive tool, on the other hand, only infers information based on what they can pick up from the traffic captured through their span and mirrored ports and taps. Therefore, if the NIDS solution does not have access to the traffic stream or if the devices are not transmitting asset specific details (many never do), the value and complexity of the asset data is limited to trending on transmitted data.
Verve defends and protects
One of the biggest differences in VSC vs. passive tools is that Verve enables the user to take action to remediate threats and vulnerabilities. This "closed-loop" process significantly reduces mean-time-to-remediation with integrated actions.
NIDS solutions are monitoring solutions. Their focus is on identifying threats once they are in the network or, if at the network perimeter via the Internet, attempts to get into the network. They then alert on those anomalies. The problem is that alerting tools have no ability to act or to take protective measures to prevent. So in order to give this monitoring solution even more power, Verve’s platform includes defensive measures to protect from these types of attacks.
Verve brings everything into a single database
Verve is an integrated user interface that brings all of your inventory, protection, defense, and monitoring information into a single database for analysis and reporting. Many NIDS solutions have good reporting of the data within their database, but in order to provide a full richness to the landscape, this data needs to be integrated with information from other sources. When this integration happens and data from different tools is cross-correlated, the number of false positives and “time-to-remediation” can be reduced significantly.
Why Verve First?
Once we have answered the initial question, we are often asked a second: “If Verve is an open platform, why not start with NIDS and add the other elements of the Verve platform later?”
The primary reason is because Verve gets to a faster security impact at lower cost by starting with other elements such as patch and vulnerability management (which requires a robust software and hardware inventory), configuration change management, and access management. All of these elements can be accomplished without adding or installing span ports or setting up mirrored ports or taps in the network. Further, these security gains can be accomplished almost instantly without long baselining periods. Therefore, the cost and time of set up and defense is much shorter.
The second reason is that these other defenses allow you to remediate baseline vulnerabilities and misconfigured assets prior to building a baseline for monitoring and to provide defensive actions against the collateral damage that is the most likely form of incident.
The Business Benefits of the Verve Platform Approach
The Verve platform approach begins with core fundamentals of patch or vulnerability management using rich asset and network inventory, backup & restore, and configuration management. We believe there are four major business benefits to choosing the implement the Verve platform as a starting point:
Lower cost & quicker to impact:
The Verve platform provides this rich asset information and defense without the time and cost of installing a robust network of span ports, mirrored ports and taps.
The illustration above shows the step change in security maturity one of our clients gained after implementing a comprehensive, multi-disciplined approach hosted and managed by our Verve Security Center Platform.
More complete security:
The Verve platform provides both defensive measures as well as monitoring capabilities to build a more robust fabric of security than any single tool.
The Verve platform allows a client to easily add modules over time of the best-in-breed cyber security solutions while continuing to bring that data into a single database and user interface for analysis and reporting.
Because it gathers a full range of data (including NIDS information over time), the Verve platform reduces the number of false-positives by correlating asset data across different security components.
Verve Platform Illustration
The diagram below depicts a powerful cross reference of data from a multitude of sources being used to build a focused and accurate response to truly important and emerging threats. The illustration shows how asset-based information (pulled from a combination of agent reporting, passive listening and user input/definition) paint a robust picture.
From the asset name and type on the left, to its criticality to that facility/operation, to real time alerts like failed logins, and finally, filtered to a specific location we see the true value of an integrated platform.