
Splunk OT Security Add-On
Walid Khatib
Description
<p>Most OT detection and asset management solutions have developed 'integrations' with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month.</p>
<p>In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP of Internet of Things at Splunk, about the OT Security Add-On.</p>
<p>This is a more detailed, technical episode in which I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:</p>
<ul>
<li>The additional OT fields in the Splunk Asset Framework</li>
<li>The OT_Asset and OT_SW_Asset data models</li>
<li>How the 29 OT search queries will work with integrations that likely use different terms (such as different names for asset types), and the types of search queries currently supported</li>
<li>The value of standardizing some OT alerts/events sent to Splunk, such as "modify control logic". This support for standardized notables, as Splunk calls them, is not in the released Add-On but can be configured.</li>
<li>How Splunk is tracking vulnerability management (currently no OT integration)</li>
<li>How Splunk is calculating the Risk Scores in the OT Security Posture Tab</li>
</ul>
<h3>Links</h3>
<p><a href="https://www.splunk.com/en_us/blog/security/introducing-new-splunk-add-on-for-ot-security.html">Splunk OT Security Add-On Announcement</a></p>
<p><a href="https://splunkbase.splunk.com/app/5151/#/overview">Splunk OT Security Add-On Software Download Page</a></p>