Summary
Although it is a growing field, the market for industrial control system (ICS) security has one factor in common with IT security: a shortage of skills and experience. In the case of ICS security, there is a high need for expertise in dealing with ICS-specific threats. The significance of this shortage is magnified by the increasing number and sophistication of threats to critical infrastructure. The recently discovered TRITON/TRISIS malware, for example, represents a paradigm shift in attacker behavior because it is the first ICS-specific malware to target safety instrumented systems, the components within an ICS designed to detect unsafe conditions. Interfering with this functionality paves the way for damaging attacks to be carried out with an increased likelihood of success.
The 451 Take
Context
Since then, Dragos' offerings have evolved beyond the initial scope of CyberLens to take a threat-intelligence-based approach to ICS security. Lee's two cofounders, CTO Jon Lavender and chief data scientist Justin Cavinee, both worked in the US intelligence community prior to starting Dragos. Lavender led both red and blue team operations, while Cavinee developed technologies to identify threats to ICS and SCADA systems.
Since its inception, Dragos has grown to 32 employees: four in sales, 15 in product development and support, and the remaining 13 devoted to threat intelligence and incident response. The company also raised a $10m series A round from Allegis Capital, Energy Impact Partners, DataTribe and BYU Cougar Capital, bringing total investment in Dragos to $11.2m. The primary verticals that Dragos is targeting include manufacturing, petrochemical and energy.
Products
The Dragos portfolio currently incorporates Dragos Worldview, a set of ICS-specific threat intelligence services; the Dragos Platform for ICS security monitoring and situational awareness; and professional services to better equip organizations to handle and respond to ICS security threats. The Dragos Platform is the company's flagship technology product; its overarching goal is to bring the expertise of the Dragos team to each of its customers. This not only provides enhanced visibility and detection capabilities, but assists in incident response and threat hunting as well. The platform is deployed as a series of hardware sensors on the ICS network with a central aggregation point called Sitestore that can be deployed as a VM on-premises or in the cloud. These sensors passively identify all ICS network assets and inter-asset communications, granting greater visibility into network activities and establishing behavioral baselines used in risk assessment. While network traffic is a primary source for Dragos, it is not the only one. The platform also has the ability to ingest host logs as well as logs from specific ICS technologies, such as controllers and data historians, to gain deeper insights into their activity and facilitate investigations.
Where Dragos differs from some offerings currently on the market is its emphasis on using ICS-specific threat intelligence to guide detection and aid in the incident response process. Rather than alerting to just behavioral anomalies, Dragos codifies threat data gathered by its intelligence analysts in a way that can be used to flag the tactics, techniques and procedures of known adversary groups and attack campaigns, with previously unrecognized activity prompting further investigation by its threat intelligence team.
Alerts are then accompanied with a playbook outlining a step-by-step process for how the organization should respond. Playbooks are developed by the Dragos incident response team, and represent a method of bringing the company's expertise to customers in need of experienced response to ICS-related threats – a definite need when these specific skills are in short supply.
In addition to leveraging threat intel for detection on the Dragos Platform, the company also offers Worldview as a separate threat intelligence product that provides customers with malware identification and analysis, disclosure of known vulnerabilities, indicators of compromise and analysis of adversary behavior. The company delivers weekly reports and monthly webinars on relevant events and threats to continue educating its customers on the evolution of the ICS threat landscape. Dragos' 13-person threat intelligence and incident response team focuses exclusively on this work, continuously investigating new and known threats to populate the platform with actionable data.
The final piece of the Dragos portfolio is its services segment. The company provides security assessments, incident response, tabletop exercises and training courses for existing clients, all of which aim to improve the effectiveness of security tools, procedures and personnel in defending against attacks on critical infrastructure.
Strategy
Although similar to other approaches in how its platform is deployed in customer environments, Dragos is seeking to differentiate on why customers should come to the company, with a model emphasizing threat intelligence for detection and providing guidance or hands-on assistance in driving response. This approach is betting that customers value the playbooks and contextual alerts for their usefulness in resolving threats, due to an industry-wide ICS security skills shortage that makes staffing teams that have relevant experience rather difficult.
Competition
Many of these are based on the ability to recognize anomalies from observed activity. Nozomi Networks, for instance, recently announced a hybrid threat detection model that leverages YARA rules for signature-based threat detection while conducting anomaly detection for unknown threats. Claroty is another competitor that offers vulnerability management and secure remote access control on top of its network behavior-based detection.
Other competitors include CyberX, PAS, Radiflow and Sentryo, all of which incorporate some level of network behavior-based anomaly detection in their offerings. Where Dragos differentiates from many of these plays is in the ICS-focused expertise of its team, reflected in its intelligence-centric approach, where its deep and detailed knowledge of the specifics of the ICS threat landscape is borne out of experience.
As an Analyst in 451 Research’s Information Security Channel, Patrick Daly covers emerging technologies in
Scott Crawford is Research Director for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation