Chad_Becker
Employee Alumnus

White Paper - Securing Industrial Control Systems - Check Point AAD

Securing Industrial Control Systems Check Point AAD (Anomaly and Asset Detection) Mapped to NISTIR 8219 Behavioural Anomaly

Author

@Mark_Barnes 

Abstract:

The US National Institute of Standards and Technology (NIST), National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Laboratory (EL) recently released a draft paper, Interagency Report 8219 - named: “Securing Manufacturing Industrial Control Systems: Behavioural Anomaly Detection (BAD)”, putting forth the idea that anomaly detection is an essential tool for owners of Industrial Control Systems (ICS) to identify, mitigate and remediate Cyber threats to Operational Technology (OT) environments.

The goal of this document is to raise awareness of a Check Point tool, Asset and Anomaly Detection (AAD), available to ICS owners, both government and commercial, and to compare the Check Point solution to the ideas put forth in the NIST paper.

For the full list of White Papers, go here

7 Replies
Vladimir
Champion

Well, I am not sure if this approach will be any less convoluted, but it may be worth looking into.

According to:

You should be able to define SNMP traps for OSPF, which (again) should include a state transition trap.

It could be piped into SmartEvent and subsequently to the Cplog2Syslog utility running on the management server, and then to the SIEM.

Jian_Wu
Employee Alumnus

Hi Vladimir, I did some testing in R77.30 and R80.10, but didn't get the specific alerts for OSPF up/down events.  If you found something built into the Gaia portal or CLI options then we would love to hear what the magic trick is.

Vladimir
Champion

You didn't really expect to simply choose the preconfigured trap? :)

Look into "(IV-2) Advanced SNMP configuration - Custom SNMP traps" in sk90860.

You may have to load the OSPF MIBs yourself and reference the appropriate OIDs.

Jian_Wu
Employee Alumnus

Thanks Vladimir.  The custom SNMP trap looks like a good idea.  However, I am having trouble finding OID information related to routing/OSPF.  Maybe someone on this forum can point us in the right direction. 

I did find some useful sites that might help others with Check Point MIB:
-MIB Depot-
http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&i=1&n=CHECKPOINT-MIB&r=checkpoint&f=CHECKPOINT...

-Check Point MIB files-

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

It looks like someone in the community found the OID for routeD, but I am not sure where they got it from:
https://community.checkpoint.com/thread/6920-routed-process-util-checkmonitor

Vladimir
Champion

I suspect that you may actually have better luck with a TAC ticket. They should know where to route this query.

Some of the heavy hitters are at Bangkok now and it may take them a while to get back to you.

Vladimir Yakovlev

973.558.2738

vlad@eversecgroup.com

VENKAT_S_P
Collaborator

Try this OID to get the Neighbor state:
.1.3.6.1.2.1.14.10.1.6

MIB location:
/usr/share/snmp/mibs

##########

ospfNbrState OBJECT-TYPE
    SYNTAX INTEGER {
        down (1),
        attempt (2),
        init (3),
        twoWay (4),
        exchangeStart (5),
        exchange (6),
        loading (7),
        full (8)
    }
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The state of the relationship with this neighbor."
    REFERENCE
        "OSPF Version 2, Section 10.1 Neighbor States"
    DEFVAL { down }
    ::= { ospfNbrEntry 6 }

##########

PhoneBoy
Admin
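A poll-and-compare monitor built around that OID, added here as an example that is not part of the thread and not a Check Point tool: it parses snmpwalk output of ospfNbrState (numeric `-On` form or MIB-resolved), compares it with the previous snapshot, and emits a syslog-style line for every neighbour state change so a SIEM rule can pick up OSPF up/down events. The host name and both sample walks are constructed.

```python
import re
OSPF_NBR_STATE_OID = ".1.3.6.1.2.1.14.10.1.6"  # ospfNbrState column, from the thread

# ospfNbrState enumeration from OSPF-MIB, matching the excerpt above
NBR_STATES = {1: "down", 2: "attempt", 3: "init", 4: "twoWay",
              5: "exchangeStart", 6: "exchange", 7: "loading", 8: "full"}

# Matches numeric (snmpwalk -On) or MIB-resolved lines for this column
LINE_RE = re.compile(
    r"(?:" + re.escape(OSPF_NBR_STATE_OID) + r"|OSPF-MIB::ospfNbrState)"
    r"\.(\d+\.\d+\.\d+\.\d+)\.(\d+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?"
)

def parse_walk(text):
    """Map neighbour IP (ospfNbrIpAddr index) to its ospfNbrState code."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ip, _addressless_index, code = m.groups()
            states[ip] = int(code)
    return states

def diff_states(previous, current):
    """List (ip, old, new, severity) per neighbour whose state changed.
    Missing neighbours read as 'absent'; anything but 'full' is a warning."""
    changes = []
    for ip in sorted(set(previous) | set(current)):
        old, new = previous.get(ip), current.get(ip)
        if old != new:
            severity = "info" if new == 8 else "warning"
            changes.append((ip, NBR_STATES.get(old, "absent"),
                            NBR_STATES.get(new, "absent"), severity))
    return changes

def format_syslog(changes, host="gw-1"):
    """Render each change as a syslog-style line a SIEM rule can match on."""
    return [f"{host} ospf-monitor[{sev}]: neighbour {ip} state {old} -> {new}"
            for ip, old, new, sev in changes]

# Constructed sample walks from two polling intervals (not real gateway output)
WALK_T0 = (".1.3.6.1.2.1.14.10.1.6.10.0.0.2.0 = INTEGER: 8\n"
           ".1.3.6.1.2.1.14.10.1.6.10.0.0.3.0 = INTEGER: 8\n")
WALK_T1 = ("OSPF-MIB::ospfNbrState.10.0.0.2.0 = INTEGER: full(8)\n"
           "OSPF-MIB::ospfNbrState.10.0.0.3.0 = INTEGER: exchangeStart(5)\n")

if __name__ == "__main__":
    snapshot_before, snapshot_now = parse_walk(WALK_T0), parse_walk(WALK_T1)
    for line in format_syslog(diff_states(snapshot_before, snapshot_now)):
        print(line)
```

Run it from cron at the polling interval you can tolerate and persist the last snapshot between runs; a neighbour that vanishes from the walk entirely is reported as "absent" rather than silently ignored.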

Reminds me of the old way we used to send firewall logs to syslog :)
