This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chad_Becker
Employee Alumnus
Employee Alumnus
‎2018-02-22 05:18 PM

White Paper - Securing Industrial Control Systems - Check Point AAD

Securing Industrial Control Systems Check Point AAD (Anomaly and Asset Detection) Mapped to NISTIR 8219 Behavioural Anomaly

Author

@Mark_Barnes 

Abstract:

The US National Institute of Standards and Technology (NIST), National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Laboratory (EL) recently released a draft paper, Interagency Report 8219 - named: “Securing Manufacturing Industrial Control Systems: Behavioural Anomaly Detection (BAD)”, putting forth the idea that anomaly detection is an essential tool for owners of Industrial Control Systems (ICS) to identify, mitigate and remediate Cyber threats to Operational Technology (OT) environments.

The goal of this document is to raise awareness of a Check Point tool, Asset and Anomaly Detection (AAD), available to ICS owners, both government and commercial and to compare the Check Point solution to the ideas put forth in the NIST paper.

 

For the full list of White Papers, go here

7 Replies
Vladimir
Champion
Champion
‎2018-02-22 06:28 PM

Well, I am not sure if this approach will be any less convoluted, but it may be worth looking into.

According to:

You should be able to define SNMP traps for OSPF, which (again) should include state transition trap.

It could be piped into SmartEvent and subsequently to Cplog2Syslog utility running on management server and then to SIEM.

0 Kudos
Jian_Wu
Employee Alumnus
Employee Alumnus
‎2018-02-23 02:25 PM
In response to Vladimir

Hi Vladimir, I did some testing in R77.30 and R80.10, but didn't get the specific alerts for OSPF up/down events.  If you found something built into the Gaia portal or CLI options then we would love to hear what the magic trick is.

0 Kudos
Vladimir
Champion
Champion
‎2018-02-23 02:43 PM
In response to Jian_Wu

You didn't really expect to simply chose the preconfigured trap? Smiley Happy

Look in to 

(IV-2) Advanced SNMP configuration - Custom SNMP traps

in sk90860

You may have to load OSPF mibs yourself and reference appropriate OIDs

0 Kudos
Jian_Wu
Employee Alumnus
Employee Alumnus
‎2018-02-27 03:23 PM
In response to Vladimir

Thanks Vladimir.  The custom SNMP trap looks like a good idea.  However, I am having trouble finding OID information related to routing/OSPF.  Maybe someone on this forum can point us in the right direction. 

I did find some useful sites that might help others with Check Point MIB:
-MIB Depot-
http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&i=1&n=CHECKPOINT-MIB&r=checkpoint&f=CHECKPOINT...

-Check Point MIB files-

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

It looks like someone in the community found the OID for routeD, but I am not sure where they got it from:
https://community.checkpoint.com/thread/6920-routed-process-util-checkmonitor

0 Kudos
Vladimir
Champion
Champion
‎2018-02-27 03:31 PM
In response to Jian_Wu

I suspect that you may actually have a better luck with a TAC ticket. They should know where to route this query.

Some of the heavy hitters are at Bangkok now and it may take them a while to get back to you.

Vladimir Yakovlev

973.558.2738

vlad@eversecgroup.com

0 Kudos
VENKAT_S_P
Collaborator
‎2018-02-28 01:32 PM
In response to Jian_Wu

Try this OID to get the Neighbor state
.1.3.6.1.2.1.14.10.1.6

 

MIB location:
/usr/share/snmp/mibs


##########

ospfNbrState OBJECT-TYPE
SYNTAX INTEGER {
down (1),
attempt (2),
init (3),
twoWay (4),
exchangeStart (5),
exchange (6),
loading (7),
full (8)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The state of the relationship with this neighbor."
REFERENCE
"OSPF Version 2, Section 10.1 Neighbor States"
DEFVAL { down }
::= { ospfNbrEntry 6 }
##########

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-23 11:12 AM

Reminds me of the old way we used to send firewall logs to syslog Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events