- Designed for industry needs
At the start of the project, Positive Technologies experts perform a top-to-bottom audit of the client's systems. This tailored approach takes into account industry-specific needs (such as system protocols, architecture, and hardware) and allows the system to be pre-loaded with information about typical attacks, so that it starts detecting threats right away.
- Data collection that doesn't interrupt operations
PT ISIM collects data passively, in the background, from a copy of network traffic (such as from a switch mirror port or a network tap). Critical operations and processes are not affected or interrupted, and recertification of industrial equipment is not required after the system is installed.
Unlike solutions that display raw protocol commands without context, PT ISIM parses the industrial protocol traffic into a plain list of events that can be understood without additional interpretation.
- Visualization of attacks on business logic
Incident visualization maps the vector of a potential attack, showing the attack in the context of the technological process and the site layout.
PT ISIM links separate events into attack chains based on typical attack vectors. As an attack progresses, the chain grows longer, so specialists see the whole picture and can react quickly to a threat.
- Up-to-the-minute information at every level
Reacting to a threat is simple. Operator tablets are equipped with instructions and a user-friendly interface. In case of an incident, operators are alerted, and security specialists can access full incident information and start the investigation.
- Protection from external and internal threats
PT ISIM addresses both external intruders and insider misuse by identifying potentially dangerous staff actions and configuration errors.
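The attack-chain idea described under "Visualization of attacks on business logic" (separate parsed events are stitched together along a typical attack vector, and the chain grows as the attack progresses) can be illustrated with a small correlator. The code below is an added example written for this page, not PT ISIM's own engine: the event types, the two attack-vector templates, the one-hour step window and the sample events are all constructed for the example.

```python
"""Correlating parsed ICS network events into attack chains.

Added illustration of attack-chain correlation: each event is attributed
to a source host and advances a chain only if it is the next expected
stage of a known attack vector. Event kinds, vectors and sample events
are constructed for this example and are not PT ISIM data or code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Typical attack vectors as ordered stages (constructed for the example).
ATTACK_VECTORS = {
    "plc_program_tampering": ["network_scan", "plc_identify", "plc_stop", "plc_program_write"],
    "hmi_credential_abuse": ["auth_failure", "auth_success", "setpoint_change"],
}


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    kind: str            # normalized event type produced by protocol parsing
    detail: str = ""


@dataclass
class Chain:
    vector: str
    src: str
    events: list = field(default_factory=list)

    @property
    def stage(self) -> int:
        return len(self.events)          # how far along the vector the chain is

    @property
    def complete(self) -> bool:
        return self.stage == len(ATTACK_VECTORS[self.vector])


def correlate(events, vectors=ATTACK_VECTORS, window=timedelta(hours=1)):
    """Advance a per-(source, vector) chain when an event matches the next
    expected stage. A gap longer than `window` since the previous stage
    starts a fresh chain rather than extending a stale one. Returns every
    chain that reached at least stage 1, in order of first event."""
    chains = []
    active = {}                         # (src, vector) -> chain being extended
    for ev in sorted(events, key=lambda e: e.ts):
        for name, stages in vectors.items():
            chain = active.get((ev.src, name))
            if chain is not None and ev.ts - chain.events[-1].ts > window:
                chain = None            # too old: a new attack, not a continuation
            expected = stages[chain.stage] if chain and not chain.complete else stages[0]
            if ev.kind != expected:
                continue
            if chain is None or chain.complete:
                chain = Chain(vector=name, src=ev.src)
                chains.append(chain)
                active[(ev.src, name)] = chain
            chain.events.append(ev)
    return chains


def describe(chain: Chain) -> str:
    """One-line rendering of a chain, the text form of the 'growing chain' view."""
    total = len(ATTACK_VECTORS[chain.vector])
    steps = " -> ".join(f"{e.kind}@{e.dst}" for e in chain.events)
    status = "COMPLETE" if chain.complete else f"stage {chain.stage}/{total}"
    return f"[{status}] {chain.vector} from {chain.src}: {steps}"


T0 = datetime(2024, 5, 1, 8, 0)
SAMPLE_EVENTS = [  # constructed events; not captured traffic
    Event(T0, "10.1.5.23", "10.1.0.0/16", "network_scan", "TCP/502 sweep"),
    Event(T0 + timedelta(minutes=3), "10.1.5.23", "10.1.7.10", "plc_identify", "identification request"),
    Event(T0 + timedelta(minutes=4), "10.1.5.50", "10.1.7.11", "plc_identify", "engineering station, no prior scan"),
    Event(T0 + timedelta(minutes=9), "10.1.5.23", "10.1.7.10", "plc_stop", "CPU stop"),
    Event(T0 + timedelta(minutes=10), "10.1.5.23", "10.1.7.10", "plc_program_write", "block download"),
    Event(T0 + timedelta(minutes=20), "10.1.5.77", "10.1.8.2", "auth_failure", "HMI login"),
    Event(T0 + timedelta(minutes=22), "10.1.5.77", "10.1.8.2", "auth_success", "HMI login"),
    Event(T0 + timedelta(hours=2), "10.1.5.77", "10.1.8.2", "setpoint_change", "outside the window"),
    Event(T0 + timedelta(hours=3), "10.1.5.23", "10.1.0.0/16", "network_scan", "second sweep"),
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(describe(c))
```

Running it over the constructed events yields one complete tampering chain from 10.1.5.23, a credential-abuse chain from 10.1.5.77 stuck at stage 2 because the setpoint change arrived outside the window, and a new stage-1 chain for the second scan; the lone identification request from 10.1.5.50 is not chained because no scan preceded it.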
Benefits for Large-Scale Enterprises
Rapid investigation at remote sites
The distributed architecture of PT ISIM suits critical infrastructure with remote facilities spanning multiple countries, continents, and time zones. The site map, viewable remotely in the administration console, shows where each site is located.
The system centrally publishes templates for detecting specific incident types and updates the software running at each site. Incidents at remote sites cannot be closed by local staff: only security specialists can close them, so nothing slips by their attention.
Incidents at remote sites are investigated efficiently and thoroughly with the help of Remote Forensic capabilities, which require neither an Internet connection nor good connection quality, nor the presence of trained staff on site.
Incident investigation at a network-connected remote site
- A specialist in the Security Operations Center connects to PT ISIM at the remote site and investigates the incident. Physical presence at the site is not required.
- If connection quality is poor, incident information is assembled on-site and sent to the Forensic Server at the Security Operations Center, where specialists unpack the information and conduct the investigation.
PT Industrial Security Incident Manager
Incident investigation at a non-connected/air-gapped remote site
- A security specialist arrives at the site after an incident and investigates it on-site using a connected tablet or laptop.
- A company employee regularly visits the site, saves the PT ISIM logs to a disk, and delivers the disk to the Security Operations Center. There, a specialist investigates the incident using a full copy of the PT ISIM logs as of the time of the incident; events before and after the incident are available for analysis as well.
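When a log copy leaves an air-gapped site on removable media and is delivered by hand, the investigator at the Security Operations Center needs a way to confirm that what arrived is what the site exported. The following is an added example of that check, written for this page and not part of PT ISIM: the site writes a manifest of SHA-256 digests authenticated with an HMAC over a key assumed to be pre-shared out of band, and the SOC verifies the manifest and every file before the copy is used. File names, contents and the key are constructed for the example.

```python
"""Integrity check for logs carried off an air-gapped site on removable media.

Added example, not part of PT ISIM. The exporting side digests every file
and authenticates the manifest with HMAC-SHA256 over a pre-shared key; the
receiving side verifies the manifest tag, then every listed file, and
reports anything modified, missing or unexpected. Key and contents are
constructed for the example.
"""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST = "MANIFEST.json"


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(export_dir: str) -> set:
    return {
        os.path.relpath(os.path.join(root, name), export_dir)
        for root, _, names in os.walk(export_dir)
        for name in names
        if name != MANIFEST
    }


def write_manifest(export_dir: str, key: bytes) -> str:
    """At the site: digest every exported file and write an HMAC-authenticated manifest."""
    body = {"files": {rel: _sha256_file(os.path.join(export_dir, rel))
                      for rel in sorted(_listing(export_dir))}}
    body_bytes = json.dumps(body, sort_keys=True).encode()   # canonical form for the MAC
    tag = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
    path = os.path.join(export_dir, MANIFEST)
    with open(path, "w") as f:
        json.dump({"body": body, "hmac": tag}, f, sort_keys=True)
    return path


def verify_export(export_dir: str, key: bytes) -> dict:
    """At the SOC: check the manifest tag, then each listed file.
    The copy is usable as evidence only when report['ok'] is True."""
    with open(os.path.join(export_dir, MANIFEST)) as f:
        manifest = json.load(f)
    body_bytes = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
    report = {"manifest_authentic": hmac.compare_digest(expected, manifest["hmac"]),
              "modified": [], "missing": [], "unexpected": []}
    listed = manifest["body"]["files"]
    for rel, digest in listed.items():
        path = os.path.join(export_dir, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif _sha256_file(path) != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(_listing(export_dir) - set(listed))
    report["ok"] = report["manifest_authentic"] and not (
        report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed export of two log files: verified clean, with a wrong key, and after tampering."""
    key = b"pre-shared-site-key-example"     # assumption: provisioned out of band
    with tempfile.TemporaryDirectory() as export_dir:
        with open(os.path.join(export_dir, "isim-events.log"), "w") as f:
            f.write("2024-05-01T08:09:00 plc_stop src=10.1.5.23 dst=10.1.7.10\n")
        with open(os.path.join(export_dir, "isim-traffic.pcap"), "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)   # pcap magic plus a dummy header
        write_manifest(export_dir, key)
        clean = verify_export(export_dir, key)
        wrong_key = verify_export(export_dir, b"some-other-key")
        # Simulate an alteration of the log on its way to the SOC.
        with open(os.path.join(export_dir, "isim-events.log"), "a") as f:
            f.write("2024-05-01T08:10:00 plc_start src=10.1.5.23 dst=10.1.7.10\n")
        tampered = verify_export(export_dir, key)
    return clean, wrong_key, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "wrong key", "tampered"), demo()):
        print(label, report)
```

An HMAC only proves the manifest was produced by someone holding the site key, so the key must never travel on the same disk; where a per-site signing key and an offline CA are available, a digital signature over the manifest gives the same check without a shared secret.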
By analyzing network traffic from every angle, PT ISIM keeps mission-critical industrial infrastructure and processes safe from cybersecurity threats. Visualization of attacks on business logic makes incident response more intuitive and efficient. With PT ISIM, securing industrial control systems is transparent and convenient, and reactions become more timely and targeted.