
Nozomi Networks

Certified Engineer Training


Software Version: N2OS v22
Working agreements

• Mail and phone

• Time to start and breaks

• Speed and timing

• Classroom etiquette: questions from and to all

• Language

• Other?

© 2022 Nozomi Networks. All rights reserved. | www.nozominetworks.com 17


Introduction

Agenda

Day 1
• Nozomi OT and IoT Security
• Solution Overview
• Tech Specs
• Lab Setup
• Installation and Maintenance
• Environment

Day 2
• Environment continued
• Vulnerabilities
• Smart Polling
• Queries


Agenda

Day 3
• Alerts and Hybrid Threat Detection
• Time Machine
• Integrations

Day 4
• Remote Collector
• Central Management Console
• Vantage
• Support & Project Delivery
• Wrap-up


Introductions

Introduce yourself

• Name
• Company
• Why you chose Nozomi Networks
• One thing you hope to learn this week
• Anything interesting you want to share about yourself



NNCE - Exam scope and outcome
At the end of the course the participants are ready to take the final NNCE exam.

The scope of the exam is to evaluate the attendee on:


• Knowledge of the Nozomi components and their interaction
• Knowledge in navigating the menus
• Extract and elaborate information
• Understanding the Queries syntax
• Understanding basic security principles used by the solution

The exam can be taken online at the Nozomi Training Portal within 90 days.
• The questions are related to a preconfigured Guardian Exam-VM provided at the Training Portal, to be downloaded and installed in the attendee's environment.

The exam outcome is the Nozomi Networks Certified Engineer certificate (2 years validity).


NNCE - Recertification
Participants can renew their NNCE certification prior to its expiration

• Within 6 months before its expiration the Nozomi Training Department will invite you to participate in a recertification self-paced on-demand online course covering:
  • New features added in the last major releases
  • Additional content
• You must pass the re-certification exam to extend your certification


Training Portal registration

• Open https://training.nozominetworks.com
• Use your Nozomi Support Portal credentials to log in to the Training Portal.
• During the registration process, enter your first name and last name as you would like them to appear on the NNCE certificate when completing the final exam.
• After registration, your teacher will enroll you into your course before you can access the related resources.
• These include the NNCE slide deck and additional training material, the feedback form, and access to the final exam.


Who is Nozomi Networks?

FOUNDED IN SWITZERLAND
October 2013

GROUNDED IN RESEARCH
Founders conducted PhD research on SCADA Security/Malware and Artificial Intelligence

INITIAL GLOBAL RECOGNITION
Received European Union Commission Award to research SCADA Security Threat

WE CREATED OUR COMPANY OUT OF NEED
Founder worked in a large Oil & Gas Company, had no visibility or control over their ICS/OT environment, needed a solution

ANDREA CARCANO, CPO and Co-Founder
PhD in Cybersecurity, SCADA Security Researcher & Expert

MORENO CARULLO, CTO and Co-Founder
PhD in Artificial intelligence, eXtreme Programming Expert


Continuous Innovation in OT and IoT Security
• September 2013: Guardian is the first AI-powered ICS cybersecurity solution
• February 2015: First ICS visibility and security solution implemented for a national power grid
• March 2017: First single application for network visualization, asset visibility and inventory, vulnerability assessment and ICS threat detection
• November 2017: First hybrid ICS threat detection combining behavior-based anomaly detection with rules-based detection
• August 2018: First to offer a powerful combination of active + passive asset discovery
• October 2018: First OT monitoring solution paired with a Threat Intelligence service
• June 2019: First container-based delivery model for embedded deployment and efficiency
• February 2020: Guardian is the first product with highly accurate IoT network anomaly detection and Asset Intelligence service
• May 2020: Customers rank Nozomi Networks #1 in Gartner Peer Insights
• October 2020: Vantage pioneers SaaS-powered security and visibility solution for dynamic IoT and OT networks


Global Leadership Footprint

Global Customer Base
• 5.0K Installations
• 57.2M Devices Monitored Across Converged OT/IoT
• Scalable Deployments Across 6 Continents

Global Expertise
• Worldwide Network of Partners and 1,200+ Certified Professionals


Securing the World’s Largest Organizations
• 9 of Top 20 Oil & Gas
• 7 of Top 10 Pharma
• 5 of Top 10 Mining
• 5 of Top 10 Utilities

Industries: Chemicals, Building Automation, Manufacturing, Food & Retail, Automotive, Logistics, Airports, Smart Cities, Water, Transportation


OT and IoT Security

OT Terminology
Operational Technology (OT) is an umbrella term for the hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the industrial environment.

Industrial Control Systems (ICS) play a main role in OT. They interface, control, supervise and monitor physical systems.
“a collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process.” (ISA-62443.01.01)

Some examples of types of ICS include:
• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control System)
• PCS (Process Control System)
• SIS (Safety Instrumented System)

[Figure: nested view of OT, production and ICS, with DCS and SCADA as ICS examples]


ICS – main actors and their functions
• Main functions of an ICS:
  • Measure (obtain values from sensors and read as input to process or provide as output)
  • Compare (evaluate measured value to process design value)
  • Compute (calculate current error, historic error, future error)
  • Correct (from a computation or operator initiated)
• Actors performing these functions:
  • Sensors (Inputs)
  • Actuators (Outputs)
  • Controllers
  • HMIs

[Figure: operator, controller, valve, fan and pump]


The industrial controller
Real time operation means that the response to an input event by setting the output occurs in a timely manner determined by the requirements of the process or machine under control. Examples:
• Nuclear reactor in a nuclear power plant – 10 milliseconds
• Amusement park roller coaster ride, controlled by smart motors – 90 milliseconds
• Temperature control in a brewery: responses in minutes or even hours

Controller scan cycle: read data from sensors (inputs), execute logic against data, write data to actuators (outputs).
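The four ICS functions (Measure, Compare, Compute, Correct) and the controller scan cycle described on the two slides above, as an added worked example in Python that is not part of the Nozomi training material: a PID-style loop drives a constructed first-order model of a brewery vessel heater, and a per-scan wall-clock deadline check stands in for the real-time requirement. The process model, the tuning constants and the 10 ms deadline are assumptions chosen for illustration; the simulated scan time (dt) is model time, not wall-clock time.

```python
import time
from dataclasses import dataclass

AMBIENT_C = 20.0  # constructed: ambient temperature around the vessel


@dataclass
class PidController:
    """Compare, Compute and Correct on one measured value per scan."""
    setpoint: float      # process design value
    kp: float            # gain on the current error
    ki: float            # gain on the historic (accumulated) error
    kd: float            # gain on the predicted (rate-of-change) error
    dt: float            # scan time in seconds (model time)
    integral: float = 0.0
    prev_error: float = 0.0

    def correct(self, measurement: float) -> float:
        # Compare: measured value against the process design value
        error = self.setpoint - measurement
        # Compute: current error, historic error, future error
        self.integral += error * self.dt
        derivative = (error - self.prev_error) / self.dt
        self.prev_error = error
        output = self.kp * error + self.ki * self.integral + self.kd * derivative
        # Correct: drive the actuator, clamped to its physical 0..100 % range
        return min(100.0, max(0.0, output))


def heater_process(temp_c: float, heater_pct: float, dt: float) -> float:
    """Constructed first-order vessel model: heat in from the element, heat lost to ambient.

    Steady state is reached when heater_pct == temp_c - AMBIENT_C, so a 65 C
    setpoint needs about 45 % heater power.
    """
    return temp_c + dt * (0.02 * heater_pct - 0.02 * (temp_c - AMBIENT_C))


def run_scan_cycles(cycles: int, setpoint_c: float = 65.0, dt: float = 1.0,
                    deadline_s: float = 0.010) -> dict:
    """Run the controller scan cycle: read inputs, execute logic, write outputs.

    Returns the final temperature and heater command plus the number of scans
    whose wall-clock execution time exceeded the assumed deadline.
    """
    ctrl = PidController(setpoint_c, kp=2.0, ki=0.05, kd=0.5, dt=dt)  # assumed tuning
    temp_c = AMBIENT_C
    heater_pct = 0.0
    overruns = 0
    for _ in range(cycles):
        started = time.perf_counter()
        measured = temp_c                                # read data from sensors (inputs)
        heater_pct = ctrl.correct(measured)              # execute logic against data
        temp_c = heater_process(temp_c, heater_pct, dt)  # write data to actuators (outputs)
        if time.perf_counter() - started > deadline_s:   # real-time requirement check
            overruns += 1
    return {"temperature_c": temp_c, "heater_pct": heater_pct, "scan_overruns": overruns}


if __name__ == "__main__":
    result = run_scan_cycles(600)
    print(f"after 600 scans: {result['temperature_c']:.2f} C, "
          f"heater {result['heater_pct']:.1f} %, overruns {result['scan_overruns']}")
```

With the assumed model and tuning the vessel settles within a fraction of a degree of the 65 C setpoint after 600 one-second scans, with the heater near the 45 % steady-state value; the overrun counter is what a controller would raise as a fault if logic execution ever exceeded the cycle budget.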


Some examples of Industrial Controllers

Scope
• IED: Control/protection functions for power systems’ equipment
• RTU: Interface field data to a remote SCADA, protocol gateway
• PLC: Control processes

Input/Output rail: IED Yes | RTU Optional | PLC Yes
Control/protection logics: IED Yes | RTU No | PLC Yes
Comm. Interface: IED Yes | RTU Yes | PLC Optional

Often works in combination with
• IED: A local SCADA/DCS Server
• RTU: A remote SCADA, PLCs to acquire signals
• PLC: More PLCs, Stand-alone, and/or RTUs

Typical protocols
• IED: IEC 61850 server, proprietary
• RTU: IEC 104, DNP3, Modbus, proprietary, IEC 104 to IEC 61850 client
• PLC: Modbus, CIP (EthernetIP for example)


ICS network topology example
• Communication among controllers, HMIs and other devices is fundamental.
• Industrial network protocols are used for these communications.
• Some examples: Modbus, EthernetIP, DNP3, etc.
• Time sensitivity is also a design priority.

Reference: NIST 800-82


The IEC 62443 PURDUE network model
4-5: Enterprise IT, Site business and logistics: Email, intranet, printers, etc.
[3.5: Upper DMZ]: Transfer network between IT/OT
3: Operations (ICT/DMZ) Network: Systems providing IT services (AV, Patch, DNS, AD) and collecting historical data.
[2.5: Lower DMZ]: Optional
2: Supervisory Control/Process*: Systems using IT services from L3 and controlling/acquiring data from the Control Network (i.e. HMI, SCADA Consumer, MTU, Engineering workstation).
1: Control: Systems to collect and transmit data between field devices (actuators/sensors) via I/O interfaces and Process Network (i.e. RTU, PLC, Safety equipment).
0: Field/Process**: Actuators/sensors directly connected to controllers by close network connections (i.e. hard wired, serial cable, fiber ring, proprietary protocols).
*Different concept of Process than in Guardian's Process View
**As in Process View


OT Systems Evolution
From more isolation to more connectivity:
• Fully Air-Gapped OT System
• “Retrofitted” OT System Partially Connected to Each Other
• Cyber-Physical System Through IT/OT Convergence
• Newly Designed/Engineered Cyber-Physical System

Examples of Traditional OT Systems
• Supervisory Control and Data Acquisition (SCADA)
• Industrial Control Systems (ICS)
• Programmable Logic Control (PLC)
• Process Control Networks (PCN) – Including Safety Instrumented Systems (SIS), Engineer Workstation and Human Machine Interface (HMI)
• Distributed Control Systems (DCS)
• Computer Numerical Control (CNC)

Examples of OT-Related Cyber-Physical Systems
• Industrial Robots
• Virtual Reality Manufacturing Simulation Systems
• Self-Optimizing Press-Bending and Roll-Forming Machine
• Adaptable Production Systems
• Energy-Efficient Intralogistics Systems
• Connected 3D Printers
• Smart Grids


IoT and OT

Scope
• Industrial Controllers (OT): Mission critical operations
• IoT devices: Complementary or expanded functions to the OT systems, improving performance, quality, lowering operating costs

System latency
• OT: Low latency, real time deterministic systems
• IoT: Many network standards are non-deterministic (such as LoRaWAN and WiFi)

Implementation difficulty
• OT: Expensive. Vendor specific knowledge is required, requires skilled personnel. Software licenses required.
• IoT: In some cases, easier to install, with more standard and friendlier installation procedures.

Typical protocols
• OT: Vendor proprietary, legacy protocols ”adapted” for TCP/IP networks, some open protocols
• IoT: Industry standard open communications. Designed with Internet/Cloud communications in mind

Vulnerabilities
• OT: Lack of authentication, lack of encryption, backdoors, buffer overflows. Legacy code is not secure by design and difficult to completely eradicate over the years.
• IoT: Supply chain (many stakeholders); targets of DDoS; Internet/Cloud connectivity = bigger attack surface


Multiple threat actors/sources
• Adversarial
  • Outside Individual
  • Inside Individual
  • Trusted Insider
  • Privileged insider
  • Ad hoc group
  • Established group
  • Competitor
  • Supplier
  • Partner
  • Customer
  • Nation State
• Accidental
  • User/Privileged user/Administrator
• Structural
  • IT equipment
  • Environmental controls
  • Software
• Environmental
  • Natural disaster
  • Man-made disaster
  • Infrastructure failure (e.g. telecommunications, electrical power)

Sources: “Guide to Conducting Risk Assessments”, Special Publication 800-30, National Institute of Standards and Technology, September 2012; https://www.arcweb.com/industry-best-practices/what-industrial-cybersecurity-planning-maturity-model


OT Threats - TRITON
• In 2018 a Middle Eastern oil and gas petrochemical facility went into an automatic shutdown caused by a compromised safety system (SIS) named Triconex.
• SIS, a special type of Controller designed with predictability and reliability in mind, including failure detection for inputs and outputs, were conducting the shutdown:
• The attack path went from the Internet through the IT network, using well-documented, easy to detect attack methods, into the OT area via systems providing access to both environments.
• There, an altered but legitimate-looking .exe file was installed on an SIS Engineering Station to infiltrate, access and reprogram the SIS.
• First ever witnessed cyber attack on a SIS.
• The SIS were reprogrammed, causing them to enter a failed state and resulting in an automatic shutdown of the industrial process.

[Figure: attack path from the Internet through Corporate IT (DC, Corporate Email, Operators/Engineers) and the Firewall into OT (SIS Engineering Station, SIS, PLC)]

Nozomi Networks Black Hat Research Paper:
https://www.nozominetworks.com////downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf


Nozomi Networks
Through research and collaboration with industry and institutions, we’re helping defend the critical assets and systems that support everyday life.
• Research Reports
• Tools
• Projects
• Labs
• Blogs
• Threat Advisories
• Threat and Asset Intelligence

90% of the time, vulnerabilities/threats found within 24 hours of installation
Dozens of responsible disclosures and ICS-Cert Alerts
OT/IoT Security Report
Solution
Overview
Nozomi Networks Solution Portfolio/Architecture

SERVICE OFFERINGS

Certified
Engineer
Training

Professional
Services

Customer
Support



Guardian
• Industrial Strength OT and IoT Security and Visibility

Identify – Asset Discovery and Network Visualization


Automatically track your OT and IoT assets
Immediately visualize your OT networks

Assess – Vulnerability Assessment and Risk Monitoring


Rapidly identify your vulnerability risks
Continuously monitor your network and automation systems

Detect – Anomaly and Threat Detection


Quickly detect and disrupt threats and anomalous behavior
Effectively monitor mixed environments

Act – Time-Saving Dashboards and Forensic Tools


Significantly improve OT and IoT risk management
Greatly reduce troubleshooting and forensic efforts

Scale – Unified Security for Thousands of Distributed Sites


Readily scale with optimal performance
Easily integrate with SOC/IT environments



Management
• Vantage (Cloud based)
• and/or
• CMC (local Central Management Console)

Consolidate – Unified OT, IoT and IT Security


Centrally monitor distributed sites
Easily streamline SOC/IT workflows

Visualize – Enterprise-wide Visibility


Instantly visualize OT networks, assets and risks

Respond – Threat summaries and Forensic Tools


Rapidly respond to OT and IoT risks
Optimize troubleshooting and forensic efforts

Scale – Unified Security for All Sites


Attain high performance for multinational deployments
Realize rapid time to value



Remote Collector (RC)
Extend Your Reach

Remote Collectors act as "remote interfaces” for Guardian, broadening its capture capabilities and allowing installations to cover anything from simple to highly distributed scenarios.

• Small form factor
• Low resource usage
• Cost-effective


Nozomi Networks Deployment
Guardian can be connected to
• SPAN/Mirror ports of existing network equipment
• Native switches
• Routers
• Network TAPs
• Or installed into devices’ internal modules allowing virtualization and internal routing

These deployment options guarantee a complete isolation of the appliances from the production network, thus enabling a hot deploy with no interference on active communications, suitable for OT.


World-Class Go-To-Market Ecosystem
Optimizing OT and IoT with IT Security Solutions
• Global Network of SI, VAR and Distribution Partners
• 1,200+ Trained and Certified Professionals

Technology Alliance Ecosystem
Integrations and Interoperability with Controls, Security, Network & Cloud Architectures
• SIEM, SOAR and Data Integrations
• OT / ICS Interoperability
• Other Network / IT and Security Technologies
• Cloud Services Platforms


Supported Protocols
Nozomi provides extensive support for OT/IoT and IT protocols and is frequently adding more protocols to this list. See our dedicated webpage for the full list: Protocol List

What can I do if the protocol I am looking for is not listed?
1. Open a Support ticket with the Nozomi Support Team (providing all the available info incl. a corresponding pcap file) requesting the implementation of the protocol.
2. Use the Protocol SDK capability of Guardian if you would like to build it yourself.

Protocol list on the Nozomi website


Nozomi Networks Applications
• Perform Security assessments
• Find Devices misconfigurations
• Find Network misconfigurations (segregation, data on wrong switches, …)
• Operational monitoring: Asset inventory; Network monitoring on links and the process


Tech Specs
One Solution. Multiple Deployment Options to
Meet Your Needs.

Physical Appliances Virtual Appliances Embedded / Containers



Guardian Appliances for the Large Enterprise
NSG-HS Series: NSG-HS 3500, NSG-HS 3000
NSG-H Series: NSG-H 2500, NSG-H 2000

Values in the order NSG-HS 3500 | NSG-HS 3000 | NSG-H 2500 | NSG-H 2000:
Max. Protected Nodes: 500,000 | 300,000 | 200,000 | 100,000
Max. Protected Network Elements: 2,000,000 | 1,500,000 | 1,200,000 | 1,000,000
Max. Throughput: 6 Gbps | 6 Gbps | 3 Gbps | 3 Gbps
Max. Remote Collectors*: 50 | 50 | 50 | 50
Monitoring Ports: Modular up to 16+1 | Modular up to 16+1 | Modular up to 8+1 | Modular up to 8+1
Expansion Slots (empty by default): 4 slots available | 4 slots available | 2 slots available | 2 slots available
Expansion module options (all models): 4x1000BaseT | 4xSFP | 4xSFP+

* See Remote Collector tech specs for more details.


Guardian Appliances for the Mid-Enterprise
NSG-M Series: NSG-M 1000, NSG-M 750
NSG-L Series: NSG-L 250, NSG-L 100

Values in the order NSG-M 1000 | NSG-M 750 | NSG-L 250 | NSG-L 100:
Max. Protected Nodes: 40,000 | 10,000 | 5,000 | 1,000
Max. Protected Network Elements: 600,000 | 200,000 | 90,000 | 20,000
Max. Throughput: 1 Gbps | 1 Gbps | 500 Mbps | 250 Mbps
Max. Remote Collectors*: 50 | 50 | 20 | 20
Monitoring Ports: 7x1000BASE-T + 4xSFP | 7x1000BASE-T + 4xSFP | 5x1000BASE-T | 5x1000BASE-T
Expansion Slots: 1 slot available on every model
Expansion module options: NSG-M 4x1000Base-T | 4xSFP | 4xSFP+; NSG-L 4x1000Base-T | 4xSFP

* See Remote Collector tech specs for more details.


Guardian Appliances for Ruggedized or Portable Scenarios
Ruggedized series: NG-500R, NSG-R 50
Portable: Portable P550

Values in the order NG-500R | NSG-R 50 | Portable P550:
Max. Protected Nodes: 5,000 | 500 | 2,500
Max. Protected Network Elements: 80,000 | 10,000 | 50,000
Max. Throughput: 800 Mbps | 100 Mbps | 200 Mbps
Max. Remote Collectors*: 30 | 10 | Not available
Monitoring Ports: 3x1000BASE-T | 4x1000BASE-T | 5x1000BASE-T
Expansion Slots: 2 slots available (2x1000Base-T | 2xSFP) | Not available | Not available
Form Factor: 3 rack unit | DIN mountable | Desktop with wall mount kit
Power Supply Type: 100-240V AC, 16.6-160 DC, DUAL | 100-240V AC, 12-36V DC | 90-240V AC, 12-30V DC
Temperature Range: -40º / +70º C (Max. 40º when using SFP NIC) | -40º C / +75º C | 0 / +60º C

* See Remote Collector tech specs for more details.


Guardian Appliances V Series for Virtual Environments

Values in the order V1000 | V750 | V250 | V100:
Max. Protected Nodes: 40,000 | 10,000 | 5,000 | 1,000
Max. Protected Network Elements: 400,000 | 200,000 | 100,000 | 20,000
Max. Throughput: 1 Gbps | 1 Gbps | 1 Gbps | 1 Gbps
Scenarios: Enterprise | Large | Medium | Small
Deployment Options (all models): Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+, AWS*
Max. Remote Collectors**: 50 | 50 | 20 | 20

* Guardian in AWS will analyze only traffic coming from RC
** See Remote Collector tech specs for more details.


Guardian Appliances Embedded / Container
• Available for Guardian with the Smart Polling add-on module only
• Cisco Catalyst 9300
• Siemens Ruggedcom RX1500, installed on bare metal APE module
• Gatewatcher IDS

Embedded / Container
Embedded Offerings: Cisco Catalyst, Siemens RUGGEDCOM, Gatewatcher
Smart Polling module: included
Add-ons: Threat Intelligence and Asset Intelligence subscriptions can be added
Remote Collector Support: Not available


Remote Collector for Remote Locations

NRC-5
Max. Throughput: Up to 15 Mbps
Remote Collector Support: Not available
Monitoring Ports: 2x1000BASE-T, 1xSFP
Storage: 10 Gb
Expansion slots: Not available
Form Factor: DIN mountable
Temperature Range: -40 / +70º C

Virtual Remote Collector
Max. Throughput: Up to 15 Mbps
Deployment Options: Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+


CMC Appliances in the Cloud or at the Edge

Cloud or Virtual Central Management Console
Deployment Options - Cloud: Amazon AWS and Microsoft Azure
Deployment Options - Virtual: Hyper-V 2012+, KVM 1.2+, VMware ESX 5.x+, XEN 4.4+
Max. Managed Appliances: 400
Max. Protected Network Elements: 1,200,000
Storage: 100+ Gb

NCMC-100
Max. Managed Appliances: 50
Max. Protected Network Elements: 200,000
Max. Throughput: 1 Gbps
Management Ports: 5x1000BASE-T
Expansion Slots: Not available
Storage: 256 Gb


Installing appliances - step 1/3
Add GuardianA to Core switches

Asset Inventory:
• Minimal extraction of device vendors, MAC vendors, hostnames, firmware versions, device types.
Vulnerability Assessment:
• Minimal identification of firmwares, OS, and CPEs.
Network Visibility:
• Minimal
Threat Detection:
• Basic detection of threats coming from higher levels, mainly via signatures.

[Figure: site network by level. L5: Corporate Workstations, Corporate Servers, SIEM, Security Operation Center. L4: Site IT Servers and Workstations (DNS, AV, DC, Historian, Patch, Remote Access Servers), DMZ, Firewall. L3: Core Switches, Site Production Control Systems, GuardianA. L2: Line Operator/Engineering Workstations. L1: PLCs/RTUs. L0: Sensors, Actuators.]
OT Traffic: variables and commands between PLCs, and PLCs and HMIs.
IT Traffic: NTP, DNS, SNMP, etc. Diagnostics, configuration commands from Engineering workstations and PLCs.
Installing appliances - step 2/3
Add GuardianB to Control switches

Asset Inventory:
• Excellent extraction of device vendors, MAC vendors, hostnames, firmware versions, device types (if all switches covered)
Vulnerability Assessment:
• Excellent identification of firmwares, OS, and CPEs
Network Visibility:
• Good network visibility.
• Partial variable extraction
Threat Detection:
• Good detection of all threats via signatures and via anomaly detection

A local CMC or Vantage can be added to aggregate data from different Guardians.

[Figure: the step 1 site network with GuardianA on the L3 Core Switches, GuardianB on the L2 Control switches, an optional Local Nozomi CMC at site level and Nozomi SaaS VANTAGE above it.]
OT Traffic: variables and commands between PLCs, and PLCs and HMIs.
IT Traffic: NTP, DNS, SNMP, etc. Diagnostics, configuration commands from Engineering workstations and PLCs.
Installing appliances - step 3/3
Add GuardianC to Process switches

Asset Inventory:
• Best extraction of device vendors, MAC vendors, hostnames, firmware versions, device types (if all switches covered)
Vulnerability Assessment:
• Best identification of firmwares, OS, and CPEs
Network Visibility:
• Total network visibility.
• Total variable extraction
Threat Detection:
• Best detection of all threats via signatures and via anomaly detection

A global CMC or Vantage can be added in case the customer wants to aggregate the data from different plants.

[Figure: the site network with GuardianA on the L3 Core Switches, GuardianB on the L2 Control switches, GuardianC on the Process switches towards L1, an optional Local Nozomi CMC at site level, an optional Global Nozomi CMC and Nozomi SaaS VANTAGE above.]
OT Traffic: variables and commands between PLCs, and PLCs and HMIs.
IT Traffic: NTP, DNS, SNMP, etc. Diagnostics, configuration commands from Engineering workstations and PLCs.
Lab Setup
Virtual Lab environment
• Guardian machines for the training are available in the cloud.
• Each student is assigned a Guardian machine to connect to and use during the course.
• The initial machine setup has already been done by Nozomi Training:
  • The management IP has been configured
  • Licenses have been installed
  • The Web UI password setup has been done
  • Shell access has been configured to use ssh to the Guardian IP address

Access Type | Username | Password
Shell console* | admin | olWm2968Qa!
Web UI | admin | Nozominetworks1

* Alternatively, password authentication can be skipped by using the provided private key to connect.


Lab login information
• “Cred Spread” provided by Instructor
• Locate your Name and Student Number
• Memorize / write down your Student Number
• Hide all the other rows.
• Notice your Guardian IP, and Login details
• Follow instructions exactly as they are written in the lab slide


Installation and Maintenance
Initial Installation and Configuration
• Web UI: The default admin password is ”nozominetworks”; after login the user is forced to change it.
• Shell console: The admin user’s password is not set by default on VMs. To set it:
  • log in as admin without password
  • get root privileges by running enable-me
  • run setup and, when prompted, set the password
• The enable-me command on the Shell elevates the admin user to root
  • root elevation requires the admin password to be re-entered as a security measure
• ssh login as root is only possible using ssh keys; the public key can be installed onto the appliance by using the Web UI.

Default Settings | Physical Appliances | Virtual Appliances
IP Address | 192.168.1.254 | NONE
Web UI: user / password | admin / nozominetworks | admin / nozominetworks
Shell console: user / password | admin / nozominetworks | admin / NONE


Initial Connection to Lab-Guardian - Shell console

Objective: Network setup & config

Activities:
1. Connect via ssh as user admin and gain root privileges by using the enable-me command.
2. Check the network settings:
  • Run setup and navigate through the menu
  • Check the IP address, netmask, gateway and dns settings being used.
  • Also, the command ifconfig and the file /etc/rc.conf reveal network information.
  • The management interface config is available via shell access only.

User Manual: Chapter 2 - Installation - Setup Phase 1
[Figure: Network config via shell]


Web UI header - Information
Items shown in the header:
• Product version
• Software license
• Time
• Warnings
• Installed
• Web UI error message
• Disable / Enable ‘Eye’
• Disk status
• Update status
• Appliance services
• Web UI language
• Web UI timeout
• hostname
• Status of the virtual image, being LIVE or a loaded snapshot


Web UI header - Navigation
1. Users’ Dashboard
2. Managed Appliances
3. Alerts table
4. Monitored network information
5. Analysis tools
6. Smart Polling information


System - Web UI timeout

Objective: Fine tune the Web UI timeout

Activities:
• In Settings > CLI, copy/paste the following command to increase the inactivity timeout from 10 min (default) to 30 min:
    conf.user configure users max_idle_minutes 30
• The parameters will be applied automatically
• Some CLI commands will require a manual restart of the process (all commands and services are available in the User Guide)

CLI: access from Web UI
SHELL CONSOLE: used via SSH or CONSOLE
User Manual: Chapter 15 - Configuration - Basic configuration rules
[Figure: CLI - access from Web UI]


System - General information, Date & Time
• The Hostname of the Guardian
• The Login banner is displayed when using both the Web UI and the Shell console
• Description and Site will be used in CMC/Vantage
• Date/Time: The managing CMC provides date & time in most installations; a manual config is also possible
• The local Time zone setting will adjust the visualization

Objective: Set basic system parameters

Activities:
1. In System > General:
  • Set a unique Hostname (yourname.local will be perfect)
  • Set a warning Login banner
  • Enter a Description and a Site name
2. In System > Date and Time:
  a. Set your Time zone & Save, then
  b. Enable the NTP checkmark & Save

User Manual: Chapter 2 - Installation - Setup Phase 1
[Figures 2a, 2b: Date & Time]


System - Licenses
• License types:
  • Base (+/- Smart Polling)
  • Subscription based: Threat Intel and Asset Intel
• Licenses are provided in two possible ways:
  • Online via Act.-Code & Machine-ID when purchased
  • Using the Machine-ID for Nozomi to create an eval license

Licenses on Guardian:
• BASE License: Mandatory, incl. expiry date and max. number of monitored nodes
• Threat Intelligence: Subscription incl. expiry date for updates
• Asset Intelligence: Subscription incl. expiry date for updates
• Smart Polling License: Optional Add-On incl. the expiry date

Objective: Check licenses and update service

Activities:
1. In System > Updates & Licenses:
  • Check the License status of each license
  • Locate the Machine-ID under Set new license
2. In Update service configuration make sure to use the Update Service and verify the connection:
  • Click Update now to force the update
  • Skip Manual upload

User Manual: Chapter 2 - Installation - Setup Phase 1


Monitoring Interfaces & Traffic Validation
• The visualized traffic is measured after packets have been dropped or filtered

Objective: Validate the monitored network traffic

Activities:
1. In System > Network interfaces, verify that traffic is transmitted to the Monitoring Interface & verify the settings:
• Enable == true
• Throughput saturates the interface
• Is Mirror == true
• Mgmt Filter == on
2. In Environment > Network View > Traffic tab verify the traffic type and amount is matching the expectation.
• Which protocol is used by most of the network packets in the monitored environment?

User Manual Chapter 5 - User Interface Reference - System

Interfaces - throughput & settings (figure)
Overall traffic - protocols & types (figure)


Network Interfaces - Configuration
1. Label: change the name of the monitoring interface
2. Enable/Disable monitoring interface
3. NAT should be configured to mask the original IP subnet monitored using translated IP addresses. Suitable when duplicate address schemes are being used in the monitored environment
4. BPF filter should be applied to include/exclude monitored traffic on a network packet basis:
• BPF syntax Guide: https://<GuardianIP>/#/bpf_guide
• E.g. vlan and net 172.20.61.0/24
5. Denylist should be applied to filter out single/multiple IPs (supporting wildcards)
• Invalid lines are ignored
• Example:
#DESCRIPTION: denylist_test
- 175.23.44.10
- 44.34.29.*
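A small parser for the denylist format shown above, added here as an illustration and not Guardian's own code; it assumes that `*` stands for one whole octet and, as the slide states, silently drops invalid lines:

```python
import re
from typing import List, Tuple

# Constructed sample denylist in the slide's format; two lines are deliberately invalid
SAMPLE_DENYLIST = """\
#DESCRIPTION: denylist_test
- 175.23.44.10
- 44.34.29.*
- not an address
175.23.44.11
- 10.0.*.*
"""

# One octet: 0-255 or the '*' wildcard (wildcard semantics are an assumption)
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d|\*)"
_ENTRY_RE = re.compile(rf"^-\s+({_OCTET}(?:\.{_OCTET}){{3}})\s*$")


def parse_denylist(text: str) -> Tuple[str, List[str]]:
    """Return (description, valid entries). Lines that do not match the format are ignored."""
    description, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#DESCRIPTION:"):
            description = line[len("#DESCRIPTION:"):].strip()
            continue
        match = _ENTRY_RE.match(line)
        if match:
            entries.append(match.group(1))
        # anything else is an invalid line and is skipped
    return description, entries


def entry_matches(entry: str, ip: str) -> bool:
    """An entry matches when every octet is equal or is the '*' wildcard."""
    return all(e == "*" or e == o for e, o in zip(entry.split("."), ip.split(".")))


def is_denied(entries: List[str], ip: str) -> bool:
    """True if the address would be filtered out by any denylist entry."""
    return any(entry_matches(e, ip) for e in entries)
```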


System - Health
System > Health
• Adjust the time window accordingly from the default of 1 Minute
• Besides the Disk-, CPU- and RAM-usage visualization, additional valuable information is available in the Services part
• The Health Log is an exportable table including all Health-related warning messages


Features Control Panel
Available under Settings > Features Control Panel
General tab (figure)
Retention tab (figure)

*Link events and Captured URLs are disabled by default

System - WEB UI Users
Objective: Configure a local user with different privileges

Settings > Users

Activities:
1. Under Groups create the new "training_group"
• Keep Is admin unchecked
• On Allowed sections enable Asset view
• Restrict the visibility to subnet 192.168.1.0/24 (Filters tab -> Node filters)
2. Under Users
• Click on +Add
• Source = Local
• Username = test_user
• Group = training_group
• Uncheck Must update password
• Click on New user to create
3. Logout the admin user and login as "test_user" to observe the effect; afterwards, login as admin again

User Manual Chapter 3 - Users Management - Managing Users

General permissions (figure)
Filters (figure)

System - Audit
• Any configuration change, login and data operation is stored in the Audit section
• Device security entries are based on HIDS
• E.g., the log entry created when the formerly created test_user logged in.

Objective: Identify user logins and configuration changes

Activities:
Go to the Audit Section in System > Audit
Use filters to answer the following questions:
1. Which users besides the admin user logged in in the past as well?
2. When was the CMC management for this Guardian terminated and what was the IP address of the CMC?

User Manual Chapter 5 - User Interface Reference

Audit table (figure)

System - Upload traces
System > Upload traces
• Traces recorded elsewhere can be analyzed by Guardian 'offline'.
• The functionality is not designed to be combined with LIVE traffic.
• Multiple trace files can be uploaded at the same time.
• Upload traces settings:
• Use traces timestamps: If enabled (default), the original timestamps are used, otherwise instant timestamps are assigned.
• Delete data before play (deletes also snapshots).
• Auto play when uploaded.

Upload traces menu (figure)


System - Operations
• Operations include the Shutdown, Reboot or N2OS Update of the appliance
• The N2OS update can be performed via Web UI or via SHELL
• The update bundle is available in the Nozomi Support Portal
• All Nozomi appliances (CMC, Guardian and RC) use the same N2OS update bundle file
• The extension of the update file for CMC/Guardian/RC is .bundle
• Two versions of update files are available (where XX.Y.Z is the N2OS version, for example 20.0.7):
• XX.Y.Z-standard-update.bundle: the standard update file
• XX.Y.Z-advanced-update.bundle: the standard update file including the Smart Polling Add-on software

Update bundle file (figure)


System - Operations - Update
Objective: Perform an N2OS version update

Activities:
1. Go to System > Operations
• choose 'Software Update'
• select the provided '22.0.X.xxxx-advanced-update.bundle' file to upload
• after the upload is finished press Proceed.
2. After an automatic reboot verify the new version is installed and ready to use. The Smart Polling menu will become available.

[Optional] Rollback: Execute rollback from the shell as root and press [y] to proceed (no Web UI yet).

User Manual Chapter 10 - Maintenance - Software Update

1 - Operations menu, 2 - Proceed, 3 - Automatic Reboot (figures)


System - Backup & Restore
Full backup archives can be created/scheduled, or restores can be performed, under System > Backup/Restore or via the Shell console
• Full backups contain the /data folder incl. environments, alerts, DBs, log files, network settings and (optional) traces
• The Download button creates a backup archive on the fly which can be saved to the administrator's workstation
• Schedule backup allows configuring recurring backups to be created and stored not only locally but also remotely using the SSH/SCP, FTP or SAMBA protocol
• Restore a Backup allows choosing a locally stored backup archive or uploading such an archive. The max. file size to be uploaded is 2Gb (for a file > 2Gb use scp and the shell command)
• The Backup file name includes the hostname, date & time and N2OS version of the Guardian, e.g.: "backup_Guardian1.local_20211223102419_22.0.0-12061235_00473.nozomi_backup"

Backup & Restore menu (figure)


Environment
Environment Content
• The Environment is the real-time representation of the monitored network, providing a view of all the assets, all the network nodes and the communication between them.
• The main information processed from the monitored networks is stored within this section:
• Asset inventory
• Network discovery and visualization: Nodes, Links, Sessions, Graph, Traffic statistics
• Process variables and supervision


Environment Tables - General Controls
• These controls are applied to all tables available in: Asset, Network and Process View
• Live or manual refresh
• Bulk actions (apply to selection)
• Export selection into xls or csv
• Enable/disable visibility of fields
• Field name (click to apply sorting)
• Live Filter textbox, operators: >, <, ==, !=


Network View



Network View - Menu
• The Network View contains the tables related to information extracted from the monitored networks
1. Nodes: network participants related to the traffic that Guardian is monitoring
2. Links: communication data between two nodes using a specific protocol over time in total
3. Sessions: actual state of the interactive information exchange between two nodes in the environment
4. Graph: graphical visualization of the monitored networks
5. Traffic: traffic statistics about the monitored networks


Network View - Nodes
• The Nodes table contains all the network participants within the monitored network
• A Node ADDRESS can be:
• a MAC address (when L2 communication is detected)
• an IP address (when L3 or higher communication is detected)
• The same MAC address can therefore appear with different values in the Node ADDRESS column (figure)


Network View - Sessions
• The Sessions contain the actual state of the interactive information exchange between two nodes in the environment

Example (Protocol: Modbus), Source Node:Source Port -> Destination Node:Destination Port:
• Session1: 192.168.10.1:34563 -> 192.168.10.16:502
• Session2: 192.168.10.1:22763 -> 192.168.10.16:502

• A Session is the combination of:
• Source Node:Source Port
• Destination Node:Destination Port
• Protocol (Layer 2, 5 or 7; using DPI or default port)
• The Session status entries include TCP-SYN, SYN-ACK, ACTIVE, CLOSED
• Old, closed sessions are deleted (refer to "Clean up old sessions" in the User Guide)


Network View - Links
• A Link represents the communication between two nodes using a specific protocol over time in total
• Entries in the links table are persistent.

Example (Protocol: Modbus): Source Node -> Destination Node

• A Link is the combination of:
• Source Node
• Destination Node
• Protocol (Layer 2, 5 or 7; identified by DPI or default port)
• Link Events are recorded for computing availability: TCP-SYN, UP, DOWN
• A link is populated from a session when the direction is known


Network View Tables - Controls
Row controls available on NODE, LINK and SESSION entries (figure):
• Configurations, custom alerts
• Alerts related to the entry
• Download trace
• Request trace
• Events, Availability
• Captured URLs
• Manage Learning
• Navigate to related tables
• Trigger Smart Polling


Network View - Graph
Controls in the Graph view (figure):
1. PDF: download the current graph visualization
2. ?: colour-code legend used for nodes and links
3. Filters: by name, IP, zone etc.
4. Reset: clear any filter
5. Live: refresh manually or automatically
6. Time Frame: visualization over the selected time frame (def. 15 min)
7. Magic Wand: tweaking the graph rendering, useful for large environments
8. Nodes: change node perspectives, apply filters, etc.
9. Links: change link perspectives, apply filters, etc.
10. Layout: select between Standard, Purdue, and Grouped (in combination with Group by function)
11. Pause: pauses the dynamic behaviour of the graph
12. Increase/decrease: adjust the icon size


Graph - Node Perspective examples
• Roles (default view): IT/OT function or purpose, independent from the device Type
• Zones: Nodes belonging to a common network
• Public nodes: Non RFC-1918 IP addresses


Graph - Link Perspective examples
• Transferred bytes: Measuring transferred bytes values to display within links, instantaneous and continuously updated
• TCP retransmitted bytes: According to the percentage of retransmitted bytes in relation to the other links


Graph - Zones and Topology
Zones: Display zones and interzone connections providing a high-level zones overview:
• Standard zones (locked)
• Automatically created zones based on discovered networks (use the "plus" icon to add these)
• User defined zones, editable.
• A Node is part of one zone only, the more specific one. Example: node 172.16.0.1 would be a member of the 172.16.0.0/24 zone instead of zone 172.16.0.0/16.
By default, zones are managed by the Guardian. The CMC can be configured to manage zones on a global level.

Topology: Display the network topology
• Network devices such as switches and routers
• Networks and inter-network connections (high level network overview)


Graph - Zones
Objective: Configure Zones

Activities:
1. Under Settings > Zone configuration > Add create manually one custom network zone:
• Matching segment: 10.2.0.0/16
• Name: Corporate
• Level: 4
2. Upload the zone information of the remaining zones via the Import button, using the file zone_configurations.cfg under the Import_zone folder on Folder for participants
3. In Environment > Network View > Graph:
• set the Nodes perspective to Zones (Nodes button > Perspective) to visualize nodes within zones
• change the graph's Layout to Purdue Model and observe the settings effect.

User Manual Chapter 5 - User Interface Reference - Settings

Zone Definition (figure)
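The "one zone only, the more specific one" rule from the Zones slide and the Corporate zone created in the activity, worked through as an added longest-prefix example (illustration only, not Guardian's code); the zone names other than Corporate, the Purdue levels and the "Public" name for the locked standard zone are assumptions:

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed zone table: the 172.16.0.0/16 vs /24 pair is the slide's own example,
# "Corporate" is the zone created in the activity; other names and levels are assumed.
ZONES: List[Dict] = [
    {"name": "Plant", "segment": "172.16.0.0/16", "level": 3},
    {"name": "Cell_1", "segment": "172.16.0.0/24", "level": 1},
    {"name": "Corporate", "segment": "10.2.0.0/16", "level": 4},
]

# Non RFC-1918 addresses fall into the standard (locked) public zone; the name is assumed.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_ZONE = "Public"


def most_specific_zone(ip: str, zones: List[Dict] = ZONES) -> Optional[str]:
    """A node belongs to exactly one zone: the matching segment with the longest prefix."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for zone in zones:
        net = ipaddress.ip_network(zone["segment"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best_name, best_len = zone["name"], net.prefixlen
    if best_name is None and not any(addr in n for n in _RFC1918):
        return PUBLIC_ZONE
    return best_name


def assign_zones(ips: List[str], zones: List[Dict] = ZONES) -> Dict[Optional[str], List[str]]:
    """Group node addresses by zone; nodes matching no configured zone land under None
    (these are the ones Guardian offers as automatically discovered zones)."""
    result: Dict[Optional[str], List[str]] = {}
    for ip in ips:
        result.setdefault(most_specific_zone(ip, zones), []).append(ip)
    return result


def overlapping_zones(zones: List[Dict] = ZONES) -> List[tuple]:
    """List (more specific, enclosing) pairs: nodes in the first never count toward the second."""
    nets = [(z["name"], ipaddress.ip_network(z["segment"], strict=False)) for z in zones]
    return [(a, b) for a, na in nets for b, nb in nets
            if a != b and na != nb and na.subnet_of(nb)]
```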


Create Traces
• Request a custom trace:
• Admin > Other actions > Request custom trace
• Packet Filter needed
• One or more traces in parallel possible
• Default settings: 5000 packets or 60sec, configurable

• Request a continuous trace:
• Admin > Other actions > Continuous trace
• In general, or by applying a Packet Filter
• One or more traces in parallel possible
• Chopped in 100MB slices

• Download and delete traces via WEB UI, or directly on the Shell console:
- /data/continuous_traces
- /data/traces

• Creating a trace is a background process not affecting other functionalities


Network View - Activities
Objective: Use table options within the Network View Links table

Environment > Network View > Links

Activities:
1. Create a trace of the vnc link between 172.16.0.200 and 172.16.0.101:
• Filter on vnc in the protocol field
• Filter on the IP addresses
• Request a trace via the lightning button
• Download and open the trace
2. Create a custom Alert in case the link from 172.16.4.89 to 192.168.1.100 using protocol cotp is not persistent:
• Filter on cotp in the protocol field
• Filter on the IP addresses
• Configure link > check the Is persistent flag
• Check the Alerts panel
3. Disabling the Is persistent flag:
• Go to the Links table
• Enable the column Active checks
• Use this column to filter out the link where the check was enabled

User Manual Chapter 5 - User Interface Reference - Network View

Links Table: Trace and Alert configuration (figure)
Links Table: Disable the active checks (figure)


Asset View



Asset View - General Concept
• Environment > Asset View
• Assets represent a local, physical system to care about, a resource with a value for the company; it can be composed of one or more Nodes
• Nodes can only become part of an asset when the node:
• is not public
• is confirmed (it has communicated)
• is not a group address or broadcast
• Scope examples:
• Depict devices according to a logical network segregation (PURDUE)
• Assemble multiple MAC Addresses into 1 Asset when applicable
• When created, an Asset Name is assigned, according to information in other fields, such as node label or vendor
• The Asset Type is assigned at the Asset level on the Guardian by default using predefined Asset Types, see the list below
• More Asset Types can now be imported (System > Import) and be managed on a global level using the CMC
• Example of an import file, the first row should contain name:
name
asset_type1
asset_type2

Asset types (predefined): switch, WAP, router, IOT_device, printer, light_bridge, group, firewall, OT_device, RTU, computer, teleprotection, cctv_camera, active_scanner, PLC, radio_transmitter, HMI, UPS, barcode_reader, data_concentrator, sensor, gateway, digital_io, AVR, inverter, DSL_modem, controller, IO_module, subnet, media_converter, historian, NTP_appliance, IED, PDU, VOIP_phone, power_line_carrier, mobile_phone, power_quality_meter, tablet, protection_relay, mobile_device, other...

Asset View - Details
Callouts in the Asset details form (figure):
• Asset Config
• Asset Info and Options
• Asset Tabs
• Nodes belonging to the Asset
• Node(s) Config and Options
• Nodes details, e.g. network info
• Vulnerability Status
• Learning and AI status
• Host performance details by SmartPolling


Asset View - Activity

Objective: Learn the Asset View forms

Environment > Asset View:

Activities:
Using the List or Diagram view:
• Filter out the Asset plc151.ACME0.corporationnet.com with ip 192.168.1.28
• Generate the PDF (do not check "Include installed software found with Smart Polling")
• Go under Analysis > Reports and click on the Generated tab to download the asset report
• Why is the 'MAC_Vendor' different from the 'Vendor' field?

User Manual Chapter 5 - User Interface Reference - Asset View

Asset View - Diagram (PURDUE Model) (figure)
Asset example: Control Logix 1756 (figure)


Process View



Process View
"The part of the industrial system primarily concerned with producing the output is referred to as the process"

The Process View:
• contains Variables exchanged by OT protocols
• Variables (aka tags, objects) represent field information
• Guardian's DPI capabilities and OT knowledge are reflected here

An Oil and Gas process: from wells to refineries (figure)


Process View - What is a Variable?
The control loop shown in the figure (sensors and actuators such as valve, fan and pump; controller rail; consumer/HMI; operator):
1. Each sensor/actuator converts a physical magnitude into a signal for the controllers
2. Hard wired signals are fed to the controller rail (inputs)
3. Each input is mapped by the controller onto a variable/tag/object according to the used protocol...
4. ...and transmitted to the Consumer
5. The Consumer collects the data to be shown in an HMI; it allows the Operator to control the process, or it runs algorithms to control it automatically
6. Commands are sent back down to controllers again via the protocol...
7. ...and converted to controlling signals addressed to the rail (outputs)
8. Finally, the controlling signals are fed to the actuators to control the physical process
9. And the cycle iterates...


Process View - Controls
Row controls available on PROCESS VARIABLE entries (figure):
• Configure entry and custom alerts
• Variable details
• Mark Variable as Favourite
• Navigate to related tables


Process View - Details
• Each row in the table represents a variable extracted from the OT protocols
Columns highlighted in the figure: Variable name; Value and Quality; Value range; Protocol and FC; Historical data; Activity info; Flow control


Environment - Activity

Objective: Use table options within Network View

Environment > Process View

Activities:
Let's extract all the iec104 variables belonging to host 192.168.21.12 with a max. value <= 0.6 into an Excel sheet:
• Enable the Max value and Protocol fields
• Filter on:
• Max value <= 0.6
• Protocol iec104
• Host 192.168.21.12
• Export the result into an Excel file

User Manual Chapter 5 - User Interface Reference - Network View

Variables table (figure)


Sizing Appliances



Sizing parameters

• Choosing the right model of Nozomi Appliances is based on the networks monitored:

• Environmental conditions, harsh or standard

• Throughput of the monitored networks

• Amount and Type of needed monitoring ports

• Number of monitored Network Elements



Network elements definition and calculation
Network Elements are the mathematical sum of:
• Nodes
• Links
• Variables

• Most customers don't have these numbers handy. After analyzing our pool of available support archives, we discovered that the following estimation works for most of our clients.
• How to estimate the number of Network Elements:
• Start with the number of Assets
• Estimate the number of Nodes: equals Assets * 2 (worst case scenario considering L2 + L3 traffic)
• Estimate the number of Network Elements: equals Nodes * 20


Deployment: Sizing an installation - 1
Use Case 1

Find the best technical proposal for the following scenario:

Scenario
One site with 200 devices (ca. 400 nodes, each device consists of one MAC & IP-address) to monitor 8 different switches, all located in the same 19'' rack.
• Use only physical appliances.
• Assume the traffic throughput is not an issue.

Appliance options (Max. Protected Network Elements / Max. Throughput / Max Remote Collectors / Monitoring Ports / Expansion Slots):
• NSG-M 1000: 600,000 / 1 Gbps / 50 / 7x1000BASE-T + 4xSFP / 1 slot available (4x1000Base-T | 4xSFP | 4xSFP+)
• NSG-M 750: 200,000 / 1 Gbps / 50 / 7x1000BASE-T + 4xSFP / 1 slot available (4x1000Base-T | 4xSFP | 4xSFP+)
• NSG-L 250: 90,000 / 500 Mbps / 20 / 5x1000BASE-T / 1 slot available (4x1000Base-T | 4xSFP)
• NSG-L 100: 20,000 / 250 Mbps / 20 / 5x1000BASE-T / 1 slot available (4x1000Base-T | 4xSFP)

SOLUTION


Deployment: Sizing an installation - 2
Use Case 2

Find the best technical proposal for the following scenario:

Scenario
One site to be monitored centrally, 3 buildings in 3 separate locations:
Building 1:
• 1000 devices (ca. 2000 nodes, each device consists of one MAC & IP-address);
• 300 Mbps throughput over 5 switches.
Building 2 and 3:
• 50 devices each (ca. 100 nodes, each device consists of one MAC- & IP-address);
• 0.1 Mbps throughput over 2 switches each.
• Use only physical appliances.
• Buildings are connected over the internet.

Appliance options (Max. Protected Network Elements / Max. Throughput / Max Remote Collectors / Monitoring Ports):
• NSG-M 1000: 600,000 / 1 Gbps / 50 / 7x1000BASE-T + 4xSFP
• NSG-M 750: 200,000 / 1 Gbps / 50 / 7x1000BASE-T + 4xSFP
• NSG-L 250: 90,000 / 500 Mbps / 20 / 5x1000BASE-T
• NSG-L 100: 20,000 / 250 Mbps / 20 / 5x1000BASE-T
• NRC-5: Not applicable / Up to 15 Mbps / Not applicable / 2x1000BASE-T, 1xSFP

SOLUTION


Deployment: Sizing an installation - 3
Use Case 3

Find the best technical proposal for the following scenario:

Scenario
A supervisory system monitors 100,000 devices (ca. 200,000 nodes, each device consists of one MAC & IP-address):
• Using a total throughput of 2.5 Gbps;
• Equally split into 2 core switches (fiber port), installed in two separated locations;
The management platform should be able to cover future expansion and monitor any number of devices.
• Use only physical Guardian appliances.

Appliance options (Max. Protected Network Elements / Max. Throughput / Max. Remote Collectors* / Monitoring Ports / Expansion Slots):
• NSG-HS 3500: 2,000,000 / 6 Gbps / 50 / Modular up to 16+1 / 4 slots available (4x1000BaseT | 4xSFP | 4xSFP+)
• NSG-HS 3000: 1,500,000 / 6 Gbps / 50 / Modular up to 16+1 / 4 slots available (4x1000BaseT | 4xSFP | 4xSFP+)
• NSG-H 2500: 1,200,000 / 3 Gbps / 50 / Modular up to 8+1 / 2 slots available (4x1000BaseT | 4xSFP | 4xSFP+)
• NSG-H 2000: 1,000,000 / 3 Gbps / 50 / Modular up to 8+1 / 2 slots available (4x1000BaseT | 4xSFP | 4xSFP+)

SOLUTION
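A sizing helper, added here as an illustration and not a Nozomi tool, that applies the estimation rule from the "Network elements definition and calculation" slide and checks the result against the capacities transcribed from the three appliance tables above; monitoring-port counts and environmental conditions are left to the reader:

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Appliance:
    model: str
    max_network_elements: int
    max_throughput_mbps: int
    max_remote_collectors: int


# Capacities transcribed from the sizing tables on the three use-case slides
# (physical Guardian appliances only; the NRC-5 remote collector is not a Guardian)
APPLIANCES: List[Appliance] = [
    Appliance("NSG-L 100", 20_000, 250, 20),
    Appliance("NSG-L 250", 90_000, 500, 20),
    Appliance("NSG-M 750", 200_000, 1_000, 50),
    Appliance("NSG-M 1000", 600_000, 1_000, 50),
    Appliance("NSG-H 2000", 1_000_000, 3_000, 50),
    Appliance("NSG-H 2500", 1_200_000, 3_000, 50),
    Appliance("NSG-HS 3000", 1_500_000, 6_000, 50),
    Appliance("NSG-HS 3500", 2_000_000, 6_000, 50),
]


def estimate_nodes(assets: int) -> int:
    """Worst case from the slide: every device shows up as one L2 node and one L3 node."""
    return assets * 2


def estimate_network_elements(assets: int) -> int:
    """Slide rule of thumb: network elements (nodes + links + variables) = nodes * 20."""
    return estimate_nodes(assets) * 20


def candidate_models(assets: int, throughput_mbps: float, remote_collectors: int = 0) -> List[str]:
    """Smallest-first list of models whose published limits cover the estimated load."""
    needed = estimate_network_elements(assets)
    return [a.model for a in APPLIANCES
            if a.max_network_elements >= needed
            and a.max_throughput_mbps >= throughput_mbps
            and a.max_remote_collectors >= remote_collectors]


def guardians_required(assets: int, model: str) -> int:
    """How many appliances of one model the estimated network elements need (ceiling division)."""
    cap = next(a.max_network_elements for a in APPLIANCES if a.model == model)
    return -(-estimate_network_elements(assets) // cap)
```

An empty candidate list, as for the 100,000-device scenario, means no single model fits and the load has to be split across several Guardians under a management platform.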


Vulnerabilities
Vulnerabilities
• The Vulnerabilities menu provides an overview of the security status of the monitored assets
• Guardian maintains a vulnerability database within its Threat Intelligence content, matches vulnerabilities to assets in the monitored environment and notifies about assets suffering from vulnerabilities.
• The information is stored within this section, Analysis > Vulnerabilities:
1. Assets: display the vulnerabilities grouped per asset
2. List: display the list of all the vulnerabilities detected
3. Stats: display pie charts with Top CPEs, Top CWEs and Top CVEs


How Guardian detects Vulnerabilities
Two steps are performed by the Vulnerability Manager to display the information:

1. IDENTIFY
• Means that we should be able to detect the critical information needed to uniquely characterize the device and provide a set of minimum information such as:
o Vendor of the device
o Device Name/Product Code
o Firmware/Software version
• The result of this step is a list of CPEs assigned to a specific node.

2. MATCHING
• Guardian will use the group of CPEs that were identified for a specific node (in step 1) to calculate its vulnerabilities (CVEs)
• Nozomi curates the CPE - CVEs assignments, enhancing the NIST NVD with the most accurate data.


Device IDENTIFICATION - Phase 1
The device identification can be achieved using different methods by:
• Passively monitoring and analyzing the traffic
• Actively querying the device (Smart Polling)
• Importing Asset info manually into Guardian (using the "Import configuration / project file" function)

The passive method is preferred as it does not require any human interaction

Passively, Smart Polling, Importing Asset info (figure)


Vulnerability MATCHING - Phase 2
• The matching mechanism is internal to Guardian and is the one that generates the CVEs displayed in the Vulnerability menu.
• This mechanism relies on the Threat Intelligence DB (locally stored in Guardian):
• The TI DB is synced with NIST NVD - National Vulnerability Database
• Nozomi is curating and enriching NVD information, in some cases adding for example:
o fix-version
o fix-patch
o fix-description

Asset info -> MATCHING -> CVE to be displayed (figure)


Vulnerabilities - Outcome
Callouts on the vulnerability detail page (figure, example: CVE-2020-6457):
• CVE - Common Vulnerabilities and Exposures
• CWE - Common Weakness Enumeration
• CVSS - Common Vulnerability Scoring System
• CPE - Common Platform Enumeration
• Affected Node by this vulnerability
• Summary and reference
• Info added by Nozomi
• Info coming from NVD


Vulnerabilities - Change resolution



Smart Polling
Smart Polling
• The Smart Polling menu allows configuring and displaying the information collected
• To use this module, you need the following license: "Guardian Base + Smart Polling"
• Patching levels (e.g., hotfixes) are not always detectable without querying the devices directly
• Smart Polling was created for this purpose, using limited active communication to interact with the monitored network
• The menu is available under Smart Polling:
1. Summary: displays the plans configured and allows creating a new plan
2. Polled node: displays information polled from the nodes


Smart Polling - Configuration
To deploy Guardian+Smart Polling the following info should be taken into consideration:
• The Guardian Management IP will be used by default to send Smart Polling requests.
• The Guardian Management IP and the target device should be allowed from a routing and security/firewall perspective to communicate with each other.

Smart Polling > Plan tab (figure):
• Define the Strategy
• Define devices to poll
• Select data to be collected
• Configuration can be applied only to a specific device
• Support for specific switch brands like: Hirschmann, Fortinet, Brocade, N-Ton


Smart Polling - Execution mode
• Automatically: Enabled plans will be executed based on the interval time set:
• Enabled plan (figure)
• Disabled plan (figure)
• From the Nodes table a new node can be added to the plan (figure)
• On Demand: Regardless of the status (enabled/disabled) of the plan, a node can be polled on demand:
• Insert username and password to override the configuration within the plan
• Toggle to execute immediately


Smart Polling - Execution check
Callouts in the plan execution view (figure):
• Time of each execution
• Detailed polling info for a single node


Smart Polling - Execution results
Under the Smart Polling > Polled nodes tab the info of polled nodes is displayed:

Smart Polling results panel (figure)


Queries
Queries
• Queries boost Guardian's flexibility and usability as they can be used to:
• Extract, connect and show data in a tabular or graphical way
• Create custom Dashboards
• Create custom Alerts (Assertions)
• Create custom Reports
• Setup Smart Polling strategies
• Configure Integration scope
• Create OpenAPI requests
• Queries are written in N2QL (Nozomi Networks Query Language) defined in Guardian

Queries results example (figure)

Queries - Source tables and fields

Objective: Get familiar with the N2OS data model

Activities:
1. In the N2OS-UserManual-SDK, review under Data Model the available source tables and fields.
2. Which field in the nodes table provides information whether nodes are public or private?
3. Which table provides details on tcp-retransmitted packets within device communications?

Source tables and fields in the User Manual SDK, Chapter 3 - Data model (figure)


Queries - Format
The menu is available under Analysis > Queries

Source | command1 | command2 | ...

• Source: the table to use as data source
• "|": uses the output of the expression on the left to pass it as input to the expression on the right
• command: can be a condition, function, merging tables, or defining the output

Controls in the Queries page (figure):
1. Expert/Standard: switch from Expert (default view) to Standard
2. Save: save the query for future use
3. Live/Manual refresh: automatic or manual refresh of the result
4. Export: to export in CSV or Excel the query result
5. To assertion: to convert the query into an assertion
6. History: to view all the previous, executed queries
7. Saved queries: to view the saved queries


Queries - Details 1
Source tables list
help //list of source tables with description

Select, Rename and Reorder table fields


links | select from to protocol
links | select protocol->Protocol from->Source to->Destination

Choose a field and filter the content: where - operators: ==, !=, >=, <= - field: is_empty()
nodes | where mac_vendor == Hewlett Packard
nodes | where mac_vendor != Hewlett Packard
nodes | where is_empty(mac_vendor) == false

Filtering using Wildcards: include? / exclude?


assets | where name include? hmi
captured_urls | where url exclude? ntp

Count
nodes | count



Queries - Details 2
Group_by
nodes | group_by mac_vendor
nodes | group_by mac_vendor,zone

Pie chart
nodes | group_by mac_vendor | pie mac_vendor count

Sort
nodes | group_by mac_vendor | sort count desc
nodes | group_by mac_vendor | sort mac_vendor

Head
nodes | group_by mac_vendor | sort count desc | head 5
Column chart
nodes | group_by mac_vendor | sort count desc | column mac_vendor count
Compare field values
nodes | where mac_vendor == $vendor



Queries - Details 3
Where/OR with equal
sessions | where status == ACTIVE | where to_port == 53
sessions | where status == ACTIVE | where to_port == 53 OR to_port == 2404

Seconds_ago(), minutes_ago(), hours_ago(), days_ago(), months_ago()


nodes | where hours_ago(last_activity_time) > 12 | select id last_activity_time

Expand function (to array fields: [x1,x2,..] )


nodes | select id protocols //the protocols field is an array. E.g. [“iec104”,”browser”]
nodes | select id protocols | expand protocols | where expanded_protocols == vnc

“.” Operator (to structured fields: {“value1”:”x1”, “value2”:”x2”,..} )


nodes | select id mac_address:info // the mac_address:info field is a structure
nodes | select id mac_address:info | where mac_address:info.likelihood > 0.9



Queries - Merge tables: join
When the data we are looking for is present in two or more tables, the join command is used to connect these tables.

Example: We want to display every link using a barcode_reader as destination.

1. The links table contains the info on destination IPs ("Destination IP" info in links), while the info on the device type being a barcode-reader ("Type" info in nodes) is part of the nodes table.
2. To correctly merge these tables and match the rows accordingly we need to identify a corresponding field in both tables.
3. Here, we are using the "to" field in the links table and the "ip" field in the nodes table, both containing IP addresses. Matching these fields allows to merge the nodes table data into the corresponding links table row:

table-1 | join table-2 table-1-field table-2-field

links | join nodes to ip

4. The nodes table data is now being added into one new field within the links table named joined_node_to_ip: the result has the original links table fields and one additional field including all the nodes table data.

Solution:
links | join nodes to ip | where joined_node_to_ip.type == barcode_reader

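The pipeline commands from the Queries - Details slides (select, where, group_by, sort, head, expand) and the join use case above, modelled together as an added Python example; this is not Nozomi Networks' code and not how Guardian implements its query engine. The table, field and joined_node_to_ip names follow the slides; the sample rows, the helper function names and the convention of attaching an empty structure to unmatched join rows are assumptions of this example.

```python
"""Added example, not Nozomi Networks' code: an in-memory model of the query
pipeline on these slides (select, where, group_by, sort, head, expand, join)
run over constructed sample rows. Table and field names (links, nodes, from,
to, protocol, ip, type, mac_vendor, protocols, joined_node_to_ip) are taken
from the slides; the row contents are constructed, not captured."""
from collections import Counter

# Constructed sample tables (not real Guardian data).
NODES = [
    {"id": "10.0.0.1", "ip": "10.0.0.1", "type": "barcode_reader",
     "mac_vendor": "Vendor A", "protocols": ["modbus", "browser"]},
    {"id": "10.0.0.2", "ip": "10.0.0.2", "type": "plc",
     "mac_vendor": "Vendor A", "protocols": ["iec104"]},
    {"id": "10.0.0.3", "ip": "10.0.0.3", "type": "hmi",
     "mac_vendor": "Vendor B", "protocols": ["vnc", "browser"]},
    {"id": "10.0.0.4", "ip": "10.0.0.4", "type": "barcode_reader",
     "mac_vendor": "", "protocols": []},
]
LINKS = [
    {"from": "10.0.0.3", "to": "10.0.0.1", "protocol": "modbus"},
    {"from": "10.0.0.3", "to": "10.0.0.2", "protocol": "iec104"},
    {"from": "10.0.0.2", "to": "10.0.0.4", "protocol": "http"},
    {"from": "10.0.0.1", "to": "10.0.0.3", "protocol": "vnc"},
]


def get_field(row, field):
    """Resolve 'a.b' into a nested (joined / structured) field; None if absent."""
    cur = row
    for part in field.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur


def select(rows, *fields):
    """select f1 f2->Renamed : keep the listed fields, optionally renaming them."""
    out = []
    for r in rows:
        picked = {}
        for f in fields:
            src, _, dst = f.partition("->")
            picked[dst or src] = r.get(src)
        out.append(picked)
    return out


OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a is not None and a >= b,
    "<=": lambda a, b: a is not None and a <= b,
    ">": lambda a, b: a is not None and a > b,
    "<": lambda a, b: a is not None and a < b,
    "include?": lambda a, b: a is not None and b in str(a),   # wildcard filters
    "exclude?": lambda a, b: a is None or b not in str(a),
}


def where(rows, field, op, value):
    """where <field> <op> <value>, with the operators listed on the slides."""
    return [r for r in rows if OPS[op](get_field(r, field), value)]


def group_by(rows, *fields):
    """group_by f1,f2 : one row per distinct value tuple plus a 'count' field."""
    counts = Counter(tuple(r.get(f) for f in fields) for r in rows)
    return [dict(zip(fields, key), count=c) for key, c in counts.items()]


def sort(rows, field, desc=False):
    """sort <field> [desc]; rows lacking the field go last."""
    return sorted(rows, key=lambda r: (r.get(field) is None, r.get(field)), reverse=desc)


def head(rows, n):
    return rows[:n]


def expand(rows, field):
    """expand <field> : one output row per array element, in 'expanded_<field>'."""
    return [{**r, f"expanded_{field}": item} for r in rows for item in (r.get(field) or [])]


def join(left, right, left_field, right_field, joined_as):
    """table-1 | join table-2 table-1-field table-2-field : attach the matching
    table-2 row as one structured field. Unmatched rows get an empty structure
    (this example's convention, an assumption)."""
    index = {r[right_field]: r for r in right}
    return [{**row, joined_as: index.get(row[left_field], {})} for row in left]


# links | join nodes to ip | where joined_node_to_ip.type == barcode_reader
def barcode_reader_destinations():
    rows = join(LINKS, NODES, "to", "ip", "joined_node_to_ip")
    return where(rows, "joined_node_to_ip.type", "==", "barcode_reader")


# nodes | group_by mac_vendor | sort count desc | head 5
def top_vendors():
    return head(sort(group_by(NODES, "mac_vendor"), "count", desc=True), 5)


# nodes | select id protocols | expand protocols | where expanded_protocols == vnc
def vnc_nodes():
    rows = expand(select(NODES, "id", "protocols"), "protocols")
    return where(rows, "expanded_protocols", "==", "vnc")


if __name__ == "__main__":
    for r in barcode_reader_destinations():
        print(r["from"], "->", r["to"], r["protocol"])
    print(top_vendors())
    print([r["id"] for r in vnc_nodes()])
```

Each pipeline stage takes and returns a list of rows, which is exactly why "|" composes: the output of the stage on the left is the input of the stage on the right, and the joined node data is reached through the dotted joined_node_to_ip.type path.
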
Queries - Use cases 1
1. Count how many variables were transmitted, using modbus protocol, on the monitored network.

2. Produce a column chart of assets running a Windows OS grouped by the Operating System
version. (The result will be used to plan patch installation).

3. Produce a tabular representation of HTTP links including the from, to, protocol,
first_activity_time and last_activity_time, sorted by transferred.bytes passing through the link.



Queries - Use cases 2 - Optional
4. Produce a table including nodes in the network that are inactive for the last 10 days, filtering out
ghost nodes (tip: ghost nodes never sent.bytes and inactive time can be checked on
last_activity_time column).

5. Produce a table reporting from, to, function_codes name, last_activity_time of every link using the
iec104 protocol.

6. Produce a table showing links that are likely being blocked by firewall (tip: this can be modelled
by the tcp_connection_attempts.total and tcp_handshaked_connections.total).



Queries - Use cases 3 - Optional
7. Produce a table to show how many links are initiated from each zone (tip: in the links table there
are fields about zone information).

8. Produce a table showing from, to, protocol and tcp retransmission percentage of all links with
tcp retransmission percentage between 40 and 90 percent.

9. Produce a table showing the function codes seen on the monitored network for the iec104 protocol
and sort them so as to have the most used first (tip: work with the variables table).



Queries - Use cases 4 - Optional
10. Produce a column chart including the list of source IPs that opened iec104 links,
sorting them by number of links.

11. How many links within the same zone (source and destination) are in the monitored network?

12. Produce a pie chart showing the percentage of every transport protocol used in the monitored
network.



Queries
Objective: Generate Built-In Reports

Analysis > Queries

Activities:
1. Run the query: nodes | group_by mac_vendor | pie mac_vendor count
2. Save the query: use "Mac Vendors" as description, click on New Group, name it "Training" and Save the group. Then, Save the query within this group.
3. Run the query: links | group_by from_zone | sort count desc | head 3
4. Save the query using "Top 3 Source Zones" as description within the "Training" group.
5. Check the results under the tab Saved Queries.

[Screenshot: Review the saved Queries]

User Manual Chapter 11 - Queries


Reports
• Menu available under Analysis > Reports
• Can be run On-demand or Scheduled
• Available formats are Excel, CSV and PDF
• Predefined layouts are:
  • Empty
  • Alerts
  • Assets Inventory
  • CIS Controls
  • Vulnerability
• Predefined widgets and custom queries can be used
• Filters can be applied globally or per widget
• Reports stored in customizable Folders
• Report Schema can be Exported and Imported (JSON format)

[Screenshot: Report dashboard]


Reports - Overview

[Screenshot: Global Filters; Folder structure]


Reports - Use Case
Objective: Generate Built-In Reports

Analysis > Reports

Activities:
1. In Settings, upload a custom logo from the Folder for Participants/Reports.
2. Within the Report management tab, click on New report…, enter a Name and choose the layout Empty.
3. Add row, Add widget and choose:
   • Table: Clients accessing SMB Shares
   • Count: Evidences
   • Query: Training/Mac Vendors
   • Query: Training/Top 3 Source Zone
   • How many SMB Shares are being monitored?
4. Save and use Generate Report to schedule a PDF report to be created Daily at 7am.

[Screenshots: Create a new Empty report; Add a row and choose widgets]

User Manual Chapter 5 - User Interface Reference - Report

Dashboards
• Two default dashboards are available: Overview and Stats
• The Configuration mode is available under Settings > Dashboards or by clicking directly on the Dashboard
• Creating the first new dashboard will remove the default ones
• Predefined widgets and custom queries are available to compose the Dashboard
• Dashboards can be exported and imported (JSON format)

[Screenshot: Dashboard configuration]


Dashboards - Use Case
Objective: Configure Dashboards

Settings > Dashboards

Activities:
1. Create and Save a new Dashboard based on the Stats template.
   • Add on top of the Stats Dashboard, via +Add row and +Add widget, the previously saved queries: [query] Mac Vendors and [query] Top 3 Source Zone
2. [Optional] Import the JSON based dashboards provided within the Folder for participants. Explore them and choose your favorite.

[Screenshots: Dashboard templates; Dashboard - Stats based customized]

User Manual Chapter 5 - User Interface Reference - Dashboard


Alerts and Hybrid Threat Detection

Alerts and Hybrid Threat Detection
Finding threats and anomalies
• Alerts and Incidents
• Asset Intelligence
• Built-In checks: Threat detection
• Custom checks: Assertions
• Security Control Panel:
• Virtual Image (Learning Modes)
• Security Profiles
• Zone Configurations
• Alert Tuning
• Alert Closing Options

• Alert Operations
• Mitre ATT&CK Framework



Alerts and Incidents



Alert Categories
Alerts fall into four categories (the four quadrants on the slide):

Custom Checks
• Assertions
• Links and Variables Configuration

Protocol Validation
• Protocol Knowledge
• Undesired Protocol Behaviours

Virtual Image
• Behavioural Anomaly Detection
• Most alerts in protecting mode (Learned Behaviour)
• Asset Intelligence
  • Device fingerprinting
  • Baseline strengthening

Threat Intelligence & Built-in Checks
• Known Security Attacks Patterns
• Signatures


Alerts - Protocol Validation

NET
• RST-FROM-PRODUCER

PROC
• WRONG-TIME
• SYNC-ASKED-AGAIN

SIGN
• ARP-DUP
• DDOS
• DHCP-OPERATION
• ILLEGAL-PARAMETERS
• INVALID-IP
• MAC-FLOOD
• MALICIOUS-PROTOCOL
• MULTIPLE-ACCESS-DENIED
• MULTIPLE-OT_DEVICE-RESERVATIONS
• MULTIPLE-UNSUCCESSFUL-LOGIN
• NETWORK-MALFORMED
• NETWORK-SCAN
• PROC-MISSING-VAR
• PROC-UNKNOWN-RTU
• PROTOCOL-ERROR
• PROTOCOL-FLOOD
• SCADA-INJECTION
• SCADA-MALFORMED
• TCP-SYN-FLOOD
• UDP-FLOOD
• TCP-MALFORMED (NEW)
• UNSUPPORTED-FUNC

Alert type examples:
• PROC:WRONG-TIME
• SIGN:TCP-SYN-FLOOD


Alerts - Threat Intelligence & Built-in Checks

SIGN
• CLEARTEXT-PASSWORD
• CONFIGURATION-CHANGE
• CPE-CHANGE
• DEV-STATE-CHANGE
• FIRMWARE-CHANGE
• MALICIOUS-DOMAIN
• MALICIOUS-IP
• MALICIOUS-URL
• MALWARE-DETECTED
• MITM
• OUTBOUND-CONNECTIONS (NEW)
• PUA-DETECTED
• OT_DEVICE-REBOOT
• OT_DEVICE-START
• OT_DEVICE-STOP
• PACKET-RULE
• PASSWORD:WEAK
• PROGRAM:DOWNLOAD
• PROGRAM:UPLOAD
• PROGRAM:CHANGE
• SUSP-TIME
• WEAK-ENCRYPTION

Alert type examples:
• SIGN:MALWARE-DETECTED
• SIGN:OT_DEVICE-STOP

Alerts - Custom Checks

GENERIC
• EVENT (NEW)

ASRT
• FAILED

NET
• INACTIVE-PROTOCOL
• LINK-RECONNECTION
• TCP-SYN

PROC
• CRITICAL-STATE-OFF
• CRITICAL-STATE-ON
• INVALID-VARIABLE-QUALITY
• NOT-ALLOWED-INVALID-VARIABLE
• STALE-VARIABLE

Alert type examples:
• ASRT:FAILED
• PROC:STALE-VARIABLE


Alerts - Learned Behaviour / Asset Intelligence (Virtual Image, VI)

KB
• UNKNOWN-FUNC-CODE
• UNKNOWN-PROTOCOL

GLOBAL (* using Adaptive Learning)
• NEW-FUNC-CODE
• NEW-MAC-VENDOR
• NEW-VAR-PRODUCER

VI
• CONF-MISMATCH
• NEW-ARP
• NEW-FUNC-CODE
• NEW-LINK
• NEW-MAC
• NEW-NET-DEV
• NEW-NODE
• NEW-NODE:TARGET
• NEW-NODE:MALICIOUS-IP
• NEW-PROTOCOL
• NEW-PROTOCOL:APPLICATION
• NEW-PROTOCOL:CONFIRMED
• NEW-SCADA-NODE

PROC
• NEW-VALUE
• NEW-VAR
• PROTOCOL-FLOW-ANOMALY
• VARIABLE-FLOW-ANOMALY

Alert type examples:
• VI:NEW-NODE
• VI:PROC:NEW-VALUE

Incidents - Hybrid Threat Detection

[Figure: an Incident groups several related Alerts]

Built-in Checks (INCIDENT)
• BRUTE-FORCE-ATTACK
• ENG-OPERATIONS
• FUNCTION-CODE-SCAN
• ILLEGAL-PARAMETER-SCAN
• MALICIOUS-FILE
• SUSPICIOUS-ACTIVITY
• WEAK-PASSWORDS
• PORT-SCAN

Learned Behaviour (INCIDENT)
• NEW-COMMUNICATIONS
• NEW-NODE
• PRODUCER:VARIABLES-FLOW-ANOMALY
• CONSUMER:VARIABLES-FLOW-ANOMALY
• INTERNET-NAVIGATION
• PRODUCER:VARIABLES-NEW-VARS
• CONSUMER:VARIABLES-NEW-VARS
• VARIABLES-NEW-VALUES
• VARIABLES-SCAN

Protocol Validation (INCIDENT)
• ANOMALOUS-PACKETS

Alert types descriptions
Objective: Get familiar with the Alert types

Activities:
In the N2OS-UserManual check out the Alerts Dictionary section.
In case needed you will find additional info in the alerts or incidents description list.

[Screenshot: Alerts list and descriptions]

User Manual Chapter 6 - Security features


Asset Intelligence



Asset Intelligence (AI) - Service

Asset Intelligence = Asset Model with protocols and function codes + Asset Model with end-of-life cycle information + Device images/descriptions (only in Vantage)

• By detecting the asset's details (e.g. product name and vendor), further features of these devices are fed into Guardian's asset inventory, creating a more solid baseline.
• The service is Subscription based (License is required).
• Updates can be installed manually or automatically.
• The content is created/curated by Nozomi Networks Labs.

System > Updates & Licenses


Enriched Asset Information
The Asset inventory benefits from the Asset Intelligence (AI) subscription:
• More detailed and precise info about the assets (when Vendor or Product Name is detected)
• Added information about "End of sale" and "End of support"
• 3 different states:
  (a) enriched asset: asset benefits from AI database info
  (b) asset not matched: asset is not part of the AI database
  (c) not active: no active AI license on this Guardian


Enriched Asset Information
• Adding information like: picture, protocols and function codes being supported by the assets
• Device picture added by AI (only on Vantage)
• Once the device is correctly identified, AI is adding the info about supported function codes and protocols into Guardian without the need of analyzing the network traffic.

[Screenshot: Vantage: Detailed Asset view]


Asset Intelligence
Objective: Use Asset Intelligence information

Environment > Assets

Activities:
1. How many assets were enriched?
2. What are the types of equipment having an end of sale date?
3. Open details of the Asset having IP 192.168.1.110. What fields are filled using AI?
4. Open now details of the Asset having IP 172.16.0.150 (this asset has multiple IPs). What is the main difference under the Overview tab with the previous asset?

User Manual Chapter 10 - Asset Intelligence - Enriched Asset Details for Enriched Device Information


Built-in Checks



Built-in Checks - Threat Intelligence (TI) - Service

Threat Intelligence = Packet Rules + Yara Rules + STIX indicators + Vulnerability DB

• The service is Subscription based (License is required).
• Updates can be installed manually or automatically.
• The Rules and DBs are created by Nozomi Networks Labs or obtained from the infosec community, each verified by Nozomi Networks.

Guardian is providing a Hybrid intrusion/anomaly detection system which is based on:
• Behavioral anomaly detection: Learning/Protecting, and
• Signature-based anomaly detection: Threat Intelligence signatures and additional Built-in Checks.

System > Updates & Licenses


Built-in Checks - Packet Rules - Overview

Packet Rules are available under Settings > Threat Intelligence

• Executed on every packet sent over the network; related Alerts are using the type-id SIGN:PACKET-RULE.
• Supporting the SNORT syntax allows users to easily add or import new rules using a well-known standard.
• Based on the engine written by Nozomi Networks.


Built-in Checks - Packet Rules - Structure

Objective: Discover installed Rules and create a new one

Settings > Threat Intelligence > Packet Rules

Activities:
Create a custom rule named "Ban SMB"
• Click on "+ Add"
• Use the rule format:
  <action> <transport> <src_addr> <src_ports> -> <dst_addr> <dst_ports> (<options>;)
• Enter the Name and Rule:

alert tcp any any -> any 445 (msg:"SMB test";)

• Search for the rule previously created and verify that you can click ON/OFF and leave it in ON status
• View Alerts related to this rule.

[Screenshots: Add a custom packet rule; SNORT syntax used for Packet Rules]

User Manual Chapter 6 - Security Profile - Packet Rules


Built-in Checks - Packet Rules - Search for content

The SNORT Packet Rules syntax allows to search for specific content within the packet's payload.
The content keyword specifies string(s) or binary data inside a packet to search for. Example:
alert tcp any any -> any any (content:"GET";) → searches for "GET" within the tcp packets' payload.
The following modifiers are available to influence the search:
• offset specifies where to start searching for a pattern within a packet:
alert tcp any any -> any any (content:"GET"; offset:4;) → skips the first 4 bytes in the packet's payload, then starts searching for "GET".
[Figure: "GET" found after the first 4 bytes]
• depth specifies how far into a packet should be searched for a pattern:
alert tcp any any -> any any (content:"GET"; depth:3;) → searches for the "GET" string within the first three bytes of the tcp payload only.
[Figure: "GET" within the first 3 bytes]

Built-in Checks - Packet Rules - Search for content (continued)

• distance specifies how many bytes to ignore before starting to search for a pattern, relative to the end of the previous match (minimum distance between the end of pattern-1 and the start of searching for pattern-2):
alert tcp any any -> any any (content:"GET"; content:"ONE"; distance:1;) → searches for the "GET" pattern, skips one byte and looks for the "ONE" pattern within all following bytes; "GET ONE" or "GET-123-ONE" would match.
[Figure: "GET", then search for "ONE" after skipping one byte]
• within specifies how distant at most, in relation to a previous pattern, a new pattern should be searched for (search from the end of pattern-1 within the number of bytes specified for pattern-2):
alert tcp any any -> any any (content:"GET"; content:"ONE"; within:10;) → searches for the "GET" string in the packet and looks for the "ONE" string within the following 10 bytes.
[Figure: "GET", then search for "ONE" within the next 10 bytes]
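The header fields and the four content modifiers from these two slides, evaluated by an added Python example against constructed payloads. This is neither Nozomi Networks' packet-rule engine nor Snort; it checks only the transport and destination port of the header, ignores addresses, takes the first occurrence of each pattern (no backtracking), and, for the combined distance+within case the slides do not show, counts within from the distance-adjusted start. Those simplifications are assumptions of the example; the rule strings are the ones on the slides.

```python
"""Added example, not Nozomi Networks' or Snort's code: a small evaluator for
the SNORT-style packet-rule header and the content modifiers explained on
these slides (offset, depth, distance, within), run over constructed payloads.
Simplifications (assumptions of this example): only the transport and the
destination port of the header are checked, addresses are ignored, and only
the first occurrence of each pattern is considered (no backtracking)."""


def parse_rule(rule):
    """Split '<action> <transport> <src> <sport> -> <dst> <dport> (<options>;)'
    into its parts; each content option collects the modifiers that follow it."""
    header, _, opts = rule.partition("(")
    action, transport, _src, _sport, _arrow, _dst, dport = header.split()
    options, contents = {}, []
    for opt in opts.rstrip(") ").split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if not key:
            continue
        if key == "content":
            contents.append({"pattern": val.encode()})
        elif key in ("offset", "depth", "distance", "within"):
            contents[-1][key] = int(val)      # modifier applies to the last content
        else:
            options[key] = val                # e.g. msg
    return {"action": action, "transport": transport, "dport": dport,
            "options": options, "contents": contents}


def match_contents(payload, contents):
    """Check every content in order. offset/depth are absolute (payload start);
    distance/within are relative to the end of the previous match. The
    pattern must lie completely inside the computed window."""
    prev_end = 0
    for c in contents:
        pat = c["pattern"]
        if "distance" in c or "within" in c:
            start = prev_end + c.get("distance", 0)
            # window length counted from the distance-adjusted start (assumption
            # for the combined case; the slides use the two modifiers separately)
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        pos = payload.find(pat, start, end)
        if pos < 0:
            return False
        prev_end = pos + len(pat)
    return True


def rule_matches(rule, transport, dport, payload):
    """True when the rule would raise a SIGN:PACKET-RULE alert for this segment."""
    r = parse_rule(rule)
    if r["transport"] != transport:
        return False
    if r["dport"] != "any" and int(r["dport"]) != dport:
        return False
    return match_contents(payload, r["contents"])


# The rules from the slides, applied below to constructed payloads.
BAN_SMB = 'alert tcp any any -> any 445 (msg:"SMB test";)'
OFFSET4 = 'alert tcp any any -> any any (content:"GET"; offset:4;)'
DEPTH3 = 'alert tcp any any -> any any (content:"GET"; depth:3;)'
DISTANCE1 = 'alert tcp any any -> any any (content:"GET"; content:"ONE"; distance:1;)'
WITHIN10 = 'alert tcp any any -> any any (content:"GET"; content:"ONE"; within:10;)'

if __name__ == "__main__":
    print(rule_matches(BAN_SMB, "tcp", 445, b"\xffSMB"))                  # True
    print(rule_matches(OFFSET4, "tcp", 80, b"GET /"))                      # False: GET lies in the skipped bytes
    print(rule_matches(DISTANCE1, "tcp", 80, b"GET-123-ONE"))              # True
    print(rule_matches(WITHIN10, "tcp", 80, b"GET" + b"x" * 8 + b"ONE"))  # False: ONE ends 11 bytes after GET
```

The "Ban SMB" rule has no content option, so every tcp segment to port 445 matches it; that is why the activity expects alerts as soon as SMB traffic is seen, and also why such a rule is noisy on a network where SMB is legitimate.
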


Built-in Checks - Packet Rules - Exercise

Objective: Analyse Packet Rules

Activities:
1. When monitoring TCP segments with destination port 21 having the "MENDRISIO" string as its payload, which of the following rules would produce an alert:
   A. alert udp any any -> any 21 (content:"MENDRISIO";)
   B. alert tcp any any -> any 22 (content:"MENDRISIO";)
   C. alert tcp any any -> any any (content:"MEN";)
   D. alert tcp any any -> any any (content:"MEN"; content:"DRISIO"; distance:1;)
2. When monitoring TCP segments with destination port 80 having the "Nozomi-Training" or "Nozomi_-_Training" string as its payload, which of the following rules would produce an alert:
   A. alert tcp any any -> any any (content:"Nozomi"; content:"Training"; distance:7;)
   B. alert tcp any any -> any 80 (content:"Nozomi"; content:"T"; within:1;)
   C. alert tcp any any -> any 80 (content:"Training"; content:"Noz"; distance:1; content:"omi"; distance:1;)
   D. alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)

User Manual Chapter 6 - Security Features - Packet Rules


Built-in Checks - Yara Rules - Overview

Yara Rules are available under Settings > Threat Intelligence

• Executed on every file transferred (also on .zip/.tar archives) via smb, ftp, http, using the alert type-id SIGN:MALWARE-DETECTED.
• Detecting malicious artifacts (e.g., executables or exploits), searching for specific patterns inside the files.
• Using the original YARA engine.


Built-in Checks - Yara Rules - Structure

[Figure: a Yara rule describing Stuxnet, annotated with its three sections]
• Rule metadata (not used by the engine)
• Checked strings to feed the conditions logic
• Conditions logic


Built-in Checks - Yara Rules - Conditions

Different conditions are checked on reconstructed files: if the logical statement made by the condition matches (returns true), the rule triggers the alert.

• Conditions on strings:
  all of them    2 of them    3 of ($s*)
• Conditions on raw bytes:
  • Searching for the first two bytes of a file being set to 0x5a4d → uint16(0) == 0x5a4d // it is the magic number for a Windows executable file (.exe, .dll or .sys), decoded as "MZ" in ASCII
• Conditions on file size:
  • The file size is e.g. smaller than 150KB → filesize < 150KB
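The three condition kinds on this slide (string counts, the uint16(0) raw-byte check and a filesize bound), evaluated by an added Python example over constructed file contents; this is not YARA and not any rule shipped by Nozomi Networks. The string names, their byte values, the thresholds and the combined rule condition are constructed for illustration only.

```python
"""Added example, not Nozomi Networks' or YARA's code: the three kinds of
condition shown on this slide (string counts such as 'all of them', '2 of
them' and '3 of ($s*)', the raw-byte check uint16(0) == 0x5a4d, and a filesize
bound) evaluated in Python over constructed file contents. The strings, the
thresholds and the combined rule condition are constructed for illustration,
not taken from any shipped Yara rule."""
import struct

KB = 1024

# Constructed string section of a rule: names keep the YARA '$prefix' style.
STRINGS = {
    "$s1": b"constructed-marker-s1",
    "$s2": b"constructed-marker-s2",
    "$s3": b"constructed-marker-s3",
    "$d1": b"constructed-marker-d1",
    "$d2": b"constructed-marker-d2",
}


def uint16(data, offset=0):
    """YARA's uint16(offset): little-endian 16-bit read, None if out of range."""
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def matched(data, prefix="$"):
    """Names of the strings (filtered by prefix, e.g. '$s') found in the file."""
    return [name for name, pat in STRINGS.items()
            if name.startswith(prefix) and pat in data]


def n_of(data, n, prefix="$"):
    """'n of (prefix*)'; with prefix '$' it is YARA's 'n of them'."""
    return len(matched(data, prefix)) >= n


def all_of(data, prefix="$"):
    """'all of (prefix*)' / 'all of them'."""
    expected = [name for name in STRINGS if name.startswith(prefix)]
    return set(matched(data, prefix)) == set(expected)


def rule_condition(data):
    """Constructed condition combining the three condition kinds:
       uint16(0) == 0x5a4d and filesize < 150KB and (2 of ($d*) or all of ($s*))"""
    is_windows_exe = uint16(data, 0) == 0x5A4D   # "MZ" magic of .exe/.dll/.sys
    size_ok = len(data) < 150 * KB                 # filesize < 150KB
    strings_ok = n_of(data, 2, "$d") or all_of(data, "$s")
    return is_windows_exe and size_ok and strings_ok


def make_file(windows_exe, names, pad_to=4 * KB):
    """Build a constructed file body: MZ or ELF header, chosen strings, padding."""
    body = (b"MZ" if windows_exe else b"\x7fELF") + b"".join(STRINGS[n] for n in names)
    return body + b"\x00" * max(0, pad_to - len(body))


if __name__ == "__main__":
    print(rule_condition(make_file(True, ["$d1", "$d2"])))              # True
    print(rule_condition(make_file(False, ["$d1", "$d2"])))             # False: not an MZ file
    print(rule_condition(make_file(True, ["$d1", "$d2"], 200 * KB)))    # False: too large
```

Reading a condition this way makes the necessary/sufficient distinction concrete: every term joined by "and" is necessary, while the "or" branch means neither string group on its own is necessary, and no single term is sufficient.
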


Built-in Checks - Yara Rules - Exercise

Objective: Practice with Yara rules

Settings > Threat Intelligence > Yara Rules

Activities:
1. Explore the Yara rule: OT_TROJAN_(ELECTRUM)CrashOverride_Portscan-3.yar
2. Answer the following questions:
   a. Is being a Windows executable (0x5a4d) file a necessary condition to trigger the rule?
   b. Is matching 2 string variables starting with '$d' a necessary condition to trigger the rule?
   c. Is matching a filesize below 500KB a sufficient condition to trigger the rule?
   d. If there are no 2 string variables starting with '$d', is matching all of those starting with '$s*' a necessary condition to trigger the rule?

[Screenshot: APT Industroyer related Yara rule]

User Manual Chapter 6 - Security Features


Built-in Checks - STIX Indicators

STIX (Structured Threat Information Expression) indicators are available under Settings > Threat Intelligence

• Language and serialization format used to exchange cyber threat intelligence (CTI)
• Executed on every IP, URL, and domain detected in the network, and connected to the alert types:
  • SIGN:MALICIOUS-IP
  • SIGN:MALICIOUS-URL
  • SIGN:MALICIOUS-DOMAIN
  • SIGN:MALWARE-DETECTED
• Available in two versions: V1 (XML-based) and V2 (JSON-based)


Custom Checks



Custom Checks - Custom checks -Links

Environment > Network View > Links

Checks available per link:
• NET:LINK-RECONNECTION
• NET:TCP-SYN
• NET:INACTIVE-PROTOCOL

• Per link entry configuration
• Default risk is 3, included in the LOW security profile
• An "Active checks" field is available to identify configured links


Custom Checks - Custom checks - Variables

Environment > Process View

Checks available per variable:
• PROC:STALE-VARIABLE
• PROC:INVALID-VARIABLE-QUALITY
• PROC:NOT-ALLOWED-INVALID-VARIABLE

• Per variable entry configuration
• Default risk is 3, included in the LOW security profile
• An "Active checks" field is available to identify configured variables


Custom Checks - Custom checks - Assertions

This function is available under Analysis > Assertions

• An Assertion is a query with a special command appended that converts the query into a logical statement to be satisfied (become TRUE).
• The moment the logical statement is not satisfied, the Assertion fails.
• If configured, a failed Assertion generates an Alert and creates a PCAP file.

[Flowchart: Is the assertion satisfied? YES → the assertion gives a TRUE result. NO → the assertion gives a FALSE result → if configured, generate an alert / pcap]


Custom Checks - Assertions

• The Assertion fails when the logical statement results in a FALSE output.
E.g.: we want to make sure not one session's status using protocol iec104 is closed:
sessions | where protocol == iec104 | where status == CLOSED | assert_empty

This appended command checks if the outcome of the query is indeed empty:
• if empty: the assertion is satisfied, and nothing will happen
• if not empty: the assertion has failed, the failure will be logged and, if configured, an alert/trace is created

• Assertion options:
1. assert_empty - The assertion will be satisfied when the query returns an empty result
2. assert_not_empty - The assertion will be satisfied when the query returns a non-empty result
3. assert_all <field> <op> <value> - The assertion will be satisfied when each element in the query result matches the given condition
4. assert_any <field> <op> <value> - The assertion will be satisfied when at least one element in the query result matches the given condition
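The four assertion commands and the "failed assertion raises an alert" behaviour from this slide, implemented as an added Python example over a constructed sessions result; this is not Nozomi Networks' code. The field names protocol, status and to_port and the alert type-id ASRT:FAILED come from the deck; the rows, the assertion names, the extra constructed assertions and the choice that assert_all is satisfied on an empty result are assumptions of this example (the PCAP created on failure is not modelled).

```python
"""Added example, not Nozomi Networks' code: the four assertion commands on
this slide (assert_empty, assert_not_empty, assert_all, assert_any) and the
'failed assertion -> alert' behaviour, implemented over a constructed sessions
result. The field names protocol, status and to_port and the alert type-id
ASRT:FAILED come from the deck; the rows, the assertion names and the choice
that assert_all is satisfied on an empty result are assumptions."""

SESSIONS = [  # constructed sample source table, not captured data
    {"from": "10.0.0.3", "to": "10.0.0.2", "protocol": "iec104", "status": "ACTIVE", "to_port": 2404},
    {"from": "10.0.0.3", "to": "10.0.0.5", "protocol": "vnc", "status": "ACTIVE", "to_port": 5900},
    {"from": "10.0.0.2", "to": "10.0.0.9", "protocol": "dns", "status": "CLOSED", "to_port": 53},
]

OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a is not None and a > b,
    "<": lambda a, b: a is not None and a < b,
    ">=": lambda a, b: a is not None and a >= b,
    "<=": lambda a, b: a is not None and a <= b,
}


def where(rows, field, op, value):
    """where <field> <op> <value> (the query part in front of the assertion)."""
    return [r for r in rows if OPS[op](r.get(field), value)]


def assert_empty(rows):
    return len(rows) == 0


def assert_not_empty(rows):
    return len(rows) > 0


def assert_all(rows, field, op, value):
    # all() of nothing is True: an empty result satisfies assert_all here (assumption)
    return all(OPS[op](r.get(field), value) for r in rows)


def assert_any(rows, field, op, value):
    return any(OPS[op](r.get(field), value) for r in rows)


def evaluate_assertions(sessions=SESSIONS):
    """Run the constructed assertions and return (results, alerts): every
    failed assertion yields one ASRT:FAILED alert."""
    results = {
        # sessions | where protocol == iec104 | where status == CLOSED | assert_empty
        "no closed iec104 session": assert_empty(
            where(where(sessions, "protocol", "==", "iec104"), "status", "==", "CLOSED")),
        # sessions | where protocol == vnc | where status == ACTIVE | assert_empty
        "no active vnc session": assert_empty(
            where(where(sessions, "protocol", "==", "vnc"), "status", "==", "ACTIVE")),
        # sessions | where status == ACTIVE | assert_not_empty
        "some active session exists": assert_not_empty(where(sessions, "status", "==", "ACTIVE")),
        # sessions | where status == ACTIVE | assert_all to_port > 1023
        "active sessions use high ports": assert_all(
            where(sessions, "status", "==", "ACTIVE"), "to_port", ">", 1023),
        # sessions | assert_any to_port == 2404
        "an iec104 port is in use": assert_any(sessions, "to_port", "==", 2404),
    }
    alerts = [{"type_id": "ASRT:FAILED", "assertion": name}
              for name, satisfied in results.items() if not satisfied]
    return results, alerts


if __name__ == "__main__":
    results, alerts = evaluate_assertions()
    for name, ok in results.items():
        print(f"{'satisfied' if ok else 'FAILED   '}  {name}")
    print(alerts)
```

Note the inversion in how assertions are written: to alert on something unwanted (an active vnc session), the query selects exactly that condition and then asserts that the result is empty, so the alert fires when the unwanted rows appear.
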


Custom Checks - Assertions - Use Cases 1

1. Produce an alert when a Node is down for at least one day, excluding nodes representing
broadcast addresses.

2. Produce an alert when an ACTIVE vnc session is present in the monitored network.



Custom Checks - Assertions - Use Cases 2 - Optional

3. In order to upgrade critical equipment produce an alert when PLC´s are suffering critical vulnerabilities
(assuming critical means a CVE score of 9 or higher, and a likelihood of 0.8 or higher).

4. Produce an alert when the minimum value of at least one variable named ioa-2-2 belonging to
192.168.231.107 is less than 0.2 - (try not to use the ‘assert_empty’ keyword).



Security Control Panel

Settings > Security Control Panel

The panel groups the security configuration into five numbered areas (plus the Manage Learning map):
1. Set global Learning parameters
2. Security profiles managing Alert visibility
3. Configure zone-based controls
4. Set specific Alert rules
5. Custom Reason for closing
Manage Learning Map


Virtual Image - Learning Modes


Virtual Image - Learning and Protecting

• Event (E): Any activity in the monitored network that can be detected by Guardian; this includes for example:
  • A new node, link, protocol, or variable appearing
  • A new variable value appearing
  • A variable changing its update cycle
• Virtual Image (VI): All events in the monitored network
• Baseline (B): Learned or added Events in the monitored network

[Figure: nested sets E, VI and B]

Virtual Image - Learning and Protecting

Guardian is running in two modes to create the baseline and protect the network:

Learning mode: when learning is applied, every new event is included into B.
(Guardian is then switched to Protecting mode.)
Protecting mode: every new event that was not included in B is considered to be an anomaly and added to VI.

[Figure: in Learning, NodeA, NodeB and their S7 link are added to B; in Protecting, a new Node C and a new link appear in VI but not in B]

Event (E): Any activity possible that can be detected, e.g.:
• A new node, link, protocol, or variable appearing
• A new variable value appearing
Virtual Image (VI): All events in the monitored network
Baseline (B): Learned or added Events in the monitored network

1 Learning

Settings > Security Control Panel > [1] Set global Learning parameters


Virtual Image - 1 Detection approach

Adaptive Learning (Default)

Rationale:
• Addressing a dynamic environment where devices are exchanged frequently and using cloud services, e.g., networks with IoT components.

How it works:
• Learning is applied at site (network) level; events are considered to be good or malicious depending on the installed infrastructure.
• New Event alerts are:
  • VI:GLOBAL:NEW-FUNC-CODE
  • VI:GLOBAL:NEW-MAC-VENDOR
  • VI:KB:UNKNOWN-FUNC-CODE
  • VI:KB:UNKNOWN-PROTOCOL

[Screenshot: Anomaly Detection: Adaptive]


Virtual Image - 1 Detection approach

Strict Learning

Rationale:
• Addressing a stable (classic) OT network where users know the network in detail and want to operate the Learning with maximum granularity.

How it works:
• Learning is applied to single nodes, so events are considered to be good or malicious at a node (device) level.
• Any new event is being alerted on, for example:
  • VI:NEW-FUNC-CODE
  • VI:NEW-MAC
  • VI:NEW-LINK
  • …

[Screenshot: Anomaly Detection: Strict]


Virtual Image + Asset Intelligence - 1 Detection approach - Use cases

Case                                                                                              | Adaptive + Asset Intelligence in Protecting mode | Strict in Protecting mode
Case 1: After an update, the existing PLCs (PLC 1, PLC 2, PLC 3 of Vendor A, Modbus) support the new protocol DNP3 | NO ALERT | VI:NEW-COMMUNICATION
Case 2: An additional PLC of the existing make (PLC 4, Vendor A, Modbus) is introduced              | NO ALERT | VI:NEW-NODE, VI:NEW-COMMUNICATION
Case 3: An additional PLC of the new Vendor X (Modbus) is introduced                                | VI:GLOBAL:NEW-MAC-VENDOR | VI:NEW-NODE, VI:NEW-COMMUNICATION


Virtual Image - 1 Phase switching

Two Phase (Default)

Rationale:
• For static/simple OT environments with knowledgeable onsite OT personnel covering the OT life-cycle, operating the Learning with maximum granularity.

How it works:
• Learning: a global learning is applied to all events in the environment.
• Protecting: after the Learning is evaluated to be finished, the Protecting phase is set manually to start; all Events not covered by the baseline are now alerted on.
• Learning and Protecting are two completely separated states.

[Screenshot: Two phase switching]


Virtual Image - 1 Phase switching

Dynamic

Rationale:
• Make the management easier
• Decrease false positives

How it works:
• The Learning window is defined upfront (Default 1m, i.e. one month).
• Learning: the dedicated learning periods are applied per node.
• Protecting: applied automatically according to the chosen learning window.
• Learning and Protecting happen together during multiple states.

[Screenshot: Dynamic switching]


Virtual Image - 1 Phase switching - Dynamic

Example: Learning window set to 1 month (default)

Timeline:
• Day 0: the Learning starts, any event is included into B.
• Day 25: a new node is added. During the following 1-month interval, events related to the new node are included into B.
• After the 1-month learning window, new events are considered to be an anomaly.
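The two phase switching modes from the last three slides, simulated as an added Python example with the deck's symbols B (baseline) and VI (virtual image); this is not Nozomi Networks' code and only models the slides' description. Two phase keeps one global Learning state that is switched to Protecting manually; Dynamic gives each node its own learning window starting on the day the node is first seen, with the 1-month default modelled as 30 days. The event stream, the node names, the "kind" labels and the day-count modelling of the window are assumptions of the example.

```python
"""Added example, not Nozomi Networks' code: a simulation of the two phase
switching modes on these slides, using the deck's symbols B (baseline: learned
events) and VI (virtual image: all events seen). Two phase: one global
Learning state, switched to Protecting manually on a given day. Dynamic: a
per-node learning window that starts when the node first appears (the deck's
1-month default is modelled as 30 days). The event stream, the node names and
the modelling of 'window' as a day count are assumptions of this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    day: int      # day on which Guardian detects the event
    node: str     # node the event relates to
    kind: str     # what was seen, e.g. "link:S7:NodeA->NodeB" (constructed)


# Constructed timeline following the slide: learning starts on day 0,
# a new node appears on day 25, more events follow after the window.
EVENTS = [
    Event(0, "NodeA", "node"),
    Event(0, "NodeB", "node"),
    Event(1, "NodeA", "link:S7:NodeA->NodeB"),
    Event(25, "NodeC", "node"),                 # new node added on day 25
    Event(40, "NodeC", "link:S7:NodeC->NodeA"),
    Event(45, "NodeA", "protocol:dnp3"),        # new event for an old node
    Event(60, "NodeC", "protocol:vnc"),         # NodeC event after its window
]


def two_phase(events, protect_from_day):
    """Two phase switching: before protect_from_day every event goes into B;
    from that day on, any event not in B is an anomaly (alerted, kept in VI)."""
    B, VI, anomalies = set(), set(), []
    for e in sorted(events, key=lambda e: e.day):
        key = (e.node, e.kind)
        VI.add(key)
        if e.day < protect_from_day:
            B.add(key)
        elif key not in B:
            anomalies.append(e)
    return B, VI, anomalies


def dynamic(events, window_days=30):
    """Dynamic switching: each node gets its own learning window starting on
    the day it is first seen; events inside the window go into B, later events
    not already in B are anomalies."""
    B, VI, anomalies, first_seen = set(), set(), [], {}
    for e in sorted(events, key=lambda e: e.day):
        key = (e.node, e.kind)
        VI.add(key)
        window_start = first_seen.setdefault(e.node, e.day)
        if e.day < window_start + window_days:
            B.add(key)
        elif key not in B:
            anomalies.append(e)
    return B, VI, anomalies


def anomaly_days(result):
    """Days on which a mode raised an anomaly, for comparing the two modes."""
    return [e.day for e in result[2]]


if __name__ == "__main__":
    print("two phase (protect from day 30):", anomaly_days(two_phase(EVENTS, 30)))  # [40, 45, 60]
    print("dynamic (30-day window):        ", anomaly_days(dynamic(EVENTS, 30)))    # [45, 60]
```

The difference shows on day 40: with Two phase the node added on day 25 has no learning time left once Protecting starts on day 30, so its first link is an anomaly, whereas Dynamic keeps learning that node until day 55 and only alerts on its day-60 event.
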


Virtual Image - 1 Manage Learning - Adding Items

False positives - Events detected as anomalies can manually be added into B (three ways):
• Option 1: From the Environment table
• Option 2: From the Manage Network Learning
• Option 3: Closing the related alert


Virtual Image - 1 Manage Learning - Removing Items

True positives - Events added to B considered as anomalies can be deleted from the VI by:
• Option 1: From the Environment table
• Option 2: From the Manage Network Learning


Threat & Asset Intelligence added value (Asset Intelligence + Built-in Checks + Virtual Image)

Behavioural Anomaly Detection compared per engine:

Case | Threat Intelligence | Strict | Adaptive Learning with Asset Intelligence
Known malwares and other signature-related events transmitted | Alert | Possible Alert | Possible Alert
New Node of an existing Vendor (while in Protecting) | n/a | Alert | No Alert
New event deviating from a known device profile* (while in Protecting) | n/a | Alert | Alert (confirmed, higher precision)
New event compliant to a known device profile* (while in Protecting) | n/a | Alert (false positive) | No Alert (higher precision)

• *Device profile: Type, Manufacturer, Behaviour, Configuration (installed software), Protocols in use
• For each case, the cell related to the most important engine is highlighted in green on the slide


1 Manage Learning

Objective: Manage Learning on single and bulk events

Activities:
From tables
Go to the Nodes table:
• Select a set of Nodes (free to choose)
• Delete the selected nodes using Bulk Learning
Go to the Links table:
• Select a set of links (free to choose)
• Delete the selected links using Bulk Learning

From graph (equivalent)
Settings > Security Control Panel > Manage Network Learning:
• Delete a node
• Delete a link

Figures: Manage Learning from tables; Manage Learning from Graph
User Manual: Chapter 6 - Security Profile - Manage Network Learning


1 Manage Learning

Objective: Practice with Learning settings

Activities:
• Settings > Security Control Panel > [1] Learning
• In Phase switching choose Two phase and select Protecting
• On the Overview tab verify that the Current mode is Two-Phase - Protecting
• Inject new traffic (either by the teacher or by running the local base_training_verX.pcap, not using PCAP timestamps)
• See the changes in the environment.

Figure: Manage Learning Overview
User Manual: Chapter 6 - Security Profile - Learned Behavior


1 Manage Learning

Objective: Practice with Learning settings

Activities: add the just deleted nodes and links back to the baseline:
• Nodes table: enable the Is Learned field, filter the nodes where this field is set to false and use Bulk learning to add these to the baseline.
• Links: follow the above steps for the non-learned links accordingly.

Figures: Search all the nodes and links with Is learned = false; Learn in bulk the unlearned nodes and links in one click
User Manual: Chapter 6 - Security Profile - Learned Behavior


1 Manage Learning

Objective: Practice with Data Reset

Activities: let's clean up the Guardian from the test we did, following these steps:
• Delete all the data generated by this exercise under System > Data > All; uncheck:
  • Time machine
  • Queries
  • Assertions
• Press Reset
• Guardian will clean up alerts, nodes, links and process view, and switch back to Learning mode.

Figure: Data Reset menu
User Manual: Chapter 6 - Security Profile - Learned Behavior


2 Security Profiles
Settings > Security Control Panel

Figure callouts: set global Security Profiles managing Alert visibility; set global Learning parameters


2 Security Profiles
• Alert types are clustered into profiles managing their visibility within the Alerts menu; all alerts are still created, regardless of the profile.
• The following Security Profiles are available (from the most important Alerts only up to all Alerts):
  • Low (including custom checks and security related alerts)
  • Medium
  • High (default setting)
  • Paranoid (including all alerts)
• Incidents: all Alerts composing an Incident are shown within its details for completeness reasons, independently of the single Alert's visibility.
• Profile changes are not retroactive.
• The CMC synchronisation includes all Alerts, but can be limited to the ones following the chosen Security Profile.
• To query the hidden alerts, use: alerts | where sec_profile_visible == false


3 Zone Configurations
Settings > Security Control Panel

Figure callouts: set global Security Profiles managing Alert visibility; set global Learning parameters; configure zone-based controls


3 Zone Configurations

Figure: Zone specific settings
4 Alert Tuning
Settings > Security Control Panel

Figure callouts: set global Security Profiles managing Alert visibility; set global Learning parameters; configure zone-based controls; set specific Alert rules


4 Alert Tuning - Configure options
• Option 1 (configure from scratch): Settings > Security Control Panel
• Option 2 (configure from Alerts panel): Alerts > Configure Alert function

Rule editor sections: Logics (AND-related), Notes, Actions

• Muting actions take precedence over other configured actions.
• Settings are not retroactive.
• Alert rules can be Imported and Exported.


4 Alert Tuning - Exercise

Objective: Changing Alerts risk level

Activities:
1. Tune Alerts in Settings > Security Control Panel > Alert Tuning > Add:
   (a) Change the Risk for a specific alert type:
   • Type ID: VI:NEW-FUNC-CODE
   • Execute action: Change risk to 10 (default is 6)
   (b) Change the Risk for a specific alert type and a specific source IP and protocol:
   • Source IP: 172.16.0.1
   • Type ID: SIGN:MALWARE-DETECTED
   • Protocol: http
   • Execute action: Change risk to 6 (default is 9)

2. Under System > Upload traces:
   • Make sure to uncheck Use trace timestamps
   • Play 1_DarkSide_ransomware.pcap
   • Verify on the Alerts panel that the risk level of the SIGN:MALWARE-DETECTED alert is set to 6 instead of 9

Figure: Alert configuration menu
User Manual: Chapter 6 - Security Profile
Nozomi Networks Blogpost - Revealing Darkside:
https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/
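The AND-related logic, the mute precedence and the non-retroactive behaviour of Alert Tuning, as an added model that is not Nozomi code, using the two rules and the default risks from the exercise above. The mute rule, the source 10.0.0.9 and the arrival order of the alerts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Nozomi code. A rule matches only when ALL of its set
# conditions match (AND logic); a Mute action takes precedence over any other
# action; rules are not retroactive, so they only apply to alerts raised after
# the rule was created. Default risks are the ones quoted on the slide.
DEFAULT_RISK = {"VI:NEW-FUNC-CODE": 6, "SIGN:MALWARE-DETECTED": 9}


@dataclass
class Alert:
    type_id: str
    src_ip: str
    protocol: str
    seq: int                      # arrival order, used for the non-retroactive rule
    risk: Optional[int] = None
    muted: bool = False

    def __post_init__(self):
        if self.risk is None:
            self.risk = DEFAULT_RISK.get(self.type_id, 5)   # 5: constructed fallback


@dataclass
class TuningRule:
    created_seq: int              # the rule exists from this sequence number on
    type_id: Optional[str] = None
    src_ip: Optional[str] = None
    protocol: Optional[str] = None
    action: str = "change_risk"   # "change_risk" or "mute"
    risk: Optional[int] = None

    def matches(self, alert: Alert) -> bool:
        """AND-related logic: every condition that is set must hold."""
        conditions = [(self.type_id, alert.type_id),
                      (self.src_ip, alert.src_ip),
                      (self.protocol, alert.protocol)]
        return all(want is None or want.lower() == got.lower() for want, got in conditions)


def apply_tuning(alert: Alert, rules: list) -> Alert:
    applicable = [r for r in rules if r.created_seq <= alert.seq and r.matches(alert)]
    if any(r.action == "mute" for r in applicable):
        alert.muted = True            # muting wins over every other action
        return alert
    for r in applicable:
        if r.action == "change_risk" and r.risk is not None:
            alert.risk = r.risk
    return alert


def exercise():
    """The two exercise rules plus a constructed mute rule, run over constructed alerts."""
    rules = [
        TuningRule(created_seq=1, type_id="VI:NEW-FUNC-CODE", risk=10),
        TuningRule(created_seq=1, type_id="SIGN:MALWARE-DETECTED",
                   src_ip="172.16.0.1", protocol="http", risk=6),
        TuningRule(created_seq=3, type_id="VI:NEW-FUNC-CODE", src_ip="10.0.0.9", action="mute"),
    ]
    alerts = [
        Alert("SIGN:MALWARE-DETECTED", "172.16.0.1", "http", seq=0),  # raised before the rules
        Alert("SIGN:MALWARE-DETECTED", "172.16.0.1", "http", seq=2),  # all three conditions match
        Alert("SIGN:MALWARE-DETECTED", "172.16.0.2", "http", seq=2),  # wrong source: no match
        Alert("VI:NEW-FUNC-CODE", "10.0.0.9", "modbus", seq=2),       # before the mute rule: risk 10
        Alert("VI:NEW-FUNC-CODE", "10.0.0.9", "modbus", seq=4),       # mute wins over change risk
    ]
    return [apply_tuning(a, rules) for a in alerts]
```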


5 Alert Closing Options
Settings > Security Control Panel

Figure callouts: set global Security Profiles managing Alert visibility; set global Learning parameters; configure zone-based controls; set specific Alert rules; Custom Reason for closing


5 Alert Closing Options
These options allow the customization of closure details for alerts and incidents.

Custom Reasons for closing can be configured, e.g.:
• Confirmed Cyber Incident - Treat as incident
• Legitimate Change - Learn
• Configuration Error - Treat as incident
• False Positive - Learn
• Legitimate intervention - Learn


Alert Operations



Alert Panel - Standard view

Figure callouts 1-5:
1. Export: export the alerts in csv or xls
2. Group by incident: group or ungroup Alerts by Incident
3. Filter: hide/unhide Ack'ed or Closed Alerts
4. Live: manual or automatic refresh
5. Standard/Expert: switch between Standard and Expert view
Alert Operations - Standard view

Figure callouts: action for a single alert; few Filtering options; Alert details


Alert Operations - Expert view

Figure callouts: group alerts by different parameters; select columns to be displayed; Expert view; extended Filtering options


Alert Operations - Details

Figure callouts:
• Details (static)
• Description (dynamic)
• Risk is weighted based on several logics
• Audit alert operation
• MITRE ATT&CK
• Alerted Link


Alert Operations - Incident Details

• All Alerts within the Incident are listed
• Risk is weighted based on the highest Alert


Alert Operations

Objective: Manage Alerts and Learning settings

Activities:
1. Set the scene:
   • Enable Protecting by Two-Phase switching
   • Verify that Security Profile is set to High
   • Go to Upload traces menu
   • Uncheck Use trace timestamps
   • Play 2_Reprogram_modbus_plc.pcap

2. Analyse the alert(s):
   • How many alerts are being created?
   • What's the reason for the alerts?
   • Did the Tuning on the New-Func-Code work?
   • Which FC was asked for, and which FC is the producer supporting?

3. In Settings > Security Control Panel > Manage Network Learning:
   • Learn and Save the new link

Figures: Enable Protecting mode; Learning the modbus link
User Manual: Chapter 6 - Security Profile - Manage Network Learning


Alert Operations

Objective: Manage Alerts & Learning settings

Activities:
1. Set the scene:
   • Verify that Learning is set to Protecting mode
   • Verify that Security Profile is set to High
   • Go to Upload traces menu
   • Uncheck Use trace timestamps
   • Play 3_S7_start_stop_and_upload.pcapng

2. Analyse the alert(s):
   • What is the reason for the alerts being created; who initiated the connection?
   • How many new links are created, using how many FCs?
   • Under which Incident is the OT_DEVICE-STOP Alert subsumed?
   • What is the default Risk of the Alert OT_DEVICE-STOP, and why is it different here?

3. Use Settings > Security Control Panel > Manage Network Learning to:
   • Learn and Save all new links and nodes

Figures: Manage Network Learning graph; SIGN:OT_DEVICE-STOP default risk value
User Manual: Chapter 6 - Security Profiles


Alert Operations

Objective: Operate specific Alerts

Activities:
1. Set the scene:
   • Verify that Learning is set to Protecting mode
   • Verify that Security Profile is set to High
   • Go to Upload traces menu
   • Uncheck Use trace timestamps
   • Play 4_Unity_Upload_Two_Different_Projects.pcap

2. Check for new Alerts

3. Open the Alert's details:
   • Disable 'Group by Incident'
   • Filter the Alert type: "Program change" (Standard mode) or "SIGN:PROGRAM-CHANGE" (Expert mode)
   • From the available options ("3 dots"), choose Show Programs Differences
   • Check the code!

Figure: Show program differences on PLC code
User Manual: Chapter 6 - Security Profiles - Alerts


Alert Operations - Review

Objective: Manage Alerts and Learning settings

Activities: review the outcome of the Learning Operations:
1. Play again a trace previously played:
   • Go to Upload traces menu
   • Uncheck Use trace timestamps
   • Play 2_Reprogram_modbus_plc.pcap

2. Play again a trace previously played:
   • Go to Upload traces menu
   • Uncheck Use trace timestamps
   • Play 3_S7_start_stop_and_upload.pcapng

3. Analysis:
   • How many alerts are showing up?
   • Which type of Alerts are displayed?
   • Is the Risk of the OT_DEVICE-STOP alert now different than before, and why is that the case?

Figure: Run previous traces
User Manual: Chapter 6 - Security Profile - Alerts


MITRE ATT&CK® Framework


MITRE ATT&CK® Framework

Knowledge base of adversary tactics and techniques
• Based on real-world observations
• Easy to share information between organizations using the framework

Threat models and methodologies
• Classify events with a malicious intent
• Easily usable to enrich Threat Intelligence signatures

Accurate ontology
• All the techniques are precisely mapped with a specific ID

Reference: https://attack.mitre.org/matrices/enterprise


ATT&CK® Framework in Action



Time Machine
Time Machine
• Time Machine is an analysis tool that records, reviews and compares snapshots of the monitored network, supporting e.g. forensic analyses.
• Typical use case: "Is my network back to its original state after a maintenance intervention?"
• The menu is available under Analysis > Time Machine


Time Machine - Settings
Default settings of Time Machine:
• A Snapshot is taken every hour; the interval can be changed via CLI (for more details refer to the User Guide, searching for "tm snap")
• Snapshot Space retention level is set to 500Mb
• Snapshot Retention level is set to 50 items
To change the default settings, see Settings > Feature Control Panel, Retention tab:
• The default number of snapshots retained is up to 50 items; it can in fact be less, because space retention takes precedence


Time Machine - Overview
The Time Machine menu is available under Analysis.

Figure callouts:
1. Loading a Snapshot
2. Choose a snapshot or LIVE
3. Create a Diff

Diff: compare 2 snapshots, or a Snapshot and the LIVE situation
• Added, Removed and Changed nodes, links and variables are visible

Back to live: allows exiting the snapshot and going back to the live view
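The Diff described above, as an added example that is not part of the Nozomi material: two constructed Environment snapshots (nodes, links, variables with attributes) are compared and the Added, Removed and Changed entries per category are returned, which also answers the slide's maintenance question. Snapshot layout and attribute names are assumptions for the example.

```python
# Added example, not Nozomi code: a minimal Time Machine style diff. A
# snapshot is modelled as nodes keyed by id, links keyed by
# (from, to, protocol) and variables keyed by (node, name), each with a dict
# of attributes. Keys and attribute names are constructed for the example.


def diff_category(before: dict, after: dict) -> dict:
    """Compare one keyed category (nodes, links or variables)."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = {}
    for key in before.keys() & after.keys():
        if before[key] != after[key]:
            # report only the attributes whose value differs, as (old, new)
            changed[key] = {
                attr: (before[key].get(attr), after[key].get(attr))
                for attr in before[key].keys() | after[key].keys()
                if before[key].get(attr) != after[key].get(attr)
            }
    return {"added": added, "removed": removed, "changed": changed}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Diff two snapshots (or a snapshot against LIVE) category by category."""
    return {cat: diff_category(before.get(cat, {}), after.get(cat, {}))
            for cat in ("nodes", "links", "variables")}


def is_back_to_original(before: dict, after: dict) -> bool:
    """The slide's use case: is the network back to its pre-maintenance state?"""
    d = diff_snapshots(before, after)
    return all(not c["added"] and not c["removed"] and not c["changed"] for c in d.values())


# Constructed snapshots: before a maintenance intervention, and the LIVE state after it.
SNAPSHOT_BEFORE = {
    "nodes": {"192.168.1.10": {"type": "PLC", "vendor": "Siemens", "firmware": "4.2"},
              "192.168.1.20": {"type": "HMI", "vendor": "Siemens"}},
    "links": {("192.168.1.20", "192.168.1.10", "s7comm"): {"function_codes": ["read", "write"]}},
    "variables": {("192.168.1.10", "DB1.DBW0"): {"last_value": 100}},
}
SNAPSHOT_LIVE = {
    "nodes": {"192.168.1.10": {"type": "PLC", "vendor": "Siemens", "firmware": "4.5"},
              "192.168.1.20": {"type": "HMI", "vendor": "Siemens"},
              "192.168.1.99": {"type": "engineering_station"}},
    "links": {("192.168.1.20", "192.168.1.10", "s7comm"): {"function_codes": ["read", "write"]},
              ("192.168.1.99", "192.168.1.10", "s7comm"): {"function_codes": ["upload", "stop"]}},
    "variables": {("192.168.1.10", "DB1.DBW0"): {"last_value": 100}},
}
```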


Time Machine - Activity

Objective: Learn Time Machine features

Analysis > Time Machine

Activities:
1. Go back in time by clicking the Load Snapshot icon of an entry in the past:
   • Revert back to the LIVE environment by clicking the arrow icon to the right of the timestamp entry in the top bar.

2. Create a Diff: investigate the difference between two snapshots by clicking on + (or press LIVE to compare to the current situation), then press Diff.

Figures: Load snapshot / create Diff; Diff: display changes
User Manual: Chapter 5 - User Interface Reference - Time Machine


Integrations
Integrations

• User information
• Firewall configuration
• Data exchange

User Integration


User Integration with Active Directory / LDAP
• Guardian supports importing a set of groups available in an Active Directory or other LDAP server; the configuration is done in Settings > Users > Active Directory or LDAP tab.
• Privileges on Guardian for each imported AD group are set from the Guardian's Users > Groups menu.
• Seamless integration (no need to edit/change any configuration on Active Directory/LDAP).
• Local users created directly on Guardian coexist with the Active Directory/LDAP users.

Figure: AD configuration

User Integration with SAML
• Multi-layer supported: a Guardian does not need a direct connection to the SAML server as long as it is connected to a CMC that does have it.

Figure callouts: Guardian's own address; schema to match roles; XML containing the Single Sign On configuration

Firewall Integration


Firewall Integration

1. Monitor
A threat is detected by Guardian and an alert is generated.

2. Detect
User-defined policies are rapidly examined, and the appropriate corresponding action is triggered.

3. Protect
The Firewall responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) and mitigates the issue.


Firewall Integration - Configuration
Settings > Firewall Integration


Firewall Integration - Use cases
1. Nodes blocking
• Guardian detects a New Node that does not belong to its baseline
• Guardian raises an alert
• Guardian sends a filter rule to the Firewall in order to block all activities initiated by this New Node

2. Links blocking
• Guardian detects a New Connection that does not belong to its baseline
• Guardian raises an alert
• Guardian sends a filter rule to the Firewall in order to block this connection

3. Session kill
• Guardian detects a New Function-Code, not learned before, within a session
• Guardian raises an alert
• Guardian sends a command to the Firewall in order to kill only this specific session; no rule is added.
See the illustration below:
192.168.10.1:34563 -> 192.168.20.16:502  Modbus FC=3
192.168.10.1:22763 -> 192.168.20.16:502  Modbus FC=3
192.168.10.1:43763 -> 192.168.20.16:502  Modbus FC=6  (the Firewall kills only this session)
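The three use cases above as one decision function, an added example that is not Nozomi code: a learned baseline of nodes, links and function codes per link is checked against an observed session and the resulting firewall action (node-blocking rule, link-blocking rule, or kill of only the offending 5-tuple) is returned. The rule strings, the Baseline class and the extra addresses 192.168.20.17 and 192.168.10.77 are constructed for the example; the FC=3/FC=6 sessions are the ones on the slide.

```python
from dataclasses import dataclass

# Added example, not Nozomi code: the Firewall Integration use cases as a
# decision function. A new node gets a persistent node-blocking rule, a new
# connection gets a persistent link-blocking rule, and a new function code on
# a learned link kills only that session (no rule is added).


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    function_code: int


class Baseline:
    def __init__(self):
        self.nodes = set()
        self.links = {}   # (src_ip, dst_ip, protocol) -> set of learned function codes

    def learn(self, s: Session):
        self.nodes.update({s.src_ip, s.dst_ip})
        self.links.setdefault((s.src_ip, s.dst_ip, s.protocol), set()).add(s.function_code)


def firewall_action(baseline: Baseline, s: Session) -> dict:
    """Return the requested action and, for a session kill, the exact tuple to terminate."""
    if s.src_ip not in baseline.nodes:
        return {"action": "block_node", "rule": f"deny any from {s.src_ip}", "persistent": True}
    link = (s.src_ip, s.dst_ip, s.protocol)
    if link not in baseline.links:
        return {"action": "block_link",
                "rule": f"deny {s.protocol} from {s.src_ip} to {s.dst_ip}:{s.dst_port}",
                "persistent": True}
    if s.function_code not in baseline.links[link]:
        # Only this session is killed; other sessions on the same link keep running
        return {"action": "kill_session",
                "session": (s.src_ip, s.src_port, s.dst_ip, s.dst_port),
                "persistent": False}
    return {"action": "none", "persistent": False}


def slide_illustration():
    """Replays the slide: two learned Modbus FC=3 sessions, then one with FC=6."""
    b = Baseline()
    learned = [Session("192.168.10.1", 34563, "192.168.20.16", 502, "modbus", 3),
               Session("192.168.10.1", 22763, "192.168.20.16", 502, "modbus", 3)]
    for s in learned:
        b.learn(s)
    new_fc = Session("192.168.10.1", 43763, "192.168.20.16", 502, "modbus", 6)
    new_link = Session("192.168.10.1", 50001, "192.168.20.17", 502, "modbus", 3)   # constructed
    new_node = Session("192.168.10.77", 50002, "192.168.20.16", 502, "modbus", 3)  # constructed
    return {
        "learned_still_ok": firewall_action(b, learned[0]),
        "new_function_code": firewall_action(b, new_fc),
        "new_link": firewall_action(b, new_link),
        "new_node": firewall_action(b, new_node),
    }
```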
Firewall Integration - Vendor support
Firewall Integration allows Guardian to automatically connect to a firewall and control its actions
• Guardian supports various firewall vendors
• The interaction capabilities vary depending on the firewall Vendor & Type/Firmware (OK = supported, N/A = not available):

Fortinet Fortigate v6: nodes blocking OK; links blocking OK; session kill OK; logging (on Firewall filter rule) OK
Check Point Gateway: nodes blocking OK; links blocking OK; session kill N/A; logging OK
PaloAlto v8.0+: nodes blocking OK; links blocking OK; session kill N/A; logging N/A
PaloAlto v9.0+: nodes blocking OK; links blocking OK; session kill OK; logging N/A
PaloAlto v10.0+: nodes blocking OK; links blocking OK; session kill OK; logging N/A
Stormshield: nodes blocking OK; links blocking OK; session kill N/A; logging N/A
TXOne OT Defence Console: nodes blocking OK; links blocking OK; session kill N/A; logging N/A
Cisco ASA: nodes blocking OK; links blocking OK; session kill OK; logging N/A
Cisco FTD: nodes blocking N/A; links blocking N/A; session kill OK; logging N/A
Cisco ISE: nodes blocking OK; links blocking N/A; session kill N/A; logging N/A

Data Integration

SIEM Integration
1. A SIEM collects standard logs and security events from different systems. This requires the deployment of parsers and correlation rules to give the data meaning.
2. Guardian deeply understands ICS protocols, variables and function codes. It generates security events that are relevant and specific to the OT environment.
3. Guardian can send native logs to SIEMs, extending their scope and enriching the data collected.


Data Integration - Supported vendors
• Providing data to, or retrieving data from, external devices can be configured using different kinds of protocols and endpoints. The menu is available under Settings > Data Integration

PUSH:
• FireEye CloudCollector → Alerts, Health Logs, DNS Logs, HTTP Logs, File transfer Logs, Connection Logs
• IBM QRadar (LEEF) → Alerts, Health Logs, Asset information
• ServiceNow → Alerts (bidirectional), Asset information
• Tanium → Asset data
• Splunk - Common Information Model (JSON) → Alerts, Health Logs, Audit Logs
• Kafka → Custom queries
• Cisco ISE → Asset Data

PULL:
• Microsoft Endpoint Configuration Manager → Asset Data

Data Integration - Generic
• Generic integration

PUSH:
• Common Event Format (CEF) → Alerts, Health Logs, Audit Logs
• SMTP forwarding → Alerts, Health Logs, Reports
• SNMP Trap → Alerts
• Syslog Forwarder → forwards to a server the syslog traffic captured from the monitored network
• Custom JSON → Alerts
• Custom CSV → Custom queries
• External Storage → uploads traces to an external machine

PULL:
• DNS Reverse Lookups → retrieves node names
• As an SNMP daemon → Health Logs (the SNMP manager needs to query the daemon)

Custom Fields and Nodes Information


Input formats - separate from SmartPolling

Guardian allows adding nodes from scratch or enriching fields of existing ones using:
• CSV files (via Web UI or OpenAPI)
• JSON files (via OpenAPI)
• Importing brand-specific project files (via Web UI):
  • Rockwell Harmony (.conf)
  • Yokogawa CENTUM VP (.gz, .zip)
  • Siemens Configuration (.cfg, .aml)
  • IEC 61850 SCL/SCD (.scd)
  • Triconex (.pt2)
  • Allen-Bradley (.l5x)
  • Honeywell TDS (.txt, .zip)
  • Profinet IOCM (.xml)

Create Nodes' custom fields

Objective: Add custom fields to your assets/nodes tables

Settings > Data model

Activities:
1. Create new custom fields "owner" (string), "location" (string) and "maintenance" (string-list).
2. Open the nodes table and observe the newly created fields. The field's content can be entered manually or by importing a csv file.
3. Use the configure button of node 192.168.1.1 to enter information (free to choose) manually.

Figures: Create new custom fields; Manually enter information into the new fields
User Manual: Chapter 5 - User Interface Reference - System


Import Nodes' custom information with CSV
• Imported data is associated to Nodes
• Only specific fields can be written
• Priority of the information sources: User input > Smart Polling > Passive module

Objective: Import information via csv file

System > Import

Activities:
1. Upload the custom_info.csv file provided in the folder Import_custom_Info.
2. Configure the matching criterion using ip as reference field and check Create non-existent nodes.
3. Map one by one the fields included in the csv file to known, internal fields.
4. Import! And check the updated information in the assets/nodes' tables.

Figure: Import nodes data (steps 1-3)
User Manual: Chapter 5 - User Interface Reference - System
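The import procedure above modelled end to end, as an added example that is not Nozomi code: rows are matched on the ip reference field, csv columns are mapped to internal fields, non-existent nodes are created when requested, and a value only overwrites an existing one when its source has at least the priority of the current one (User input > Smart Polling > Passive module). The csv content, the column names and the node store layout are constructed for the example.

```python
import csv
import io

# Added example, not Nozomi code. Source priority from the slide:
# User input > Smart Polling > Passive module.
PRIORITY = {"passive": 1, "smart_polling": 2, "user_input": 3}

# Constructed stand-in for custom_info.csv, with column names that still need mapping
CUSTOM_INFO_CSV = """ip,device_owner,site,vendor_name
192.168.1.1,Maintenance team,Plant A,Siemens
192.168.1.50,Control room,Plant A,Rockwell
"""


def set_field(node: dict, field: str, value, source: str) -> bool:
    """Write a field honouring source priority; return False if a higher-priority value stays."""
    current = node.get(field)
    if current and PRIORITY[current["source"]] > PRIORITY[source]:
        return False
    node[field] = {"value": value, "source": source}
    return True


def import_nodes_csv(csv_text: str, nodes: dict, field_map: dict,
                     reference_field: str = "ip", create_missing: bool = True) -> dict:
    """nodes: ip -> {internal_field: {"value", "source"}}. A csv import counts as user input."""
    summary = {"created": [], "updated": [], "skipped": [], "kept": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[reference_field]                  # step 2: matching criterion
        if key not in nodes:
            if not create_missing:                  # "Create non-existent nodes" unchecked
                summary["skipped"].append(key)
                continue
            nodes[key] = {}
            summary["created"].append(key)
        else:
            summary["updated"].append(key)
        for csv_col, internal_field in field_map.items():   # step 3: field mapping
            if csv_col == reference_field:
                continue
            if not set_field(nodes[key], internal_field, row[csv_col], "user_input"):
                summary["kept"].append((key, internal_field))
    return summary


def run_exercise():
    # 192.168.1.1 already exists with a passively learned vendor string
    nodes = {"192.168.1.1": {"vendor": {"value": "Siemens AG", "source": "passive"}}}
    field_map = {"ip": "ip", "device_owner": "owner", "site": "location", "vendor_name": "vendor"}
    summary = import_nodes_csv(CUSTOM_INFO_CSV, nodes, field_map)
    # Later, Smart Polling reports a vendor: it must not overwrite the user input
    polled_written = set_field(nodes["192.168.1.1"], "vendor", "SIEMENS", "smart_polling")
    return nodes, summary, polled_written
```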


OpenAPI - Scope
• API stands for "Application Programming Interface": an API is a set of commands and functions that programmers can use to create software or interact with an external system.

• Guardian and CMC include an API that allows to:
  • Perform queries
  • Import CSV endpoints*
  • Import JSON endpoints*
  • Configure the monitored networks data through the CLI*
  • Manage Alerts: filter, Ack/Unack, close
  • Request Trace files*
  • Manage users: create

• Open API is used by third party applications to pull data from Guardian automatically:
  • Service Graph Connector for Nozomi Networks, available on the ServiceNow Store
  • Nozomi Networks Sensor Add-on, available on Splunk App

* Only available on Guardian and not on the CMC


OpenAPI - Examples
• To connect and test the API, use a standard browser with a JSON parser add-on.
• The OpenAPI reference is available in the User SDK Manual.

• Guardian and CMC OpenAPI use the following URL syntax:
  • Perform a query, placing it after '=':
    https://Guardian_IP/api/open/query/do?query=
    e.g.: https://Guardian_IP/api/open/query/do?query=nodes | where id == 172.16.0.1
  • Import nodes via .csv or JSON file (limited fields available)*:
    a. https://Guardian_IP/api/open/nodes/import
    b. https://Guardian_IP/api/open/nodes/import_from_json
  • Configure the data (same as Web UI or CLI)*:
    https://Guardian_IP/api/open/cli
  • Manage Alerts, e.g. Acknowledge:
    https://Guardian_IP/api/open/alerts/ack
  • Request trace files, filtered by query*:
    https://Guardian_IP/api/open/traces/all?operation=download&query=
  • Manage Users:
    https://Guardian_IP/api/open/users
* Only available on Guardian and not on the CMC
Remote Collector
Remote Collector (RC) - Scope and security

• Remote Collectors act as "remote interfaces", broadening Guardian's capture capabilities and thus allowing installations from simple to highly distributed scenarios
• Small form factor
• Low resource usage
• Cost-effective
• No Web UI: initial configuration through shell; further configuration and the monitored data are visible on the Guardian's Web UI
• N2OS software upgrades managed by Guardian
• Communication via TLS encrypted tunnels:
  • from RC (client)
  • to Guardian (server)


Remote Collector - Guardian network flow
Remote Collector → Guardian

TCP port 443 (TLS)
• Sending RC status data to Guardian
• From RC to the Guardian management IP

TCP port 6000 (TLS)
• Forwarding mirrored traffic for analysis
• From RC to the Guardian management IP

TCP port 22 (SSH)
• ONLY needed for configuration purposes
• From workstation (or Guardian) to the RC management IP

Figure callout: Mirror traffic (entering the RC)


Remote Collector - Deployment
The Remote Collector communicates to the management IP address of the Guardian using ports tcp 6000 and 443 (TLS).

On the Guardian:
• Enable the management interface to accept the connection on port 6000 (running n2os-enable-rc).
• Connection to port 443 is already allowed.
• Copy the Sync token (Settings > Synchronization settings).

On the Remote Collector:
• Connect to the Remote Collector's CLI via console or ssh.
• Use enable-me to get root privileges.
• Run setup to configure the management IP of the RC.
• Run n2os-tui to configure the connection between RC and Guardian (enter the IP address and the previously copied Sync token of the Guardian).


Remote Collector - Finalizing Installation

• RCs are managed under the Web UI Appliances menu, listing all connected RCs including their status and configuration settings (figure: RC's list).
• Choose one RC to open and verify its details on the right:
1. RC Info & Traffic sync: general info and forwarded traffic statistics. Pressing the Arrows starts the initial traffic synchronization. Verify the Last seen packet and Dropped packets entries.
2. RC Status sync: Stale/Last sync and Uptime info
3. RC Health: CPU, Disk and RAM information


Remote Collector - Configuration
Controls are available on the top of the details section to place the RC in a map, to manage N2OS upgrades or to delete the RC:
• Place in map
• Force update
• Toggle version lock: when locked, the RC will not automatically update the software; when unlocked (default), the RC will automatically update the software
• Delete RC

Each Monitoring Interface (e.g. em1) provides:
• Filter possibilities using BPF or Denylist
• Status information on Throughput and Dropped packets of the monitored data


Central Management Console
Central Management Console - CMC
• Centralized OT and IoT Security and Visibility for Distributed Sites

Consolidate - Unified OT, IoT and IT Security
Centrally monitor your distributed sites, easily streamline SOC/IT workflows

Visualize - Enterprise-wide Visibility
Instantly see your OT networks, quickly know your assets and their risks

Respond - Time-Saving Threat Summaries and Forensic Tools
Rapidly respond to OT and IoT risks, optimize troubleshooting and forensic efforts

Scale - Unified Security for Thousands of Distributed Sites
Attain high performance for multinational deployments, realize rapid time to value


CMC - Scope and Security
• Scalability
• Data aggregation
• Centralized control
  • Define areas of responsibility
  • Position appliances on a map
• Update propagation
  • N2OS
  • Threat/Asset Intelligence
• Authentication/Connection: Guardian (client) and CMC (server)
  • Server: authenticates by TLS certificate
  • Client: authenticates by token
  • Guardian connects to CMC using a TLS tunnel


CMC - Context concepts
• Multicontext
  • Separating appliances data
  • Examples: when facing duplicated IP addresses, or when being used as MSSP
  • Limited view to Alerts and Assets view
• All-in-one
  • Merging all appliances data
  • Besides Alerts and Assets view data, also providing common Network and Process view data


CMC - Remote connection
To see all the data available on a Guardian from the CMC, use the Go To Appliance function.

Figure: in the VPN tunnel only the connection to the IP address of the Global CMC, using https, is allowed; the CMC Web UI reaches the Guardian through a reverse proxy connection from the Global CMC to the Guardian.


CMC - Connection details
The IP of the CMC will be provided by the trainer


CMC - Connect Guardian

Objective: Configure the CMC connection
• Always make sure CMC and Guardian have the same software version, to guarantee synchronization

Activities:
1. On the CMC
   In Settings > Synchronization settings:
   • Copy the Sync token.

2. On your Guardian
   In Settings > Synchronization Settings > Upstream Connection, configure the connection to the CMC:
   • Turn the connection to ON and choose Optional use of the TLS Certificate
   • Enter the CMC IP as host
   • Paste the copied Sync token
   • Use Check CMC connection to verify, and Save the config

Figure: On Guardian: Setup the CMC connection
User Manual: Chapter 11 - CMC - Settings


CMC - Appliances menu

Figure callout: number of connected RCs (to Guardian) or Guardians (to CMC)


CMC - Appliances Details and Controls

Figure callouts:
• Appliance type: CMC, Guardian, Guardian + SP, Remote Collector
• Controls: Allow/Disallow appliance; Go To Appliance; Force update; Delete the appliance; Place in a map; Clear data to restart the sync; Focus on appliance; Toggle version lock (locked: the appliance will not automatically update the software; unlocked: the appliance will automatically update the software)
• Health section
• Parameters


CMC - Default General settings
Settings > Synchronization settings > General Settings
Select the Context to be used:
• Multi-context: the user can focus on a single Guardian to access its data in its separate context.
• All-in-one: the CMC creates a merged, single Environment section containing all appliances' data.

Further settings (figure callouts):
• Determines whether the appliances connected to the CMC will automatically receive the firmware update package when a new version is available.
• The local Guardian user on the connected appliance will be able to trigger the update installation.
• Enables/disables the Go To Appliance icon.

Figure: Default config
CMC - Connect Guardian continued

Objective: Finish the CMC connection config

Activities:
On the CMC, Appliances > List tab:
• Click the "Allow" button to enable synchronization.
• Click the "Place in map" button to position the Guardian on the dashboard map.
• Connect to your Appliance using Go to appliance from the CMC, using the reverse proxy connection.

Figure: Central Management Console Dashboard
User Manual: Chapter 11 - CMC configuration


CMC - Providing Updates

Update path: N2OS Software | Threat Intelligence (TI) | Asset Intelligence (AI)
• Manually to Guardian: Yes | Yes | Yes
• Manually to CMC: Yes (1) | Yes (1) | Yes (1)
• Online download to Guardian: No | Yes | Yes
• Online download to CMC: No | Yes (1) | Yes (1)

(1) The data is then propagated to the connected appliances by the CMC


CMC - Default Sync with Guardian

Data type                                 Guardian >> CMC*   Guardian << CMC
Assets                                    Yes                n/a
Asset Types                               Yes                Yes
Nodes                                     Yes                n/a
Links                                     Yes                n/a
Sessions, Live Traffic                    No                 n/a
Variables                                 Yes                n/a
Zones                                     Yes                Yes
Assertions                                No                 Yes
Alerts                                    Yes                n/a
Alert's status (open/close, ack/unack)    Yes                Yes
Alert tuning (creating rules)             No                 Yes

* implies each propagated configuration is supported by the CMC



CMC - Tuning synchronization settings
Settings > Synchronization settings > Tuning tab

• By default the synchronization for the data sets listed in the previous table is enabled
• The sync settings are applied to the appliances directly connected to the CMC only
• If the CMC is running in HA, the configuration needs to be done on both CMCs
• Disabling synchronization results in the deletion of the existing data already received



CMC - Policy synchronization settings
Settings > Synchronization settings > Policy tab

Asset Types definition policy
• Local only: Asset types are controlled by Guardian. Asset Types received from upstream will be ignored.
• Upstream only: Asset types are controlled by the top CMC or Vantage. Asset Types configured locally will be ignored.

Zone configuration policy
• Local only: Zone configurations are controlled by Guardian. Zones received from upstream will be ignored.
• Upstream only: Zone configurations are controlled by the top CMC or Vantage. Local zones will be ignored.

Alert Tuning execution policy *
• Upstream only: alert rules are managed in the top CMC or Vantage. Creation and modification are disabled in the lower-level appliances. Only the rules received from upstream are executed.
• Upstream prevails: in case of conflicts, rules coming from upstream are executed.
• Local prevails: in case of conflicts, rules created locally are executed.

* Special case for the MUTE action: when the execution policy is Local prevails and Guardian receives a mute rule from an upstream connection, that rule is ignored if at least one local rule matches the alert.



HIGH AVAILABILITY



CMC - High Availability function
• The HA feature provides both better availability and better load distribution for very large, dispersed installations:
  • Guardian sends data to one of the CMCs, which takes care of synchronizing all the data with the other CMC;
  • In case one CMC is not available, Guardian sends its data directly to the other CMC until the situation returns to normal;
  • Both CMCs are accessible and are constantly being synchronized so that both hold the same set of data;
  • The sync load can be balanced by connecting some Guardians to the Replica CMC instead of the Main CMC.

[Diagram: Main CMC and Replica CMC joined by a bidirectional data sync link; Guardian has a data sync main link to one CMC and an asymmetrical data sync backup link to the other]



CMC - Managing Guardians in HA
• Guardian HA mode enables two Guardians monitoring the same traffic and being managed by the same CMC.
• During normal operation:
  • only the primary Guardian is synchronized with the CMC (data sync main link); the secondary Guardian holds the backup link,
  • both Guardians receive traffic from the mirror ports of the switch,
  • if the synchronization comes to a halt, the secondary Guardian will start synchronizing the records from the last primary Guardian update.
• The configuration is done via Shell access by editing the n2os.conf.user file of the Secondary Guardian.

[Diagram: CMC with a data sync main link to the Primary Guardian and a data sync backup link to the Secondary Guardian; both Guardians receive mirror traffic from the switch]



CMC - Managing Guardians in HA with RC
• Guardians in HA can receive traffic from one Remote Collector.
• For redundancy purposes the RC will send the traffic to both Guardians.
• Two commands need to be executed on the Remote Collector to enable it to send mirrored traffic to both Guardians.
• For more details about the commands please refer to the Enable Multiplexing section of the Remote Collector chapter in the User Guide.

[Diagram: CMC above the Primary and Secondary Guardian; the Remote Collector receives mirror traffic from the switch and forwards it to both Guardians]



Vantage
Delivers Unmatched Visibility, Security and Scalability

• Expanding your visibility across all assets for better security
• Delivering the Nozomi Networks Security & Visibility that customers trust
• Using the same Guardian Sensors in customer networks
• Solving the same customer challenges
• New Scalable SaaS platform



Vantage - Platform
Delivers Unmatched Visibility, Security and Scalability

• New Approach:
  • Monitor any number of assets
  • Protect any number of locations
  • With a single platform
  • Anywhere
• New Design:
  • Speeds Response
  • Improves Operational Resilience
SaaS - What Does It Mean?
• Nozomi takes care of the Operation:
  • Scaling the load
  • Fixing problems as they arise
  • Utilizing Kubernetes, Automation, etc.
• Architecture:
  • Frontend: API calls designed to be as fast as possible, and frontend API workers scaled to speed up queue processing
  • Backend: the work is broken into little tasks that can be queued, and background service workers are scaled to speed up queue processing
• Site Reliability Engineering:
  • Identify and solve issues quickly
  • Monitoring performance and errors
• Customer Data Protection:
  • Each customer uses its Data Tier in the region that best suits its data governance needs
  • State-of-the-art product security: end-to-end encryption in transit and at rest, 3rd party VA/PT, scans, etc.
  • Compliance and Certifications (ISO 9001 and 27001)



Vantage - Architecture
• Vantage
  • Cloud Analytics & Reporting: global view of all assets, sensors and locations
  • Central Cloud Management: configure and operationalize any number of sensors in any number of locations
• Local Sensors (Guardian, fed by Remote Collectors, optionally grouped under a Central Management Console)
  • Monitor physical and logical assets
  • Detect threats and operational anomalies
  • Identify and mitigate threats

[Diagram: Vantage at the top; below it a Central Management Console and Guardians; Remote Collectors feeding the Guardians]



Goodbye to All-In-One vs. MultiContext
Welcome Network Domains & Organization

• MultiContext was introduced to:
  • address overlapping IP address spaces from different Guardians
  • boost performance (limited feature set in MultiContext mode)
• Vantage is introducing Network Domains:
  • performance is not a problem
  • an IP is unique inside a Network Domain
  • Network Domains "own" Assets
• Vantage is introducing Organizations:
  • allow System Integrators and MSSPs to manage different customers from one single platform
  • easy way to provide visibility to a customer

[Diagram: Vantage above two Organizations, Company A and Company B; each Organization contains a Network domain (Area A, Area B) with Guardians and Remote Collectors, one of them behind a Central Management Console]



Vantage - Navigation
[Screenshot: Vantage top bar callouts]
• Organization: lists the user's organizations to switch between them
• Graph: displays the network graph of the organization
• Profile: lists the user's name and profile settings
• Query: use Queries for information provided by connected appliances
• World Map: change between 3D and 2D image



Vantage - Navigation continued
[Screenshot: Vantage side menu and Sensors page callouts]
• Menu Arrow: hides/shows the menu bar
• Sites: lists the sites configured
• Sensors: lists the sensors configured
• Main Page: shows the 'Sensors' main page
• Table: shows 'Sensors' in tabular format
• Assets: lists assets identified at sites
• Alerts: lists alerts generated by appliances
• Vulnerabilities: lists vulnerabilities identified
• Reports: lists locally or remotely generated reports
• Traffic: lists links
• Shortcut #1: click to shortcut to a table filter, here: Sensors 'At Risk'
• Shortcut #2: click to shortcut to a table filter, here: Sensors being 'Stale'



Vantage - Main Page Example
[Screenshot callouts]
• Count: lists the total count for the specific page
• Visual: provides a visual summary based on geographical location
• Summary: provides a summary for the specific page



Vantage - Queries
New Query Functionality (screenshot callouts):
• Autocomplete queries
• Multiline queries
• Auto-refresh data
• Sort
• Group by
• Output of the query
• Auto filter



Vantage - Alerts
Improved Alert Information
• Visual: provides a visual summary based on geographical location



Vantage - Alerts (continued)
Improved Alert Information
• Number of alerts within the incident
• Incident Alert Timeline



Vantage - Alerts (continued)
[Screenshot: Improved Alert Information, alert detail]


Vantage - Playbooks
• Create Alert Playbooks
• Add comments


Vantage - Vulnerabilities
New Vulnerabilities Workbooks
• Recommended actions to lower risk


Vantage - Backups



Support
Support Portal
Support Portal* access enables you to:
• Open and manage tickets
• Receive news and updates
• Download software versions
• Read Guides (Knowledge Base)

* support@nozominetworks.com and Support Portal are available for partners and users with an active SLA



Support Portal - Opt-In Subscription Feature
Allow the notifications@nozominetworks.com email address into your inbox or it might end up in your spam folder.
[Screenshot: numbered steps of the opt-in subscription]


Nozomi Networks Global Customer Support

CustomerCare Premium:
• 24 x 7, 365 days phone support
• Hardware replacement: 2 business days RMA*
• Software updates
• Online Support Portal
• Email support

Contacts:
• Support Portal: support.nozominetworks.com
• Email: support@nozominetworks.com
• Phone: +1 877 282 5858 (International); for regional support numbers, please visit nozominetworks.com/support

* Subject to regional Customs regulations
For more info please refer to the Global Customer Support brochure
Ask support
• When a support ticket needs to be opened, the support department will need to be provided enough data to understand the problem:
  • A detailed description of the problem
  • The compressed Support archive provided by Guardian.
• The archive can be generated in 2 ways:
  • from the Web UI, System > Support, downloaded via the browser
  • from the Shell console, executing the n2os-asksupport command with root privileges, then downloading it via scp from /data/tmp/ *

* If you want to run the command using the Anonymize option, use n2os-asksupport --anonymize

[Screenshots: Web UI interface; Shell console]


Project Delivery
Typical Schedule for a Site Activation (project weeks 1 to 5, elapsed days 1 to 25)

Project Phase                                                     Plan start (day)   Plan duration (days)
Site Kickoff Call                                                 1                  1
Information Gathering                                             2                  3
Solution Design                                                   5                  1
Confirmation of the HW delivery and site preparation              2                  9
Installation and initial configuration of appliance(s) (onsite)   11                 2
Traffic Data Acquisition and Baseline Period                      13                 10
Remote Fine Tuning                                                23                 3

Main Deliverables per site
1 Site Acceptance Test
2 User Acceptance Test


A low impact and high value-added process

Installation
Nozomi Guardian from installation increases the visibility of the network, enabling the opportunity to observe and act, securing network zones which had until that moment remained unknown or uncontrolled.
The Activation phase consists of 4 different sub-phases:
• Information Gathering
• Solution Design
• Site Preparation
• Installation and Basic Configuration

Review, Tuning and Optimization
The second stage consists of tuning the Guardian baseline and defining security rules to check the compliance with the company security standards or to find the gaps with security best practices.
• Fine Tuning
• Go-Live

Operations, Maintenance and Evolution
After the go-live, Nozomi Networks' Guardian permits:
• Real-time industrial operations and security monitoring
• Control over the remediation activities in place to enforce security
• Impact analysis of the planned and unplanned changes in the ICS environment

Continuous Feedback Loop between Nozomi Delivery & Project Management and the Nozomi Support team


Project Workflow

• Information Gathering: ICS network information and documentation gathering in order to define and characterize project activities
• Solution Design: identification of the best device deployment topology and configuration activities required for installation
• Site Preparation: commitment of resources and access permissions required for the appliance implementation
• Installation and Basic Config: activation and commissioning of the Nozomi Guardian appliances (virtual or physical)
• Fine Tuning: alert tuning, customizations and configuration of integrations
• Go-Live: close-out meeting and transfer of the installation documentation to end users


Lessons Learned

Issues with Configuration of Traffic Mirroring
• Who is responsible for enabling traffic mirroring? Network team? OEM?
• How will mirrored traffic for monitoring be set up? Have the necessary approvals and change control happened?
• Can mirrored traffic be aggregated or will monitoring devices need to be able to connect to each switch?
• Any devices hidden?

Under-sizing Monitoring Hardware
• Traffic throughput estimates typically used: have they been verified?
• If using an embedded / containerized version within another tool (i.e. the switch or FW), has the device been scoped to include monitoring?
• Does the vendor offer ruggedized appliances where required? If not (or if software only), has appropriate hardware been acquired?

Not Planning in Advance for Integrations, Central Monitoring, Training
• Who will be monitoring alerts? Will different groups handle operational vs security alerts?
• Have the proper teams (firewalls, ticketing systems, SIEM, etc.) been notified?
• Network flows: will policy allow data to exit secure zones to reach the DMZ / SOC / MSSP?
• Have all stakeholders been trained in how to use the solution?


Solution Design (HLD): Network flows
[Diagram: Site A, Site B (remote location), Region, Headquarters and Nozomi Cloud; Guardians and a Remote Collector at the sites, CMC local / CMC regional / CMC HQ, Vantage in the cloud, with the supporting services listed below; dashed lines indicate optional network connections]

Nozomi appliances network connections (ports and protocols):
• Admin access from Workstation to the Web UI (https, tcp-443) and to the Shell console (ssh, tcp-22), for Guardian, CMC and Remote Collector
• Secure TLS tunnel from Guardian/CMC to Management (CMC local, regional, HQ, or Vantage): tcp-443
• Secure TLS tunnel from the Remote Collector (RC) to Guardian: tcp-443, tcp-6000
• Threat Intelligence and Asset Intelligence from Nozomi Cloud: https (tcp-443)
• Time Server: ntp (udp-123)
• AD/LDAP: ldap(s) (tcp/udp-389, tcp-636)
• SIEM: syslog, cef, leef (tcp/udp-514)
• Mail Relay: smtp (tcp-25)
• Other Integrations: e.g. snmp, api
• Mirrored network traffic to monitor, from the switch to Guardian or to the Remote Collector
Wrap up
Key Differentiators

See: what's on your network and how it's behaving
Detect: cyber threats, risks and anomalies for faster response
Unify: security, visibility and monitoring across all your assets

• Comprehensive OT and IoT security and visibility (protocol support)
• Advanced threat detection
• Accurate anomaly alerts
• Proven scalability across thousands of sites
• Easy IT/OT integration
• Global partner ecosystem
• Exceptional customer engagement and support
• Performance


Nozomi Networks Certified Engineer Community
Join our NNCE Community on Linkedin
https://www.linkedin.com/groups/9013276/



Thank You!
Nozomi Networks is the leader in OT and IoT security and visibility. We accelerate
digital transformation by unifying cybersecurity visibility for the largest critical
infrastructure, energy, manufacturing, mining, transportation, building automation and
other OT sites around the world. Our innovation and research make it possible to tackle
escalating cyber risks through exceptional network visibility, threat detection and
operational insight.
nozominetworks.com
Solutions
Asset View - Activity
[Diagram: asset activity view. Labels recovered: plc151.ACME0.corporationnet.com; Interface1 192.168.1.28; SCADA CONSUMER 192.168.162.22 (192.168.162.1/24); Mac 00:0a:dc:85:11:01; switch; switch; RUGGEDCOM Router; Interface2 192.168.1.1/24; Mac 00:0a:dc:85:11:05]


Solutions - Sizing
Scenario 1
Option 1:
- 1x NSG-L 100 plus an expansion slot reaching 8
monitoring ports
Option 2:
- Add a core switch to merge the traffic from 8 switches
- 1x NSG-L 100
- Assumption: Possibility to add switch (often not viable)

Scenario 2
- Building 1 - NSG-L 250
- Building 2 - NRC-5 connected over internet to NSG-L 250 (TLS)
- Building 3 - NRC-5 connected over internet to NSG-L 250 (TLS)
- Central management: by the NSG-L 250

Scenario 3
- Switch 1 - NSG-HS 3500 + 1 Expansion slot 4xSFP+
- Switch 2 - NSG-HS 3500 + 1 Expansion slot 4xSFP+
- Central management: Vantage



Solutions - Queries
1. Count how many modbus variables were transmitted on the network.
variables | where protocol == modbus | count
2. Produce a visual representation of the assets having a Windows operating system grouped by the Operating System version. (The result will be used to plan patch installation.)
assets | where os include? Win | group_by os | column os count
3. Produce a tabular representation of HTTP links showing the from, to, protocol and times of first and last activity, sorted by the amount of traffic passing through the link.
links | where protocol == http | select first_activity_time last_activity_time from to protocol transferred.bytes | sort transferred.bytes
4. Produce a table to show nodes in the network that are inactive in the last 10 days, filtering out ghost nodes (tip: ghost nodes never sent bytes).
nodes | where days_ago(last_activity_time) > 10 | where sent.bytes > 0
5. Produce a table reporting source, destination ip, function code name, last activity time of every iec104 link.
links | where protocol == iec104 | expand function_codes | select from to expanded_function_codes.name last_activity_time
6. Produce a table showing connections that are likely blocked by a firewall (tip: this can be modelled by the number of attempted and handshaked connections).
links | where tcp_connection_attempts.total > 0 | where tcp_handshaked_connections.total == 0
7. Produce a table to show how many links are initiated from each zone (tip: in the links table there are fields about zone information).
links | group_by from_zone
8. Produce a table showing from, to, protocol and tcp retransmission percentage of all links with tcp retransmission percentage between 40 and 90 percent.
links | where tcp_retransmission.percent > 40 | where tcp_retransmission.percent < 90 | select from to protocol tcp_retransmission.percent
9. Produce a table showing the function codes seen on the monitored network for the iec104 protocol and sort them so as to have the most used first (tip: work with the variables table).
variables | where protocol == iec104 | group_by last_function_code | sort count desc
10. Produce a column chart showing the list of source IPs that opened iec104 links, sorting them by number of links.
links | where protocol == iec104 | group_by from | sort count desc | column from count
11. How many links within the same zone (source and destination) are in the monitored network?
links | where from_zone == $to_zone | count
12. Produce a pie chart showing the percentage of every transport protocol used in the monitored network.
links | expand transport_protocols | group_by expanded_transport_protocols | pie expanded_transport_protocols count



Solutions - Packet and Yara Rule
Packet Rule:

• Question 1: Answer C: alert tcp any any -> any any (content:"MEN";)
  Why the others are wrong: A uses udp; B uses port 22; D adds distance:1, which needs to be exact.
• Question 2: Answer D: alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)
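To make the content and distance semantics behind these two answers concrete, the following Python is an added example (it is not Nozomi's packet-rule engine and not part of the course material). It parses the rule header plus the content/distance options, written with the ASCII arrow "->", and applies Snort-style matching: a content without modifiers is an absolute search, while "distance:N" makes the next content start at least N bytes after the end of the previous match. The sample payloads are constructed for the demonstration; real Guardian packet rules support many more options than the two handled here.

```python
import re

def parse_rule(rule):
    """Split 'alert tcp any any -> any 80 (content:"A"; content:"B"; distance:1;)'
    into a header dict and an ordered list of {"pattern", "distance"} entries.
    Only the content and distance options are understood (assumption of this example)."""
    m = re.fullmatch(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*', rule.strip())
    if not m:
        raise ValueError("unparsable rule")
    action, proto, src, sport, dst, dport, opts = m.groups()
    header = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    contents = []
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        if key == "content":
            contents.append({"pattern": val.strip().strip('"').encode(), "distance": None})
        elif key == "distance":
            if not contents:
                raise ValueError("distance without a preceding content")
            contents[-1]["distance"] = int(val)  # the modifier applies to the content before it
        else:
            raise ValueError(f"unsupported option: {key}")
    return header, contents

def header_matches(header, proto, dport):
    """Protocol must match; 'any' or the exact destination port is accepted."""
    return header["proto"] == proto and header["dport"] in ("any", str(dport))

def payload_matches(contents, payload):
    """A content without modifiers is searched from offset 0. With distance:N the
    search starts N bytes after the END of the previous match; it is a minimum
    gap, not an exact one, so a larger gap still matches."""
    prev_end = None
    for c in contents:
        start = 0 if c["distance"] is None or prev_end is None else prev_end + c["distance"]
        idx = payload.find(c["pattern"], start)
        if idx < 0:
            return False
        prev_end = idx + len(c["pattern"])
    return True

def rule_fires(rule, proto, dport, payload):
    header, contents = parse_rule(rule)
    return header_matches(header, proto, dport) and payload_matches(contents, payload)

# The answers from the exercise, with the ASCII arrow.
RULE_Q1 = 'alert tcp any any -> any any (content:"MEN";)'
RULE_Q2 = 'alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)'

if __name__ == "__main__":
    # Constructed payloads: only the first and third satisfy the 1-byte gap of RULE_Q2.
    for payload in (b"GET /Nozomi Training HTTP/1.1", b"NozomiTraining", b"Nozomi--Training"):
        print(payload, "->", rule_fires(RULE_Q2, "tcp", 80, payload))
```

Note that "NozomiTraining" does not fire: the second content begins exactly at the end of the first, and distance:1 requires the search to start one byte later. Question 1's rule fires on "WOMEN" because a bare content is an absolute substring search.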

Yara Rule:

• Question 1: No
• Question 2: Yes
• Question 3: No
• Question 4: Yes



Solutions - Assertions
1. Produce an alert when a Node is down for at least one day, excluding nodes representing broadcast addresses.
nodes | where type != broadcast | where days_ago(last_activity_time) > 1 | assert_empty

2. Produce an alert when an ACTIVE vnc session is present in the monitored network.
sessions | where status == ACTIVE | where protocol == vnc | assert_empty

3. In order to upgrade critical equipment, produce an alert when PLCs are suffering critical vulnerabilities (assuming critical means a CVE score of 7 or higher, and a likelihood of 0.8 or higher).
node_cves | where cve_score >= 7 | where likelihood >= 0.8 | where node_type == PLC | assert_empty

4. Produce an alert when the minimum value of at least one variable named ioa-2-2 belonging to 192.168.231.107 is less than 0.2 (try not to use the 'assert_empty' keyword).
variables | where host == 192.168.231.107 | where name == ioa-2-2 | assert_all min_value > 0.2
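The query stages used in the Queries and Assertions solutions above (where with field-to-field `$` comparison and days_ago(), select, group_by, sort, count, assert_empty and assert_all) are easier to reason about with a reference evaluator in hand. The following Python is an added example, not Nozomi's N2QL implementation and not part of the course material: it implements only that subset and runs it over constructed sample records for the nodes, links and variables tables. The fixed "now" date, the sample rows, and the {"alert", "offending"} shape returned for assert_* stages are assumptions of the example; on a real Guardian the assertion is what raises the alert.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so days_ago() is deterministic; *_activity_time is epoch milliseconds.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

def ms(days_before):
    return int((NOW - timedelta(days=days_before)).timestamp() * 1000)

# Constructed sample tables (not real captures); dotted fields are nested dicts.
NODES = [
    {"ip": "192.168.1.28", "type": "producer", "last_activity_time": ms(12), "sent": {"bytes": 1200}},
    {"ip": "192.168.1.99", "type": "ghost", "last_activity_time": ms(15), "sent": {"bytes": 0}},
    {"ip": "192.168.1.255", "type": "broadcast", "last_activity_time": ms(3), "sent": {"bytes": 0}},
    {"ip": "192.168.162.22", "type": "consumer", "last_activity_time": ms(0), "sent": {"bytes": 50}},
]
LINKS = [
    {"from": "192.168.162.22", "to": "192.168.1.28", "protocol": "modbus", "from_zone": "SCADA",
     "to_zone": "PLC", "tcp_connection_attempts": {"total": 10}, "tcp_handshaked_connections": {"total": 10}},
    {"from": "192.168.162.22", "to": "10.0.0.5", "protocol": "http", "from_zone": "SCADA",
     "to_zone": "DMZ", "tcp_connection_attempts": {"total": 4}, "tcp_handshaked_connections": {"total": 0}},
    {"from": "192.168.1.28", "to": "192.168.1.30", "protocol": "iec104", "from_zone": "PLC",
     "to_zone": "PLC", "tcp_connection_attempts": {"total": 2}, "tcp_handshaked_connections": {"total": 2}},
]
VARIABLES = [
    {"host": "192.168.231.107", "name": "ioa-2-2", "protocol": "iec104", "min_value": 0.5},
    {"host": "192.168.231.107", "name": "ioa-2-2", "protocol": "iec104", "min_value": 0.1},
    {"host": "192.168.231.108", "name": "ioa-3-1", "protocol": "iec104", "min_value": 0.9},
]
TABLES = {"nodes": NODES, "links": LINKS, "variables": VARIABLES}

OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "include?": lambda a, b: str(b) in str(a),  # substring test, as in 'os include? Win'
}

def field(rec, path):
    """Resolve a dotted path such as tcp_connection_attempts.total."""
    for part in path.split("."):
        rec = rec.get(part) if isinstance(rec, dict) else None
    return rec

def lhs(rec, token):
    """Left operand: a field, or days_ago(field) computed against NOW."""
    m = re.fullmatch(r"days_ago\(([\w.]+)\)", token)
    if m:
        ts = datetime.fromtimestamp(field(rec, m.group(1)) / 1000, timezone.utc)
        return (NOW - ts).days
    return field(rec, token)

def rhs(rec, token):
    """Right operand: $field compares against another field of the same record,
    a numeric literal becomes a number, anything else is a string literal."""
    if token.startswith("$"):
        return field(rec, token[1:])
    try:
        return float(token)
    except ValueError:
        return token

def run(query):
    """Evaluate 'table | stage | stage ...'. Returns rows, an int for count, or for
    assert_* stages a dict with 'alert' (would the assertion fire) and 'offending' rows."""
    stages = [s.strip() for s in query.split("|")]
    rows = list(TABLES[stages[0]])
    for stage in stages[1:]:
        op, *args = stage.split()
        if op == "where":
            l, cmp_, r = args
            rows = [x for x in rows if OPS[cmp_](lhs(x, l), rhs(x, r))]
        elif op == "select":
            rows = [{a: field(x, a) for a in args} for x in rows]
        elif op == "group_by":
            groups = {}
            for x in rows:
                groups.setdefault(field(x, args[0]), []).append(x)
            rows = [{args[0]: k, "count": len(v)} for k, v in groups.items()]
        elif op == "sort":
            rows = sorted(rows, key=lambda x: field(x, args[0]), reverse=args[1:] == ["desc"])
        elif op == "count":
            return len(rows)
        elif op == "assert_empty":  # alert when any row survives the filters
            return {"alert": bool(rows), "offending": rows}
        elif op == "assert_all":    # alert when any row violates the condition
            l, cmp_, r = args
            bad = [x for x in rows if not OPS[cmp_](lhs(x, l), rhs(x, r))]
            return {"alert": bool(bad), "offending": bad}
        else:
            raise ValueError(f"unsupported stage: {op}")
    return rows

if __name__ == "__main__":
    for q in ("links | where protocol == modbus | count",
              "links | where tcp_connection_attempts.total > 0 | where tcp_handshaked_connections.total == 0",
              "nodes | where type != broadcast | where days_ago(last_activity_time) > 1 | assert_empty",
              "variables | where host == 192.168.231.107 | where name == ioa-2-2 | assert_all min_value > 0.2"):
        print(q, "->", run(q))
```

The two assertion forms differ in where the condition lives: assert_empty fires when the filters leave any row at all, so the violation is expressed in the where stages; assert_all keeps the candidate rows and fires when at least one of them fails the trailing condition, which is why exercise 4 needs no assert_empty.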


