NNCE-Student-Guide 23.1.0 v2

This document provides information about a Nozomi Networks Certified Engineer training course, including: - An agenda that covers topics like the Nozomi solution overview, installation and configuration, security features, and integrations over 4 days. - Course objectives to describe the Nozomi platform, plan installations, configure security and alerts, analyze risks, and explain integration options. - Details on registering for the course in the Nozomi Networks Academy portal and accessing course materials and the final exam. - An overview of the proctored 50 question, 180 minute certification exam available after the course through the Academy portal, which covers Nozomi components, configuration, and security principles.


Nozomi Networks

Certified Engineer
Lab Guide
Version 23.1.0

Nozomi Networks – 575 Market St., Ste. 3650, San Fran., CA 94105 – (800) 314-6114
[email protected] – academy.nozominetworks.com
© 2023 Nozomi Networks. All rights reserved.

Nozomi Networks Training Terms and Conditions


https://www.nozominetworks.com/legal/prof-services-training-agreement/

NNCE Student Guide Version 23.1.0

Nozomi Networks
Certified Engineer
Training
Student Guide

Software Version: N2OS v23.1.0

@2023 Nozomi Networks All rights reserved. 3



Working Agreements

• Mail and phone

• Time to start and breaks

• Speed and timing

• All questions are welcome

• Language

• Other?

© 2023 Nozomi Networks Inc. | All rights reserved. | nozominetworks.com 4




Introduction




Course Objectives
Upon successful completion of this course, learners should be able to:

• Describe the Nozomi Networks solution and platform

• Plan the scope of a Nozomi Networks installation including sizing, licensing, and
connections to the monitored network

• Install and maintain the Nozomi Guardian platform solution


• Configure security features and alert management

• Assess risks and analyze alerts


• Create basic information extraction, query requests, reports and dashboards
• Configure management via CMC and understand Vantage management capabilities
• Explain Nozomi Networks’ integration options


Agenda

Day 1
• Nozomi OT and IoT Security
• Solution Overview
• Tech Specs
• Lab Setup
• Installation and Maintenance
• Environment

Day 2
• Environment (continued)
• Vulnerabilities
• Smart Polling
• Arc
• Queries
• Reports
• Dashboards


Agenda

Day 3
• Alerts and Hybrid Threat Detection
• Built-In Checks
• Custom Checks
• Virtual Image
• Security Control Panel
• Time Machine

Day 4
• Integrations
• Remote Collector
• Central Management Console
• Vantage
• Vantage IQ
• Support & Project Delivery
• Wrap-up


Introductions

Introduce yourself

• Name

• Company

• Your experience with Nozomi Networks solutions

• One thing you hope to learn this week

• Anything interesting you want to share about yourself


Nozomi Networks Academy registration (1/2)

• Open https://academy.nozominetworks.com and click Sign In
• Use your Nozomi Support Portal or Partner Portal credentials in order to log in to the Academy.
• Choose the method of sign-in
• Choose your training option. Since you’re already attending this ILT course, you would have enrolled in ILT, so click there.


Nozomi Networks Academy registration (2/2)

After registration, you will see a ribbon in the upper right-hand corner of the course in which you’ve been enrolled. Click that course.

Inside the dashboard, you will see your course progress. Here you can download the NNCE slide deck and additional training material, the feedback form, and access to the final exam.

Student Materials include:

• Student Guide PDF
• Lab Guide PDF
• Folder for Participants
• Using Cloudshare PDF


NNCE – Exam details

At the end of the course, the participants may choose to take the final NNCE exam in the Academy dashboard.

The scope of the exam is to evaluate the attendee on:
• Knowledge of the Nozomi components and their interaction
• Knowledge in navigating the menus
• Extract and elaborate information
• Understanding the Queries syntax
• Understanding basic security principles used by the solution

Several questions are related to a preconfigured Guardian Exam VM environment in Cloudshare

• You should have received an enrollment code for the Exam upon successful registration for this course**
• Exam is taken in a separate course in Academy (see next page)

Successfully passing grants the Nozomi Networks Certified Engineer certificate (2 years validity)

Exam Key Takeaways
• 50 questions
• 180 minutes to complete
• Available for 1 year after class
• Two attempts
• Retakes will need to be purchased
• Score of 70% or better to pass


**: Note: If you registered (or were registered by someone else) through the use of a Purchase Order (PO), you
should have received your enrollment code automatically.
However, if you used a credit card to purchase a seat for this class, then contact [email protected]
for your enrollment code if you don’t receive it by the completion of the course.


Taking the NNCE Exam

When you’re ready to take the NNCE Exam, go to Nozomi Networks Academy

• Access the Study Materials
• When ready, launch the Lab Environment – First Attempt.
• Once Cloudshare is up and running, launch NNCE Exam to begin. Good luck!

Study Materials include:
• Exam Study Guide PDF
• Using Cloudshare PDF


NNCE – Recertification
Participants can renew their NNCE certification prior to its expiration

• Before your NNCE certificate expires, the Nozomi Education Services Team will invite you
to participate in an online, self-paced Recertification course
• The Recertification course will cover:
• New features added in the last major releases
• Additional content

• There is no fee for the Recertification attempt


• Should you fail the exam, then you will have to pay for additional attempts

• You must pass the re-certification exam to extend your certification


Certification Training Path


• 4 different trainings with the related certification
• Badges sent upon completion of exam
• Live Credential Verification via Credly website
• Credly verification is Valuable and Portable
• Badge earners set up account with their personal email
• Badge becomes currency for earners

• Certification accomplishments to share on Social Media


• Automatic Renewal Reminders


To correctly configure, maintain and manage the Nozomi solution, we have created several certification courses that
will allow you to earn a certification badge.

The benefits of the digital badge are:


• Learners can post it on social media
• The credential verification is live and automatic, which makes it easier for customers and employers to check validity
• Credly sends badge recipients automatic reminders when it is time to renew


Training environment and materials


• The student training environment and all labs in this course are written using Version 23.1

• See all release notes, documentation and related files in the Support Portal
• https://nozominetworks.force.com/support/s/article/23-1-0-Release-Package

• If you only have access to the Partner Portal, you should also request access to the Support Portal using this link:
• https://nozominetworks.force.com/support/s/login1/SelfRegister


Who is Nozomi Networks?

FOUNDED IN SWITZERLAND
October 2013

GROUNDED IN RESEARCH
Founders conducted PhD research on SCADA Security/Malware and Artificial Intelligence

INITIAL GLOBAL RECOGNITION
Received European Union Commission Award to research SCADA Security Threat

WE CREATED OUR COMPANY OUT OF NEED
Founder worked in a large Oil & Gas Company; had no visibility or control over their ICS/OT Environment & needed a solution

ANDREA CARCANO
CPO and Co-Founder
PhD in Cybersecurity
SCADA Security Researcher & Expert

MORENO CARULLO
CTO and Co-Founder
PhD in Artificial intelligence
eXtreme Programming Expert


Before we get into the company and solution, it’s worthwhile to highlight how we came to be. Nozomi Networks
is a company that was born out of research, evolved out of need and ultimately founded to meet unmet needs
of so many in the ICS and industrial space.

First, Nozomi Networks was born out of research: both founders (Andrea and Moreno) have an extensive
background in computer science and both have PhDs in related fields. Andrea devoted his PhD to the study of
both offensive and defensive malware strategies, especially as they apply to industrial systems (SCADA / OT
networks), and Moreno devoted his PhD to artificial intelligence and system integration. It was at this time that
Andrea Carcano began to become a thought leader on the topic of ICS cyber intrusion, engaging in detailed
research in software development and publishing various scholarly articles.

After Andrea completed his PhD, he went to work for a large oil and gas company where he was challenged
with the lack of comprehensive OT visibility and intrusion detection. He started to develop some of the
technologies and methods that would later become part of Guardian, out of that need. There were no tools
available!

It was also this ‘need’ that spurred discussion between Andrea and Moreno to start a company that would solve
these rising security and visibility challenges within the industrial and ICS space. Both Andrea and Moreno
understood that in order to be effective in malware and threat identification within the OT domain, you need to
be process-centric, and that is why Nozomi Networks is here. Together, Moreno and Andrea were able to combine
a background in critical infrastructure security with bleeding edge AI and IT integration strategies to develop
Nozomi Networks in 2013.

From there, Nozomi Networks began to rapidly acquire global attention, winning funding from the European
Commission Power Plant Security Program and business with international customers.


Continuous Innovation in OT and IoT Security

[Timeline slide, dated from September 2013 to 2023. Milestones as shown, top row then bottom row:]

• First AI-powered ICS visibility and cybersecurity solution
• First to offer a powerful combination of active + passive asset discovery
• First container-based delivery model for embedded IoT and OT networks
• Vantage pioneers SaaS-powered security and visibility solution for dynamic deployment and efficiency
• Threat Intelligence Feed supports third-party platforms
• Nozomi Arc launches, turning any endpoint into a security sensor

• First hybrid ICS threat detection combining behavior-based anomaly detection with rules-based detection
• First OT monitoring solution paired with a Threat Intelligence service
• Guardian is the first product with highly accurate IoT network anomaly detection and Asset Intelligence service
• Nozomi Networks offers Content Packs as a vehicle to share queries and dashboards with the community at large for a common threat or shared process
• Nozomi Networks introduces OnePass, a single subscription to both hardware and software
• Vantage IQ announced, an industry-first AI rules-based analysis and query engine


Here we have a timeline of Nozomi Networks’ innovation in OT and IoT security. As I mentioned, we were
founded in 2013 with our original AI-powered ICS visibility and security solution.

Since then, we’ve introduced multiple products and enhancements, including Threat Intelligence and Asset
Intelligence services, Vantage, a SaaS-based security solution, and more recently, Nozomi Arc, an endpoint
sensor.


Global Leadership Footprint

• 8.4K+ Worldwide Installations
• 89M+ Devices Monitored Across Converged OT/IoT
• 6 Continents: Scalable Deployments Across 6 Continents
• Global Expertise: Worldwide Network of Partners and 1,500+ Certified Professionals

[Map: Headquarters and Offices]


Nozomi Networks was founded in 2013 in Europe by two experts in industrial
cybersecurity and artificial intelligence. They had the foresight to engage with a
global 100 company, energy producer Enel, to help them develop an enterprise
class product. After 3 years, with a very robust and scalable product, the team
moved the company to the US and it has since expanded into a global operation.

We have over 15 offices around the world, in addition to our European HQ in
Mendrisio Switzerland and our Global HQ in San Francisco.

We monitor and protect millions of devices in thousands of deployments in
converged OT and IoT networks.

Our solutions scale across 6 continents, and we have a very large global ecosystem of security
partners, including over 1,500 certified engineers to help our technology alliance partners and
resellers deploy our products across the globe.


Securing the World’s Largest Organizations

• 9 of Top 20 Oil & Gas
• 7 of Top 10 Pharma
• 5 of Top 10 Mining
• 5 of Top 10 Utilities

Industries served:
• Airports
• Building Automation
• Data Centers
• Federal Government
• Financial Services
• Healthcare
• Manufacturing
• Mining
• Oil & Gas
• Pharma
• Rail Systems
• Retail
• Smart Cities
• Transportation
• Utilities


Before we talk about the product, let me go into more detail about the industries that we serve.

Our customers span a wide range of industries. We have customers in every industry where OT and IoT is
fundamental to the business’ success.

There are four that I want to highlight where we achieved early leadership status and continue to earn the trust
of the largest and most successful companies in those industries:
• Oil & Gas
• Pharma
• Mining
• Utilities

Beyond those industries we also protect Water, Manufacturing, and Chemical production. Additionally, we focus
on industries where IoT networks play a very important role, such as Airports, Transportation, and Manufacturing.

We also have several customers in Automotive, Smart Cities and so forth.


Security and Visibility for Any Device, Anywhere


• Accelerating digital transformation by protecting the world’s critical infrastructure,
industrial and government organizations from cyber threats.



NNCE Student Guide Version 22.4

OT and IoT Security

Nozomi Networks 2022. All rights reserved. 22



OT Terminology

Operational Technology (OT) is an umbrella term for the hardware and software that detects or causes a change through
the direct monitoring and/or control of physical devices, processes and events in the industrial environment.

Industrial Control Systems (ICS) play a main role in OT. They interface, control, supervise and monitor physical
systems.

“a collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an
industrial process.”
ISA/IEC 62443-1-1

Some examples of types of ICS include:
• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control System)
• PCS (Process Control System)
• SIS (Safety Instrumented System)

[Diagram: nested boxes labelled OT, PRODUCTION, ICS, DCS and SCADA]


It’s important to define exactly what OT refers to, especially for those new to the industry. It vastly differs from
traditional IT in that it refers to a lot of machinery and hardware and the controllers that manage and control
them. ICS are the primary systems that control, manage, and monitor those OT components.

There are many types and while this is not intended to be a deep dive into OT, it’s important to know some of
the common technologies and components.

SCADA: systems that are focused on collecting and understanding data (event driven)

DCS: system geared towards process control (process state driven); typically, geographically limited and focused
but very detailed

PCS: a broad category of equipment and monitoring technology, including SCADA, PLCs and DCS. Sometimes
interchanged with ICS.

SIS: the failsafe, parallel system that is installed in many OT environments to prevent catastrophic failure and/or
danger to human life

(OT definition according to Gartner)


ICS – main actors and their functions

• Main functions of an ICS:
• Measure: obtain values from sensors and read as input to process or provide as output
• Compare: evaluate measured value to process design value
• Compute: calculate current error, historic error, future error
• Correct: from a computation or operator initiated

• Actors performing these functions include:
• Sensors (Inputs)
• Actuators (Outputs)
• Controllers
• HMIs

[Diagram: an Operator at an HMI, with a Valve, a Fan and a Pump as the controlled devices]


Components of an ICS broadly perform four main cyclical functions: measurement, comparison, computation
and correction.

Signals from a fan or pumps, for example, will be read, aka measured. That reading will be transmitted in either
analog or digital form to the controller.

The controller will transform the signal to a value and compare it to an expected value.

If that expected value needs to be higher or lower, then a computation will be performed that will determine
how to bring the value back to expected parameters.

Then the controller will send a signal to the pump or fan to correct the value. And then the new value will be
read (or measured) again and the process repeats.

In the above process, the values will be sent from the PLC (or some other type of controller) to an HMI (Human
Machine Interface), which is typically an engineering workstation or possibly the control room, which may be
the one that makes the computation and issues the correction in the above defined steps.
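The measure, compare, compute and correct cycle described above, run as a discrete control loop. This is an added example, not code from the guide or from Nozomi Networks: the tank, its drain rate, the pump limits and the controller gains are all constructed assumptions, and "current, historic and future error" is implemented as the P, I and D terms of a PID controller.

```python
"""Added example (not from the Nozomi guide): the measure / compare / compute /
correct cycle of an industrial controller, run against a toy process.

The plant is a constructed tank whose level rises with pump output and drains
at a fixed rate per cycle. The controller computes the current error (P),
the historic error (I) and the predicted future error (D), then writes a
corrected pump command to the actuator. Gains and plant constants are assumed
values chosen for this example."""

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Tank:
    """Constructed physical process: level in percent, drains 2% per cycle."""
    level: float = 20.0
    drain_per_cycle: float = 2.0

    def step(self, pump_output: float) -> None:
        # The actuator (pump) adds liquid; the process loses a fixed amount.
        self.level += pump_output - self.drain_per_cycle
        self.level = max(0.0, min(100.0, self.level))


@dataclass
class PIDController:
    """Controller logic with assumed gains, tuned for the toy plant above."""
    setpoint: float
    kp: float = 0.5
    ki: float = 0.1
    kd: float = 0.2
    integral: float = 0.0        # historic error
    previous_error: float = 0.0  # used to estimate future error
    history: List[Tuple[float, float, float]] = field(default_factory=list)

    def measure(self, sensor_value: float) -> float:
        # 1. Measure: read the sensor input.
        return sensor_value

    def compare(self, measured: float) -> float:
        # 2. Compare: evaluate the measured value against the design value.
        return self.setpoint - measured

    def compute(self, error: float) -> float:
        # 3. Compute: current error (P), historic error (I), future error (D).
        self.integral += error
        derivative = error - self.previous_error
        self.previous_error = error
        return self.kp * error + self.ki * self.integral + self.kd * derivative

    def correct(self, tank: Tank, command: float) -> float:
        # 4. Correct: write the actuator output, clamped to the pump's range
        #    (0 to 10 units per cycle, an assumed limit).
        pump_output = max(0.0, min(10.0, command))
        tank.step(pump_output)
        return pump_output

    def cycle(self, tank: Tank) -> float:
        """One full loop iteration; returns the new process value."""
        measured = self.measure(tank.level)
        error = self.compare(measured)
        command = self.compute(error)
        pump_output = self.correct(tank, command)
        self.history.append((measured, error, pump_output))
        return tank.level


def run_loop(cycles: int = 60, setpoint: float = 50.0) -> List[float]:
    """Run the loop from the tank's initial level; returns the level per cycle."""
    tank = Tank()
    controller = PIDController(setpoint=setpoint)
    return [controller.cycle(tank) for _ in range(cycles)]


if __name__ == "__main__":
    for i, level in enumerate(run_loop(), start=1):
        print(f"cycle {i:2d}: level {level:6.2f}%")
```

The printed trace shows the level overshooting the 50% setpoint and then settling, which is the repeated read, compare, compute, write behaviour the notes describe.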


The industrial controller

• Real time operation means that the response to an input event by setting the output occurs in a timely manner
determined by the requirements of the process or machine under control.
Examples:
• Nuclear reactor in a nuclear power plant – 10 milliseconds
• Amusement park roller coaster ride, controlled by smart motors – 90 milliseconds
• Temperature control in a brewery: responses in minutes or even hours

[Diagram: the controller cycle, read data from sensors (inputs), then execute logic against data, then write data to actuators (outputs), repeating]


A priority of industrial controllers is that they are designed and programmed to operate in real-time in a reliable
way. Real-time OSes such as VxWorks and QNX are frequently used for industrial controllers. They operate very
differently as compared to personal computers or traditional IT servers.

This means that availability is a priority, far more important than integrity and confidentiality (often the focus in
IT systems). Since encryption would add delays and latency to an OT network, it is rarely used.

The image on this slide shows that the computer is tracking, monitoring, and administering multiple pieces of
hardware simultaneously. The speed at which this monitoring will need to occur is highly dependent on the
nature of the industry, such as nuclear reactors compared to amusement park rides or a brewery.


Some examples of Industrial Controllers

Scope
• IED: Control/protection functions for power systems’ equipment
• RTU: Interface field data to a remote SCADA, protocol gateway
• PLC: Control processes

Input/Output rail
• IED: Yes
• RTU: Optional
• PLC: Yes

Control/protection logics
• IED: Yes
• RTU: No
• PLC: Yes

Comm. Interface
• IED: Yes
• RTU: Yes
• PLC: Optional

Often works in combination with
• IED: A local SCADA/DCS Server
• RTU: A remote SCADA, PLCs to acquire signals
• PLC: More PLCs and/or RTUs, or stand-alone

Typical protocols
• IED: IEC 61850 server, Modbus, proprietary
• RTU: IEC 104, DNP3, Modbus, proprietary, IEC 104 to IEC 61850 client
• PLC: Modbus, CIP (EthernetIP for example), proprietary


This slide is by no means an exhaustive list of the different kinds of ICS controllers available. However, the three
presented here are a large percentage of the categories of devices that you’ll find in the market.

IEDs: a main selling point for these devices is that they are integrated (hence the name) with the devices they
control and feature a level of standardization enabling easier configuration and less wiring required.

RTUs: typically used in conjunction with IEDs and/or PLCs, these devices collect device information and forward
it to the controller, often over large distances.

PLC: frequently used in OT environments to control local devices, such as assembly lines, amusement rides, etc.

Note that there are so many different protocols that these devices can potentially use to communicate, often
proprietary.


ICS network topology example

• Communication among controllers, HMIs and other devices is fundamental.
• Industrial network protocols are used for these communications.
• Some examples: Modbus, EthernetIP, DNP3, etc.
• Time sensitivity is also a design priority.

Reference: NIST 800-82


This slide reflects how a simple OT network might be set up. The important thing to note is how the
environments are sectioned off, such as how the machine controller in the bottom left communicates with the
Local Control Network. And similarly, for each of the other areas in the bottom section of the diagram.

At the top is the business network (or typical IT network), likely separated by a DMZ from the OT network below.

In the middle is the control network with the historians and HMIs in the main control room, the DNS server and
so on.

While at the bottom are the local networks that are communicating with the PLCs and other controllers, which
will gather the information from the machines and roll up the information to the control network above.

As with all OT networks, the communications that occur on this network will use various protocols, often
proprietary to the vendor that created the controllers and hardware. Keep in mind that the primary concern in
an OT network, and with the protocols and how they’re written, is that time sensitivity is king here.


The IEC 62443 PURDUE network model

• 4-5: Enterprise IT, Site business and logistics: Email, intranet, printers, etc.
• [3.5: Upper DMZ]: Transfer network between IT/OT
• 3: Operations (ICT/DMZ) Network: Systems providing IT services (AV, Patch, DNS, AD) and collect historical data.
• [2.5: Lower DMZ]: Optional
• 2: Supervisory Control/Process*: Systems using IT services from L3 and control/acquire data from the
Control Network (i.e. HMI, SCADA Consumer, MTU, Engineering workstation).
• 1: Control: Systems to collect and transmit data between field devices (actuators/sensors) via I/O
interfaces and Process Network (i.e. RTU, PLC, Safety equipment).
• 0: Field/Process**: Actuators/sensors directly connected to controllers by close network connections (i.e. hard
wired, serial cable, fiber ring, proprietary protocols).

*Different concept of Process than in Guardian’s Process View

**As in Process View


Here you see the levels of the Purdue model. Keep in mind a few very important points:
• This is a reference model, not a “law”. Much like the OSI model, it’s a recommendation but it isn’t necessarily
going to be followed by a customer
• One of the most critical things is that ideally no device should communicate more than 1 level away with
another device. For example, a server or workstation at Level 4 should not be able to communicate directly
with a PLC at Level 1. This enables efficient communications and helps maintain security.
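One way to turn the "no more than one level away" rule into a check over observed traffic. This is an added example, not code from the guide or from Guardian: the asset inventory, the list of levels deployed at the site and the flow records are constructed sample data, and counting the upper DMZ (3.5) as its own step between 4 and 3 is an assumption made here, not a statement from the slide.

```python
"""Added example (not from the Nozomi guide): checking observed conversations
against the Purdue rule that a device should not talk to anything more than
one level away.

Levels are counted as steps in the order they are deployed at the site, so
with an upper DMZ (3.5) in place, 4 -> 3.5 and 3.5 -> 3 are each one hop while
4 -> 3 is two. Inventory, level list and flows are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dst_port: int


# Levels deployed at this constructed site, low to high. The optional lower
# DMZ (2.5) is not in use here, so it is left out of the ordering.
DEPLOYED_LEVELS: List[float] = [0.0, 1.0, 2.0, 3.0, 3.5, 4.0, 5.0]

# Constructed asset inventory: address -> Purdue level from the zone model.
ASSETS: Dict[str, float] = {
    "10.4.0.10": 4.0,   # ERP server, enterprise network
    "10.35.0.5": 3.5,   # upper DMZ transfer host
    "10.3.0.20": 3.0,   # patch / AD server, operations network
    "10.2.0.30": 2.0,   # HMI
    "10.2.0.31": 2.0,   # engineering workstation
    "10.1.0.40": 1.0,   # PLC
    "10.1.0.41": 1.0,   # safety controller (SIS)
}

# Constructed flow records, as a passive sensor might summarise them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.4.0.10", "10.35.0.5", "https", 443),      # 4 -> 3.5, one hop
    Flow("10.35.0.5", "10.3.0.20", "smb", 445),        # 3.5 -> 3, one hop
    Flow("10.3.0.20", "10.2.0.30", "dns", 53),         # 3 -> 2, one hop
    Flow("10.2.0.31", "10.1.0.40", "modbus", 502),     # 2 -> 1, one hop
    Flow("10.4.0.10", "10.1.0.40", "modbus", 502),     # 4 -> 1, four hops
    Flow("10.3.0.20", "10.1.0.41", "ssh", 22),         # 3 -> 1, two hops
    Flow("192.168.99.9", "10.1.0.40", "modbus", 502),  # source not in inventory
]


def level_rank(level: float, deployed: List[float] = DEPLOYED_LEVELS) -> int:
    """Position of a level in the site's deployed ordering (0 = field)."""
    return deployed.index(level)


def hop_distance(src_level: float, dst_level: float,
                 deployed: List[float] = DEPLOYED_LEVELS) -> int:
    """Number of deployed levels crossed by one conversation."""
    return abs(level_rank(src_level, deployed) - level_rank(dst_level, deployed))


def check_flows(flows: List[Flow], assets: Dict[str, float],
                deployed: List[float] = DEPLOYED_LEVELS,
                max_hops: int = 1) -> Tuple[List[dict], List[Flow]]:
    """Return (violations, unclassified).

    violations: flows crossing more than max_hops levels, with the hop count.
    unclassified: flows where an endpoint has no level in the inventory; these
    need the inventory fixed before the rule can be judged."""
    violations: List[dict] = []
    unclassified: List[Flow] = []
    for flow in flows:
        src_level = assets.get(flow.src)
        dst_level = assets.get(flow.dst)
        if src_level is None or dst_level is None:
            unclassified.append(flow)
            continue
        hops = hop_distance(src_level, dst_level, deployed)
        if hops > max_hops:
            violations.append({
                "src": flow.src, "src_level": src_level,
                "dst": flow.dst, "dst_level": dst_level,
                "protocol": flow.protocol, "dst_port": flow.dst_port,
                "hops": hops,
            })
    return violations, unclassified


if __name__ == "__main__":
    found, unknown = check_flows(SAMPLE_FLOWS, ASSETS)
    for v in found:
        print(f"{v['src']} (L{v['src_level']}) -> {v['dst']} (L{v['dst_level']}) "
              f"{v['protocol']}/{v['dst_port']}: crosses {v['hops']} levels")
    for f in unknown:
        print(f"unclassified endpoint in {f.src} -> {f.dst}")
```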


OT Systems Evolution

[Diagram: a spectrum from More Isolation to More Connectivity, in four stages: Fully Air-Gapped OT System; “Retrofitted” OT System Partially Connected to Each Other; Newly Designed/Engineered Cyber-Physical System; Cyber-Physical System Through IT/OT Convergence]

Examples of Traditional OT Systems
• Supervisory Control and Data Acquisition (SCADA)
• Industrial Control Systems (ICS)
• Programmable Logic Control (PLC)
• Process Control Networks (PCN) – Including Safety Instrumented Systems (SIS), Engineer Workstation and Human Machine Interface (HMI)
• Distributed Control Systems (DCS)
• Computer Numerical Control (CNC)

Examples of OT-Related Cyber-Physical Systems
• Industrial Robots
• Virtual Reality Manufacturing Simulation Systems
• Self-Optimizing Press-Bending and Roll-Forming Machine
• Adaptable Production Systems
• Energy-Efficient Intralogistics Systems
• Connected 3D Printers
• Smart Grids


It’s important to understand that OT systems used to be isolated systems with no communication to the outside
world (serial communication, no TCP/IP or Ethernet, and no connection to other networks). Network
modernization and convergence result in the exposure of OT systems to new threats, mostly as a result of the
rise of IoT devices. This is because IoT devices use well-known, commercial protocols (primarily TCP/IP) to
communicate. Exposure means now we need to care about the vulnerabilities of our OT networks.

As with anything, the greater the connectivity, the greater the risk.


IoT and OT

Scope
• Industrial Controllers (OT): Mission critical operations
• IoT devices: Complementary or expanded functions to the OT systems, improving performance, quality, lowering operating costs

System latency
• Industrial Controllers (OT): Low latency, real time deterministic systems
• IoT devices: Many network standards are non-deterministic (such as LoRaWAN and WiFi)

Implementation difficulty
• Industrial Controllers (OT): Expensive. Vendor specific knowledge is required, requires skilled personnel. Software licenses required.
• IoT devices: In some cases, easier to install, with more standard and friendlier installation procedures.

Typical protocols
• Industrial Controllers (OT): Vendor proprietary, legacy protocols ”adapted” for TCP/IP networks, some open protocols
• IoT devices: Industry standard open communications. Designed with Internet/Cloud communications in mind

Vulnerabilities
• Industrial Controllers (OT): Lack of authentication, lack of encryption, backdoors, buffer overflows. Legacy code is not secure by design and difficult to completely eradicate over the years.
• IoT devices: Supply chain (many stakeholders); Targets of DDoS; Internet/Cloud connectivity = bigger attack surface


Supply chain attacks are particularly dangerous. The major challenge for IIoT integration in the Industry 4.0
supply chain is security. Hardware chips with embedded malicious code are hard to find, since this code has the
ability to be executed without being easily noticed for a long period of time. One of the causes of security
vulnerabilities in the IIoT environment is the involvement of many stakeholders. This means that there are
different components of devices being manufactured by different vendors, everything getting assembled by
another vendor, and finally being distributed by yet another one. A vendor has the ability to embed backdoor
channels in their devices, inject viruses, or provide faulty chips.

As the technology evolves, more and more companies are making the switch to having IoT devices in their
plants, manufacturing centers, farms, etc. As a result, Guardian has been updated to include more mechanisms
to detect and monitor IoT devices as well as traditional OT ones.

OT devices = often custom built; often proprietary

IoT devices = typically use consumer-based software/open-source technology; means they’re exposed to higher
level of vulnerability


Multiple threat actors/sources

• Adversarial: Outside Individual, Inside Individual, Trusted Insider, Privileged insider, Ad hoc group, Established group, Competitor, Supplier, Partner, Customer, Nation State
• Accidental: User/Privileged user/Administrator
• Structural: IT equipment, Environmental controls, Software
• Environmental: Natural disaster, Man-made disaster, Infrastructure failure (e.g. telecommunications, electrical power)

“Guide to Conducting Risk Assessments”, Special Publication 800-30, National Institute of Standards and Technology, September 2012
Source: https://www.arcweb.com/industry-best-practices/what-industrial-cybersecurity-planning-maturity-model


• Threats/Threat actors can be as advanced as APTs by Nation States or as simple as common ransomware
• APT: high impact/low likelihood vs “general hacker”: low impact/higher likelihood

The important concept from this slide is that whether the attack is perpetrated by a skilled attacker or a
“script-kiddie” determines how expensive the mitigation and/or aftermath cleanup will potentially be. It will be
even more dangerous and impactful if the attacker(s) know about OT protocols and network topology.


OT Threats - TRITON
• In 2018 a Middle Eastern oil and gas petrochemical facility went into an automatic shutdown by a compromised safety system (SIS) named Triconex.
• SIS, a special type of Controller, designed with predictability and reliability in mind, including failure detection for inputs and outputs, were conducting the shutdown.
• The attack path went from the Internet through the IT network, using well-documented, easy to detect attack methods, into the OT area via systems providing access to both environments.
• There, an altered, legitimate-appearing .exe file was installed on an SIS Engineering Station to infiltrate, access and reprogram the SIS.
• First ever witnessed cyber attack on a SIS.
• The SIS were reprogrammed, causing them to enter a failed state and resulting in an automatic shutdown of the industrial process.

[Slide diagram: attack path from the Corporate IT side (Corporate Email, DC, Firewall, Engineers, Operators) into OT (SIS Engineering Station, SIS, PLC).]

Nozomi Networks Black Hat Research Paper:
https://www.nozominetworks.com////downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf


More information can be found here: https://www.nozominetworks.com////downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf

APTs are multi-staged operations where every step could take months or even years to be executed
• APTs use exploits of known and 0-day vulnerabilities
• Nozomi hybrid detection allows us to detect APTs at every step of their execution

Considerations:
1. How did the attackers have the ability to go from IT to OT? (likely knowledge of OT infrastructure and
technology)
2. How did they get to the workstation? (poor security framework, no DMZ, etc.)
3. The Triconex SIS has a physical key; it was inserted and left in “Remote”, which allows reprogramming to
occur, instead of being set to “Run”


Nozomi Networks Labs
Through research and collaboration with industry and institutions, we’re helping defend the critical assets and systems that support everyday life.

Resources: Tools, Research Reports, Projects, Labs Blogs, Threat Advisories, Threat and Asset Intelligence

90% of the time, vulnerabilities/threats found within 24 hours of installation
Dozens of responsible disclosures and ICS-Cert Alerts

Nozomi Networks Labs page available at this link


Here we need to highlight that we have a dedicated team that is working every day to fight against malware
and threats.

The Nozomi Networks Labs team is dedicated to reducing cyber risk for the world’s industrial and critical
infrastructure organizations.
Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the
industrial systems that support everyday life.

The Labs team provides resources to help those responsible for cyber security effectively defend their
operational systems, including:
• Research reports
• Free community tools
• Threat advisories

The Labs team also participates in developing industry standards for securing critical infrastructure, and in
keeping our Asset Intelligence and Threat Intelligence services up-to-date.


Solution Overview

@2023 Nozomi Networks All rights reserved. 34


NNCE Student Guide Version 23.1.0

Nozomi Networks Solution Portfolio

MANAGEMENT OPTIONS
• CENTRAL MANAGEMENT CONSOLE: SaaS, On-Premises, FIPS-compliant

SENSORS
• ANSSI-certified, FIPS-compliant
• ENHANCED CAPABILITIES / ADD-ONS / SUBSCRIPTIONS

SERVICE OFFERINGS
• Certifications
• Training
• Professional Services
• Customer Support 24/7
• OnePass/HWaaS


First off, we have the Guardian, which is the appliance connected to a switch; it performs the analysis: asset
discovery, network visualization, etc. It works entirely passively; however, you can add Smart Polling, which is
an active scanning solution.

Above the Guardian are the CMCs. They are a central location for receiving information from Guardians and
distributing updates and remote, central management.

Vantage: Like a CMC, but as a SaaS service. No hardware required, only license.

Two Subscription services: Asset Intelligence and Threat Intelligence. (AI: for example, we have a PLC from
Schneider that is using version 1.23, then we can give extra information about the device from a known database
as well as possibly an image of the device).

On the right side of the screen are the partnerships and integrations Nozomi has curated and included for
our products. On the far right are the support and training offerings available to all of our customers to ensure
their success with the product.


Nozomi Networks Guardian


Nozomi Networks Guardian sensors provide asset inventory and network visibility for OT, IoT and IT environments, on a per site basis.

They detect cyber and operational threats and vulnerabilities, providing situational awareness that is critical for maximizing uptime.

What is it? A sensor that analyzes and visualizes data from your network. Guardians are available in multiple hardware form factors to fit your environment, as well as virtualized and container editions.

• Up-to-date automated asset inventory
• Continuous monitoring of OT, IoT and IT systems
• Detects threats and generates risk alerts
• Accelerates forensics analysis


Guardian is your on-premise workhorse that monitors and analyzes all the data your factory produces, whether
in a production system or lighting and HVAC. You see across all environments and watch system resiliency
through a live, interactive network visualization. And importantly, when problems do occur, you'll have the track
record to decode those incidents and uncover why the failures occurred, so you can make your systems more
resilient in the future.

Follow the slide to describe how Guardian works:

• Up-to-date automated asset inventory…
  • See all OT, IoT and IT assets.
  • Save time and money by automating data collection.

• Continuous monitoring…
  • Get live, interactive network visualization.
  • Improve situational awareness.

• Threat detection and alerts…
  • Speed up response time and prevent or reduce downtime with early threat/risk detection.

• Forensic analysis…
  • Decode incidents and determine causes of failures to improve resiliency.


Nozomi Networks CMC


Nozomi Networks CMC
• Centrally monitor distributed sites.
• Easily streamline SOC/IT workflows.
• Instantly visualize OT networks, assets and risks.
• Optimize troubleshooting and forensic efforts.

What is it? On-prem virtual or physical appliance to consolidate data coming from multiple Guardians.

• Consolidate the view of assets and security risks
• Continuous monitoring of OT, IoT systems
• Automated vulnerability assessment with threat prioritization and remediation


The CMC is Nozomi’s first management offering and is used by many of its customers. It can be a hardware or
virtual solution and offers management, administration, alerting and reporting capabilities for the entire
environment.


Nozomi Networks Vantage


Nozomi Networks Vantage provides unified visibility and cybersecurity monitoring for an unlimited number of systems across geographically dispersed locations.

It aggregates and prioritizes risks and vulnerabilities, delivering actionable insights that improve cyber and operational resilience.

What is it? A SaaS solution that scales security monitoring and visibility for OT, IoT, IT, edge and cloud assets. Effective for all systems and devices.

• Single pane of glass for view of assets and security risks
• Continuous monitoring of OT, IoT and IT systems
• Automated vulnerability assessment with threat prioritization and remediation
• Power of cloud computing for enhanced analytics


Vantage is your SaaS solution for security monitoring and visibility across your OT, IoT, and IT networks.
You can see across your network to monitor any number of devices and protect any number of locations from
one single platform, anywhere in the world.

Vantage greatly simplifies multi-site deployments with a central cloud-based aggregation, analysis and
management station. Fewer nodes need to be deployed at each site, and fewer admin resources are required to
manage multiple sites and large numbers of sensors.


Remote Collector (RC)


Extend Your Reach
Remote Collectors act as “remote interfaces” for Guardian, broadening its capture capabilities, thus allowing installations to be applied in simple to highly distributed scenarios.

What is it? Hardware or Virtual appliance that allows monitoring of a remote location or sub-station.

• Small form factor (DIN mountable)
• Low resource usage
• Cost effective


Remote collectors can be used at substations or remote locations/geographically disparate locations. Imagine if
there is a substation that is far away that only has one or two small switches that communicate with OT devices
(such as pipelines and relays). It’s just not cost effective to install a Guardian at each of these smaller, remote
locations. This is where an RC comes into play.

It communicates via TCP (encrypted) to the Guardian. It does not store any information locally or perform any
analysis and can only handle a small amount of traffic throughput (up to 15Mb/s).


Arc Endpoint Sensor


Nozomi Networks Arc Endpoint Sensor provides customers with endpoint data collection and asset visibility for mission critical networks and industries.

It provides further vulnerability assessment, endpoint protection, traffic analysis capabilities and more accurate diagnostics of in-progress threats and anomalies.

What is it? An endpoint sensor that collects and analyzes data from Windows, Linux or MacOS hosts. Collected data can be sent to either Guardian or Vantage.

• Immediate and continuous visibility of changes
• Increasingly accurate and more detailed asset information
• More efficient data collection


Nozomi Arc provides customers with enhanced endpoint data collection and asset visibility. Customers can
now easily identify compromised hosts with malware, rogue applications, unauthorized USB drives and
suspicious user activity.

Leverage the flexibility that Nozomi Arc provides to start greenfield deployments with easier-to-
deploy endpoint sensors. Network-based sensors can require a maintenance change window to reconfigure
switches for span ports.

Nozomi Arc sensors are an endpoint executable that runs on either Windows, Linux or MacOS hosts in mission
critical networks. Collected data can be sent to either Guardian or Vantage. By running directly on the host,
Nozomi Arc is the only solution that provides continuous visibility to key endpoint attributes.


Nozomi Networks Deployment


Guardian can be connected to
• SPAN/Mirror ports of existing network equipment
• Native switches
• Can use RSPAN/ERSPAN as well *
• Routers
• Network TAPs
• Or installed into devices’ internal modules allowing virtualization and internal routing

These deployment options guarantee a complete isolation of the appliances from the producing network, thus enabling a hot deploy with no interference on active communications, suitable for OT.

[Slide diagram legend: TLS (tcp/443) Traffic; Mirrored Traffic]

* If considering using ERSPAN, please consult Professional Services for potential compatibility and/or impact on switch performance.


Delay/Latency of packets cannot be an issue, so the Nozomi solution must be installed using a SPAN or Mirror
configuration so that we introduce no impact to the network – we’re only receiving a copy of traffic and not
generating any (unless the customer is using Smart Polling, covered later).

If needed, we can also use a TAP or some sort of packet broker to send the packets to the Guardian.
• Using ERSPAN is also a supported solution to receive the mirrored network traffic, an internal paper is
available for further details when needed
• Any downtime for Guardian (very rare) does not affect network capability because we’re sitting outside the
network path on mirrored ports

If considering using ERSPAN, discuss with your Professional Services representative for more information on the
pros, cons and considerations.


World-Class Go-To-Market Ecosystem

Optimizing OT and IoT with IT Security Solutions

Global Network of SI, VAR and Distribution Partners

1,500+ Trained and Certified Professionals


Nozomi Networks has a good relationship with most of the large OT hardware manufacturers as well as several
partnerships in the IT and OT industry.
Nozomi Networks is well-positioned to continue to be a market leader and continue to innovate.


Technology Alliance Ecosystem

Integrations and Interoperability with Controls, Security, Network & Cloud Architectures
• SIEM, SOAR and Data Integrations
• OT / ICS Interoperability
• Other Network / IT Security Technologies
• Cloud Services and Platforms


Nozomi Networks supports a wide array of partners, automation vendors and both OT and IT protocols. As you
will see, Guardian supports every mainline protocol found in discrete and process automation, as well as power –
and we’re always updating our protocol profile. Support for additional systems and protocols is constantly being
expanded.

One important element of our platform is that it is extremely open. We built it as an open platform to integrate
with other technologies; it is not another siloed technology.

We have extensive integration with a wide range of OT and IT technologies found in many of our customers’
infrastructures.


Supported Protocols
Nozomi provides extensive support for OT/IoT and IT protocols and is frequently adding more protocols to this list. See our dedicated webpage for the full list: Protocol List

What can I do if the protocol I am looking for is not listed?

1. Open a Support ticket with the Nozomi Support Team (providing all the available info incl. a corresponding pcap file) requesting the implementation of the protocol.

2. Use the Protocol SDK capability of Guardian if you would like to build it yourself.

[Slide image: Protocol list on the Nozomi website]


https://www.nozominetworks.com/downloads/US/Nozomi-Networks-Protocol-Support-List.pdf

The above link is a list of all of the currently supported protocols. If a customer has unique/proprietary protocols
used in their environment, they can contact NN support to begin the process of providing a PCAP of the
protocol packets so that the new protocol can be added to Guardian’s current list of supported protocols.


Nozomi Networks Applications

• Perform Security assessments
• Find Device misconfigurations
• Find Network misconfigurations (segregation, data on wrong switches, …)
• Asset inventory
• Network monitoring
• Operational monitoring on links and processes


With today’s IT/OT convergence and changing digital ecosystem, global organizations with both OT and IT
assets have new security requirements to manage a new threat landscape.

Whether security and ops stakeholders sit at the operator level or SOC level, they need to:
• Have 100% visibility and traceability of industrial assets
• Rapidly detect cyber threats / risks
• Reduce troubleshooting time and effort
• Monitor the entire ICS and process in real-time
• Scale across multiple departments, sites and locations
• Centrally or remotely secure assets and infrastructure


Tech Specs


Deployment Options

• Rack mounted sensors
• Small/Remote Sites
• Ruggedized options for harsh environments
• Virtual appliances edition
• Portable sensors for troubleshooting remote locations
• Embedded/Containers appliances


These are the different multiple form factors that are supported by Nozomi Networks.


Guardian Appliances for the Large Enterprise
NSG-HS Series: NSG-HS 3500, NSG-HS 3000. NSG-H Series: NSG-H 2500, NSG-H 2000.

Spec | NSG-HS 3500 | NSG-HS 3000 | NSG-H 2500 | NSG-H 2000
Max. Protected Nodes | 500,000 | 300,000 | 200,000 | 100,000
Max. Protected Network Elements | 2,000,000 | 1,500,000 | 1,200,000 | 1,000,000
Max. Throughput | 6 Gbps | 6 Gbps | 3 Gbps | 3 Gbps
Max. Remote Collectors* | 50 | 50 | 50 | 50
Monitoring Ports | Modular up to 16+1 | Modular up to 16+1 | Modular up to 8+1 | Modular up to 8+1
Expansion Slots (empty by default) | 4 slots available: 4x1000BaseT / 4xSFP / 4xSFP+ | 4 slots available: 4x1000BaseT / 4xSFP / 4xSFP+ | 2 slots available: 4x1000BaseT / 4xSFP / 4xSFP+ | 2 slots available: 4x1000BaseT / 4xSFP / 4xSFP+

* See Remote Collector tech specs for more details.


The H and HS models are the biggest, most expensive and most capable appliances we have. Note that there
are up to four interface modules that can be installed on the HS models and two modules on the H series.
Customers will have to purchase the modules separately (they can be either copper or fiber, as needed).

Note that we will be covering the concept of nodes and network elements later, but that they are very important
during the needs analysis and solution meetings with the customer for sizing. Also note that we will be going
through a couple sizing exercises later in the course (on the 2nd day of the course, at the end of the Environment
section.)

Physical Appliances Technical Specs are available at https://www.nozominetworks.com/products/technical-specifications/


Guardian Appliances for the Mid-Enterprise
NS20 Series: NS20 1000, NS20 750. NS1 Series: NS1 250, NS1 100.

Spec | NS20 1000 | NS20 750 | NS1 250 | NS1 100
Max. Protected Nodes | 40,000 | 10,000 | 5,000 | 1,000
Max. Protected Network Elements | 600,000 | 200,000 | 90,000 | 20,000
Max. Throughput | 1 Gbps | 1 Gbps | 500 Mbps | 250 Mbps
Max. Remote Collectors* | 50 | 50 | 20 | 20
Monitoring Ports | 9x1000BASE-T + 4xSFP | 9x1000BASE-T + 4xSFP | 7x1000BASE-T | 7x1000BASE-T
Expansion Slots | 2 slots available: 4x1000Base-T / 4xSFP / 4xSFP+ | 2 slots available: 4x1000Base-T / 4xSFP / 4xSFP+ | 1 slot available: 4x1000Base-T / 4xSFP | 1 slot available: 4x1000Base-T / 4xSFP

* See Remote Collector tech specs for more details.


Physical Appliances Technical Specs are available at https://www.nozominetworks.com/products/technical-specifications/

The NS20 and NS1 series appliances are our mid-sized and smaller offerings, respectively.

Note that these have built-in 1000Base-T ports and have one upgradable bay for another module.


Guardian Appliances for Ruggedized or Portable Scenarios
Ruggedized series: NG-500R, NSG-R 50. Portable: Portable P550.

Spec | NG-500R | NSG-R 50 | Portable P550
Max. Protected Nodes | 5,000 | 500 | 2,500
Max. Protected Network Elements | 80,000 | 10,000 | 50,000
Max. Throughput | 800 Mbps | 100 Mbps | 200 Mbps
Max. Remote Collectors* | 30 | 10 | Not available
Monitoring Ports | 3x1000BASE-T | 4x1000BASE-T | 5x1000BASE-T
Expansion Slots | 2 additional NIC slots available (Copper and/or SFP) | Not available | Not available
Form Factor | 3 rack unit | DIN mountable | Desktop with wall mount kit
Power Supply Type | 100-240V AC, 16.6-160 DC, DUAL | 100-240V AC, 12-36V DC | 90-240V AC, 12-30V DC
Temperature Range | -40º / +70º C | -40º C / +75º C | 0 / +60º C

* See Remote Collector tech specs for more details.



Physical Appliances Technical Specs are available at https://www.nozominetworks.com/products/technical-specifications/

There are two ruggedized models available for areas that don’t have ideal cooling solutions or have
other harsh environmental conditions, like dusty air (marble/granite processing, for example). On the
right is the portable solution, usually carried by our Professional Services team and by partners when
doing a POC at a customer site.


Guardian Appliances V Series for Virtual Environments*

Spec | V1000* | V750 | V250 | V100
Max. Protected Nodes | 40,000 | 10,000 | 5,000 | 1,000
Max. Protected Network Elements | 400,000 | 200,000 | 100,000 | 20,000
Max. Throughput | 1 Gbps | 1 Gbps | 1 Gbps | 1 Gbps
Scenarios | Enterprise | Large | Medium | Small
Deployment Options | Hyper-V 2012+, KVM 1.2+, VMware ESX 7.0+, XEN 4.4+, AWS** | Hyper-V 2012+, KVM 1.2+, VMware ESX 7.0+, XEN 4.4+, AWS** | Hyper-V 2012+, KVM 1.2+, VMware ESX 7.0+, XEN 4.4+, AWS** | Hyper-V 2012+, KVM 1.2+, VMware ESX 7.0+, XEN 4.4+, AWS**
Max. Remote Collectors*** | 50 | 50 | 20 | 20

* see user manual Section Virtual Machine sizing
** Guardian in AWS will analyze only traffic coming from RC
*** See Remote Collector tech specs for more details.

These are our virtualization solutions, controlled by license limits.


We support pretty much all of the major virtualization vendors, as shown on the slide.
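A sizing helper that works across the Guardian spec tables above (large enterprise, mid-enterprise, ruggedized/portable and V series), added here as an example and not a Nozomi Networks tool: it picks the smallest model whose Max. Protected Nodes, Max. Protected Network Elements, Max. Throughput and Max. Remote Collectors all cover a site's requirement, and reports which capacity that site would exhaust first. The figures are the ones in the tables; the family labels, the headroom factor and the tie-break order are assumptions made for this example, not vendor sizing rules.

```python
"""Guardian appliance sizing helper (added example, not a Nozomi Networks tool).

The capacity figures are transcribed from the Guardian spec tables in this
guide. Family labels, the headroom factor and the tie-break order are
assumptions made for the example, not vendor sizing rules.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Model:
    name: str
    family: str               # assumed label: large, mid, rugged, portable, virtual
    nodes: int                # Max. Protected Nodes
    elements: int             # Max. Protected Network Elements
    throughput_mbps: int      # Max. Throughput, in Mbps
    remote_collectors: int    # Max. Remote Collectors (0 = not available)


# Figures from the spec tables in this guide.
CATALOG = (
    Model("NSG-HS 3500", "large", 500_000, 2_000_000, 6000, 50),
    Model("NSG-HS 3000", "large", 300_000, 1_500_000, 6000, 50),
    Model("NSG-H 2500", "large", 200_000, 1_200_000, 3000, 50),
    Model("NSG-H 2000", "large", 100_000, 1_000_000, 3000, 50),
    Model("NS20 1000", "mid", 40_000, 600_000, 1000, 50),
    Model("NS20 750", "mid", 10_000, 200_000, 1000, 50),
    Model("NS1 250", "mid", 5_000, 90_000, 500, 20),
    Model("NS1 100", "mid", 1_000, 20_000, 250, 20),
    Model("NG-500R", "rugged", 5_000, 80_000, 800, 30),
    Model("NSG-R 50", "rugged", 500, 10_000, 100, 10),
    Model("Portable P550", "portable", 2_500, 50_000, 200, 0),
    Model("V1000", "virtual", 40_000, 400_000, 1000, 50),
    Model("V750", "virtual", 10_000, 200_000, 1000, 50),
    Model("V250", "virtual", 5_000, 100_000, 1000, 20),
    Model("V100", "virtual", 1_000, 20_000, 1000, 20),
)


@dataclass(frozen=True)
class SiteRequirement:
    nodes: int                # nodes expected at the site
    elements: int             # network elements expected at the site
    throughput_mbps: int      # peak mirrored traffic the sensor must ingest
    remote_collectors: int = 0


def fits(model: Model, req: SiteRequirement, headroom: float = 1.0) -> bool:
    """True if every capacity covers the requirement scaled by headroom.

    Headroom leaves room for growth; the Remote Collector count is a hard
    limit and is not scaled.
    """
    return (model.nodes >= req.nodes * headroom
            and model.elements >= req.elements * headroom
            and model.throughput_mbps >= req.throughput_mbps * headroom
            and model.remote_collectors >= req.remote_collectors)


def choose_appliance(req: SiteRequirement,
                     families: Optional[Set[str]] = None,
                     headroom: float = 1.0) -> Optional[Model]:
    """Smallest fitting model, ranked by nodes, then elements, then throughput."""
    candidates = [m for m in CATALOG
                  if (families is None or m.family in families)
                  and fits(m, req, headroom)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda m: (m.nodes, m.elements, m.throughput_mbps))


def binding_constraint(model: Model, req: SiteRequirement) -> str:
    """Name the capacity this site would exhaust first on the chosen model."""
    usage = {
        "nodes": req.nodes / model.nodes,
        "elements": req.elements / model.elements,
        "throughput": req.throughput_mbps / model.throughput_mbps,
    }
    return max(usage, key=usage.get)


if __name__ == "__main__":
    # Constructed example site: a plant with 3,000 nodes, 50,000 network
    # elements, 200 Mbps of mirrored traffic and two substations on RCs.
    site = SiteRequirement(nodes=3000, elements=50_000,
                           throughput_mbps=200, remote_collectors=2)
    for fam in ({"mid"}, {"virtual"}, {"portable"}):
        pick = choose_appliance(site, families=fam)
        if pick is None:
            print(f"{sorted(fam)}: no model fits (RC support or capacity)")
        else:
            print(f"{sorted(fam)}: {pick.name}, first limit hit: "
                  f"{binding_constraint(pick, site)}")
    # Doubling the headroom pushes the same site up a model.
    print("with 2x headroom:", choose_appliance(site, {"mid"}, 2.0).name)
```

The Portable P550 drops out as soon as a Remote Collector is required, which is the kind of hard limit a sizing exercise needs to catch before the hardware is ordered.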


Guardian Appliances
Embedded / Container

• Available for Guardian with the Smart Polling add-on module only
• Cisco Catalyst 9300
• Siemens Ruggedcom RX1500, installed on bare metal APE module
• Gatewatcher IDS
• Scalance LPE

Embedded / Container
Embedded Offerings | Cisco Catalyst, Gatewatcher, Siemens RUGGEDCOM
Add-ons | Smart Polling module: included. Threat Intelligence and Asset Intelligence subscriptions: can be added
Remote Collector Support | Not available


Note: the “Remote Collector Support” line only means that we can't send RC traffic to a containerized
Guardian, but a container-based RC is still possible.

These are the containerized or embedded solutions. For more information, see the following:

- Cisco Catalyst 9300, RX1500 -> https://www.nozominetworks.com/press-release/nozomi-networks-delivers-ot-and-iot-cybersecurity-to-cisco-ise/

- Siemens Ruggedcom, Nozomi is installed on APE module -> https://www.nozominetworks.com/blog/nozomi-networks-cyber-security-solution-embedded-in-ruggedcom/
-- Siemens will handle initial (Level 1, Level 2) support

- Gatewatcher -> https://www.nozominetworks.com/press-release/gatewatcher-and-nozomi-networks-team-to-deliver-advanced-ot-and-iot-cybersecurity-solutions-for-global-industry/
-- Gatewatcher publishes the TrackWatch IDS detection system.
-- 1st advanced intrusion detection system qualified by the ANSSI to equip Operators of Vital Importance (OIV) under the Military Planning Law (LPM)

- Schneider Scalance LPE: https://www.nozominetworks.com/press-release/nozomi-networks-and-siemens-bring-scalable-cybersecurity-to-industrial-automation/


Arc Endpoint Sensor

Operating System | Version
Windows (x86_64) | Windows 7, or above
macOS (x86_64, arm64) | macOS 10.10 Yosemite, or higher
Linux (x86_64, arm, arm64) | Ubuntu 16.04, or higher; Debian Jessie, or later; CentOS 7, or higher; Raspbian Jessie, or later

Resource Requirements (will depend on traffic loads and other options)
Disk Space | Up to 100 MB of free disk space
RAM | Up to 80 MB of free RAM


More information will be given on the last day regarding the Arc sensor, but here we can see that Arc
can be installed on different operating systems.


Remote Collector
for Remote Locations

NSG-R50
Max. Throughput | Up to 50 Mbps
Remote Collector Support | Not available
Monitoring Ports | 4x1000BASE-T
Expansion slots | Not available
Form Factor | DIN mountable
Temperature Ranges | -40 / +70º C

Virtual Remote Collector
Max. Throughput | Up to 15 Mbps
Deployment Options | Hyper-V 2012+, KVM 1.2+, VMware ESX 7.0+, XEN 4.4+

Docker Remote Collector
Max. Throughput | Up to 15 Mbps
Deployment Options | arm64, amd64


More information will be given on the last day regarding Remote Collectors, but here we can see that
RCs can be offered as hardware or virtual solutions.

Note the small throughput limitation and that the appliance is DIN mountable, ideal for small
deployment spaces and small networks to be monitored.


CMC Appliances
in the Cloud or at the Edge
Cloud or Virtual Central Management Console
Deployment Options - Cloud | Amazon AWS and Microsoft Azure
Deployment Options - Virtual | Hyper-V 2012+, KVM 1.2+, VMware ESX 7.0+, XEN 4.4+
Max. Managed Sensors | 400
Max. Protected Network Elements | 1,200,000
Storage | 100+ Gb

NCMC-100
Max. Managed Sensors | 50
Max. Protected Network Elements | 600,000
Max. Throughput | 1 Gbps
Management Ports | 4x1000BASE-T
Expansion Slots | Not available
Storage | 256 Gb


We will cover the CMC appliance configuration and usage later in the course, but you can see here
that the CMC can be either a physical appliance or virtual. Note that it is also possible to host the CMC
virtually in a cloud provider, namely Amazon AWS or Microsoft Azure.


Installing appliances – step 1 of 4

Add GuardianA to Core switches

Asset Inventory:
• Minimal extraction of device vendors, MAC vendors, hostnames, firmware versions, device types.
Vulnerability Assessment:
• Minimal identification of firmware, OS, and CPEs
Network Visibility:
• Minimal
Threat Detection:
• Basic detection of threats coming from higher levels, mainly via signatures.

[Slide diagram: reference site network. L5: Corporate Workstations, Corporate Servers, Security Operation Center (SIEM). L4: Site IT Workstations, Site IT Servers (DNS, AV, DC, Historian, Patch), Remote Access Servers; Firewall and DMZ; Core Switches with GuardianA on mirrored traffic. L3: Site Production Control Systems. L2: Line Operator/Engineering Workstations. L1: PLCs/RTUs. L0: Sensors, Actuators. Legend: IT Traffic (NTP, DNS, SNMP, etc.); OT Traffic (variables and commands between PLCs, and PLCs and HMIs; diagnostics and configuration commands from Engineering workstations and PLCs); Mirrored Traffic.]


In the next four pages, we will cover some possible installation locations within a sample customer
OT network.

Here, we will add a Guardian only at the Core Switch(es). As a result, we will see only limited
information about the devices further “down” in the network. We will be able to identify traffic that
traverses between the IT and OT layer, as well as traffic that is bound for the DNS servers, historians,
possibly the main control room workstations, etc.

This limits our asset identification and monitoring, so it’s best to also receive traffic from elsewhere in
the network.


Installing appliances – step 2 of 4

Add GuardianB to Control switches

Asset Inventory:
• Excellent extraction of device vendors, MAC vendors, hostnames, firmware versions, device types (if all switches covered)
Vulnerability Assessment:
• Excellent identification of firmware, OS, and CPEs
Network Visibility:
• Good network visibility.
• Partial variable extraction
Threat Detection:
• Good detection of all threats via signatures and via anomaly detection

A local CMC or Vantage can be added to aggregate data from different Guardians

[Slide diagram: same reference site network as step 1 (L5 to L0), now with GuardianA at the Core Switches, GuardianB at the Site Production Control Systems switches (L3), an optional Local Nozomi CMC at L4, and Nozomi SaaS VANTAGE above L5. Legend: IT Traffic, OT Traffic, Mirrored Traffic.]


In this slide, you can see that we’ve now added a Guardian at the control switches that manage
traffic going between the various engineering workstations. Because the PLCs and other controllers
often send updates to the workstations (or vice versa), the Guardian is now able to pick out asset,
node and link information (more about that later).

Note that in this case, we now have two Guardian appliances. At this point, it would be a good idea to
consider a CMC appliance to make monitoring and reporting and alerting easier.

However, in this setup, we won’t have a full picture of all of the individual controllers and/or RTUs. If
you want a complete inventory of all assets, then you will want to install a Guardian at the switches
that they are directly connected to.


Installing appliances – step 3 of 4

Add GuardianC to Process switches:

Asset Inventory:
• Best extraction of device vendors, MAC vendors, hostnames, firmware versions, device types (if all switches covered)

Vulnerability Assessment:
• Best identification of firmware, OS, and CPEs

Network Visibility:
• Total network visibility.
• Total variable extraction

Threat Detection:
• Best detection of all threats via signatures and via anomaly detection

A global CMC or Vantage can be added in case the customer wants to aggregate the data from different plants

[Diagram: same sample OT network (L5 to L0) with GuardianA at the Core Switches, GuardianB at the Control switches, GuardianC at the Process switches, an optional local Nozomi CMC at Site IT and an optional global Nozomi CMC / Nozomi SaaS Vantage feeding the Security Operation Center/SIEM.
Legend: Mirrored Traffic; OT Traffic: variables and commands between PLCs, and PLCs and HMIs; IT Traffic: NTP, DNS, SNMP, etc.; Diagnostics, configuration commands from Engineering workstations and PLCs]


Here a third Guardian is added to monitor the Process switches to improve the visibility. You can
see that this results in the best anomaly detection and inventory assessment capabilities, because
now we can monitor all areas of the OT network. However, there are many customers who may
not wish to deploy at this level for cost reasons, depending on their budget and/or the size of
their deployment. While this configuration is the IDEAL scenario, it is not always going to be possible,
and this is where the needs analysis and sizing discussions with the customer come into play.

If the customer decides to deploy their Guardian solution in different plants, it’s likely they are going
to install a Global CMC or Vantage to aggregate all the data coming from the different
plants/locations.


Installing appliances – step 4 of 4

Add Arc to Workstations enabling:

Asset Inventory:
• Best extraction of endpoint OS version, installed software, and hotfixes

Vulnerability Assessment:
• Best identification of endpoint OS, hotfixes, installed software, and CVEs

Network Visibility:
• Total endpoint visibility

Threat Detection:
• Best endpoint USB monitoring, user activity correlation, and SIGMA rules

Arc provides flexible deployment, allowing for higher fidelity information from all parts of your network on:
• Windows, Linux, macOS
• AMD64, ARM architectures

[Diagram: same sample OT network (L5 to L0) with GuardianA, GuardianB and GuardianC as in step 3, plus Arc on the workstations; optional local and global Nozomi CMC / Nozomi SaaS Vantage feeding the Security Operation Center/SIEM.
Legend: Mirrored Traffic; OT Traffic: variables and commands between PLCs, and PLCs and HMIs; IT Traffic: NTP, DNS, SNMP, etc.; Diagnostics, configuration commands from Engineering workstations and PLCs]


Here we also deploy Arc to have complete visibility of all the workstations present in the network.
With Arc we receive precise information about the OS and all the installed software (with the
related vulnerabilities), including software that does not generate network traffic and therefore
cannot be passively detected by Guardian.


Lab Setup


Virtual lab environment


• Guardian machines for the training are available in the cloud.
• Each student is assigned a Guardian machine to connect to and to use during the course, using a
  cloud-based VM solution called Cloudshare
• Instructor will provide you with an access link and passphrase in the exercise on the next page
• The initial machine setup has already been done by Nozomi Training:
  • The management IP has been configured
  • Licenses have been installed
  • The Web UI password setup has been done
  • The shell access has been configured to use ssh to the Guardian IP address

Access Type      Username   Password
Shell console*   admin      Nozominetworks1!
Web UI           admin      Nozominetworks1

While there are a few steps necessary to configure a Guardian system, we’ve done that for you
already with the student instances. The IP address and gateway/netmask, licensing, Web UI
password and console access credentials have all been pre-configured for you.

The table shows the usernames and passwords necessary for the shell and Web UI. Note that in this
class we won’t really be using the shell very frequently, but we provide you with the password just in
case you need to or want to try it out.

Trainees will be provided the Cloudshare access details in the lab on the next page.


Activity: Accessing Cloudshare

Lab Exercise – Lab 1: Connecting to the Lab Environment
Time to Complete: 5 minutes
Refer to the Lab Guide for instructions

[Screenshots: Cloudshare Login page; Cloudshare Environment]


Go to the Lab Guide and follow the steps to connect to the Cloudshare environment.
The Lab Guide is available in the participants' folder on the Trainee Machine in your Cloudshare
environment.


Installation and Maintenance


Initial Installation and Configuration

Default Settings

Setting                          Physical Appliances       Virtual Appliances
IP Address                       192.168.1.254             NONE
Web UI: user / password          admin / nozominetworks    admin / nozominetworks
Shell console: user / password   admin / nozominetworks    admin / NONE

Physical Appliances management setup
• Connect using Shell console
• Login as admin
• Type enable-me*
• Type setup to change the mgmt default IP address
• To change the admin console default password type change_password

Virtual Appliances management setup
• Connect using Shell console
• Login as admin (no password on VM)
• Type enable-me*
• Type setup
• System will ask you to set the password
• After password is set proceed with the setup to configure the mgmt IP

*The enable-me command on the Shell elevates the admin user to root
• root elevation requires the admin password to be re-entered as a security measure
• ssh login using root is only possible using ssh keys; the public key can be installed onto the appliance by using the Web UI.


This slide guides the trainees through all the steps that have to be done in order to install a Guardian
appliance: everything that needs to be done in the shell, as well as the default credentials and IP
address for physical and virtual appliances.

Once the shell configurations are finished, you will see a message stating that you can now access
the Web GUI to continue the configuration (as covered later in the next few slides).


Web UI – New Layout

[Screenshot: Guardian Web UI header bar, with the following items called out]
• Product version
• Software Warnings
• Time
• Installed license
• Web UI error message
• Appliance hostname
• Update status
• Disable/Enable services
• Disk status
• Web UI language
• ‘Eye’ Web UI timeout
• Status of the virtual image, being LIVE or a loaded snapshot


This slide shows all of the options in the header bar of the Guardian UI. Make sure to toggle back and
forth between the slide and your environment to demonstrate a few items, such as the Web UI
Timeout toggle (the eye) and rolling your mouse over the license information.


Web UI – New Layout (cont.)

[Screenshot: Guardian Web UI navigation bar, items 1–9 numbered left to right]
1. Dropdown for more options
2. Sensors table
3. Alerts table
4. List of Assets
5. Queries screen
6. Smart Polling information
7. Arc Information
8. Administration menu
9. User menu
   • Includes a toggle for classic vs. new UI


Network setup check and Web UI CLI Timeout

Lab Exercise – Lab 2 (OPTIONAL): Network Setup and Configuration
Time to Complete: Approx. 5 minutes
User Manual: Chapter 2: Installation – Setup Phase 1
The management interface config is available via shell access only.

Lab Exercise – Lab 3: Use CLI to Configure the Web UI Timeout
Time to Complete: 3 minutes
User Manual: Chapter 15: Configurations
The CLI is available from Web UI or Shell Console


Many of the configurations that we will do in this class can also be done through the Web CLI, found
in the Administration > Settings menu. Note that this is not a full Shell Console nor a way to elevate
or change your permissions.

Note that most of the CLI commands can be found in the User Manual. Consider having the User
Manual already open to Chapter 15 and switch to it to see a few examples of commands that are
listed in there.


System – General information, Date & Time

• The Hostname of the Guardian
• The Login banner is being displayed while using both the Web UI or Shell console
• Description and Site will be used in CMC/Vantage
• Date/Time: The managing CMC is providing date & time in most installations, a manual config is also possible
• The local Time zone setting will adjust the visualization


Here are the first tasks that most administrators will perform on receiving a new appliance, after
they’ve been able to access the Web UI. First walk users to the Administration > System > General tab
and showcase the different fields.

Afterwards, switch to the Administration > System > Date and Time screen and demonstrate the
time zone and NTP settings.

The hostname seen here corresponds to what was provided during initial CLI setup. The default time
zone is UTC +0:00.


System – Licenses (1 / 2)

• There are 5 total license types:
  • One Base License and four Subscription-based Licenses
• Base License options
  • Standard: includes traffic monitoring and alerting/security
  • Advanced: all Standard license capabilities; also includes Smart Polling
• Four optional Subscription-based Licenses available:
  • Threat Intel: signature-based threat detection
  • Asset Intel: more robust asset information
  • FIPS: NIST-compliant security standards for accessing the appliance and storing data
  • Arc: software-based sensor that can be installed on OT computers

[Screenshot: System > Updates & Licenses]


Note that there are four different possible licenses that a customer can purchase. You can access the
licenses in the Administration > System > Updates and Licenses menu. The first is the base license,
which may or may not include Smart Polling. The second and third licenses are for the Asset
Intelligence and Threat Intelligence feeds. Each one will need to be tied to a specific machine ID,
which you can see when you click on the Set New License button.

Furthermore, in the upper right, you can click on the Update service configuration link to toggle
between manual or automatic updates of the various licenses.

The fourth type of license is for FIPS compliance. This license enables a more secure way of accessing
the appliance and storing data on it. The Federal Information Processing Standards (FIPS) of the
United States are a set of publicly announced standards by NIST developed for use in computer
systems of non-military, American government agencies and contractors. They are normally only
applicable to United States customers, as they need to comply with FIPS, which covers:
• HTTPS Web interface
• SSH remote access
• RC and CMC data flows
• Local users password encryption
• Configuration secrets stored in the local configuration file


System – Licenses (2 / 2)

• Licenses are provided via three possible ways:
  • Online via Account-Code & Machine-ID when purchased
  • Using the Machine-ID for Nozomi to create an evaluation license
  • Directly from Vantage
• Arc license:
  • Per-seat license
  • Each seat can be enabled/disabled as needed

[Screenshot: Licenses on Guardian, showing:]
• BASE License: Mandatory, incl. expiry date and max. number of monitored nodes
• Threat Intelligence: Subscription, incl. expiry date for updates
• Asset Intelligence: Subscription, incl. expiry date for updates
• Smart Polling License: Optional Add-On, incl. the expiry date
• FIPS: Subscription, incl. expiry date
• Arc: Subscription, incl. expiry date


An unlicensed Guardian stops analyzing packets for new nodes

The FIPS license enables a more secure way of accessing the appliance and storing data on it. The
Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced
standards by NIST developed for use in computer systems of non-military, American government
agencies and contractors. They are normally only applicable to United States customers, as they need
to comply with FIPS, which covers:
• HTTPS Web interface
• SSH remote access
• RC and CMC data flows
• Local users password encryption
• Configuration secrets stored in the local configuration file


Basic Parameters and Licenses

Lab Exercise – Lab 4: Set Basic System Parameters
Time to Complete: 3 minutes
User Manual: Chapter 2: Installation – Setup Phase 1

Lab Exercise – Lab 5: Check Licenses and Update Service
Time to Complete: 3 minutes
User Manual: Chapter 15: Configurations


Monitoring interfaces & traffic validation

System | Network Interfaces
• The visualized traffic is measured after packets being dropped or filtered

[Screenshot: Interfaces - throughput & settings, callouts 1–6]
1. Configuration for interface
2. Interface name
3. Interface status (enabled/disabled)
4. Interface is mirrored (true/false)
5. Which BPF filter has been enabled, if any
6. Denylist information


In the System > Network Interfaces menu you can monitor and configure the installed ports in the
Guardian appliance. The graph here will give you a good indication of the throughput of the various
types of traffic for each interface. This is a good place to go to check to make sure there is network
traffic successfully mirrored from each of the customer’s switches.

NOTE: you may need to change the “Time window” in the upper right to the last 1 minute or the last 1
hour to see the traffic that was just started.

Down at the bottom of the screen, you can see a list of all of the interfaces and filter them as
necessary. You can also click the Configure button to implement filters and denylists and change
other details about each interface. (See next slide)

Also navigate to Environment > Network View > Traffic tab. Here is another place where you can
monitor and perform a high-level examination of the total of all network traffic monitored by the
Guardian. These graphs show the type of traffic, the total amount per protocol and then two pie
charts that break down the protocols into percentages (for both bandwidth and throughput). Only 1
management port is allowed.
To see which protocols are IT and OT, run environment_information {"from":"0"} in the GUI CLI


Network Interfaces – Configuration

[Screenshot: interface configuration dialog, callouts 1–5]
1. Label: change the name of the monitoring interface
2. Enable/Disable monitoring interface
3. NAT should be configured to mask the original IP subnet monitored using translated IP addresses.
   Suitable, when duplicate address schemes are being used in the monitored environment
4. BPF filter should be applied to include/exclude monitored traffic on a network packet basis:
   • BPF syntax Guide: https://<GuardianIP>/#/bpf_guide
   • E.g. vlan and net 172.20.61.0/24
5. Denylist should be applied to filter out single/multiple IPs (supporting wildcards)
   • Invalid lines are being ignored
   • Example:
     #DESCRIPTION: denylist_test
     - 175.23.44.10
     - 44.34.29.*


This slide shows the interface configuration options when you click the button to the left of a
specified interface. You can change or configure five settings, as listed on the slide. The first is the
label, which is useful to name each interface by switch location or name to make it more “human
readable” to understand what traffic comes from where (this label is also reflected in the data tables
in the Environment menu and also in Queries, so it’s very useful to change these.)

The second allows you to turn on or off the interface (enable/disable).

The third allows you to perform NAT if needed, in the case of network address duplication.

The fourth and fifth allow for the customer to filter which traffic to monitor or ignore (BPF or Denylist,
respectively). The BPF uses the standard Berkeley Packet Filter syntax, while the Denylist uses a text
file that is uploaded (reference the User Manual on page 122 and 123 for the exact format of the text
file).

Example of Denylist
#DESCRIPTION: denylist_1 for test
*
- 192.168.2.*
- 192.168.2.1

The first line is invalid, as it would reject all traffic: invalid lines in a matchlist are ignored.
The last line is simply redundant.
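The denylist rules above (entries of the form "- a.b.c.*", invalid lines ignored, redundant entries) as an added Python check, which is not Nozomi's code: it validates a denylist file before upload and tests sample addresses against it. The Guardian's exact validation rules are not on this page, so the checks it applies are an assumed reading of the format.

```python
import re

# Constructed sample inputs: the two denylists shown on this slide and in its notes.
SLIDE_DENYLIST = """#DESCRIPTION: denylist_test
- 175.23.44.10
- 44.34.29.*
"""

NOTES_DENYLIST = """#DESCRIPTION: denylist_1 for test
*
- 192.168.2.*
- 192.168.2.1
"""

# One entry per line: "- " then a dotted quad in which any octet may be "*".
# The Guardian's exact validation rules are not on the slide; this regular
# expression is an assumed, conservative reading of the format.
ENTRY_RE = re.compile(r"^-\s+((?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3})$")


def covers(broader, narrower):
    """True when `broader` matches every address that `narrower` matches.

    Both are dotted quads where "*" stands for any octet value; `narrower`
    may also be a plain IP address.
    """
    b_octets, n_octets = broader.split("."), narrower.split(".")
    if len(b_octets) != 4 or len(n_octets) != 4:
        return False
    return all(b == "*" or b == n for b, n in zip(b_octets, n_octets))


def parse_denylist(text):
    """Validate a denylist and return (accepted_patterns, problems).

    `problems` holds (line_number, line, reason) tuples. Invalid lines are
    skipped, as the slide says the Guardian ignores them; entries already
    covered by an earlier wildcard are reported as redundant and skipped too
    (an added tidy-up, not something the slide states the Guardian does).
    """
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "#DESCRIPTION:" header, comments and blank lines
        match = ENTRY_RE.match(line)
        if match is None:
            problems.append((lineno, line, "invalid entry, ignored"))
            continue
        pattern = match.group(1)
        octets = pattern.split(".")
        if any(o != "*" and int(o) > 255 for o in octets):
            problems.append((lineno, line, "octet out of range, ignored"))
            continue
        if all(o == "*" for o in octets):
            # A wildcard-only entry would filter out every packet.
            problems.append((lineno, line, "would deny all traffic, ignored"))
            continue
        wider = next((p for p in accepted if covers(p, pattern)), None)
        if wider is not None:
            problems.append((lineno, line, f"redundant, already covered by {wider}"))
            continue
        accepted.append(pattern)
    return accepted, problems


def is_denied(ip, patterns):
    """True if the dotted-quad `ip` matches any accepted denylist pattern."""
    return any(covers(p, ip) for p in patterns)


if __name__ == "__main__":
    for name, text in (("slide", SLIDE_DENYLIST), ("notes", NOTES_DENYLIST)):
        accepted, problems = parse_denylist(text)
        print(f"{name}: accepted={accepted}")
        for lineno, line, reason in problems:
            print(f"  line {lineno} {line!r}: {reason}")
```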


Monitored Network Traffic

Lab Exercise – Lab 6: Validate the Monitored Network Traffic
Time to Complete: 5 minutes
User Manual: Chapter 3: Users – Managing Users

[Screenshot: Network Interfaces menu example]


Lab details available in the Lab Guide that can be opened directly in the Trainee machine.


System - Health
System > Health

• Adjust the Time window as needed (the default is 1 Minute)
• Besides Disk-, CPU- and RAM-usage visualization, additional valuable information is available in Services section
• The Health Log is an exportable table including all Health-related warning messages


In the System > Health screen, you can access hardware usage levels for Disk Usage, RAM Usage and
CPU Usage. Furthermore, in the bottom right, you can quickly check which services (or daemons) are
currently running for your Guardian. The "IDS" service is the traffic analysis engine that monitors and
processes the traffic coming from the mirrored ports (from the switches).

If you click on the Health Log menu, you can see (and potentially export) any system hardware issues
that have been logged. In our environment, there’s likely no logged entries, however.


Features Control Panel

Available under Settings > Features Control Panel

[Screenshots: General tab; Retention tab*]
*Link events and Captured URLs are disabled by default


Under the Settings > Features Control Panel, you can configure whether IPv6 addresses seen while
monitoring generate unique entries in the Assets table, or if they will be rolled together with the IPv4
addresses seen for the devices as well.

If you click over to the Retention tab in the upper right, you can set the various system limits for
several categories. This is a very useful and common page to access when performing system
maintenance and system troubleshooting, since the settings here can severely impact your
appliance’s performance. As you can see in our training environment, Link Events and Captured
URLs have been enabled, but they are disabled by default to save processing resources. However, we
have them enabled to showcase their function later in the course.


Users and Groups

Lab Exercise – Lab 7: Configure Local Users with Different Privileges
Time to Complete: 5 minutes
User Manual: Chapter 3: Users – Managing Users

[Screenshots: Filters; General permissions]


In the Settings > Users screen, you can create, delete or change user and user group details. You can
also configure user import services, such as LDAP and Active Directory or SSO setup using SAML. We
will cover LDAP, etc. later in the course in the Integrations section.

But it’s important to note that you can create and modify users and groups manually, should you
need to. In order for a user to be created, first you will need to make sure that the group that the user
will be part of is created.

In the Groups tab, groups control permission sets. Groups can be created for different levels of users
or for different teams in the organization (such as security vs operations).

Then, after you have created a group, you will switch to the Users tab and create a user and assign it
to the group you just created and Save your settings.

In this exercise you’ll log out and log back in as the new user to showcase that the screens are likely
different, thanks to the enabled/disabled permissions in the new user’s group. Log out of that user
and log back in as Admin.


System – Audit
• Any configuration change, login and data operation is stored in the Audit section
• Device security entries based on HIDS
• E.g., the log entry created when the formerly created test_user logged in.
• Entries are exportable (CSV/Excel) using the Export button

[Screenshot: Audit table]

Lab Exercise – Lab 8: Identify User Logins and Config Changes
Time to Complete: 3 minutes
User Manual: Chapter 5: User Interface Reference


Under the System > Audit screen, you can search through the system’s audit logs for user activity.
Here you can see who performed an action (such as logging in or changing a critical system setting)
and when they did it.

Each of the different columns of data is also searchable, using the filter field at the top of the column.
Simply type a few letters or numbers and the system will parse out the audit log for whatever is
typed.

The audit log is based on the HIDS (Host Intrusion Detection System) built into the base version of
Linux that the Guardian uses.

As time permits, have the students now perform the lab exercise, “Identify user logins and
configuration changes”. If there isn’t enough time, simply walk through the lab on your own while
delivering the content as part of your demo.


System – Upload traces

System > Upload traces
• Traces recorded elsewhere can be analyzed by Guardian ‘offline’.
• The functionality is not designed to be combined with LIVE traffic.
  • Often used in a Guardian set up as a test or lab system
• Multiple trace files can be uploaded at the same time.
• Upload traces settings:
  • Use traces timestamps: If enabled (default), the original timestamps are used, otherwise instant timestamps are assigned.
  • Delete data before play (deletes also snapshots).
  • Auto play when uploaded.

[Screenshot: Upload traces menu]


In the System > Upload Traces screen, users can upload and replay PCAP files (or “traces”). Primarily,
this functionality is meant as a research, testing or incident response activity, so it is highly advised
that customers only replay a trace on test systems and not live ones. This is because PCAP files
replayed here will add to the Guardian’s traffic statistics and are likely to create new nodes, links,
variables and assets, not to mention alerts.

If the “Use trace timestamps” checkbox at the top of the screen is unchecked, the system will
append the current date/time to the replayed traffic. Otherwise, if left checked, whatever timestamps
are present in the trace file will be used, which could be potentially several years old, depending on
the PCAP.

Note that we have the background traffic stream that we use in the class saved as a Trace here, in
case you ever want to run the PCAP here instead of through the button at the top left of the student
Ubuntu machine. The other PCAPs will be used in later exercises in the Alerts section.

Max 2 GB, max 10 files, analyzed together.

Note on timestamps and Dynamic Learning: if PCAP timestamps are enabled, and Dynamic
Learning is in place, the learning window’s starting time will be set to the first PCAP timestamp
(which means the Guardian will likely create a number of alerts, especially if the timestamp in the
trace is considerably older)


System – Operations
System > Operations

• Operations include the Shutdown, Reboot or N2OS Update of the appliance
  • Shutdown will require a manual action to restart equipment
• 3 upgrade methods:
  1. Immediately over web UI
  2. Scheduled for connected sensors
  3. Over Shell (requires a file transfer)
• There are additional upgrade options which will be covered later in this training

[Screenshot: Operations screen, callouts 1 and 2]


Under the System > Operations screen, an Admin user can trigger a system shutdown or restart if
necessary, such as during a maintenance window.

Furthermore, this is also where an N2OS version upgrade can be performed (if there is no CMC
present, since usually CMCs control individual Guardian updates automatically).

Note that the upgrade files have a .bundle extension at the end of the filename, and that there are
two different kinds of update files:

• Standard: does not include Smart Polling


• Advanced: does include Smart Polling


Upgrade file
• This is the same file for CMC/Guardian/RC.
• The file has to be downloaded from support portal
• The extension of the update is .bundle
• Two versions of update files are available (where XX.Y.Z is the N2OS version, for example 23.0):
  • XX.Y.Z-standard-update.bundle → is the standard update file
  • XX.Y.Z-advanced-update.bundle → is the standard update file including the Smart Polling Add-on software
• XX is the core version (currently 23), Y is the sub version, Z is the fix
• Starting from version 23.x.+ Nozomi will release only one update file, more details at this KB article

[Screenshot: Update bundle files (Documentation)]


System – Operations | Software Update

Lab Exercise – Lab 9: Perform an N2OS Version Update
Time to Complete: Approx. 10 minutes
User Manual: Chapter 10: Maintenance – Software Update

[Screenshots: 1 - Operations menu; 2 - Proceed; 3 - Automatic Reboot]


Also note that you cannot navigate away from the screen while the upload is underway (i.e., do not
click on any other menus, unless you are opening them in another tab), since that would stop the
upload. When the upload is completed, be patient and wait for the “Proceed” button to appear and
then click on it. At that time, the update is underway and you can navigate elsewhere or close down
the browser, since the upgrade is now happening on the machine. On successful completion of the
update, students will now see “Smart Polling” as a menu option at the top of the screen.

If you want to perform a System Upgrade via shell:

First, copy the update file to the temp folder in the Guardian:
• scp <VERSION>-update.image.bz2 root@IP:/data/tmp

Second, run the update installation command, as follows:
• install_update /data/tmp/<VERSION>-update.image.bz2


System – Backup & Restore

Full backup archives can be created/scheduled or restores can be performed under System > Backup/Restore, or via Shell console
• Full backups contain the /data folder incl. environments, alerts, DBs, log files, network settings and (optional) traces
• Download button creates a backup archive on the fly which can be saved to the administrator's workstation
• Schedule backup allows to configure recurring backups to be created and to be stored not only locally but remotely using the SSH/SCP, FTP or SAMBA protocol
• Restore a Backup allows to choose from a locally stored backup archive or to upload such an archive. The max. file size to be uploaded is 2Gb (for a file > 2Gb use scp and the shell command)
• The Backup file name includes the hostname, date & time and N2OS version of the Guardian, e.g.:
  “backup_Guardian1.local_20211223102419_22.0.0-12061235_00473.nozomi_backup”

[Screenshot: Backup & Restore menu]



In the System > Backup/Restore screen, you can trigger an ad hoc backup or configure a scheduled
backup. The backup file can be downloaded to the administrator’s workstation (if “Download” is
selected) or pushed to a storage site of your choice. Backup files are tar.gz archives (the file
generated by the UI carries the .nozomi_backup extension shown on the slide).

You can also restore an existing backup file onto the system using the Restore Previous Backup
section at the bottom of the screen. Here you can pick an existing backup or upload one to use.

Manual command to create a tar.gz archive (after stopping services):

(cd /data && tar cpzf /data/tmp/backup.tar.gz --exclude=log --exclude=run --exclude=remove-me-to-free-up-space --exclude=tmp --exclude=update.image.bz2 *)

The parentheses run the command list in a subshell: cd /data changes directory only inside that
subshell, so tar sees the contents of /data as relative paths (and the archive unpacks relative to
wherever it is extracted), while the caller's working directory is left untouched. Two caveats worth
knowing before trusting such an archive: the * glob does not match hidden (dot) files in /data, and
each --exclude pattern matches a name at any depth, so a subdirectory called log anywhere under
/data is skipped as well, not only /data/log. Writing the archive into /data/tmp is safe here
because tmp is itself excluded.


Environment


Environment Concept
• The Environment is the real-time representation of the monitored network, providing a
view of all the assets, all the network nodes and the communication between them.

• The main information processed from the monitored networks is stored within these sections:
  • Asset inventory
  • Network discovery and visualization: Nodes, Links, Sessions, Graph, Traffic statistics
  • Process variables and supervision


We start here in the product because it’s full of the traffic data that is collected and analyzed.
Everything from the physical hardware detected (assets) to the logical addresses of those devices
(nodes) and their communications (links, sessions and variables). We will cover each of the menus in
more detail throughout this section, starting with Network.


Environment tables – general controls

• These controls are applied to all tables available in: Asset, Network and Process View
  • Live or manual refresh
  • Export selection into xls or csv
  • Bulk actions (apply to selection)
  • Enable/disable visibility of fields
  • Field name (click to apply sorting)
  • Live Filter textbox, operators: >, <, ==, !=


Each of the various areas in the menu allows you to perform similar actions, as listed on this slide.
While some buttons and controls differ from page to page, many of the filtering and navigation
options remain the same throughout.

Bulk Actions: when viewing the results of one or more filters (or no filters at all), a single action
can be taken against all of them using this button. The bulk action options differ depending on the
page you are viewing.

Clicking on “Address” or the title of any other column sorts the results in ascending or descending
order. Typing anything in the rectangular filter fields searches the column for all entries that
match. The match is not case sensitive and looks anywhere in the field for the string.

Export: this option exports all of the results (not just those listed on the current page) to a CSV or
Excel file.

Live/Refresh: the Live toggle makes the system refresh the table data roughly every 5 – 10
seconds. The Refresh button forces an as-needed refresh of the data.

You can also select which columns are present in your current view by selecting them from the
dropdown. Clicking a highlighted field removes the column from the table (and removes the
highlight in the dropdown).

When operators are used, write a complete IP address or field value as the argument, for example:
ip < 192.0.0.0. Do not use an incomplete statement such as: ip < 192


Network


Network – Menu
• The Network menu contains the tables related to information extracted from the monitored networks

1. Nodes: network participants related to the traffic that Guardian is monitoring
2. Links: communication between two nodes using a specific protocol, aggregated over time
3. Sessions: actual state of the interactive information exchange between two nodes in the environment
4. Graph: graphical visualization of the monitored networks
5. Traffic: traffic statistics about the monitored networks


Note that you have already seen the contents of the Traffic tab during the lab in the Installation and
Maintenance section. Otherwise, each of the other tabs will be covered in the following pages.


Network – Nodes
• The Nodes table contains all the network participants within the monitored network
• Both the source and the destination address of observed traffic are added to the nodes table

• A Node ADDRESS can be:
  • a MAC address (when L2 communication is detected)
  • an IP address (when L3 or higher communication is detected)

• The same MAC address can therefore appear in several rows, each with a different value in the
Node ADDRESS column


This slide gives an overview of how nodes are derived: they are logical representations of devices in
the network. While assets (covered later) are physical devices, nodes represent the logical (layer 2
and layer 3) addresses of those devices (i.e., MAC and IP addresses).

Nodes need to be kept as individual entries because some protocols and communications only
happen at Layer 2, including some uncommon OT protocols.


Network – Sessions
• The Sessions table contains the actual state of the interactive information exchange between two nodes in the
environment

Example (both sessions use protocol Modbus):
  Source Node:Source Port    Session      Destination Node:Destination Port
  192.168.10.1:34563         Session 1    192.168.10.16:502
  192.168.10.1:22763         Session 2    192.168.10.16:502

• A Session is the combination of:
  • Source Node:Source Port
  • Destination Node:Destination Port
  • Protocol (Layer 2, 5 or 7; identified by DPI or default port)
• The Session status entries include TCP-SYN, SYN-ACK, ACTIVE, CLOSED
• Old, closed sessions are deleted (refer to "Clean up old sessions" in the User Guide)


Sessions involve the communications between two nodes, but more importantly they are the
active/current exchange of information. Each time a node opens a new communication (with a
random high-range source port) to a destination node, Guardian records that as a new session entry.
As you can see on the slide, each unique session is tracked separately as an “Active” session.

When the session is closed (via a TCP FIN, RST or similar), the status of the session toggles to
Closed. Because tracking and storing every session can quickly fill up the database and storage
capacity, the Guardian includes a “garbage clean up” process that regularly deletes Closed sessions
from the database. The default timing for the deletion is every 100 seconds, but that can be
changed (see the User Guide section referenced on the slide).

NOTE: the training Guardians in Cloudshare have the garbage cleanup disabled, for demonstration
and training purposes. This is not a recommended setting.


Network – Links
• A Link represents the communication between two nodes using a specific protocol, aggregated over time
• Entries in the links table are persistent

Example: Source Node → Destination Node, Protocol: Modbus

• A Link is the combination of:
  • Source Node
  • Destination Node
  • Protocol (Layer 2, 5 or 7; identified by DPI or default port)
• Link Events are recorded for computing availability: TCP-SYN, UP, DOWN
• A link is populated from a session when the direction is known


Links are similar to sessions in that they represent communications between nodes, but they differ in
that they are a persistent representation of the information. Furthermore, only the source and
destination address and protocol information are retained (not the ports). Each session will add to
the total amount of traffic for the related link.
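The relationship between the Sessions and Links tables on the last two slides, as an added example (Python written for this edition of the guide, not Nozomi's implementation): a session is the per-connection record keyed on source node:port, destination node:port and protocol, moving through the TCP-SYN, SYN-ACK, ACTIVE and CLOSED states named on the slide and garbage-collected once closed; a link is the persistent (source, destination, protocol) aggregate that every session feeds. Class and field names and the packet list in demo() are this example's own assumptions; the packets mirror the two Modbus sessions drawn on the Sessions slide, and the 100-second cleanup default follows the speaker notes.

```python
"""Toy model of the Sessions and Links tables (added example, not Nozomi code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN, SYN_ACK, ACTIVE, CLOSED = "TCP-SYN", "SYN-ACK", "ACTIVE", "CLOSED"


@dataclass
class Session:
    src: str                      # node that sent the SYN
    sport: int
    dst: str
    dport: int
    protocol: str
    status: str = SYN
    transferred_bytes: int = 0
    closed_at: Optional[float] = None


@dataclass
class Link:
    src: str
    dst: str
    protocol: str
    transferred_bytes: int = 0    # sum over every session between these nodes
    sessions: int = 0             # how many sessions have fed this link


class Environment:
    def __init__(self) -> None:
        self.sessions: Dict[Tuple, Session] = {}   # (src, sport, dst, dport, proto)
        self.links: Dict[Tuple, Link] = {}         # (src, dst, proto)

    def _lookup(self, a, ap, b, bp, proto):
        """Find the session a packet belongs to, in either direction."""
        s = self.sessions.get((a, ap, b, bp, proto))
        if s is not None:
            return s, True
        return self.sessions.get((b, bp, a, ap, proto)), False

    def observe(self, ts, src, sport, dst, dport, proto, flags, size=0):
        """Feed one packet; flags is a string of TCP flag letters (S, A, P, F, R)."""
        sess, forward = self._lookup(src, sport, dst, dport, proto)
        if sess is None:
            if "S" not in flags or "A" in flags:
                return None   # seen mid-stream: initiator unknown, no link derived
            # A fresh SYN fixes the direction: create the session and (if needed)
            # the persistent link in the same step.
            sess = Session(src, sport, dst, dport, proto)
            self.sessions[(src, sport, dst, dport, proto)] = sess
            link = self.links.setdefault((src, dst, proto), Link(src, dst, proto))
            link.sessions += 1
        elif "S" in flags and "A" in flags and not forward and sess.status == SYN:
            sess.status = SYN_ACK
        elif "F" in flags or "R" in flags:
            sess.status, sess.closed_at = CLOSED, ts
        elif sess.status == SYN_ACK:
            sess.status = ACTIVE   # the initiator's ACK completes the handshake
        # Every packet of the session, in either direction, counts toward the link.
        sess.transferred_bytes += size
        self.links[(sess.src, sess.dst, proto)].transferred_bytes += size
        return sess

    def cleanup(self, now, max_closed_age=100.0):
        """Garbage-collect CLOSED sessions older than max_closed_age; links persist."""
        stale = [k for k, s in self.sessions.items()
                 if s.status == CLOSED and now - s.closed_at >= max_closed_age]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def demo() -> Environment:
    """Constructed packets: two Modbus sessions from one HMI to one PLC, as on the slide."""
    env = Environment()
    hmi, plc = "192.168.10.1", "192.168.10.16"
    packets = [
        (0.0, hmi, 34563, plc, 502, "S", 60),
        (0.1, plc, 502, hmi, 34563, "SA", 60),
        (0.2, hmi, 34563, plc, 502, "A", 52),
        (0.3, hmi, 34563, plc, 502, "PA", 66),   # Modbus request
        (0.4, plc, 502, hmi, 34563, "PA", 80),   # Modbus response
        (1.0, hmi, 22763, plc, 502, "S", 60),
        (1.1, plc, 502, hmi, 22763, "SA", 60),
        (1.2, hmi, 22763, plc, 502, "PA", 66),
        (2.0, hmi, 34563, plc, 502, "FA", 52),   # first session closes
        (5.0, "192.168.10.7", 40000, plc, 502, "PA", 66),  # mid-stream, ignored
    ]
    for ts, a, ap, b, bp, flags, size in packets:
        env.observe(ts, a, ap, b, bp, "modbus", flags, size)
    return env


if __name__ == "__main__":
    e = demo()
    print(len(e.sessions), "sessions,", len(e.links), "link(s); GC removed",
          e.cleanup(now=200.0), "closed session(s)")
```

Running demo() yields two session rows (one CLOSED, one ACTIVE) but a single link row carrying the bytes of both; after the cleanup interval the closed session disappears while the link keeps its totals, which is the persistence difference the Links slide points out. A session first seen mid-stream is deliberately dropped here, the simplest reading of "populated from a session when the direction is known"; this toy does not try to infer direction from other evidence.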


Network Tables – Controls

Controls available on a table row, depending on whether it is a NODE, a LINK or a SESSION:
• Configurations, custom alerts
• Alerts related to the entry
• Download trace
• Request trace
• Events, Availability
• Captured URLs
• Manage Learning
• Navigate to related tables
• Trigger Arc / Smart Polling

[Screenshot: control icons shown for NODE, LINK and SESSION rows]


Depending on which table you are viewing, the buttons/controls available change. This slide covers
all of the available ones across Nodes, Links and Sessions.

Configure: on the Nodes page this option mostly sets up metadata about the node, whereas on the
Links page it allows the user to create Custom Checks (alerts) for specific links (see the Alerting
section for more information).

Alerts: shortcut to any related alerts for the node or link.

Cloud icon: download any traces that have been activated for the node, link or session.

Lightning Bolt: set up a trace for the node, link or session (which can then be downloaded through
the cloud icon after it has completed).

Clock icon: view any link event information that has been tracked, such as TCP-SYN, UP or DOWN
events, used to determine the availability of the link.

Chain icon: shows all captured URLs for the link, for HTTP, DNS, SMB and similar protocols from
which URLs can be captured. HTTPS is unlikely to show anything because the payload is encrypted.

Cog wheel: this button allows you to Learn or Delete the node or link in the baseline. If the icon is
gray, you are given the option to delete the node or link; if it is red, you can choose to Learn the
node or link (more about this in the Alerts section).

Arrow button: shortcut to useful pages related to the node, link or session.

Radar button: add this node to a Smart Polling plan.


Network – Graph
1. PDF: download the current graph visualization
2. ?: colour-code legend used for nodes and links
3. Filters: by name, IP, zone etc.
4. Reset: clear any filter
5. Live: refresh manually or automatically
6. Time Frame: visualization over the selected time frame (default 15 min)
7. Magic Wand: tweaking the graph rendering, useful for large environments
8. Nodes: change node perspectives, apply filters, etc.
9. Links: change link perspectives, apply filters, etc.
10. Layout: select between Standard, Purdue, and Grouped (in combination with the Group by function)
11. Pause: pauses the dynamic behaviour of the graph
12. Increase/decrease: adjust the icon size


PDF: download the current graph visualization in PDF format
?: displays the legend of the colour code used for nodes and links
Filters: filter by name, IP, zone etc.
Reset: clear any filter
Manual / Live refresh
Time Frame: the visualization of items and values computed over the selected time frame
Magic Wand: allows tweaking the graph; useful for large environments, to render better in the graph
Nodes: change node perspectives, apply node filters, etc.
Links: change link perspectives, apply link filters, etc.
Layout: select between Standard, Purdue model, and Grouped (in combination with the Group by
function)
Pause: pauses the dynamic/organic behaviour of the graph
Increase/decrease: adjust icon size


Graph – Node Perspective examples

Roles (default view)
• IT/OT function or purpose
• Independent from the device Type

Zones
• Nodes belonging to a common network

Public nodes
• Non RFC-1918 IP addresses


Roles: IT/OT function or purpose:
• Independent from device Type (e.g. the role Producer could be covered by a PC or a PLC)
• Multiple roles can be covered by the same Asset
• Consumer: controls and collects process data from Producers
• Producer: sends process data (variables) and is controlled by Consumers
• Terminal: runs remote control protocols like VNC, RDP, SSH, Telnet (often HMIs)

Public nodes are those whose IP address lies outside the RFC 1918 private ranges (10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16).

Other possible Node Perspectives:
• Level
• Transferred Bytes
• Not Learned Node
• Node reputation
• Appliance host → lets you find, for example, which node has been discovered by a remote collector


Graph – Link Perspective examples

Transferred bytes
• Measures transferred byte values to display within links, instantaneous and continuously updated

TCP retransmitted bytes
• According to the percentage of retransmitted bytes in relation to the other links


Other possible Link Perspectives:


• TCP firewalled
• TCP handshaked connection
• TCP connection attempts
• TCP transmitted bytes
• Throughput
• Interzone
• Interlevel
• Not Learned links
• Alert Risk

Similar to the Node dropdown above, Links applies shading to the lines connecting the nodes
according to the chosen perspective. Some useful perspectives include Transferred Bytes, to get a good
sense of which communication pathways are the most talkative / carry the most traffic. TCP
Retransmitted Bytes highlights links on which data had to be re-sent, and TCP connection attempts
shows repeated attempts to connect to a resource; either may provide insight into misconfigured
devices, compromised hosts, or attacker behaviour. You can also choose Alert Risk to see links that
are currently generating alerts in the system.


Graph – Zones and Topology

Zones: display zones and interzone connections, providing a high-level zones overview:
• Standard zones (locked)
• Automatically created zones based on discovered networks (use the “plus” icon to add these)
• User defined zones, editable
• A Node is part of one zone only, the most specific one. Example: with zones 172.16.0.0/16 and
172.16.0.0/24 defined, node 172.16.0.1 is a member of the 172.16.0.0/24 zone rather than
172.16.0.0/16.
By default, zones are managed by the Guardian. The CMC or Vantage can be configured to manage
zones on a global level.

Topology: display the network topology
• Network devices such as switches and routers
• Networks and inter-network connections (high-level network overview)


On the upper left side of the screen there are tabs that open a panel on the left side of the
screen.
Zones shows all of the interconnected zones, including those that have been custom created. A node
is added to only one zone at a time; if a node matches more than one zone, it is added to the more
specific one (a /28 rather than a /16, for example).
Topology is an attempt by the Guardian to create a visual representation of your network devices,
such as switches and routers, and which ones communicate with each other.
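The most-specific-zone rule from this slide and the "Public nodes" definition from the Node Perspective slide, as an added Python example (not Nozomi code and not the product's zone engine): zone definitions are flattened, sorted longest prefix first so the first match is the most specific, and any address outside RFC 1918 is reported as public. The zone names and CIDRs in ZONES are constructed for the demonstration; the RFC 1918 ranges are the standard ones.

```python
"""Most-specific-zone assignment and the RFC 1918 'public node' test (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed zone table: a broad /16 with a narrower /24 carved out of it.
ZONES: Dict[str, List[str]] = {
    "Plant_Network": ["172.16.0.0/16"],
    "PLC_Cell_1": ["172.16.0.0/24"],
    "Corporate": ["10.0.0.0/8"],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(address: str) -> bool:
    """The graph's 'Public nodes' perspective: any address outside RFC 1918.
    By that definition link-local (169.254.0.0/16) and CGNAT (100.64.0.0/10) count as public."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in RFC1918)


def compile_zones(zones: Dict[str, List[str]]) -> List[Tuple[Net, str]]:
    """Flatten the table and order it longest prefix first, so the first match wins.
    strict=True rejects a definition with host bits set (e.g. 172.16.0.1/24)."""
    compiled = [(ipaddress.ip_network(cidr, strict=True), name)
                for name, cidrs in zones.items() for cidr in cidrs]
    compiled.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return compiled


def zone_for(address: str, compiled: List[Tuple[Net, str]]) -> Optional[str]:
    ip = ipaddress.ip_address(address)
    for net, name in compiled:
        if ip in net:
            return name
    return None   # no zone matches, e.g. a public node


def find_conflicts(compiled: List[Tuple[Net, str]]) -> List[Tuple[str, str, str]]:
    """Two zones defined on the identical network make membership ambiguous; report them."""
    first_owner: Dict[Net, str] = {}
    conflicts = []
    for net, name in compiled:
        if net in first_owner and first_owner[net] != name:
            conflicts.append((str(net), first_owner[net], name))
        first_owner.setdefault(net, name)
    return conflicts


def assign(nodes: Iterable[str], zones: Dict[str, List[str]] = ZONES) -> Dict[str, Optional[str]]:
    compiled = compile_zones(zones)
    return {node: zone_for(node, compiled) for node in nodes}


if __name__ == "__main__":
    for node, zone in assign(["172.16.0.1", "172.16.5.9", "8.8.8.8"]).items():
        print(node, "->", zone, "(public)" if is_public(node) else "")
```

With the constructed table, 172.16.0.1 lands in PLC_Cell_1 and 172.16.5.9 in Plant_Network, reproducing the slide's example; find_conflicts is the check worth running on a hand-edited zone_configuration.cfg before importing it, since identical prefixes under two names have no "more specific" winner.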


Graph – Zones

Lab Exercise – Lab 10: Configure Zones
Time to Complete: 5 minutes
User Manual: Chapter 5: User Interface Ref. - Settings, Zone Definition


The zone_configuration.cfg file used in this exercise is available at “/Folder for
Participants/Import_zone/”; follow the Lab guide to complete the exercise.


Zones and Groups

Lab Exercise – Lab 11: Configure Group with Specific Zone Visibility
Time to Complete: 5 minutes
User Manual: Chapter 5: User Interface Ref. - Settings

[Screenshot: Zones Assigned to Operations Group]


This exercise will demonstrate the impact that zones can have on groups that users are assigned to.


Create Traces
• Request a custom trace:
  • Admin > Other actions > Request custom trace
  • Packet Filter needed
  • One or more traces in parallel possible
  • Default settings: 5000 packets or 60 sec, configurable

• Request a continuous trace:
  • Admin > Other actions > Continuous trace
  • In general, or by applying a Packet Filter
  • One or more traces in parallel possible
  • Chopped in 100 MB slices

• Download and delete traces via the Web UI, or directly on the shell console:
  - /data/continuous_traces
  - /data/traces

• Creating a trace is a background process not affecting other functionalities


On this slide we introduce one of the various methods we can use to create a trace. From the user
menu (in this case, called admin), go to Other Actions.

Here you can change your password and erase your personal settings in the browser. You can also
request a custom trace or view requested traces.

Continuous Trace: this option creates a trace that keeps growing until manually stopped. It records
all traffic matching the BPF packet filter specified. Should the capture exceed the slice size, it is
broken up into fixed-size files (100 MB per the slide; confirm the slice size in the User Guide for your
release). Otherwise there is no limit to the size of the capture apart from the disk space allocated to
traces (set in the Features Control Panel).

Request Custom Trace: create a custom trace that records either for the amount of time indicated
or until it reaches the number of packets, whichever is satisfied first.

Show Requested Traces: this is where the requested continuous or custom traces can be
downloaded.


Network – Using actions in Links table

Lab Exercise – Lab 12: Use Options Within the Links Table
Time to Complete: 7 minutes
User Manual: Chapter 5: User Interface Ref. – Network view

[Screenshots: Step 4 and Step 6 – Links Table: Trace and Alert configuration; Step 10 – Links
Table: Disable the active checks]


In this activity, the filters on the fields FROM, TO and PROTOCOL are used to find the correct link.

You can filter on each column present in the table, but when filtering columns that contain bytes or
throughput be aware that the values are stored in raw format, so the filter argument must match that
raw representation rather than the units displayed. For guidance on applying such a filter correctly,
see this KB article:
https://nozominetworks.my.site.com/support/s/article/How-to-filter-the-columns-that-contains-bytes


Assets


Assets – General Concepts

• Assets represent a local, physical system to care about, a resource with a value for the
company; an asset can be composed of one or more Nodes
• Nodes can only become part of an asset when the node:
  • is not public
  • is confirmed (it has communicated)
  • is not a group address or broadcast
• Scope examples:
  • Depict devices according to a logical network segregation (PURDUE)
  • Assemble multiple MAC Addresses into 1 Asset when applicable
• When created, an Asset Name is assigned according to information in other fields, such as
node label or vendor
• The Asset Type is assigned at the Asset level on the Guardian by default, using predefined
Asset Types (see the list below)
• More Asset Types can now be imported (System > Import) and be managed on a global level
using the CMC
• Example of an import file; the first row must contain name:
  name
  asset_type1
  asset_type2

Predefined Asset types: switch, WAP, router, IOT_device, printer, light_bridge, group, firewall,
OT_device, RTU, computer, teleprotection, cctv_camera, active_scanner, PLC, radio_transmitter,
HMI, UPS, barcode_reader, data_concentrator, sensor, gateway, digital_io, AVR, inverter,
DSL_modem, controller, IO_module, subnet, media_converter, historian, NTP_appliance, IED, PDU,
VOIP_phone, power_line_carrier, mobile_phone, power_quality_meter, tablet, protection_relay,
mobile_device, other…


Asset Name → the asset name is taken from the nodes table, more specifically from the LABEL
field; if the LABEL field is empty, Guardian takes the PRODUCT_NAME.

An “asset” in the Guardian is a representation of a physical device detected on the network. Multiple
nodes can be assigned to a single asset, which makes sense because each NIC on a computer or
server typically has two logical addresses (MAC and IP). And if the computer has multiple NICs, it is
possible to have multiple IPs assigned to the same Asset.

As the Guardian performs DPI, it passively detects information about the asset from within the
packets, and this is reflected in the Assets page. Such information can include the label, vendor, MAC
vendor and Type. The Type is assigned by the Guardian based on predefined types, such as PLC, HMI,
computer, etc. Alternatively, the customer can change the Type designation, which overrides the
system’s assignment.

If the predefined asset types are not sufficient, it is possible to import new asset types, as detailed on
the slide. The CSV file must contain a header row with name and the list of type names in the
following rows, one per row. Each asset type is identified by its name; this implies that, during the
import process, each asset type name that is already present is ignored and reported. Refer to the
user manual for more information about the syntax of the import file.
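A validator for the asset-type import file described above, as an added Python example (not Nozomi code and not the product's importer): it enforces the single-column header name, accepts one type per following row, and treats any name already present as skipped-and-reported, which is the behaviour the notes describe. PREDEFINED_TYPES is a subset of the slide's table; SAMPLE_IMPORT is constructed, and treating a name repeated within the same file the same way as an already-present one is this example's own choice.

```python
"""Parse and validate an asset-type import CSV (added example, not Nozomi code)."""
import csv
import io
from typing import List, Set, Tuple

# Subset of the predefined types listed on the slide.
PREDEFINED_TYPES: Set[str] = {
    "PLC", "HMI", "RTU", "IED", "switch", "router", "firewall", "computer",
    "historian", "OT_device", "IO_module", "protection_relay",
}

# Constructed import file: one new type, one already present, one new, one repeat.
SAMPLE_IMPORT = """name
flow_computer
PLC
safety_plc
flow_computer
"""


def parse_asset_type_import(csv_text: str, existing: Set[str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (accepted, skipped, errors).

    skipped: names already present (or repeated earlier in the same file)
    errors:  malformed rows, e.g. more than one column
    Raises ValueError if the header row is not exactly 'name'.
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != ["name"]:
        raise ValueError(f"first row must be exactly 'name', got {header!r}")
    accepted: List[str] = []
    skipped: List[str] = []
    errors: List[str] = []
    seen: Set[str] = set()
    for lineno, row in enumerate(reader, start=2):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                                  # blank line
        if len(cells) != 1:
            errors.append(f"line {lineno}: expected one column, got {len(cells)}")
            continue
        name = cells[0]
        if name in existing or name in seen:
            skipped.append(name)                      # ignored and reported, as in the notes
            continue
        seen.add(name)
        accepted.append(name)
    return accepted, skipped, errors


def import_asset_types(csv_text: str, existing: Set[str]) -> Set[str]:
    """Apply an import and return the resulting type set; the input set is not mutated."""
    accepted, _skipped, errors = parse_asset_type_import(csv_text, existing)
    if errors:
        raise ValueError("; ".join(errors))
    return existing | set(accepted)


if __name__ == "__main__":
    acc, skip, err = parse_asset_type_import(SAMPLE_IMPORT, PREDEFINED_TYPES)
    print("accepted:", acc, "skipped:", skip, "errors:", err)
```

Running the sample shows flow_computer and safety_plc accepted while PLC (already predefined) and the second flow_computer are reported as skipped; a file whose first row reads anything other than name is rejected before any row is processed, which is the check to run on a file before handing it to System > Import.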


Assets – Details

[Screenshot of an asset's detail page, with these areas labelled:]
• Asset Info and Options
• Asset Config
• Asset Tabs
• Nodes belonging to the Asset
• Node(s) Config and Options
• Node details, e.g. network info
• Vulnerability Status
• Learning and AI status
• Host performance details by Smart Polling


The little “i” icons next to some fields indicate where the information came from, such as from either
passive detection or from the AI feed.

Among the different tabs in the Asset page, some of the tabs will only be filled if Smart Polling has
been performed on the asset (such as Software, Hotfixes and Patches). Note that in the upper right
portion of the page that there are additional controls for the asset, including the ability to create a
PDF report of the asset’s information (including traffic statistics, vulnerabilities detected, IP and MAC
address info and more) as well as a shortcut icon similar to those found in the other tables (Links,
Nodes, etc.)


Assets – Extracting Asset Details (1 / 2)

[Diagram: an Engineering Workstation (EWS), 192.168.162.22, and a PLC,
plc151.ACME0.corporationnet.com (192.168.1.28), connected through a switch whose mirror port
feeds the Guardian]
1. The EWS connects to the PLC and requests asset information
2. The PLC responds and shares asset information
3. The mirrored traffic is sent to the Guardian


This diagram explains how Guardian extracts asset information from the packets it receives. It is
paramount that students understand this concept so that they can architect their solution
accordingly. Since Guardian is primarily a passive tool, it must be placed so that it can see the
“magic packet” (here, the PLC’s identity response) that allows it to fill in all necessary asset details
in the database; if the SPAN/mirror does not carry that exchange, the asset record stays incomplete.


Assets – Extracting Asset Details (2 / 2)

[Diagram, continued]
1. The EWS connects to the PLC and requests asset information
2. The PLC responds and shares asset information. Response details:
  • Vendor
  • Module type
  • Product code
  • Firmware Version
  • Serial Number
  • Product Name
3. The switch mirrors the traffic to the Guardian


This page continues the explanation: the fields carried in the PLC’s response (vendor, module type,
product code, firmware version, serial number and product name) are what populate the asset
record. This is why Guardian must be positioned to see the response and not only the request: the
request tells you that an EWS asked, but every asset detail lives in the reply.


Assets – Activity

Lab Exercise – Lab 13: Explore the Assets Page
Time to Complete: 4 minutes
User Manual: Chapter 5: User Interface Ref. – Asset view

[Screenshots: Asset - Diagram (PURDUE Model); Asset example: Modicon M340]


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Process


Process

“The part of the industrial system primarily concerned with producing the output is referred to as
the process”

The Process menu:
• contains Variables exchanged by OT protocols
• Variables (aka tags, objects) represent field information
• Guardian’s DPI capabilities and OT knowledge are reflected here

[Image: An Oil and Gas process: from wells to refineries]


The Process View shows all of the variables that are collected from OT controllers and devices. The
Guardian is capable of understanding a majority of OT protocols in the industry. These variables can
include quality information, flow information, function codes, tags, objects, and more.


Process – What is a Variable?

[Diagram: sensors and actuators (valve, fan, pump) hard-wired to a controller; the controller's
traffic to the Consumer/HMI passes through a switch whose mirror port feeds the Guardian]
1. Each sensor/actuator converts a physical magnitude into a signal for the controllers
2. Hard-wired signals are fed to the controller rail (inputs)
3. Each input is mapped by the controller onto a variable/tag/object according to the protocol used…
4. …and transmitted to the Consumer
5. The Consumer collects the data to be shown in an HMI; it allows the Operator to control the
process, or it runs algorithms to control it automatically
6. Commands are sent back down to the controllers again via the protocol…
7. …and converted to controlling signals addressed to the rail (outputs)
8. Finally, the controlling signals are fed to the actuators to control the physical process
9. And the cycle iterates…


It’s important to know the typical flow of information in an OT environment. On this slide you
can see how data is passed from a motor, fan or some other OT device to its controller and
onwards from there.

Step 1: First we start with a reading from a motor, fan, pressure gauge, etc. Whether the device is
digital or analog determines the nature of the signal generated. If it is digital, it will be a 1 or 0 to
indicate a state of on or off; if it is analog, it will typically be a current somewhere between 4 and
20 milliamps.
Step 2: that signal (called an input) is sent along the wire to the controller, such as a PLC or IED.
Step 3: the PLC translates the signal according to the protocol in use. The current on the input
determines the value of the variable, alongside the function code, label and more.
Step 4: the PLC then transmits the translated value to a consumer device to be read (and a
Guardian will typically be present to read the data as it passes through the switch on its way to the
Consumer).
Step 5: the consumer takes the input and converts it for the HMI, to be stored and read, should the
operator need to change any values manually. If there are no manual values to be changed, an
automated process reads and calculates what values may need to change (such as fan speed,
water flow, oil pressure, etc.).
Step 6: once the calculations are made, they are sent back down to the controller.
Step 7: the controller converts the signal back to digital or analog as appropriate and then sends it
out along the wire as an output.
Step 8: the signal is read by the actuator to enact the change in speed, temperature, etc.
Step 9: another reading is taken and the process begins again at Step 1.


Process – Controls

Controls available on a row of the Process Variable table:
• Configure entry and custom alerts
• Variable details
• Mark Variable as Favourite
• Navigate to related tables


The Process View page reflects the values of the variables read during the exchange highlighted on
the previous slide. Note that similar to the Links, Nodes, etc. tables, you also have some menu
controls.

Configure: similar to Links and Nodes, you can configure a custom label for the variable, and also
enable custom alerts (see the Custom Checks information in the Alerts section).

Magnifying Glass: this brings up the details of the variable, as seen on the next slide

Star Icon: mark this variable as a favorite, which puts it at the top of the list. If you click the star icon
again, it will remove it from the Favorites list.

Arrow: redirect to related tables


Process – Details
• Each row in the table represents a variable extracted from the OT protocols

[Screenshot of the variable details panel, with these areas labelled:]
• Variable name
• Value and Quality
• Value range
• Protocol and FC
• Historical data
• Activity info
• Flow control


The Details screen shows a list of all of the information gathered from the variable. Important
information shown here includes the name of the variable (label), the type of value (analog or digital),
what the value was (as well as what the last value was) and the quality. Quality is something that can
be alerted on (see the Custom Checks section later in the course).

Other important information include the range (high and low) of values seen, the protocol and any
FCs (function codes) used. A history of the variable activity is also shown as well as a chart of the
history of the variable (if historical information is toggled on for the variable).
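How variables with a name, value, protocol, FC and quality are extracted from OT traffic, as an added Python example (not Nozomi code and not the product's DPI engine) that covers both the "What is a Variable?" flow and the Details fields on this slide: a Modbus/TCP Read Holding Registers request is paired with its response by transaction ID and unit ID, because the response carries only values while the addresses that name the variables are in the request. The frames in demo() are constructed, the unitN/holding_register/ADDR naming scheme is this example's own, and an exception response is mapped to a "bad" quality while the last good value is kept.

```python
"""Extract process variables from Modbus/TCP request/response pairs (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

READ_HOLDING_REGISTERS = 0x03
EXCEPTION_FLAG = 0x80
EXCEPTION_NAMES = {0x01: "illegal function", 0x02: "illegal data address", 0x03: "illegal data value"}


@dataclass
class Variable:
    name: str
    value: Optional[int]
    fc: int
    quality: str
    protocol: str = "modbus"


def split_mbap(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (transaction id, unit id, PDU) from a Modbus/TCP frame (MBAP header is 7 bytes)."""
    tid, proto_id, length, unit = struct.unpack_from(">HHHB", frame, 0)
    if proto_id != 0:
        raise ValueError("not Modbus/TCP")
    pdu = frame[7:6 + length]
    if len(pdu) != length - 1:
        raise ValueError("truncated frame")
    return tid, unit, pdu


class ModbusVariableExtractor:
    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], Tuple[int, int, int]] = {}  # (tid, unit) -> (fc, start, count)
        self.variables: Dict[str, Variable] = {}

    def on_request(self, frame: bytes) -> None:
        tid, unit, pdu = split_mbap(frame)
        if pdu[0] == READ_HOLDING_REGISTERS:
            start, count = struct.unpack_from(">HH", pdu, 1)
            self.pending[(tid, unit)] = (pdu[0], start, count)

    def on_response(self, frame: bytes) -> List[Variable]:
        tid, unit, pdu = split_mbap(frame)
        request = self.pending.pop((tid, unit), None)
        if request is None:
            return []            # reply without its request: addresses unknown, nothing to name
        fc, start, count = request
        if pdu[0] == fc | EXCEPTION_FLAG:
            quality = "bad (" + EXCEPTION_NAMES.get(pdu[1], f"exception 0x{pdu[1]:02x}") + ")"
            values: List[Optional[int]] = [None] * count
        else:
            byte_count = pdu[1]
            values = list(struct.unpack_from(f">{byte_count // 2}H", pdu, 2))
            quality = "good"
        updated = []
        for i, value in enumerate(values):
            name = f"unit{unit}/holding_register/{start + i}"
            previous = self.variables.get(name)
            if value is None and previous is not None:
                value = previous.value           # keep the last good value, flag the quality
            var = Variable(name, value, fc, quality)
            self.variables[name] = var
            updated.append(var)
        return updated


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (helper used to construct the sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo() -> ModbusVariableExtractor:
    ex = ModbusVariableExtractor()
    # Constructed exchange 1: read two holding registers from address 0 -> 1234, 16
    ex.on_request(mbap(1, 1, struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 2)))
    ex.on_response(mbap(1, 1, struct.pack(">BBHH", READ_HOLDING_REGISTERS, 4, 1234, 16)))
    # Constructed exchange 2: read address 5 -> exception 0x02 (illegal data address)
    ex.on_request(mbap(2, 1, struct.pack(">BHH", READ_HOLDING_REGISTERS, 5, 1)))
    ex.on_response(mbap(2, 1, bytes([READ_HOLDING_REGISTERS | EXCEPTION_FLAG, 0x02])))
    # A response whose request was never captured (e.g. the SPAN missed one direction)
    ex.on_response(mbap(9, 1, struct.pack(">BBH", READ_HOLDING_REGISTERS, 2, 7)))
    return ex


if __name__ == "__main__":
    for var in demo().variables.values():
        print(var)
```

The third exchange in demo() is the case to remember when placing the sensor: a Modbus reply without its request yields a value but no address, so no variable row can be created. That is the Process-table counterpart of the "magic packet" point made for assets, and why one-directional mirroring leaves the variables table thin.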


Process – Activity

Lab Exercise – Lab 14: Explore the Process Table
Time to Complete: 3 minutes
User Manual: Chapter 5: User Interface Ref. – Network view

[Screenshot: Variables table]


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Sizing Appliances


Sizing parameters

• Choosing the right model of Nozomi Appliances is based on the networks monitored:

• Environmental conditions, harsh or standard

• Throughput of the monitored networks

• Amount and type of needed monitoring ports

• Number of nodes

• Number of monitored Network Elements


When a Nozomi Sales engineer or Professional Services meets with a customer to determine which
appliances they will need, many factors go into that decision. Some of them are listed on the screen
here, including:
• Environmental conditions: some environments are hot, cold or very dusty and may require
ruggedized hardware
• Total throughput of the network (adding up all of the traffic across all SPAN ports from the
switches)
• Number of needed ports, i.e., how many switches will be configured with a SPAN port
• The total number of nodes, as this is a hardware limit on Nozomi appliances
• The total number of Network Elements is also very important to consider, since there is a finite
number of separate database entries that can be tracked simultaneously.
Network elements are covered on the next slide.


Network elements definition and calculation

Network Elements are the mathematical sum of:
• Nodes
• Links
• Variables

• Most customers don't have these numbers handy. After analyzing our pool of available support
archives, we found that the following estimation works for most of our clients.
• How to estimate the number of Network Elements:
  • Start with the number of Assets
  • Estimate the number of Nodes: Nodes = Assets * 2 (worst case, considering L2 + L3 traffic)
  • Estimate the number of Network Elements: Network Elements = Nodes * 20

A network element is a unique data point that is tracked within the Guardian. The total number of
network elements is the sum of all nodes, links or variables.

Since it's difficult for customers to get an accurate count of these items (especially since many
customers deploy Guardian precisely to get a reliable view and count of their inventory), we have
come up with a useful approximation.

Take the total number of Assets the customer expects to have and multiply it by two (since each
asset typically has two nodes, one L2 and one L3). Then multiply that number by 20 to account for all
of the links and variables. This number is only an estimate, but it's a good starting point for sizing
purposes.


Deployment: Sizing an installation – 1

Use Case 1: find the best technical proposal for the following scenario.

Scenario: one site with 200 devices (ca. 400 nodes, each device consists of one MAC & IP address)
to monitor 9 different switches, all located in the same 19'' rack.
• Use only physical appliances.
• Assume the traffic throughput is not an issue.

Appliance comparison:

                                 NS20 1000       NS20 750        NS1 250         NS1 100
Max. Protected Network Elements  600,000         200,000         90,000          20,000
Max. Protected Nodes             40,000          10,000          5,000           1,000
Max. Throughput                  1 Gbps          1 Gbps          500 Mbps        250 Mbps
Max. Remote Collectors           50              50              20              20
Monitoring Ports                 9x1000BASE-T    9x1000BASE-T    7x1000BASE-T    7x1000BASE-T
                                 + 4xSFP         + 4xSFP
Expansion Slots                  2 slots         2 slots         1 slot          1 slot
Expansion Cards                  4x1000Base-T |  4x1000Base-T |  4x1000Base-T |  4x1000Base-T |
                                 4xSFP | 4xSFP+  4xSFP | 4xSFP+  4xSFP           4xSFP

Answer available in the Solutions section, at the end of this book.

See solutions to this exercise at the end of the Participants Guide, in the Solutions section.


Deployment: Sizing an installation – 2

Use Case 2: find the best technical proposal for the following scenario.

Scenario: one site to be monitored centrally, 3 buildings in 3 separate locations.
Building 1:
• 1000 devices (ca. 2000 nodes, each device consists of one MAC & IP address);
• 300 Mbps throughput over 7 switches.
Buildings 2 and 3:
• 50 devices each (ca. 100 nodes, each device consists of one MAC & IP address);
• 10 Mbps throughput over 3 switches each.
• Use only physical appliances.
• Buildings are connected over the internet.

Appliance comparison:

                                 NS20 1000       NS20 750        NS1 250         NS1 100         NSG-R50
Max. Protected Network Elements  600,000         200,000         90,000          20,000          Not applicable
Max. Protected Nodes             40,000          10,000          5,000           1,000           Not applicable
Max. Throughput                  1 Gbps          1 Gbps          500 Mbps        250 Mbps        Up to 50 Mbps
Max. Remote Collectors           50              50              20              20              Not applicable
Monitoring Ports                 9x1000BASE-T    9x1000BASE-T    7x1000BASE-T    7x1000BASE-T    4x1000Base-T
                                 + 4xSFP         + 4xSFP
Expansion Slots                  2 slots         2 slots         1 slot          1 slot          Not available
Expansion Cards                  4x1000Base-T |  4x1000Base-T |  4x1000Base-T |  4x1000Base-T |
                                 4xSFP | 4xSFP+  4xSFP | 4xSFP+  4xSFP           4xSFP

Answer available in the Solutions section, at the end of this book.

See solutions to this exercise at the end of the Participants Guide, in the Solutions section.


Deployment: Sizing an installation – 3

Use Case 3: find the best technical proposal for the following scenario.

Scenario: a supervisory system monitors 100,000 devices (ca. 200,000 nodes, each device consists of
one MAC & IP address):
• Using a total throughput of 2.5 Gbps;
• Equally split into 2 core switches (fiber port), installed in two separate locations.
The management platform should be able to cover future expansion and monitor any number of
devices.
• Use only physical Guardian appliances.

Appliance comparison:

                                 NSG-HS 3500     NSG-HS 3000     NSG-H 2500      NSG-H 2000
Max. Protected Network Elements  2,000,000       1,500,000       1,200,000       1,000,000
Max. Throughput                  6 Gbps          6 Gbps          3 Gbps          3 Gbps
Max. Remote Collectors           50              50              50              50
Monitoring Ports                 Modular up to   Modular up to   Modular up to   Modular up to
                                 16+1            16+1            8+1             8+1
Expansion Slots                  4 slots         4 slots         2 slots         2 slots
Expansion Cards                  4x1000BaseT |   4x1000BaseT |   4x1000BaseT |   4x1000BaseT |
                                 4xSFP | 4xSFP+  4xSFP | 4xSFP+  4xSFP | 4xSFP+  4xSFP | 4xSFP+

Answer available in the Solutions section, at the end of this book.

See solutions to this exercise at the end of the Participants Guide, in the Solutions section.
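The network-element rule of thumb and the three sizing use cases above can be worked mechanically. The Python below is an added example written for this revision of the guide; it is not a Nozomi sizing tool and not the official answer that the Solutions section gives. It applies nodes = assets * 2 and network elements = nodes * 20, then filters the appliance table transcribed from the comparison slides by Max. Protected Network Elements, Max. Protected Nodes, Max. Throughput and monitoring ports. Everything not on those slides is an assumption and is marked as such in the code: that each expansion card carries four ports, that the modular ports of the NSG-H/HS chassis take either copper or SFP modules, and that the NSG-R50 is left out because it is a remote collector rather than a Guardian.

```python
"""Appliance sizing helper (added example; not Nozomi's sizing tool and not
the official solution to the use cases, which is in the Solutions section).

It applies the rule of thumb from this section (nodes = assets * 2,
network elements = nodes * 20) and then filters the appliance table by the
figures transcribed from the comparison slides.
Assumptions not stated in the guide: each expansion card carries 4 ports,
the modular ports on the NSG-H/HS chassis accept copper or SFP modules,
and the NSG-R50 is left out because it is a remote collector, not a Guardian.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional

PORTS_PER_CARD = 4  # assumption: 4x1000Base-T, 4xSFP or 4xSFP+ per card


@dataclass(frozen=True)
class Model:
    name: str
    max_elements: int          # Max. Protected Network Elements
    max_nodes: Optional[int]   # Max. Protected Nodes (None = not listed)
    max_mbps: int              # Max. Throughput, in Mbps
    copper: int                # built-in 1000BASE-T monitoring ports
    sfp: int                   # built-in SFP monitoring ports
    modular: int               # modular monitoring ports (either type, assumed)
    slots: int                 # expansion slots available


MODELS = [
    Model("NS1 100",        20_000,  1_000,   250, 7, 0,  0, 1),
    Model("NS1 250",        90_000,  5_000,   500, 7, 0,  0, 1),
    Model("NS20 750",      200_000, 10_000, 1_000, 9, 4,  0, 2),
    Model("NS20 1000",     600_000, 40_000, 1_000, 9, 4,  0, 2),
    Model("NSG-H 2000",  1_000_000,   None, 3_000, 0, 0,  8, 2),
    Model("NSG-H 2500",  1_200_000,   None, 3_000, 0, 0,  8, 2),
    Model("NSG-HS 3000", 1_500_000,   None, 6_000, 0, 0, 16, 4),
    Model("NSG-HS 3500", 2_000_000,   None, 6_000, 0, 0, 16, 4),
]


@dataclass(frozen=True)
class Scenario:
    assets: int
    mbps: int                      # total SPAN traffic the appliance must absorb
    copper_ports: int = 0          # switches mirrored over 1000BASE-T
    fiber_ports: int = 0           # switches mirrored over SFP
    nodes: Optional[int] = None    # known node count, if the customer has one


def estimate_nodes(assets: int) -> int:
    """Worst case from the guide: one L2 node and one L3 node per asset."""
    return assets * 2


def estimate_elements(nodes: int) -> int:
    """Guide's rule of thumb: nodes + links + variables is about nodes * 20."""
    return nodes * 20


def cards_needed(model: Model, copper: int, fiber: int) -> Optional[int]:
    """Expansion cards needed for the mirror ports, or None if they cannot fit."""
    spare = model.modular
    copper_short = max(0, copper - model.copper)
    used = min(spare, copper_short)
    spare, copper_short = spare - used, copper_short - used
    fiber_short = max(0, fiber - model.sfp)
    used = min(spare, fiber_short)
    fiber_short -= used
    cards = ceil(copper_short / PORTS_PER_CARD) + ceil(fiber_short / PORTS_PER_CARD)
    return cards if cards <= model.slots else None


def fitting_models(s: Scenario) -> list[tuple[str, int]]:
    """Models that satisfy the scenario, smallest first, with cards to add.

    An empty list means no single appliance covers the estimate: split the
    site across several Guardians (each within its own limits) and manage
    them centrally, rather than picking the largest model and hoping.
    """
    nodes = s.nodes if s.nodes is not None else estimate_nodes(s.assets)
    elements = estimate_elements(nodes)
    result = []
    for m in sorted(MODELS, key=lambda m: m.max_elements):
        if elements > m.max_elements or s.mbps > m.max_mbps:
            continue
        if m.max_nodes is not None and nodes > m.max_nodes:
            continue
        cards = cards_needed(m, s.copper_ports, s.fiber_ports)
        if cards is not None:
            result.append((m.name, cards))
    return result


if __name__ == "__main__":
    # Use case 1: 200 devices, 9 copper switches in one rack, throughput not an issue.
    print(fitting_models(Scenario(assets=200, mbps=0, copper_ports=9)))
    # Use case 3 as one appliance, then as one appliance per core switch.
    print(fitting_models(Scenario(assets=100_000, mbps=2_500, fiber_ports=2)))
    print(fitting_models(Scenario(assets=50_000, mbps=1_250, fiber_ports=1)))
```

An empty result for use case 3 as a single appliance (200,000 nodes give a 4,000,000 network-element estimate, above every listed limit) is the signal to split the monitoring across several Guardians, one per core switch, and to manage them centrally; the per-site call shows what a single location then requires under the same rule of thumb.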


Vulnerabilities

Vulnerabilities – Overview
• The Vulnerabilities menu provides an overview of the security status of the monitored assets
• Guardian maintains a vulnerability database within its Threat Intelligence content, matches
vulnerabilities to assets in the monitored environment and notifies about assets affected by
vulnerabilities.
• The information is stored within the Vulnerabilities section:

1. Assets: display the vulnerabilities grouped per asset
2. List: display the list of all the vulnerabilities detected
3. Stats: display pie charts with Top CPEs, Top CWEs and Top CVEs
When Guardian is connected to Vantage/CMC, vulnerabilities are not automatically calculated and must be enabled

This slide showcases the contents of the Vulnerabilities screen. Vulnerabilities are an overview of
known weaknesses in the detected assets that an attacker could potentially exploit.

The vulnerability database is derived from the Threat Intelligence feed; if the customer does not
subscribe to this feed, this capability will not be present. If an asset matches a given vulnerability in
the database, the relevant CVE will be listed here.

Item 1: Assets Tab – each asset is listed separately on this tab

Item 2: List Tab – all vulnerabilities are listed on this tab

Item 3: Stats Tab – showcases a variety of pie charts that summarize the top CVEs, CWEs and CPEs


How Guardian detects Vulnerabilities

Two steps are performed by the Vulnerability Manager to display the information:

1. IDENTIFY
• Means that we must be able to detect the critical information needed to uniquely
characterize the device, providing a minimum set of information such as:
o Vendor of the device
o Device Name/Product Code
o Firmware/Software version
• The result of this step is a list of CPEs assigned to a specific node.

2. MATCHING
• Guardian uses the group of CPEs that were identified for a specific node (in step 1) to
calculate its vulnerabilities (CVEs)
• Nozomi curates the CPE to CVE assignments, enhancing the NIST NVD with the most
accurate data.
Nozomi Blog article: The challenges of Vulnerability Assessment in ICS

This slide introduces the method by which Guardian detects and matches vulnerabilities to assets.
It is divided into two steps, as listed below:

Step 1: Identify
In order to assign a matching vulnerability, we first need enough identifying information about the
asset. At minimum, Guardian requires the vendor of the device, the device name or product code
and the firmware or software version. Lacking any of this information will severely curtail the ability
to obtain an accurate match. This information is encoded as a CPE (Common Platform Enumeration)
name, which identifies the platform a vulnerability applies to. Once the CPEs have been identified,
we move on to step 2 below.

Step 2: Matching
The CPEs gathered in the first step are matched against the CVEs in the vulnerability database. NN
curates further information about various CVEs to enrich the database obtained from the NIST NVD.

Be aware that by default, vulnerability computation is disabled on new Guardians connected to
Vantage or CMC. This behavior can be customized using the 'va cve enable' configuration option
described in the user manual.


Device IDENTIFICATION – Phase 1

Device identification can be achieved using different methods:
• Passively monitoring and analyzing the traffic
• Actively querying the device (Smart Polling/Arc)
• Importing asset info manually into Guardian (using the "Import configuration / project file"
function)
The passive method is preferred as it does not require any human interaction

[Diagram: three identification sources feeding Guardian: Passively, Smart Polling, Importing Asset info]

Device identification (Step 1 from the previous slide) can come from three potential sources. The first
– and primary – source of information gathered is via passive detection through deep packet
inspection.

Second, some gaps in details can be filled in through Smart Polling. Because it learns exact
software versions and patch levels, it typically lowers the number of vulnerabilities reported for an
asset by ruling out CVEs that no longer apply. (The next section gives more information about Smart
Polling.)

Finally, a customer can manually import custom information about assets, which will be covered
during the Integrations section later in the course.

CPEs that are flagged as end-of-life (EOL) in the Threat Intelligence content no longer generate or
match obsolete CVEs.


Vulnerability MATCHING – Phase 2

• The matching mechanism is internal to Guardian and is the one that generates the
CVEs displayed in the Vulnerability menu.
• This mechanism relies on the Threat Intelligence DB (locally stored in Guardian):
• The TI DB is synced with the NIST NVD (National Vulnerability Database)
• Nozomi curates and enriches the NVD information, in some cases adding, for
example:
o fix-version
o fix-patch
o fix-description

[Diagram: Asset info + Threat Intelligence DB → MATCHING → CVE to be displayed]

Once the asset information has been gathered, Guardian uses it to match against the internal TI DB
(Threat Intelligence Database), which is built from the NIST National Vulnerability Database (NVD).
Guardian looks for known CVEs (Common Vulnerabilities and Exposures entries) in the TI DB.

In addition to the NVD information, Nozomi adds its own research, notes and fix/resolution
information to the entries.


Vulnerabilities – Outcome

[Screenshot: a vulnerability entry. Callouts: CVE – Common Vulnerabilities and Exposures; CWE – Common Weakness Enumeration; CVSS – Common Vulnerability Scoring System; CPE – Common Platform Enumeration; Summary and reference; Affected nodes for this vulnerability; info added by Nozomi vs. info coming from NVD. Example: CVE-2022-0979]

Likelihood depends on information in the CVE itself (e.g. "applicable to most firmware
versions", or "to all versions lower than X") and on Bayesian statistics.
NVD = NIST National Vulnerability Database
CVE = Common Vulnerabilities and Exposures. The vulnerability instance (definitions are possibly
enhanced by NN before importing)
CVSS = Common Vulnerability Scoring System
CPE = Common Platform Enumeration, identifying the type of system subject to the
vulnerability.
CWE = Common Weakness Enumeration. It's a tag to classify the vulnerability category in depth
(hierarchical structure).

Link to the CVE entry referenced by the screenshot: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6457


Vulnerabilities – Change resolution

Once a customer has addressed a vulnerability on one or more assets, they can mark the
vulnerability as “Mitigated”. If they do so, that vulnerability will be hidden from the list if they change
the filter to “Show only unresolved”.

Alternatively, the customer can accept the risk of the vulnerability by selecting “Accepted”.
In either case, the customer has the option of entering notes to detail why they chose that resolution
for later reference.


Smart Polling

Smart Polling
• The Smart Polling menu allows you to configure polling and display the information collected
• To use this module, you need the following license: "Guardian Base + Smart Polling"
• Patching levels (e.g., hotfixes) are not always detectable without querying the devices directly
• Smart Polling was therefore created to use limited active communication to interact with the
monitored network
• The menu is available under Smart Polling:

1. Summary: display the plans configured; create, edit or delete plans
2. Polled nodes: display information polled from the nodes
3. Settings: configure the usage of Progressive Smart Polling
4. Health: display queued Smart Polling plans and their status

In order to use Smart Polling, the customer must have the "Advanced" version of Guardian
installed as well as a license that enables the module.

Normal passive detection and DPI cannot extract software versions, installed software/antivirus,
hotfixes that have been installed and more. Since that information is very useful for enumerating a
more accurate list of vulnerabilities for the asset, a customer may wish to use Smart Polling to query
this information directly from the network node.

Note: this means that the Guardian will be issuing traffic into the network, and routing, switching
and firewall/ACL rules will need to be in place to support and allow this as a result.

Facilitator Note: we do not have any devices installed in the network to poll, so this is a section that
will have to be demo and theory only.


Smart Polling – Configuration

To deploy Guardian + Smart Polling, the following should be taken into consideration:
• The Guardian Management IP is used by default to send Smart Polling requests.
• The Guardian Management IP (source) and the target device (destination) must be
able to communicate with each other.

Smart Polling → Plan tab. [Screenshot: plan editor. Callouts: Define the Label; Define the Strategy; Define polling interval; Select data to be collected; Define devices to poll]

The Guardian will send Smart Polling requests out through the Management port on the appliance
(or VM, as appropriate). As a result, the Management IP and the end destination will need to be able
to communicate (as noted on the previous slide).

The Strategy is the method by which the Guardian will poll the end device. The Strategy you choose
will be determined in part by the type of device: for example, if the customer wants to query a switch,
they’ll likely use SNMP (v1 – 3). Furthermore, the chosen Strategy will determine the possible data
that can be gathered (configured below).

The Query uses the query language unique to the Guardian and covered in the next module. Use a
query to determine which devices in the network to target with the chosen Strategy. Be as specific
as possible with the query, since this causes the Guardian to inject traffic into the network, which is
often undesirable beyond the few approved devices targeted by this process.

The devices supported using HTTPS are: FANUC (GE), SIPROTEC4 (SIEMENS), SIPROTEC5 (SIEMENS),
COGNEX (GE).

It is possible to import the MIBs of a specific vendor in order to use them instead of the default
ones available in Guardian (the benefit is that devices can be queried using their vendor-specific
MIB).

Important note: the WinRM and SSH strategies both have a specific option that allows detection of
Log4j vulnerabilities.
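Because Guardian polls from its Management IP, every plan implies a set of firewall/ACL permissions from that IP to the targets. The Python below is an added example, not a Nozomi tool, that turns a list of plans into the allow-list to hand to the network team and flags targets outside an approved scope (the "be as specific as possible with the query" caveat above). The strategy-to-port mapping is an assumption based on each protocol's standard port (SNMP 161/udp, SSH 22/tcp, WinRM 5985 and 5986/tcp, HTTPS 443/tcp); confirm the ports used by your Guardian version in the user manual. Plan labels and addresses are constructed.

```python
"""Allow-list needed before Smart Polling plans can run, as an added example.

Not a Nozomi tool. Guardian sends polls from its Management IP, so every
(strategy, target) pair needs routing and firewall/ACL permission from that
IP to the device. The strategy-to-port table is an assumption based on each
protocol's standard port; confirm the ports your Guardian version uses in
the user manual. Plan labels and addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed standard service ports per polling strategy.
STRATEGY_PORTS = {
    "snmp":  (("udp", 161),),
    "ssh":   (("tcp", 22),),
    "winrm": (("tcp", 5985), ("tcp", 5986)),
    "https": (("tcp", 443),),
}


@dataclass(frozen=True)
class Plan:
    label: str
    strategy: str
    targets: tuple[str, ...]   # node IPs the plan's query resolves to


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    plan: str


def required_rules(mgmt_ip: str, plans: list[Plan]) -> list[Rule]:
    """One allow rule per (target, proto, port); the first plan to need it wins."""
    seen: dict[tuple[str, str, int], Rule] = {}
    for plan in plans:
        if plan.strategy not in STRATEGY_PORTS:
            raise ValueError(f"unknown strategy {plan.strategy!r} in plan {plan.label!r}")
        for dst in plan.targets:
            for proto, port in STRATEGY_PORTS[plan.strategy]:
                key = (str(ip_address(dst)), proto, port)
                seen.setdefault(key, Rule(mgmt_ip, key[0], proto, port, plan.label))
    return sorted(seen.values(), key=lambda r: (ip_address(r.dst), r.proto, r.port))


def out_of_scope(plans: list[Plan], approved: list[str]) -> list[tuple[str, str]]:
    """(plan, target) pairs outside the approved subnets: a loose query would
    make Guardian inject traffic at devices nobody signed off on."""
    nets = [ip_network(n) for n in approved]
    return [(p.label, t) for p in plans for t in p.targets
            if not any(ip_address(t) in n for n in nets)]


def to_acl(rules: list[Rule]) -> list[str]:
    """Render the rules as generic 'permit' lines for a change request."""
    return [f"permit {r.proto} host {r.src} host {r.dst} eq {r.port}  ! {r.plan}"
            for r in rules]


if __name__ == "__main__":
    plans = [
        Plan("rack-switches", "snmp", ("10.0.1.1", "10.0.1.2")),
        Plan("hmi-servers", "winrm", ("10.0.2.10",)),
        Plan("rack-switches-again", "snmp", ("10.0.1.1",)),
    ]
    for line in to_acl(required_rules("10.0.0.5", plans)):
        print(line)
    print(out_of_scope(plans, ["10.0.1.0/24"]))
```

Run the out-of-scope check before enabling a plan: if the query resolves to nodes outside the subnets that were approved for active polling, tighten the query rather than widening the ACL.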


Smart Polling – Identity

To use authenticated protocols, an Identity must be configured.

An Identity can be created from the plan configuration by clicking on Create Identity:
• Define Identity Name
• Define Credentials
• Define Target Nodes

Identities can be managed under Administration → Settings → Credentials Manager

Identities are tied to specific nodes, so it is possible to configure multiple credentials for the same
plan according to the target devices.

Using the Credentials Manager it is possible to manage all credentials, but the identity must then be
associated with the target plans from the Smart Polling menu.

Credentials can be imported using a CSV file.


Smart Polling – Execution mode

• Automatically: enabled plans are executed based on the interval time set (a plan can be
enabled or disabled).
• On Demand: regardless of the status (enabled/disabled) of the plan, a node can be polled on
demand.
• From the Nodes table a new node can be added to the plan, with a toggle to execute
immediately.

Once the Plan has been saved, it can be enabled or disabled. Additionally, after one or more plans are
created, it’s possible to add an individual node to the plan through the radar-like icon in the Nodes
table in the Network menu.
Once it’s been added to the plan, then it will be queried at the next configured interval.

Alternatively, if the customer wishes for the polling to occur immediately, they can toggle the “Poll
Node Immediately” button at the bottom of the configuration screen.


Smart Polling – Settings

Progressive mode can be enabled to save time in creating new Smart Polling plans
• Automatically creates queries that search for devices of the chosen strategies
Smart Polling → Settings tab: choose the polling strategy. Currently only supports strategies that
require no authentication.


Smart Polling – Execution check

[Screenshot: plan execution history. Callouts: Execution statuses; List of nodes, click to display information; Time of each execution; Data collection result; Error message for troubleshooting]

Click the History icon (looks like a circular arrow) to see a history of all of the polls that have been
performed for the plan. It will show the date and time of each execution as well as the results.


Smart Polling – Execution results

Under the Smart Polling → Polled Nodes tab, the info of polled nodes is displayed in the Smart
Polling results panel.

Toggle over to the Polled Nodes tab to view the results of all polled nodes across all Plans.


Smart Polling – Health

The Smart Polling Health screen shows the status of Smart Polling plans.
Smart Polling → Health tab:
• Shows all currently running Smart Polling threads and their progress
• Shows all scheduled future Smart Polling jobs

In the Health tab, you can see the queued Smart Polling jobs and the progress of the ones that are
currently happening.


Exercise: Creating a Smart Polling Plan

Lab Exercise: Lab 15 – Set Up and Run a Smart Polling Plan
Time to Complete: 5-7 minutes
User Manual: Chapter 8: Smart Polling – Smart Polling Plan Setup

Follow the Lab guide, available in the Trainee machine , to complete this exercise.


Arc Sensor

Arc Endpoint Sensor

Nozomi Networks Arc Endpoint Sensor provides customers with endpoint data collection and asset
visibility for mission critical networks and industries. It provides further vulnerability assessment,
endpoint protection, traffic analysis capabilities and more accurate diagnostics of in-progress
threats and anomalies.

What is it? An endpoint sensor that collects and analyzes data from Windows, Linux or MacOS
hosts. Collected data can be sent to either Guardian or Vantage.

Key benefits: Speed and Simplicity of Deployment; Offline and Remote Network Segments
Monitoring; Dormant Malware Detection and USB Monitoring

Nozomi Arc provides customers with enhanced endpoint data collection and asset visibility.
Customers can now easily identify compromised hosts with malware, rogue applications,
unauthorized USB drives and suspicious user activity.

Leverage the flexibility that Nozomi Arc provides to start greenfield deployments with easier-to-
deploy endpoint sensors. Network-based sensors can require a maintenance change window to
reconfigure switches for span ports.

Nozomi Arc sensors are an endpoint executable that runs on either Windows, Linux or MacOS hosts
in mission critical networks. Collected data can be sent to either Guardian or Vantage. By running
directly on the host, Nozomi Arc is the only solution that provides continuous visibility to key
endpoint attributes.


Arc – Rationale
Arc is a host-based sensor that detects malicious or compromised endpoints, and insider
attacks.
Arc helps identify compromised hosts that have:
• Malware
• Rogue applications
• Unauthorized USB devices
• Suspicious Activities

Arc Use cases:
• Incorporate air-gapped devices into the analysis and reporting system
• Gain deeper intelligence or insight on critical endpoint devices
• Continuously monitor endpoints
• Use a low-impact process to scan air-gapped networks

When detecting cyberthreats, identifying vulnerabilities, or analyzing anomalies in your processes,
it is critical to have as much detailed network and system information as possible. More accurate
and timely access to data leads to better diagnostics and a faster time to repair.

Because the Arc sensor is on the host, it can monitor traffic continuously, even when the device is
not sending or receiving traffic.


Arc – Sample Architecture

• Arc sends network telemetry directly to Guardian or Vantage to be parsed
• Gain visibility of all your sites in a single place, regardless of geographical location
• Leverage the power of the cloud for processing large amounts of data, fast and reliably

[Diagram: Vantage; Guardian; Arc sensors and Remote Collectors reporting to Guardian; Arc sensors reporting to Vantage]


Arc Sensor Dependencies

Arc has additional features which depend on:

Feature             Windows                  Linux           MacOS
Sigma Rules         Sysmon and PowerShell    Not applicable  Not applicable
USB detections      USBPcap                  Not applicable  Not applicable
Traffic Monitoring  WinPcap                  Not applicable  libpcap

Nozomi provides a configuration file for Sysmon in the Arc installation folder (arc.xml)

Arc must be restarted to activate a newly installed dependency

Users have to install the dependencies themselves (from version 1.4.0 this is done automatically).
To install the dependencies manually, download them and install them individually.
Alternatively, you can use an MDM tool to install them across the managed network.

In order to use Sigma rules, some configuration of the log events has to be performed.
Please refer to the Arc Administrator manual, chapter 3.


Arc
• The Arc menu allows you to deploy Arc and display the information collected
• To use this module, you need the following license: "Guardian Base + Arc"
• Updates can be installed manually or automatically

1. Deployment: display the list of candidate nodes
2. Advanced: configure automatic deployment / uninstall
3. Node Points: display information polled from the nodes

The default table view only shows nodes that had their OS detected

Arc menu requires the advanced software version and a proper licensing to be visible.

Updates are performed using the Updates and Licences configuration menu.


Arc – Deployment methods

Arc can be deployed manually on target devices and requires the installation file, obtained from:
• Support Portal
• Guardian: Download Arc button under the Sensor page
• Vantage: under the Sensor page, click on Add New then select the Arc tab

Arc can be deployed automatically using:
• Guardian via the SMB or SSH method *
• MDM (Microsoft Intune or Endpoint Configuration Manager)

[Screenshot: Guardian automatic deployment menu]

* Requires communication to the endpoint using TCP port 445 for SMB and 22 for SSH

To be able to deploy Arc automatically from Guardian, the management interface must be able to
communicate with the target device.

Deployment using MDM requires first downloading the installation file and creating an MSI package.

All installations are detailed in the Arc administrator manual, chapter 5.

Available strategies are: Automatic, WinRM, SSH (for Windows, for Linux, for macOS).


Arc – Execution modes


Arc has 3 different execution modes:

• Service
• Standard mode having Arc monitoring and reporting data to Guardian or Vantage
• Arc is installed as service / daemon and runs when the machine is up

• One-shot
• Arc runs as a portable application and collects data in a single execution then
reports data to Guardian or Vantage
• Application can be deleted after data collection

• Offline
• Arc runs as a portable application (same as one-shot)
• Single execution with data collected locally using an archive file
• Archive file to be manually imported into Guardian or Vantage


Service mode is recommended for:
• Continuous monitoring
• Users who can host Arc for a longer time than with the two modes below
• Networks where Arc can be granted connectivity to Guardian or Vantage

One-shot mode is recommended for:
• Users who cannot run Arc continuously due to compliance reasons
• Networks where Arc can be granted connectivity to Guardian or Vantage

For import, see the import section in the User Guide.


Arc – Local Configuration

Default settings are set when Arc is deployed, but a local interface is available to:
• Check Arc status locally
• Change settings
• Run Arc locally

To access the local UI there are 2 ways:
• Double click on the executable file
• From a shell, invoke Arc with a command like .\arc-windows-amd64.exe

This will open a page in the default browser using the address http://127.0.0.1:4510 *

* If port 4510 is in use, the first open port above 4510 will be used

The main configuration file is arc.json

Default configuration from Guardian or Vantage comes with connection information only, Execution
mode has to be set directly on the local installation.


Arc – Configuration
The Arc Configuration tab available at http://127.0.0.1:4510 looks like this:

[Screenshot: Arc Configuration tab. Callouts: Guardian IP or Vantage URL; Synchronization token; Test Connection button; Execution / Feature options; Duration of data collection]

The data collection is only applicable to One Shot and Offline modes


Arc – Status
The Arc Status tab, available at http://127.0.0.1:4510, shows:

• Unique ID of the sensor and software version
• Status of the dependencies to be used by features
• Information about mode and connectivity (the execution mode can only be set while Arc is stopped)
• Action button (Stop / Uninstall / Run)


When dependencies are not installed, the status page provides a link to the external reference
documentation for the missing component.

When Arc is uninstalled locally while it was running in continuous mode, the sensor is not removed
from the upstream equipment (Guardian or Vantage) and remains listed there.


Arc – Viewing data

The information acquired by Arc can be viewed in multiple locations:
• Nodes discovered: under the Nodes page, these nodes have Arc in the capture_device field
• Asset enrichment:
  • As an information source when Arc is the dedicated source
  • As a passive source when network traffic is received from Arc
• Node points: from the Arc menu using the Node Points tab (or queries)
• Specific alert types:
  • SIGN:SIGMA-RULES
  • SIGN:MALICIOUS-HID
  • SIGN:USB-DEVICE
• User field in alerts: alerts coming from the Arc host carry the logged-in user information


Queries


Queries
• Queries boost Guardian's flexibility and usability, as they can be used to:
  • Extract, connect and show data in tabular or graphical form
  • Create custom Dashboards
  • Create custom Alerts (Assertions)
  • Create custom Reports
  • Set up Smart Polling strategies
  • Configure Integration scope
  • Create OpenAPI requests
• Queries are written in N2QL (Nozomi Networks Query Language), defined in Guardian

(Screenshot: query results example)


In this lesson, you will be learning about queries. First we will cover their structure and use-
cases and then later some common commands, operators and filters that are used in queries.
So let’s dive in!

First, it’s important to know that Queries are integral to the successful usage of the Guardian
solution. They’re used for many purposes, as highlighted on the screen.

At their core, queries are a method of searching for some sort of data. Well-built queries will
help greatly with not only the day-to-day operations, but also with creating impactful reports
and informative dashboards for customers.

On top of that, you can use queries to define custom alerts (called assertions) as well as define
which devices to contact in a Smart Polling plan.

Beyond that, queries are often used in API requests to grab some data which can then be
parsed out in whatever manner the customer requires.
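As an added illustration of the API use just mentioned (this is not code from the course or from Nozomi Networks), the following Python script submits an N2QL query to the Guardian OpenAPI and pages through the result. It assumes that the endpoint is GET /api/open/query/do with query, page and count parameters, that rows come back under a result key, and that an API key is sent as HTTP Basic credentials (key name as user, token as password); confirm all of these against the OpenAPI chapter of the User Manual for your version. The hostname and key values are placeholders.

```python
"""Run an N2QL query through the Guardian OpenAPI (added example, not Nozomi code).
Assumptions, to be checked against the OpenAPI chapter of your User Manual: the endpoint
is GET /api/open/query/do with 'query', 'page' and 'count' parameters, rows are returned
under a 'result' key, and an API key is sent as HTTP Basic credentials (key name / token)."""
import base64
import json
import urllib.parse
import urllib.request


def build_query_url(base_url, query, page=1, count=100):
    """Percent-encode the pipeline: '|', '?' (as in include?) and spaces must not reach the URL raw."""
    params = urllib.parse.urlencode({"query": query, "page": page, "count": count})
    return f"{base_url.rstrip('/')}/api/open/query/do?{params}"


def basic_auth_header(key_name, key_token):
    """HTTP Basic header built from the API key name and token (never put them in the URL)."""
    credentials = base64.b64encode(f"{key_name}:{key_token}".encode()).decode()
    return {"Authorization": f"Basic {credentials}"}


def fetch_all(base_url, query, key_name, key_token, count=100, opener=None):
    """Page through a query until a short page arrives. 'opener' is injectable so the paging
    logic can be exercised offline; by default it is urllib.request.urlopen."""
    opener = opener or urllib.request.urlopen
    page, rows = 1, []
    while True:
        request = urllib.request.Request(build_query_url(base_url, query, page, count),
                                         headers=basic_auth_header(key_name, key_token))
        with opener(request) as response:
            batch = json.load(response).get("result", [])
        rows.extend(batch)
        if len(batch) < count:  # short (or empty) page: nothing more to fetch
            return rows
        page += 1


if __name__ == "__main__":
    # Placeholder hostname; a real run also needs a valid API key name and token.
    print(build_query_url("https://guardian.example.com", "nodes | where os include? Win"))
```

Keep the API key out of the query string and out of version control; the script reads it from the caller so it can come from an environment variable or a secrets store.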


Queries – Source tables and fields

Lab Exercise – Lab 16: Get Familiar With the N2OS Data Model
Time to complete: 5 minutes
References: source tables and fields in the User Manual; SDK User Manual, Chapter 3: Data Model


Useful query examples to try in your lab environment:

links | where protocol == vnc | select first_activity_time last_activity_time from to protocol transferred.bytes tcp_handshaked_connections.total

nodes | group_by mac_vendor | pie mac_vendor count

nodes | where os include? Win | group_by os | column os count

links | join nodes to ip | where joined_node_to_ip.zone include? DMZ | join nodes from ip | select from joined_node_from_ip.zone to joined_node_to_ip.zone protocol first_activity_time last_activity_time transferred.bytes

links | join nodes to ip | where joined_node_to_ip.is_public == true | join nodes from ip | select from joined_node_from_ip.zone to joined_node_to_ip.zone protocol first_activity_time last_activity_time transferred.bytes


Queries – Format
The menu is available under Queries.

Source | command1 | command2 | …

• Source: the table to use as data source
• "|": passes the output of the expression on the left as input to the expression on the right
• command: can be a condition, a function, a merge of tables (join), or a definition of the output

Buttons on the Queries page:
1. Expert/Standard: switch from Expert (default view) to Standard
2. Save: save the query for future use
3. Live/Manual refresh: automatic or manual refresh of the result
4. Export: export the query result to CSV or Excel
5. To assertion: convert the query into an assertion
6. History: view all the previously executed queries
7. Saved queries: view the saved queries


On this slide, you can see the format on how to build a query. You always start with the “source” of the query, or
the table that you are pulling the data from.

Then, similar to working in the command line, you pipe that output into another command. Keep in
mind that it is important to have a space before and after the pipe character; the syntax is very specific. A
missing space or an accidental double space is a frequent cause of the "Incorrect syntax" error message.

After the first pipe character and a space, type your first command. This will often serve as a filter of some kind to
narrow down your search. Then after that, you will again type another pipe character surrounded by a space and
then type out the next command. Repeat this process until the query is finished and then press enter to run the
query.

Also on the Queries page in Guardian/CMC are the following buttons:

1. Toggle between Standard and Expert view. (Standard view lets you build queries using a wizard-like
interface; however, it does not offer every data table or every command or filter.)
2. The Save button allows you to save a query. A saved query can later be used for reports and dashboards.
3. Use these buttons to refresh the results of the query, as needed.
4. Export the results of a query either to a CSV or an Excel file.
5. Use this button to switch to the Assertion page. The current query is carried over and there you can
choose to save the query as an Assertion (see the lesson on Assertions later in the course).
6. The History button allows you to see the previously run queries. Note that the query history is kept
by the browser and is NOT stored on the appliance itself. If you clear the browser history, this query
history is also cleared.
7. Click the Saved Queries button to view all queries that have been saved for later use.


Queries – Details 1
Source tables list
help            // list of source tables with description
help nodes      // list of fields in the indicated table with description

Select, rename and reorder table fields
links | select from to protocol
links | select protocol->Protocol from->Source to->Destination

Choose a field and filter the content: where, with the operators ==, !=, >=, <= and the is_empty() field function
nodes | where mac_vendor == Hewlett Packard
nodes | where mac_vendor != Hewlett Packard
nodes | where is_empty(mac_vendor) == false

Filtering using wildcards: include? / !include?
assets | where name include? hmi
captured_urls | where url !include? ntp

Count
nodes | count


Help: the help command is used on its own, not inside a pipeline. Typed alone it lists the available tables
that can be queried with a brief description; followed by a table name (help nodes) it lists that table's fields.

Select: the select command is used to choose which columns will be output in the query. If you do
not have a select command in your query, you will see all columns displayed by default. Note that if
you select specific columns, all commands to the right of the select statement will need to reference
only those columns. Otherwise, you will receive a syntax error in the statement. If you put a hyphen
followed by a greater-than symbol to make an arrow shape (no space), as shown on the slide, you can
rename the fields.

Where: the where statement is a filter command that finds all rows of data that match a criteria you
specify. If you use the == or != operators, the values you type are case sensitive AND an explicit string
match (for example, typing “Cisco” will not find fields with “Cisco Inc.”)
You can also use the is_empty filter to find fields that are empty or not empty.

Wildcards: because using == and similar operators in a where statement is a string literal match, it
may be advisable to use a wildcard operator instead. That’s where include? and !include? come into
play. You can type a portion of a word after the wildcard and the search will not be case sensitive
(typing “cis” will find “Cisco”, “cisco” and so on).

Count: the count command simply counts the number of results for the query


Queries – Details 2
Group_by
nodes | group_by mac_vendor
nodes | group_by mac_vendor,zone

Pie chart
nodes | group_by mac_vendor | pie mac_vendor count

Sort
nodes | group_by mac_vendor | sort count desc
nodes | group_by mac_vendor | sort mac_vendor

Head
nodes | group_by mac_vendor | sort count desc | head 5

Column chart
nodes | group_by mac_vendor | sort count desc | column mac_vendor count

Compare field values
nodes | where mac_vendor == $vendor


Group By: the group_by command is similar to the count command, except that it groups each
result by the specified field and gives a count for each result that matches. You can also specify
multiple fields after the group_by command, each separated by a comma (but with no space
between them). If you do, each unique combination of results for the specified fields will be counted
separately. (If you receive an error, check to make sure you did not accidentally insert a space before
or after the comma)

Pie: (I like pie) the pie command creates a pie chart out of the specified information. Typically, it takes
the form of “pie <field> count”, where the field is whatever data-point you’re measuring and “count”
providing the number for the statistic.

Sort: this command sorts the data in the specified field in ascending order by default. If you type
desc after the field, it will be listed in descending order instead.

Head: this command lists only the first X amount of results, given the syntax of “head x”. It is often
used in conjunction with the sort command to put the results in a specified order and then listing
only the highest or lowest responses, depending on the sorting order.

Column: in addition to the pie command, you can visualize your results with a column chart with this
command. The syntax of the command is “column <X axis> <Y axis>”. Similar to the pie chart, this is
often combined with the count command as the Y-axis of the graph. Alternatively, you can use
column_colored_by_label to give each column a random color instead.

Compare: if you want to find results in a query where two different fields have the same or different
values, you can preface the right-hand value with a dollar sign ($) which indicates that the value is
the name of another field. For example, as written on the slide, the presence of the $ informs the
Guardian that you want to find all rows in the nodes table where the "mac_vendor" and "vendor"
fields are exactly alike. Removing the $ would result in the Guardian searching for all "mac_vendor"
fields that have the string literal "vendor" (which is very likely to have no results).


Queries – Details 3
Where / OR with equal
sessions | where status == ACTIVE | where to_port == 53
sessions | where status == ACTIVE | where to_port == 53 OR to_port == 2404

seconds_ago(), minutes_ago(), hours_ago(), days_ago(), months_ago()
nodes | where hours_ago(last_activity_time) > 12 | select id last_activity_time

Expand function (for array fields: [x1,x2,..])
nodes | select id protocols                 // the protocols field is an array, e.g. ["iec104","browser"]
nodes | select id protocols | expand protocols | where expanded_protocols == vnc

"." operator (for structured fields: {"value1":"x1", "value2":"x2",..})
nodes | select id mac_address:info          // the mac_address:info field is a structure
nodes | select id mac_address:info | where mac_address:info.likelihood > 0.9


OR: if you want to search for multiple results with a Boolean OR, you can separate the where string
with an “OR” with capital letters followed by the next string to search for. For example, as seen on the
screen you can search for all results that have a port of 53 or 2404. If you want to do the equivalent of
a Boolean “AND”, simply create two where statements separated by a pipe, as normal.

<time>_ago: if you want to search for values that are measured against a period of time, you can use
the minutes_ago, hours_ago, days_ago and months_ago filter. Similar to the is_empty filter, you
specify the field to measure in between parentheses. For example, hours_ago(last_activity_time) <= 2
will find all results with a last activity time of less than or equal to 2 hours ago. Make sure the field you
are filtering is one that uses date/time stamps.

Expand: if the field you want to extract data from is an array, you will first need to “expand” that field
so that each unique value in the field is presented on a separate line. For example, in the nodes table,
the protocols field is one that is an array, since a node can potentially communicate using multiple
protocols. An array is depicted by square brackets surrounding the values within. After performing an
expand command, a new field that can be searched against called expanded_<fieldname> will be
created. Therefore in the previous example, a new field will be created called expanded_protocols
that you can search within using a where statement.

Structured Fields: some fields have data arranged in a structured field, which is to say that the
information is broken into sub-categories within the field. As an example, the label:info field in the
nodes table has three subcategories within it: source, granularity and confidence. To indicate which
of these sub-fields to search, simply denote them with a period after the field name followed by the
sub-field name. For example, label:info.granularity to search through the granularity information.
Any field that has curly brackets surrounding the values is a structured field.


Queries Exercises


Queries – Use cases 1

1. Count how many variables were transmitted, using the modbus protocol, on the monitored network.

2. Produce a column chart of assets running a Windows OS, grouped by the operating system version
(the result will be used to plan patch installation).

3. Produce a tabular representation of HTTP links including from, to, protocol, first_activity_time and
last_activity_time, sorted by the transferred.bytes passing through the link.


See the answers to these Use Cases in the Solutions section at the end of the PDF.


Queries – Merge tables: join

The join command is used to connect tables when the needed data is in two different tables
(for example, the "Destination IP" info is in links while the "Type" info is in nodes).

Example: we want to display every link using a barcode_reader as destination.

1. The links table contains the info on destination IPs, while the info on the device type being a
   barcode reader is part of the nodes table.
2. To correctly merge these tables and match the rows accordingly, we need to identify a
   corresponding field in both tables.
3. Here we use the "to" field in the links table and the "ip" field in the nodes table, both
   containing IP addresses. Matching these fields merges the nodes table data into the
   corresponding links table row:

   table-1 | join table-2 table-1-field table-2-field

   links | join nodes to ip

4. The nodes table data is added to the links table as one new field named joined_node_to_ip:
   the result has the original links table fields plus one additional field containing all the
   nodes table data.

Solution:
links | join nodes to ip | where joined_node_to_ip.type == barcode_reader


Now that you have a basic understanding of how a query can be constructed, it’s important to know
that it is possible to pull in data from a second table to search through. Up until now, we’ve only
referenced one table, such as the nodes or links table. But there may come a time when you have
need to query multiple tables at once, because one table doesn’t have all of the information you’re
looking for.
Using the join command links two tables together to allow you to search through both of them.

However, in addition to the names of the tables you want to search, two more pieces of information
are necessary to complete the command: the names of the fields that contain common values. For
example, the links and nodes tables both reference IP addresses. The links table contains the “from”
or the “to” fields for the source and destination addresses, and the nodes table contains the “ip” field.
And since these fields in both tables contain IP addresses, they are suitable for joining two tables
together. Note that you don’t have to use IP addresses to link two tables together; any two fields that
contain equal values will suffice.

The syntax is straightforward. First you indicate the source table, as usual. Then, after the pipe, type
join followed by the second table name, then the name of the field for the source table and the
second table respectively. For example, as you can see on the slide, we are starting with the links
table and joining it to the nodes table. We’re using the “to” field from the links table and the “ip” field
from the nodes table to complete the join operation.

Once the join has completed, a new structured field is created in the result, typically starting with
the word joined. In our example on the screen, we have a field called "joined_node_to_ip" (because
we used the "to" and "ip" fields). Remember from earlier that you can reference the sub-fields of the
newly created structured field by using a period (see Slide 147 for a reminder, if needed).
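To make the semantics described on the Details 1 to 3 slides and on this join slide concrete, here is an added Python example (not Nozomi code; N2QL itself runs only inside Guardian) that evaluates the taught subset of N2QL over two small constructed tables: exact, case-sensitive == versus case-insensitive include?, the $field comparison, group_by / sort / head, expand producing expanded_<field>, the "." operator on structured fields, the strict " | " spacing, and join producing joined_node_to_ip. Details the lesson does not state are assumptions of this toy, not Guardian behaviour: rows without a join match are kept with an empty structure, chart commands are no-ops, and the time functions are not implemented.

```python
"""Toy evaluator for the N2QL subset taught in this lesson (added example, not Nozomi code).
Tables are lists of dicts; the NODES/LINKS rows below are constructed sample data."""
import operator
import re

NODES = [  # constructed: three nodes, one with an empty os field
    {"id": "10.0.0.5", "ip": "10.0.0.5", "mac_vendor": "Cisco", "vendor": "Cisco", "zone": "DMZ",
     "os": "Windows 10", "protocols": ["http", "vnc"], "label:info": {"granularity": "product"}},
    {"id": "10.0.0.7", "ip": "10.0.0.7", "mac_vendor": "Hewlett Packard", "vendor": "HP", "zone": "Plant",
     "os": "", "protocols": ["modbus"], "label:info": {"granularity": "vendor"}},
    {"id": "10.0.0.9", "ip": "10.0.0.9", "mac_vendor": "Cisco", "vendor": "Cisco", "zone": "Plant",
     "os": "Windows 7", "protocols": ["iec104", "vnc"], "label:info": {"granularity": "product"}},
]
LINKS = [  # constructed: from/to hold IPs, transferred is a structured field
    {"from": "10.0.0.7", "to": "10.0.0.5", "protocol": "vnc", "transferred": {"bytes": 120}},
    {"from": "10.0.0.9", "to": "10.0.0.5", "protocol": "http", "transferred": {"bytes": 900}},
    {"from": "10.0.0.5", "to": "10.0.0.9", "protocol": "iec104", "transferred": {"bytes": 40}},
]
TABLES = {"nodes": NODES, "links": LINKS}
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}


def get(row, path):
    """Resolve 'field.sub' paths into structured (dict) fields; missing -> None."""
    for part in path.split("."):
        row = row.get(part) if isinstance(row, dict) else None
    return row


def coerce(text):
    """Literal on the right of an operator: number, true/false, or plain string."""
    try:
        return float(text)
    except ValueError:
        return {"true": True, "false": False}.get(text, text)


def match(row, cond):
    """One where-condition: ==, !=, >, >=, <, <=, include?, !include?, is_empty(), $field."""
    m = re.fullmatch(r"is_empty\(([\w:.]+)\) == (true|false)", cond)
    if m:
        return (get(row, m.group(1)) in (None, "", [])) == (m.group(2) == "true")
    field, op, value = cond.split(" ", 2)
    if op in ("include?", "!include?"):  # substring, case-insensitive ("cis" finds "Cisco")
        return (value.lower() in str(get(row, field)).lower()) == (op == "include?")
    # == and != are exact and case-sensitive; $name compares against another field of the row
    target = get(row, value[1:]) if value.startswith("$") else coerce(value)
    left = get(row, field)
    if isinstance(target, float):
        try:
            left = float(left)
        except (TypeError, ValueError):
            return False
    return OPS[op](left, target)


def run(query):
    """Execute 'source | cmd | cmd ...'; the pipe must have exactly one space on each side."""
    parts = query.split(" | ")
    if any(not p or p != p.strip() or "|" in p for p in parts):
        raise SyntaxError("Incorrect syntax: write the pipe as ' | '")
    rows = [dict(r) for r in TABLES[parts[0]]]
    for cmd in parts[1:]:
        name, _, args = cmd.partition(" ")
        if name == "where":  # 'OR' joins alternatives; AND is a second '| where'
            rows = [r for r in rows if any(match(r, c) for c in args.split(" OR "))]
        elif name == "select":  # 'old->new' renames a column
            cols = [a.split("->") if "->" in a else (a, a) for a in args.split()]
            rows = [{new: get(r, old) for old, new in cols} for r in rows]
        elif name == "count":
            rows = [{"count": len(rows)}]
        elif name == "group_by":  # comma-separated keys, no spaces
            keys, groups = args.split(","), {}
            for r in rows:
                k = tuple(get(r, f) for f in keys)
                groups[k] = groups.get(k, 0) + 1
            rows = [dict(zip(keys, k), count=n) for k, n in groups.items()]
        elif name == "sort":
            field, _, order = args.partition(" ")
            rows.sort(key=lambda r: get(r, field), reverse=(order == "desc"))
        elif name == "head":
            rows = rows[: int(args)]
        elif name == "expand":  # one row per array element, exposed as expanded_<field>
            rows = [dict(r, **{f"expanded_{args}": v}) for r in rows for v in (get(r, args) or [])]
        elif name == "join":  # join <table> <my_field> <their_field> -> joined_<table>_<my>_<their>
            table, mine, theirs = args.split()
            index = {get(o, theirs): o for o in TABLES[table]}
            key = f"joined_{table.rstrip('s')}_{mine}_{theirs}"
            # assumption: rows without a match keep an empty structure instead of being dropped
            rows = [dict(r, **{key: index.get(get(r, mine), {})}) for r in rows]
        elif name in ("pie", "column", "column_colored_by_label"):
            pass  # chart rendering only; the rows are unchanged
        else:
            raise SyntaxError(f"unknown command: {name}")
    return rows


if __name__ == "__main__":
    for q in ("nodes | group_by mac_vendor | sort count desc | head 5",
              "links | join nodes to ip | where joined_node_to_ip.zone include? DMZ | select from to protocol"):
        print(q, "->", run(q))
```

Try the queries from the slides against it: "nodes | where mac_vendor == cisco" returns nothing while "nodes | where mac_vendor include? cis" returns both Cisco nodes, and "nodes |  count" (double space) raises the same kind of syntax error Guardian reports.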


Queries – Use cases 2 (Optional)

4. Produce a table including nodes in the network that have been inactive for the last 10 days,
filtering out ghost nodes (tips: ghost nodes never have sent.bytes, and the time a node has been
inactive can be seen in the last_activity_time column).

5. Produce a table reporting from, to, function_codes name, last_activity_time of every link using
the iec104 protocol.

6. Produce a table showing links that are likely being blocked by a firewall (tip: this can be modelled
with the tcp_connection_attempts.total and tcp_handshaked_connections.total fields).


See solutions to these Use Cases in the Solutions section at the end of this PDF.


Queries – Use cases 3 (Optional)

7. Produce a table showing how many links are initiated from each zone (tip: the links table
has fields with zone information).

8. Produce a table showing from, to, protocol and TCP retransmission percentage of all
links with a TCP retransmission percentage between 40 and 90 percent.

9. Produce a table showing the function codes seen on the monitored network for the iec104
protocol, sorted so that the most used come first (tip: work with the variables table).


See solutions to this exercise at the end of the Participants Guide, in the Solutions section.


Queries – Use cases 4 (Optional)

10. Produce a column chart including the list of source IPs that opened iec104 links, sorting
them by number of links.

11. Show how many links with the same zone (source and destination) are in the monitored network.

12. Produce a pie chart showing the percentage of every transport protocol used in the
monitored network.


See solutions to this exercise at the end of the Participants Guide, in the Solutions section.


Queries Activity: Create Saved Queries

Lab Exercise – Lab 17: Create Saved Queries
Time to complete: 3 minutes
Review the saved queries
Reference: User Manual, Chapter 11: Queries


These queries will be used for Dashboard and Reports activities


Reports
• Can be run on demand or scheduled
• Available formats are Excel, CSV and PDF
• Predefined layouts are:
  • Empty
  • Alerts
  • Assets Inventory
  • CIS Controls
  • Vulnerability
• Predefined widgets and custom queries can be used
• Filters can be applied globally or per widget
• Reports can be stored in customizable folders
• The report schema can be exported and imported (JSON format)

(Screenshot: report dashboard)


Reports are an important function of the Guardian and can be greatly customized. Reports can be
either run ad-hoc or on a scheduled basis. However, if they’re scheduled, you also need to configure
an SMTP server.

Reports can be created as either CSV, Excel or PDF. When creating reports, you can either use a
predefined layout or create your own.

Reports can be organized into folders (similar to the groups for saved queries).


Reports – Overview

(Screenshot: report management screen, showing the Global Filters button and the folder structure)


Here is the report Management screen. On the left you can create the folders into which you can
organize your created reports.

At the top left, you can click on the blue “New report…” button to create a new report; otherwise,
select an existing report from the folders to edit it.
While editing a report layout, you can filter the results of the report using the Filter button at the top
middle of the screen. Using a query, you can indicate what items to show in all report results.

In the middle work area, you can add rows and/or add “widgets” to the report. Each widget can be
one of several pre-defined out-of-the-box or you can use any of your saved queries as a report widget.
Don’t forget to Save the report layout when finished.

Clicking the Settings tab at the top right will give you the opportunity to upload a custom company
logo (or use the default Nozomi Networks logo) and/or configure your SMTP server information so
that scheduled reports can be emailed to their intended recipients.


Reports – Use Case

Lab Exercise – Lab 18: Create a Custom Report
Time to complete: 5 minutes
Steps: create a new Empty report; add a row and choose widgets
Reference: User Manual, Chapter 5: User Interface Ref. - Reports


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Dashboards
• Two default dashboards are available: Overview and Stats
• The configuration mode is available under Settings > Dashboards or by clicking directly on the Dashboard
• Creating the first new dashboard removes the default ones
• Predefined widgets and custom queries are available to compose the dashboard
• Dashboards can be exported and imported (JSON format)

(Screenshot: dashboard configuration)


When customers first start using the Guardian, their default dashboard options are Overview and
Stats. However, they will likely want to change, add or delete these dashboards to their liking. In
order to do this, those with sufficient privileges can click the wrench icon in the upper right corner of
their Dashboard screen or navigate to Administration > Settings > Dashboards.

If they create a custom dashboard, the initial default layouts will no longer be available. If they want
to bring them back, they will need to create a new custom dashboard using the Stats or Overview
template.

Dashboards, like reports, can be created using predefined widgets or use any saved queries
(including pie charts, graphs and column charts created from those queries). These widgets can be
moved around and arranged as needed. They can also be exported or imported, using the JSON
format.


Dashboards – Use Case

Lab Exercise – Lab 19: Configure a Custom Dashboard
Time to complete: 5 minutes
Reference: User Manual, Chapter 5: User Interface Ref. – Dashboard
(Screenshots: dashboard templates; a customized Stats-based dashboard)


Special elements cannot be created from queries; they are only available as widgets to include in custom dashboards.


Alerts and Hybrid Threat Detection


What are Alerts?

• Alerts are network events detected and recorded by Guardian because they could be malicious or insecure
• Alerts need to be interpreted and investigated by a user

• The main components of an alert are:
1. Time – timestamp of the moment when the event occurred
2. Type-ID – descriptor of the type of check/signature/learned behaviour that triggered the alert
3. Source – source node where the event originated
4. Destination – destination node the event was targeted to
5. Protocol – application layer protocol where the event occurred
6. Risk – risk level of the alert, a number from 0 to 10

• These properties and others can be observed from the Alerts section or by querying the alerts table
• Most alerts also come with a packet capture of the event; this can be downloaded from the alert actions menu.


What are incidents?

• Incidents are groupings of alerts that could be related to the same root cause
• After an alert is generated, Guardian correlates it with previously generated alerts.
  If a correlation is found, an incident is created; incidents are always marked with a dedicated incident symbol.
• An incident is a new entry in the alerts table in queries. It is displayed in the Alerts section if the
  "Group by Incident" switch is enabled by the user.

(Screenshot: multiple alerts within one incident)


Alerts practice

Lab Exercise – Lab 20: Familiarization with Alerts and Incidents
Time to complete: 5 minutes
Reference: User Manual, Chapter 6: Sec. Features - Alerts


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Alert Categories

Alerts come from four categories of checks:

Custom Checks
• Assertions
• Links and Variables Configuration

Protocol Validation
• Protocol Knowledge
• Undesired Protocol Behaviours

Virtual Image
• Behavioural Anomaly Detection
• Most alerts in protecting mode (Learned Behaviour)

Built-in Checks plus Threat Intelligence
• Known Security Attack Patterns
• Signatures
• Sigma rules
• USB monitoring

Arc contributes:
• Asset Intelligence
• Device fingerprinting
• Baseline strengthening


Through the use of multiple detection/inspection engines running simultaneously, we can detect known
malware, zero-day malware behaviour, security breaches, network and hardware misconfigurations, as
well as operational details and trends.

From an alerting perspective, we have four categories: protocol validation, built-in checks,
custom checks and the Virtual Image.

Protocol validation is performed against every packet. It checks that the packet follows the expected
behaviour according to the protocol specification and RFC.
Built-in checks use the Threat Intelligence feed for signature analysis to find known malicious behaviour.

Custom checks are alerts that you as the user of the Guardian setup and include link and
variable alerts as well as assertions. The latter uses queries to look for traffic that you wish to be
alerted about.

The Virtual Image is behavioral analysis, matching packets and behavior against the system’s
established baseline.


Alert types descriptions

Lab Exercise – Lab 21: Access the User Manual to Research Alert Type
Time to complete: 3 minutes
Reference: alerts list and descriptions in the User Manual, Chapter 6: Security Features – Alerts Dictionary


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Asset Intelligence


Asset Intelligence (AI) – Service

Asset Intelligence = Asset Model with protocols and function codes + Asset Model with device
images/descriptions + Asset lifecycle status information (only in Vantage)

• By detecting the asset's details (e.g. product name and vendor), further features of these devices are
  fed into Guardian's asset inventory, creating a more solid baseline.
• The service is subscription based (a license is required).
• Updates can be installed manually or automatically (System > Updates & Licenses).
• The content is created/curated by Nozomi Networks Labs.


We've already discussed the Asset Intelligence feed at a high level, but let's dive a little further into
it, because it not only informs details about hardware but can also help with detecting anomalies
(and reduce the number of potential alerts).

As a reminder, the AI feed is subscription-based. Updates to the feed are managed either
automatically or manually, typically from a CMC or Vantage (if the customer has one).

The information within the AI feed is gathered by Nozomi Networks through research and good
relationships with hardware vendors.


Enriched Asset Information


The Asset inventory benefits from the Asset Intelligence (AI) subscription:
• More detailed and precise info about the assets (when Vendor or Product Name is detected)
  Added information about "End of sale" and "End of support"
• 3 different states:
  (a) enriched asset: the asset benefits from AI database info
  (b) asset not matched: the asset is not part of the AI database
  (c) not active: no active AI license on this Guardian


Here you can see some sample information that can be provided by the Asset Intelligence feed.
The device type (here, Light bridge) and product lifecycle information (in terms of end-of-sale
and end-of-support) is added via the AI feed. Hover your mouse over the “i” next to a field for
information about the source of the details.

While it’s not shown here, the AI feed also informs which protocols and function codes are
supported by the devices; that information is integral to creating some VI alerts and preventing
false positives. For example, if an asset can support 3 different protocols and only one of them
has to-date been seen and then a second protocol is finally seen, it won’t trigger an erroneous
alert because the Guardian knows that it supports all three. (Note: certain factors may influence
the generation of an alert in this circumstance - specifically, the Detection Method. More about
that later.)

On the Asset details page, you can see whether the feed has provided additional information from the status box. If it says "Enriched Asset", the AI feed added some information. If it says "Asset Not Matched", the device and vendor information unfortunately did not match anything in the database and no further information was added by the AI feed. Last, if a customer is not using the AI feed at all, it will show "Not active".


Enriched Asset Information


• Adding information like: picture, protocols and function codes supported by the assets
(Screenshot: device picture added by AI, only on Vantage)

Once the device is correctly identified, AI adds the info about supported function codes, protocols and end of sale/support dates into Guardian without the need of analyzing the network traffic.


Here you can see that the AI feed can also provide an image of the device if available; however,
that capability is only present on the Vantage. As mentioned before, the AI feed will inform the
Guardian and list out the supported protocols and function codes, regardless of whether they’d
been previously seen in the network or not.

A helpful query you can run would be: assets | where type:info.source include? kb


Asset Intelligence
Lab Exercise

Lab 22: Use Asset Intelligence Information
Time to Complete: 3 minutes
Reference: User Manual, Chapter 10: Asset Int. – Enriched Info
(Screenshot: Asset Details for Enriched Device)


Follow the Lab guide, available on the Trainee machine, to complete this exercise.


Built-in Checks


Built-in Checks
Threat Intelligence (TI) – Service

(Diagram) Threat Intelligence = Packet Rules + Yara Rules + STIX indicators + SIGMA Rules + Vulnerability DB

• The service is subscription based (a license is required).
• Updates can be installed manually or automatically.
• The Rules and DBs are created by Nozomi Networks Labs or obtained from the infosec community, each verified by Nozomi Networks.

Guardian provides a hybrid intrusion/anomaly detection system which is based on:
• Behavioral anomaly detection: Learning/Protecting, and
• Signature and/or pattern-match detection: Threat Intelligence signatures and additional Built-in Checks.
System → Updates & Licenses


The other subscription feed that Nozomi Networks offers is the Threat Intelligence feed, which
allows the Guardian to perform signature analysis on every packet and file seen in the
monitored network. Similar to the Asset Intelligence feed, it can be installed/updated
automatically or manually, depending on your settings. By default, it will be maintained and
updated by an upstream CMC or Vantage, if present.

The contents of the TI feed are created by the NN Labs research team and some of it is
informed by partnerships and information from the greater infosec community as well.

Through the Threat Intelligence feed, the Guardian has four different detection capabilities: packet rules, Yara rules, STIX indicators and the vulnerability database. Sigma rules are only used by Arc.


Built-in Checks
Packet Rules – Overview

Packet Rules are available under Settings → Threat Intelligence

• Executed on every packet sent over the network; related Alerts use the type-id SIGN:PACKET-RULE.
• Supporting the SNORT syntax allows users to easily add new rules using a well-known standard.
• Based on the engine written by Nozomi Networks.


The first of the components of the TI feed that we'll cover is the Packet Rules. Navigate to Administration > Settings > Threat Intelligence > Packet Rules tab to see the list of packet rules, enabled or disabled.

Packet rules – as their name implies – inspect every packet seen by the Guardian. Each of these 'rules' looks for known malicious content or behavior and will trigger a "SIGN:PACKET-RULE" alert. These rules are written using the well-known SNORT syntax, but only use the "alert" action (which makes sense, considering the function of the Guardian as a passive detection appliance).

Each of the rules can be enabled or disabled. However, rules that are part of the feed cannot be edited. You can choose to create your own rule as well, which you can edit or delete (as well as enable or disable) at your leisure.

PACKET RULE EXAMPLE → DoublePulsar Ping

Options at this point: content, byte_extract, byte_test, pcre, msg and reference.
Example: content:"string" searches for the string in the payload.

The contents already shipped with Guardian can be enabled or disabled but not modified or deleted; new contents can always be added by the user.



Built-in Checks
Packet Rules – Structure

Lab Exercise

Lab 23: Explore Packet Rules and Create a New One
Time to Complete: 5 minutes
Reference: User Manual, Chapter 6: Security Features – Packet Rules
(Screenshots: SNORT syntax used for Packet Rules; add a custom packet rule)


Follow the Lab guide, available on the Trainee machine, to complete this exercise.


Built-in Checks
Packet Rules – Search for content

The SNORT Packet Rules syntax allows searching for specific content within the packet's payload.
The content keyword specifies string(s) or binary data inside a packet to search for. Example:
alert tcp any any -> any any (content:"GET";) → searches for "GET" within the TCP packets' payload.
The following modifiers are available to influence the search:
• offset specifies where to start searching for a pattern within a packet:
alert tcp any any -> any any (content:"GET"; offset:4;) → skips the first 4 bytes of the packet's payload, then starts searching for "GET".
(Diagram: 4 bytes skipped, then start searching for "GET")
• depth specifies how far into a packet should be searched for a pattern:
alert tcp any any -> any any (content:"GET"; depth:3;) → searches for the "GET" string within the first three bytes of the TCP payload only.
(Diagram: G E T within the first 3 bytes)


These two modifiers (offset and depth) specify where the search for a pattern starts and how far it may extend, measured from the beginning of the payload.


Built-in Checks
Packet Rules – Search for content

• distance specifies how many bytes to ignore before starting to search for a pattern, relative to the end of the previous match (minimum distance between the end of pattern-1 and the start of searching for pattern-2):
alert tcp any any -> any any (content:"GET"; content:"ONE"; distance:1;) → searches for the "GET" pattern, skips one byte and looks for the "ONE" pattern within all following bytes; "GET ONE" or "GET-123-ONE" would match.
(Diagram: G E T, skip 1 byte, then start searching for "ONE")
• within specifies how distant at most, in relation to a previous pattern, a new pattern should be searched for (search from the end of pattern-1 within the number of bytes specified for pattern-2):
alert tcp any any -> any any (content:"GET"; content:"ONE"; within:10;) → searches for the "GET" string in the packet and looks for the "ONE" string within the following 10 bytes.
(Diagram: G E T, then search for "ONE" within the next 10 bytes)


These two modifiers (distance and within) differ from those on the previous screen: they specify how far, in relation to a previous pattern, a new pattern should be searched for.
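To make the four modifiers concrete, here is an added example (not part of the guide or of Guardian's rule engine) that evaluates a rule's content options against a TCP payload following the semantics described on these two slides; the rule header check only supports "any" source fields and a numeric or "any" destination port, and Snort's |hex| content notation is not handled.

```python
"""Evaluate Snort-style content options (offset, depth, distance, within)
against a TCP payload, as described on the Packet Rules slides.

Added example for this guide; it is not Guardian's rule engine. The
semantics follow the slide text: offset/depth are measured from the start
of the payload, distance/within from the end of the previous match.
"""
import re
from typing import List, Optional

# One option such as content:"GET" or offset:4 (options are ';' terminated).
_OPTION_RE = re.compile(r'\s*(\w+)\s*:\s*("([^"]*)"|[^;]*)\s*;')
# Rule header: alert <proto> <src> <sport> -> <dst> <dport> (<options>)
_HEADER_RE = re.compile(
    r'^\s*alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


class ContentCheck:
    """One content keyword plus the modifiers that follow it."""

    def __init__(self, pattern: bytes):
        self.pattern = pattern
        self.offset: Optional[int] = None    # absolute: skip N payload bytes first
        self.depth: Optional[int] = None     # absolute: length of the search window
        self.distance: Optional[int] = None  # relative: skip N bytes after previous match
        self.within: Optional[int] = None    # relative: window length after that skip


def parse_options(options: str) -> List[ContentCheck]:
    """Parse the part between parentheses into content checks.
    Other options (msg, reference, ...) are accepted and ignored."""
    checks: List[ContentCheck] = []
    for key, raw, quoted in _OPTION_RE.findall(options):
        if key == "content":
            checks.append(ContentCheck(quoted.encode()))
        elif key in ("offset", "depth", "distance", "within"):
            if not checks:
                raise ValueError(f"{key} must follow a content option")
            setattr(checks[-1], key, int(raw))
    return checks


def match_content(payload: bytes, checks: List[ContentCheck]) -> bool:
    """True when every content check matches, in order.
    A pattern must lie entirely inside its search window."""
    prev_end = 0  # end of the previous match (0 before any match)
    for chk in checks:
        relative = chk.distance is not None or chk.within is not None
        if relative:
            start = prev_end + (chk.distance or 0)
            length = chk.within
        else:
            start = chk.offset or 0
            length = chk.depth
        end = len(payload) if length is None else start + length
        pos = payload.find(chk.pattern, start, end)
        if pos == -1:
            return False
        prev_end = pos + len(chk.pattern)
    return True


def rule_matches(rule: str, proto: str, dst_port: int, payload: bytes) -> bool:
    """Apply a full rule (header plus options) to one packet."""
    m = _HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    r_proto, _src, _sport, _dst, r_dport, options = m.groups()
    if r_proto.lower() != proto.lower():
        return False
    if r_dport != "any" and int(r_dport) != dst_port:
        return False
    return match_content(payload, parse_options(options))


if __name__ == "__main__":
    # The slide's examples: offset:4 needs four bytes before "GET",
    # within:10 needs "ONE" to end within 10 bytes of the end of "GET".
    print(rule_matches('alert tcp any any -> any any (content:"GET"; offset:4;)',
                       "tcp", 80, b"xxxxGET"))
    print(match_content(b"GET-123-ONE",
                        parse_options('content:"GET"; content:"ONE"; within:10;')))
```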


Built-in Checks
Packet Rules – Exercise

Objective: Analyze Packet Rules

Activities:
1. When monitoring TCP segments with destination port 21 having the "MENDRISIO" string as the start of its payload, which of the following rules would produce an alert (select all that apply):
A. alert udp any any -> any 21 (content:"MENDRISIO";)
B. alert tcp any any -> any 21 (content:"DRIS"; offset:3;)
C. alert tcp any any -> any any (content:"MEN";)
D. alert tcp any any -> any any (content:"MEN"; content:"DRISIO"; distance:1;)

2. In order to find TCP segments with destination port 80 having either "Nozomi-Training" or "Nozomi_-_Training" within its payload, which of the following rules would produce an alert (select all that apply):
A. alert tcp any any -> any any (content:"Nozomi"; content:"Train"; within:8;)
B. alert tcp any any -> any 80 (content:"Nozomi"; content:"T"; within:1;)
C. alert tcp any any -> any 80 (content:"Training"; content:"Noz"; distance:1; content:"omi"; distance:1;)
D. alert tcp any any -> any 80 (content:"Nozomi"; content:"Training"; distance:1;)

User Manual Chapter 6 - Security Features - Packet Rules


See solutions to this exercise at the end of this PDF, in the Solutions section.


Built-in Checks
Yara Rules – Overview

Yara Rules are available under Settings → Threat Intelligence

• Executed on every file transferred, also on .zip/.tar archives, via smb, ftp, http or other, using the alert type-id SIGN:MALWARE-DETECTED.
• Detecting malicious artifacts (e.g., executables or exploits) by searching for specific patterns inside the files.
• Using the original YARA engine.


The contents already shipped with Guardian can be enabled or disabled but not modified or deleted; new contents can always be added by the user.

The analysis is done on the files that are transferred over:
- smb
- ftp
- http
- other (communications where Guardian does not have enough info to understand the protocol)

YARA rules analyze files of 2 to 4 MB, depending on the protocol; the limit cannot be changed because raising it could become dangerous in terms of performance.

The default archive nesting level analyzed is 3 and can be configured via the CLI.


Built-in Checks
Yara Rules – Structure

(Screenshot: a Yara rule describing Stuxnet, annotated with its three parts)
- Rule metadata (not used by the engine)
- Checked strings that feed the condition logic
- Condition logic


YARA – "Yet Another Ridiculous Acronym"

Keyword to start: "rule", followed by the name of the rule
- Meta descriptions, like author
- Strings to look for
- Conditions

The contents provided by NN can be enabled or disabled but not modified or deleted; new contents can always be added by the user.

The content of a file is checked after the file is reconstructed from the stream (on smb, ftp, http).


Built-in Checks
Yara Rules – Conditions

Different conditions are checked on reconstructed files: if the logical statement made by the condition matches (returns true), the rule triggers the alert.

• Conditions on strings:
  all of them, 2 of them, 3 of ($s*)
• Conditions on raw bytes:
  Searching for the first two bytes of a file being set to 0x5a4d → uint16(0) == 0x5a4d // it is the hexadecimal string for a Windows executable file (.exe or .dll or .sys), decoded as "MZ" in ascii
• Conditions on file size:
  The file size is e.g. smaller than 150KB → filesize < 150KB


Strings:
- Per default in ascii
- Unicode → "wide" modifier ("wide ascii" for both)

Raw bytes, where to look:
- uint16(0) == 0x5a4d (checks that the first 2 bytes are set to 0x5a4d = MZ)
- uint8(8) == 0x85 (checks the second byte)
- Hex strings look for hexadecimal values rather than ascii
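The condition types on this slide, carried through in plain Python as an added example (not from the guide and not using the YARA engine): the strings section, the rule condition and the sample "file" are all constructed, and the uint16/uint8/filesize helpers mirror the YARA functions of the same name. As in YARA, "and" binds tighter than "or", which is the precedence the Python test on the Lab 24 notes page demonstrates.

```python
"""Evaluate the kinds of YARA conditions shown on the slide against a
reconstructed file: string matches (ascii / wide), raw-byte checks such as
uint16(0) == 0x5a4d, filesize limits and "N of ($s*)" string counts.

Added example for this guide, written in plain Python rather than with the
YARA engine; the rule below is constructed and is not a Nozomi Networks rule.
"""
import struct
from typing import Dict, Tuple

KB = 1024

# Constructed sample: a tiny PE-like header ("MZ" at offset 0), some DOS-stub
# text in ascii and the string "cmd.exe" in its wide (UTF-16LE) form.
SAMPLE_FILE = (b"MZ" + b"\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 54
               + b"This program cannot be run in DOS mode.\r\n"
               + b"c\x00m\x00d\x00.\x00e\x00x\x00e\x00"
               + b"\x00" * 16)

# Strings section of the constructed rule: name -> (text, modifiers).
# "ascii" is the default form, "wide" the UTF-16LE form, "wide ascii" both.
RULE_STRINGS: Dict[str, Tuple[bytes, Tuple[str, ...]]] = {
    "$s1": (b"cannot be run in DOS mode", ("ascii",)),
    "$s2": (b"cmd.exe", ("wide",)),
    "$s3": (b"powershell", ("wide", "ascii")),
    "$a1": (b"MZ", ("ascii",)),
}


def string_matches(data: bytes, strings: Dict[str, Tuple[bytes, Tuple[str, ...]]]) -> Dict[str, bool]:
    """For each named string, whether it occurs in data in any of its encodings."""
    result = {}
    for name, (text, mods) in strings.items():
        forms = []
        if "ascii" in mods:
            forms.append(text)
        if "wide" in mods:
            forms.append(text.decode("ascii").encode("utf-16-le"))
        result[name] = any(form in data for form in forms)
    return result


def uint16(data: bytes, offset: int) -> int:
    """YARA's uint16(offset): little-endian 16-bit value at that offset."""
    return struct.unpack_from("<H", data, offset)[0]


def uint8(data: bytes, offset: int) -> int:
    """YARA's uint8(offset): the single byte at that offset."""
    return data[offset]


def filesize(data: bytes) -> int:
    """YARA's filesize: length of the reconstructed file in bytes."""
    return len(data)


def n_of(matches: Dict[str, bool], n: int, prefix: str = "$") -> bool:
    """'n of ($s*)': at least n strings whose name starts with prefix matched."""
    return sum(1 for k, v in matches.items() if k.startswith(prefix) and v) >= n


def all_of(matches: Dict[str, bool]) -> bool:
    """'all of them': every string in the rule matched."""
    return all(matches.values())


def rule_condition(data: bytes) -> bool:
    """Condition of the constructed rule, as YARA would read it:
         uint16(0) == 0x5a4d and filesize < 150KB and 2 of ($s*)
    """
    m = string_matches(data, RULE_STRINGS)
    return uint16(data, 0) == 0x5a4d and filesize(data) < 150 * KB and n_of(m, 2, "$s")


if __name__ == "__main__":
    print(string_matches(SAMPLE_FILE, RULE_STRINGS))
    print("rule fires:", rule_condition(SAMPLE_FILE))
```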


Built-in Checks
Yara Rules – Exercise

Lab Exercise

Lab 24: Practice with Yara Rules
Time to Complete: 3 minutes
Reference: User Manual, Chapter 6: Security Features
(Screenshot: APT Industroyer related Yara rule)


See solutions to this exercise at the end of the Participants Guide, in the Solutions section.

To better understand how multiple ands/ors combine, from the Trainee machine terminal you can use Python to test:

Mac-Terminal# ~/ >python
>>> 0 and 0 and 0 or 1
1
>>>


Built-in Checks
STIX Indicators

STIX (Structured Threat Information Expression) indicators are available under Settings → Threat Intelligence

• Language and serialization format used to exchange cyber threat intelligence (CTI)
• Executed on every IP, URL, and domain detected in the network, and connected to alert types:
  • SIGN:MALICIOUS-IP
  • SIGN:MALICIOUS-URL
  • SIGN:MALICIOUS-DOMAIN
  • SIGN:MALWARE-DETECTED
• Available in two versions: V1 (XML-based) and V2 (JSON-based)


For more info about STIX files, please refer to the following doc:
https://oasis-open.github.io/cti-documentation/faq.html

Guardian now checks domains specified in the HTTP, FTP, TFTP, SMB, and SSDP protocols against malicious domains known to STIX.


Built-in Checks
SIGMA Rules

SIGMA rules are available under Settings → Threat Intelligence

• Sigma is a common open-source standard that analyses log files to identify malicious events
• Used by Arc on Windows systems only and requires SYSMON
• Generates alerts of SIGN:SIGMA-RULE type
• Nozomi Networks Labs curates all the Sigma rules that are loaded into Arc


For more info about SIGMA rules, please refer to the following doc:
https://github.com/SIGMAHQ/SIGMA-SPECIFICATION


Built-in Checks
SIGMA Rules – Structure

(Screenshot: a SIGMA rule identifying Kali Mimikatz, annotated with its parts)
- Rule metadata (not used by the engine)
- Logs to search in
- Elements to detect
- Condition logic


Custom Checks


Custom Checks
Custom checks – Links

Environment > Network View > Links

Checks configurable per link: NET:LINK-RECONNECTION, NET:TCP-SYN, NET:INACTIVE-PROTOCOL

• Per link entry configuration
• Default risk is 3, included in LOW security profile
• An "Active checks" field is available to identify configured links


On this page we recap what we have already seen during the Lab done in the Network section.


Custom Checks
Custom checks – Variables

Environment > Process View

Checks configurable per variable: PROC:STALE-VARIABLE, PROC:INVALID-VARIABLE-QUALITY, PROC:NOT-ALLOWED-INVALID-VARIABLE

• Per variable entry configuration
• Default risk is 3, included in LOW security profile
• An "Active checks" field is available to identify configured variables


On this page we recap what we have already seen during the Lab done in the Process section.


Custom Checks
Custom checks – Assertions

This function is available under Assertions

• An Assertion is a query with a special command appended that converts the query into a logical statement to be satisfied (become TRUE).
• The moment the logical statement is not satisfied, the Assertion fails.
• If configured, a failed Assertion generates an Alert and creates a PCAP file.

(Flowchart) Is the assertion satisfied?
YES → the assertion gives a TRUE result
NO → the assertion gives a FALSE result; if configured, generate an alert / pcap


Assertion sample:
links | join nodes to ip | where joined_node_to_ip.is_public | assert_empty
Equal to
links | join nodes to ip | assert_any joined_node_to_ip.is_public

Time limited (for having an alert at each occurrence):
links | join nodes to ip | where joined_node_to_ip.is_public | where seconds_ago(first_activity_time) < 10 | assert_empty


Custom Checks
Assertions Menu Overview

(Screenshot of the Assertions page with numbered callouts)
1. History: to view all the previous, executed queries
2. Configure: to set the execution interval
3. Import/Export: to Import or Export the assertions
4. Save: to save the assertion and configure the alert generation if needed
5. New Group: to create folders to store saved assertions
6. Assertion result: green=true, red=false


Custom Checks
Assertions

• The Assertion fails when the logical statement results in a FALSE output.
E.g.: we want to make sure that no session using protocol iec104 has status CLOSED:
sessions | where protocol == iec104 | where status == CLOSED | assert_empty

This appendix checks whether the outcome of the query is indeed empty:
- if empty: the assertion is satisfied, and nothing will happen
- if not empty: the assertion has failed; the failure will be logged and, if configured, an alert/trace is created

• Assertion options:
1. assert_empty - The assertion will be satisfied when the query returns an empty result
2. assert_not_empty - The assertion will be satisfied when the query returns a non-empty result
3. assert_all <field> <op> <value> - The assertion will be satisfied when each element in the query result matches the given condition
4. assert_any <field> <op> <value> - The assertion will be satisfied when at least one element in the query result matches the given condition


All:
Zone running only iec104 -> sessions | assert_all protocol == iec104

Any:
You don't care which node is feeding a historian server -> at least one must

Empty:
No entry matches, i.e. something that must not happen: e.g. telnet being used

Not_empty:
At least one entry == non-empty result
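A model of the four assertion commands applied to a query result, as an added example (not the guide's own material and not Guardian's query engine): the session rows are constructed, the "where" helper stands in for the query's filter stage, and the two named checks run the slide's iec104 example and the notes' assert_all example end to end.

```python
"""Model of the four assertion commands (assert_empty, assert_not_empty,
assert_all, assert_any) applied to the result of a query, with a small
'where' filter so the slide's session example can be run end to end.

Added example for this guide; the rows are constructed and the functions
are a model of the described behaviour, not Guardian's query engine.
"""
import operator
from typing import Callable, Dict, List

Row = Dict[str, object]

# Constructed query result, as 'sessions' might return it.
SESSIONS: List[Row] = [
    {"from": "10.0.0.10", "to": "10.0.0.20", "protocol": "iec104", "status": "ACTIVE"},
    {"from": "10.0.0.11", "to": "10.0.0.20", "protocol": "iec104", "status": "SYN"},
    {"from": "10.0.0.30", "to": "10.0.0.40", "protocol": "modbus", "status": "ACTIVE"},
]

_OPS: Dict[str, Callable] = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}


def _condition(field: str, op: str, value) -> Callable[[Row], bool]:
    """Predicate for '<field> <op> <value>'; a row without the field does not match."""
    fn = _OPS[op]
    return lambda row: field in row and fn(row[field], value)


def where(rows: List[Row], field: str, op: str, value) -> List[Row]:
    """'| where <field> <op> <value>' keeps only the matching rows."""
    return [r for r in rows if _condition(field, op, value)(r)]


def assert_empty(rows: List[Row]) -> bool:
    """Satisfied when the query returns no row."""
    return len(rows) == 0


def assert_not_empty(rows: List[Row]) -> bool:
    """Satisfied when the query returns at least one row."""
    return len(rows) > 0


def assert_all(rows: List[Row], field: str, op: str, value) -> bool:
    """Satisfied when every row matches (in this model, as with Python's
    all(), an empty result also counts as satisfied)."""
    return all(_condition(field, op, value)(r) for r in rows)


def assert_any(rows: List[Row], field: str, op: str, value) -> bool:
    """Satisfied when at least one row matches."""
    return any(_condition(field, op, value)(r) for r in rows)


def evaluate(satisfied: bool, alert_enabled: bool = True) -> str:
    """Outcome of one evaluation: a failed assertion is logged and,
    if configured, an alert/trace is created."""
    if satisfied:
        return "satisfied: nothing happens"
    return "failed: logged" + (", alert/trace created" if alert_enabled else "")


def no_closed_iec104(rows: List[Row]) -> bool:
    """sessions | where protocol == iec104 | where status == CLOSED | assert_empty"""
    return assert_empty(where(where(rows, "protocol", "==", "iec104"),
                              "status", "==", "CLOSED"))


def zone_runs_only_iec104(rows: List[Row]) -> bool:
    """sessions | assert_all protocol == iec104"""
    return assert_all(rows, "protocol", "==", "iec104")


if __name__ == "__main__":
    print(evaluate(no_closed_iec104(SESSIONS)))
    print(evaluate(zone_runs_only_iec104(SESSIONS)))
```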


Custom Checks
Assertions – Use Cases 1

1. Produce an alert when a Node is down for at least one day, excluding nodes representing broadcast addresses.

2. Produce an alert when an ACTIVE http session is detected.


See solutions to this exercise at the end of the Participants Guide, in the Solutions section.


Custom Checks
Assertions – Use Cases 2 (Optional)

3. In order to upgrade critical equipment, produce an alert when switches are suffering critical vulnerabilities (assuming critical means a CVE score of 9 or higher, and a likelihood of 0.8 or higher).

4. Produce an alert when the minimum value of at least one variable named ioa-2-2 belonging to 192.168.231.107 is less than 0.2 (try not to use the 'assert_empty' keyword).


See solutions to this exercise at the end of the Participants Guide, in the Solutions section.


Security Control Panel


Security Control Panel

Settings → Security Control Panel

(Screenshot with numbered areas 1–5 of the Security Control Panel: Set global Learning parameters; Manage Learning; Set global Security profiles managing Alert visibility; Map / Configure zone-based controls; Set specific Alert rules; Custom Reason for closing)


Virtual Image
Learning Modes


Virtual Image
Learning and Protecting

• Event (E): any possible activity in the monitored network that can be detected by Guardian; this includes for example:
  • A new node, link, protocol, or variable appearing
  • A new variable value appearing
  • A variable changing its update cycle
• Virtual Image (VI): all events in the monitored network
• Baseline (B): learned or added Events in the monitored network

(Diagram: E, VI and B drawn as nested sets)


The Events are only related to nodes, links and protocols; a detected malware is not considered an Event by the Virtual Image.


Virtual Image
Learning and Protecting

Guardian runs in two modes to create the baseline and protect the network:

Learning mode: when learning is applied, every new event is included into B.
→ Guardian switched to Protecting mode →
Protecting mode: every new event that was not included in B is considered to be an anomaly and added to VI.

(Diagram: in Learning mode NodeA, NodeB and their S7 link are learned into B; in Protecting mode a new Node C and a new S7 link appear and are added to VI as anomalies)

Event (E): any possible activity that can be detected, e.g. a new node, link, protocol, or variable appearing; a new variable value appearing
Virtual Image (VI): all events in the monitored network
Baseline (B): learned or added Events in the monitored network


Here is an example that explains what is considered new by the Virtual Image.


1 Learning
Settings → Security Control Panel

(Screenshot: Set global Learning parameters)


Virtual Image
1 Detection approach

Adaptive Learning (Default)

Rationale:
• Addressing a dynamic environment where devices are exchanged frequently and cloud services are used, e.g., networks with IoT components.

How it works:
• Learning is applied at site (network) level; events are considered to be good or malicious depending on the installed infrastructure.
• New Event alerts are:
  • VI:GLOBAL:NEW-FUNC-CODE
  • VI:GLOBAL:NEW-MAC-VENDOR
  • VI:GLOBAL:NEW-VAR-PRODUCER
  • VI:KB:UNKNOWN-FUNC-CODE
  • VI:KB:UNKNOWN-PROTOCOL

(Screenshot: Anomaly Detection: Adaptive)


Only the mentioned Virtual Image alerts are created; the rest are inhibited.

E.g. new MAC addresses belonging to MAC vendors known to the site are not alerted on.

VI:GLOBAL:NEW-FUNC-CODE, VI:GLOBAL:NEW-MAC-VENDOR, VI:GLOBAL:NEW-VAR-PRODUCER → work only when in Protecting mode

VI:KB:UNKNOWN-FUNC-CODE, VI:KB:UNKNOWN-PROTOCOL → work in both Learning and Protecting modes

(See User Manual, Chapter 6 for more information)


Virtual Image
1 Detection approach

Strict Learning

Rationale:
• Addressing a stable (classic) OT network where users know the network in detail and want to operate the Learning with maximum granularity.

How it works:
• Learning is applied to single nodes, so events are considered to be good or malicious at a node (device) level.
• Any new event is alerted on, for example:
  • VI:NEW-FUNC-CODE
  • VI:NEW-MAC
  • VI:NEW-LINK
  • …

(Screenshot: Anomaly Detection: Strict)


Virtual Image + Asset Intelligence
1 Detection approach - Use cases

Case | Adaptive + Asset Intelligence in Protecting mode | Strict in Protecting mode
Case 1: After an update, the existing PLCs (PLC 1, PLC 2, PLC 3 of Vendor A, previously Modbus only) support the new protocol DNP3 | NO ALERT | VI:NEW-COMMUNICATION
Case 2: An additional PLC (PLC 4, Modbus) of the existing make (Vendor A) is introduced | NO ALERT | VI:NEW-NODE, VI:NEW-COMMUNICATION
Case 3: An additional PLC (Modbus) of the new Vendor X is introduced | VI:GLOBAL:NEW-MAC-VENDOR | VI:NEW-NODE, VI:NEW-COMMUNICATION


Here you can find some examples that highlight the difference between Strict and Adaptive.
On the Adaptive side, Asset Intelligence is included to show the benefit it can introduce.
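The three cases above, worked through in a simplified model added here (not Guardian's detection logic and not from the guide): the learned baseline, the PLC nodes and the Asset Intelligence protocol profile are constructed, and the model goes one step beyond the slide by also raising VI:KB:UNKNOWN-PROTOCOL when a known product speaks a protocol its profile does not list.

```python
"""Simplified model of how Strict and Adaptive (with Asset Intelligence)
detection treat the use cases on the slide while in Protecting mode.

Added example for this guide, not Guardian's detection logic: the baseline,
the nodes and the Asset Intelligence profile below are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Node:
    name: str
    vendor: str    # MAC vendor (from the OUI)
    product: str   # product name as identified by Asset Intelligence


@dataclass
class Baseline:
    """B: learned nodes and learned (node, protocol) communications."""
    nodes: Dict[str, Node] = field(default_factory=dict)
    communications: Set[Tuple[str, str]] = field(default_factory=set)

    def learn(self, node: Node, protocols: List[str]) -> None:
        self.nodes[node.name] = node
        for p in protocols:
            self.communications.add((node.name, p))

    def vendors(self) -> Set[str]:
        return {n.vendor for n in self.nodes.values()}


# Constructed Asset Intelligence profile: protocols a product is known to support.
ASSET_INTELLIGENCE: Dict[str, Set[str]] = {
    "PLC-A100": {"modbus", "dnp3"},
}


def strict_protecting(b: Baseline, node: Node, protocol: str) -> List[str]:
    """Strict: learning is per node, so any event not in B is alerted on."""
    alerts = []
    if node.name not in b.nodes:
        alerts.append("VI:NEW-NODE")
    if (node.name, protocol) not in b.communications:
        alerts.append("VI:NEW-COMMUNICATION")
    return alerts


def adaptive_ai_protecting(b: Baseline, node: Node, protocol: str) -> List[str]:
    """Adaptive + Asset Intelligence: events are judged at site level and
    against the device profile, so only the GLOBAL / KB alert types fire."""
    alerts = []
    if node.vendor not in b.vendors():
        alerts.append("VI:GLOBAL:NEW-MAC-VENDOR")
    known = ASSET_INTELLIGENCE.get(node.product)
    if known is not None and protocol not in known:
        alerts.append("VI:KB:UNKNOWN-PROTOCOL")
    return alerts


def learned_site() -> Baseline:
    """Baseline after learning: PLC 1-3 from Vendor A speaking Modbus."""
    b = Baseline()
    for i in (1, 2, 3):
        b.learn(Node(f"PLC {i}", "Vendor A", "PLC-A100"), ["modbus"])
    return b


def run_cases() -> Dict[str, Tuple[List[str], List[str]]]:
    """Return (adaptive+AI alerts, strict alerts) for the slide's three cases."""
    b = learned_site()
    cases = {
        # Case 1: after an update the existing PLCs also speak DNP3
        "case1": (b.nodes["PLC 1"], "dnp3"),
        # Case 2: an additional PLC of the existing make (Vendor A)
        "case2": (Node("PLC 4", "Vendor A", "PLC-A100"), "modbus"),
        # Case 3: an additional PLC of a new Vendor X
        "case3": (Node("PLC X", "Vendor X", "PLC-X1"), "modbus"),
    }
    return {k: (adaptive_ai_protecting(b, n, p), strict_protecting(b, n, p))
            for k, (n, p) in cases.items()}


if __name__ == "__main__":
    for name, (adaptive, strict) in run_cases().items():
        print(f"{name}: adaptive+AI={adaptive or 'NO ALERT'} strict={strict}")
```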


Virtual Image
1 Phase switching

Two Phase (Default)

Rationale:
• For static/simple OT environments with knowledgeable onsite OT personnel covering the OT life-cycle, operating the Learning with maximum granularity.

How it works:
• Learning: a global learning is applied to all events in the environment.
• Protecting: after the Learning is evaluated to be finished, the Protecting phase is set manually to start; all Events not covered by the baseline are now alerted on.
• Learning and Protecting are two completely separated states.

(Screenshot: Two phase switching)


Virtual Image
1 Phase switching

Dynamic

Rationale:
• Make the management easier
• Decrease false positives

How it works:
• The Learning window is defined up-front (default 1m, i.e. one month).
• Learning: the dedicated learning periods are applied per node.
• Protecting: applied automatically according to the chosen learning window.
• Learning and Protecting happen together during multiple states.

(Screenshot: Dynamic switching)


Virtual Image
1 Phase switching - Dynamic

Example: Learning window set to 1 month (default)

(Timeline)
Day 0: the Learning starts; any event is included into B.
Day 25: a new node appears (for the first time). During the following 1-month interval, events related to the new node are included into B.
After the 1-month learning window, new events are considered to be an anomaly.


In Dynamic mode the learning is applied per node: every node that appears in the network during the predefined period is set to learning mode for the time defined in the Dynamic mode configuration.


Virtual Image
1 Manage Learning - Adding Items

False positives - Events detected as anomalies can manually be added into B (three ways):
Option 1: from the Network table
Option 2: from the Manage Network Learning
Option 3: closing the related alert


Virtual Image
1 Manage Learning - Removing Items

True positives - Events within B that have been determined to be anomalies can be deleted by:
Option 1: from the Network table
Option 2: from the Manage Network Learning


Here we can see the two ways to remove True positives from the Baseline.

For example:
- At the end of the Learning period, Guardian detected VNC links
- The customer does not want VNC to be used in the network
- The customer removes all VNC (client and server) from the devices
- In the Guardian, all the VNC links should be removed; thanks to this, if a VNC link appears again it will generate an anomaly, since it is no longer in the baseline and the Learning mode has been switched to Protecting.


Threat & Asset Intelligence added value (Asset Intelligence + Built-in Checks + Virtual Image)

Case | Threat Intelligence | Behavioural Anomaly Detection: Strict | Behavioural Anomaly Detection: Adaptive Learning with Asset Intelligence
Known malwares and other signature-related events transmitted | Alert | Possible Alert | Possible Alert
New Node of an existing Vendor (while in Protecting) | n/a | Alert | No Alert
New event deviating from a known device profile* (while in Protecting) | n/a | Alert | Alert (confirmed, higher precision)
New event compliant to a known device profile* (while in Protecting) | n/a | Alert (false positive) | No Alert (higher precision)

• *Device profile: Type, Manufacturer, Behaviour, Configuration (installed software), Protocols in use
• For each case, the cell related to the most important engine is in green


1 Manage Learning (Virtual Image)

Lab Exercise
Lab 25: Manage Learning
Time to Complete: 3 minutes
User Manual: Chapter 6: Sec. Features – Manage Net. Learning
Screenshots: Manage Learning from tables on Single and Bulk Events; Manage Learning from Graph


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


1 Manage Learning (Virtual Image)

Lab Exercise
Lab 26: Practice with Learning Settings
Time to Complete: 5 minutes
User Manual: Chapter 6: Security Features
Screenshots: Manage Learning Overview; Learn in bulk the unlearned nodes and links in one click; Search all the nodes and links with Is learned = false


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


1 Manage Learning (Virtual Image)

Lab Exercise
Lab 27: Reset the Traffic Data
Time to Complete: 3 minutes
User Manual: Chapter 5: User Interface Ref. - System
Screenshot: Data Reset menu


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


2 Security Profiles
Settings → Security Control Panel

Screenshot callouts:
• Set global Security profiles managing Alert visibility
• Set global Learning parameters



2 Security Profiles
• Alert types are clustered into profiles managing the creation within the Alerts menu.
• Only the alerts that are part of the selected security profile will be created.
• The following Security Profiles are available:
  • Low (including custom checks, security related alerts)
  • Medium (default setting)
  • High
  • Paranoid (including all alerts)
• Incidents: all Alerts composing an Incident are created within its details for completeness reasons, independently from the single Alert's visibility.
• Profile changes are not retroactive.

Pyramid in the slide (top to bottom): Paranoid - All Alerts; High; Medium - Default setting; Low - Most important Alerts


Please remember that, by default, the alerts that are not part of the selected Security Profile are
not generated.
It is possible to change this behavior with a CLI command documented in the User Guide (search for
save_invisible_alerts).


3 Zone Configurations
Settings → Security Control Panel

Screenshot callouts:
• Set global Security profiles managing Alert visibility
• Set global Learning parameters
• Configure zone-based controls



3 Zone Configurations

Zone specific settings:
• Public or Private
• Adaptive or Strict Learning
• Protecting or Learning Mode
• Low, Medium, High or Paranoid profile


To automatically define whether a zone is Public or Private, Guardian refers to RFC 1918.

This RFC defines which subnets are private:

- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The configuration done at the zone level overrides what is defined globally in the Guardian.
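As an added illustration (not Nozomi Networks code), the following Python models the two rules from this slide and its notes: automatic Public/Private classification of a zone against the RFC 1918 ranges, and zone-level settings overriding the global ones. The setting names, the global defaults and the zone table are constructed assumptions.

```python
"""Resolution of zone-level settings over the global Guardian settings, as
described on the slide and notes.  Added illustration, not Nozomi Networks
code; the global defaults and the zone table are constructed, and the zone
setting names (visibility, learning, mode, profile) are assumptions.
"""
import ipaddress
from typing import Optional

# The three private ranges RFC 1918 defines (from the notes)
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed global defaults from the Security Control Panel
GLOBAL_SETTINGS = {"learning": "Adaptive", "mode": "Protecting", "profile": "Medium"}

# Constructed zone table: only keys present on a zone override the global value;
# "visibility" is omitted so that Guardian's automatic RFC 1918 rule applies
ZONES = [
    {"name": "PLC cell", "subnet": "192.168.20.0/24", "learning": "Strict", "profile": "High"},
    {"name": "SCADA servers", "subnet": "192.168.10.0/24", "mode": "Learning"},
    {"name": "Vendor remote access", "subnet": "203.0.113.0/24"},
]


def is_private(subnet: str) -> bool:
    """True when the whole subnet lies inside one RFC 1918 block.

    A subnet that straddles a boundary (e.g. 172.0.0.0/8) is not private, and
    IPv6 is outside RFC 1918 altogether.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def auto_visibility(subnet: str) -> str:
    """Guardian's automatic Public/Private classification of a zone."""
    return "Private" if is_private(subnet) else "Public"


def find_zone(ip: str, zones=ZONES) -> Optional[dict]:
    """First zone whose subnet contains the address, or None."""
    addr = ipaddress.ip_address(ip)
    return next((z for z in zones
                 if addr in ipaddress.ip_network(z["subnet"], strict=False)), None)


def effective_settings(ip: str, zones=ZONES, global_settings=GLOBAL_SETTINGS) -> dict:
    """Settings that apply to a node: zone values override global ones."""
    settings = dict(global_settings)
    zone = find_zone(ip, zones)
    if zone is None:
        # No zone: global settings apply, visibility judged on the single address
        settings.update({"zone": None, "visibility": auto_visibility(f"{ip}/32")})
        return settings
    overrides = {k: v for k, v in zone.items() if k not in ("name", "subnet")}
    settings.update(overrides)
    settings["zone"] = zone["name"]
    # An explicit Public/Private choice on the zone wins; otherwise use RFC 1918
    settings.setdefault("visibility", auto_visibility(zone["subnet"]))
    return settings
```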


4 Alert Tuning
Settings → Security Control Panel

Screenshot callouts:
• Set global Security profiles managing Alert visibility
• Set specific Alert rules
• Set global Learning parameters
• Configure zone-based controls



4 Alert Tuning
Alerting can be fine tuned using the following options:

• Mute: related alerts won't be created anymore
• Mute until: no alert creation until the target schedule
• Change security profile visibility: set to:
  • ON to force the visibility of the selected alert type for any selected profile
  • OFF to hide it for any selected profile
• Change risk: assign a custom risk level
• Change trace filter: assign a specific BPF filter for alert packet capture
• Assign playbook: set the playbook to use

• Muting actions take precedence over other configured actions.
• Settings are not retroactive.
• Alert rules can be imported and exported.


This feature is very useful when fine tuning has to be performed.

In some situations, alert tuning is very important because an alert may be triggered continuously and
cannot be fixed by the customer.

For example:
- Guardian detected a weak password
- The password is hardcoded in the software that uses it
- The customer cannot change it, and the only way to get rid of the alert is to use Alert Tuning.
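The following Python, added here as an illustration and not Nozomi Networks code, ties together the Security Profiles slide and this Alert Tuning section: it decides whether an alert is created and with which risk, applying mute precedence, per-profile visibility ON/OFF, custom risk and the save_invisible_alerts behaviour described in the notes. Which profile first includes each alert type, the rule fields and the EXAMPLE:-prefixed alert types are assumptions.

```python
"""Alert-creation decision combining a Security Profile with Alert Tuning rules.

Added illustration for this guide, not Nozomi Networks code.  Assumptions:
the profile that first includes each alert type (Low < Medium < High <
Paranoid, cumulative), the rule fields, and the alert type names prefixed
EXAMPLE: are constructed; INCIDENT:NEW-NODE and SIGN:OT_DEVICE-STOP are
the types named elsewhere in this guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROFILES = ["Low", "Medium", "High", "Paranoid"]

# Assumed lowest profile at which each alert type becomes visible.  Anything not
# listed is treated as Paranoid-only, since Paranoid includes all alerts.
ALERT_MIN_PROFILE = {
    "SIGN:OT_DEVICE-STOP": "Low",
    "INCIDENT:NEW-NODE": "Medium",
    "EXAMPLE:WEAK-PASSWORD": "Medium",
    "EXAMPLE:NOISY-CHECK": "Paranoid",
}


@dataclass
class TuningRule:
    """One Alert Tuning rule; its match conditions are AND-related."""
    alert_type: Optional[str] = None          # None matches any alert type
    dst_ip: Optional[str] = None              # None matches any destination
    mute: bool = False                        # Mute / Mute until
    visibility: Dict[str, bool] = field(default_factory=dict)  # profile -> ON/OFF
    risk: Optional[int] = None                # Change risk

    def matches(self, alert: dict) -> bool:
        if self.alert_type is not None and alert["type"] != self.alert_type:
            return False
        if self.dst_ip is not None and alert.get("dst_ip") != self.dst_ip:
            return False
        return True


def profile_includes(profile: str, alert_type: str) -> bool:
    """Profiles are cumulative: Medium contains Low, High contains Medium, ..."""
    minimum = ALERT_MIN_PROFILE.get(alert_type, "Paranoid")
    return PROFILES.index(profile) >= PROFILES.index(minimum)


def evaluate(alert: dict, profile: str, rules: List[TuningRule],
             save_invisible_alerts: bool = False) -> dict:
    """Decide whether an alert is created, whether it is visible, and its risk.

    Mute takes precedence over every other action.  Otherwise the security
    profile decides visibility unless a rule forces it ON/OFF for that profile.
    An invisible alert is not generated at all unless save_invisible_alerts
    (the CLI option mentioned in the notes) is enabled.
    """
    matching = [r for r in rules if r.matches(alert)]
    risk = alert["base_risk"]
    if any(r.mute for r in matching):
        return {"created": False, "visible": False, "risk": risk, "reason": "muted"}
    visible, forced = profile_includes(profile, alert["type"]), None
    for rule in matching:
        if profile in rule.visibility:
            visible = rule.visibility[profile]
            forced = "ON" if visible else "OFF"
        if rule.risk is not None:
            risk = rule.risk
    created = visible or save_invisible_alerts
    if forced:
        reason = f"visibility forced {forced}"
    elif visible:
        reason = "in profile"
    else:
        reason = "outside profile, saved invisible" if created else "outside profile"
    return {"created": created, "visible": visible, "risk": risk, "reason": reason}


# Constructed sample alerts and rules (addresses taken from this guide's lab network)
SAMPLE_ALERTS = [
    {"type": "EXAMPLE:WEAK-PASSWORD", "dst_ip": "192.168.20.16", "base_risk": 6},
    {"type": "INCIDENT:NEW-NODE", "dst_ip": "192.168.20.17", "base_risk": 5},
    {"type": "SIGN:OT_DEVICE-STOP", "dst_ip": "192.168.20.16", "base_risk": 8},
    {"type": "EXAMPLE:NOISY-CHECK", "dst_ip": "10.0.0.5", "base_risk": 2},
]
SAMPLE_RULES = [
    # The notes' case: a hardcoded weak password that cannot be fixed -> mute it,
    # but only for that one device, not for every weak password seen
    TuningRule(alert_type="EXAMPLE:WEAK-PASSWORD", dst_ip="192.168.20.16", mute=True),
    # Force a Paranoid-only check to be visible in the Medium profile, with custom risk
    TuningRule(alert_type="EXAMPLE:NOISY-CHECK", visibility={"Medium": True}, risk=7),
    # Raise the risk of PLC stop commands (Lab 30 topic) without touching visibility
    TuningRule(alert_type="SIGN:OT_DEVICE-STOP", risk=9),
]


def run_demo(profile: str = "Medium", save_invisible_alerts: bool = False) -> dict:
    """Evaluate every sample alert under one profile; results keyed by alert type."""
    return {a["type"]: evaluate(a, profile, SAMPLE_RULES, save_invisible_alerts)
            for a in SAMPLE_ALERTS}
```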


4 Alert Tuning - Configure options

Option 1 (configure from scratch): Settings > Security Control Panel
Option 2 (configure from Alerts panel): Alerts > Configure Alert function

Rule sections shown in the screenshot: Logics (AND-related), Notes, Actions



4 Alert Tuning - Exercise

Lab Exercise
Lab 28: Use Alert Tuning to Change Alert Risk Level
Time to Complete: 5 minutes
User Manual: Chapter 6: Security Features
Nozomi Networks Blogpost - Revealing Darkside:
https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/
Screenshot: Alert configuration menu


Follow the Lab guide, available in the Trainee machine, to complete this exercise.
Link shown in slide above:
https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/


5 Alert Closing Options
Settings → Security Control Panel

Screenshot callouts:
• Set global Security profiles managing Alert visibility
• Set specific Alert rules
• Set global Learning parameters
• Configure zone-based controls
• Custom Reason for closing



5 Alert Closing Options


These options allow the customization of closure details for alerts and incidents.

Custom Reasons for closing can be configured, e.g.:


• Confirmed Cyber Incident - Treat as incident
• Legitimate Change - Learn
• Configuration Error - Treat as incident
• False Positive - Learn
• Legitimate intervention - Learn


This option lets you create your own Alert Closing reasons, defining the action that the closing
option performs:
- Treat as an Incident
- Learn


Alerts Operations



Alert Panel – Overview

1. Export: Export the alerts in CSV or XLS
2. Group by incident: Group or ungroup Alerts by Incident
3. Filter: Hide/Unhide Ack’ed or Closed Alerts
4. Live: Manual or automatic refresh
5. Standard/Expert: Switch between Standard and Expert view



Alerts Operations – Standard View

Screenshot callouts:
• Action for a single alert
• Alert details
• Few Filtering options



Alerts Operations – Expert View

Screenshot callouts:
• Select columns to be displayed
• Group alerts by different parameters
• Extended Filtering options



Alerts Operations – Single Alert Details

Screenshot callouts:
• Description (dynamic)
• Status and Created Date
• Risk is weighted based on several logics
• Playbook
• Audit alert operation
• MITRE ATT&CK
• Alerted Link


Description is tailored to every trigger.
Details are bound 1:1 to Alert_ID.
Risk logics: base risk + learned status + IP reputation.


Alerts Operations - Incident Details

Screenshot callouts:
• Status
• Created Date and Last update
• All Alerts within the Incident are listed
• Risk is weighted based on highest Alert


If an alert is added to an incident, it is visible inside the incident when Group by Incident is
enabled.


Alerts Operations - Playbooks

Configuration is available under Settings → Alert Playbooks
• Used to define the procedure to apply in case of an alert
• Can be applied to a specific alert type (and/or with any condition) from the Alert Tuning Rules


Allows defining a playbook for every alert present in Guardian.


Alerts Operations (Virtual Image)

Lab Exercise
Lab 29: Manage Alerts and Learning Settings, Part 1
Time to Complete: 5 minutes
User Manual: Chapter 6: Sec. Features – Manage Net. Learning
Screenshots: Enable Protecting mode; Learning the modbus link


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Alerts Operations (Built-in Checks + Virtual Image)

Lab Exercise
Lab 30: Manage Alerts and Learning Settings, Part 2
Time to Complete: 5 minutes
User Manual: Chapter 6: Sec. Features – Manage Net. Learning
Screenshots: Manage Network Learning graph; SIGN:OT_DEVICE-STOP default risk value


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Alerts Operations (Built-in Checks)

Lab Exercise
Lab 31: Investigate More Alerts
Time to Complete: 5 minutes
User Manual: Chapter 6: Security Features - Alerts
Screenshot: Show program differences on PLC code


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Alerts Operations - Review (Built-in Checks + Virtual Image)

Lab Exercise
Lab 32: Manage Alerts and Learning Settings, Part 3
Time to Complete: 3 minutes
User Manual: Chapter 6: Security Features - Alerts
Screenshot: Run previous traces


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


MITRE ATT&CK® Framework



MITRE ATT&CK® Framework

Knowledge base of adversary tactics and techniques
• Based on real-world observations
• Easy to share information between organizations using the framework

Threat models and methodologies
• Classify events with a malicious intent

Accurate ontology
• All the techniques are precisely mapped with a specific ID
• Easily usable to enrich Threat Intelligence signatures

References:
- https://attack.mitre.org/matrices/enterprise
- https://attack.mitre.org/matrices/ics


ATT&CK® Framework in Action

Screenshot callouts:
• Maps tactics and techniques for both: 1 ICS, 2 Enterprise
• Number of alerts that match the category


The number (in blue) shown in the MITRE ATT&CK section differs from 1 ONLY when
the alerts are grouped by incident; it then indicates how many alerts correspond to each
MITRE technique present in the incident.


Time Machine


Time Machine
• Time Machine is an analysis tool that allows recording, reviewing and comparing snapshots of the monitored
network, supporting e.g. forensic analyses.
• Typical use case: “Is my network back to its original state after a maintenance intervention?”
• The menu is available under Time Machine



Time Machine – Settings

Default settings of Time Machine:
• A snapshot is taken every hour; the interval can be changed via CLI (for more details please refer
to the User Guide, searching for “tm snap”)
• Snapshot space retention level is set to 500 MB
• Snapshot retention level is set to 50 items
To change the default settings see Settings > Feature Control Panel, Retention tab:
• The default number of snapshots retained is up to 50 items; it can in fact be fewer, because space
retention takes precedence



Time Machine – Overview

1. Loading a Snapshot
2. Choose a snapshot or LIVE
3. Create a Diff

Diff: Compare 2 snapshots or a snapshot and the LIVE situation
• Added, Removed and Changed nodes, links and variables are visible

Back to live: allows exiting the snapshot and going back to the live view
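Added illustration, not Nozomi Networks code: a Python diff of two snapshots that reports added, removed and changed nodes, links and variables, and answers the question from the Time Machine slide ("is the network back to its original state?"). The snapshot layout (three dicts of records keyed by id) and the sample data are constructed.

```python
"""Snapshot comparison in the spirit of the Time Machine Diff: added, removed
and changed nodes, links and variables between two snapshots, or between a
snapshot and LIVE.  Added illustration, not Nozomi Networks code; the snapshot
layout (three dicts of records keyed by id) and the sample data are constructed.
"""

CATEGORIES = ("nodes", "links", "variables")


def diff_snapshots(before: dict, after: dict) -> dict:
    """Per category: sorted added/removed keys and, for changed records,
    only the attributes whose value differs as (old, new) pairs."""
    report = {}
    for cat in CATEGORIES:
        old, new = before.get(cat, {}), after.get(cat, {})
        changed = {}
        for key in old.keys() & new.keys():
            if old[key] == new[key]:
                continue
            attrs = sorted(set(old[key]) | set(new[key]))
            changed[key] = {a: (old[key].get(a), new[key].get(a))
                            for a in attrs if old[key].get(a) != new[key].get(a)}
        report[cat] = {"added": sorted(new.keys() - old.keys()),
                       "removed": sorted(old.keys() - new.keys()),
                       "changed": changed}
    return report


def back_to_original(report: dict) -> bool:
    """The slide's question: is the network back to its pre-maintenance state?"""
    return all(not r["added"] and not r["removed"] and not r["changed"]
               for r in report.values())


def summarize(report: dict) -> list:
    """Human-readable lines, one per difference."""
    lines = []
    for cat, r in report.items():
        lines += [f"{cat}: added {k}" for k in r["added"]]
        lines += [f"{cat}: removed {k}" for k in r["removed"]]
        lines += [f"{cat}: changed {k} {attr} {old!r} -> {new!r}"
                  for k, diffs in r["changed"].items()
                  for attr, (old, new) in diffs.items()]
    return lines


# Constructed snapshot taken before a maintenance window
SNAPSHOT_BEFORE = {
    "nodes": {
        "192.168.10.1": {"type": "SCADA server", "firmware": None},
        "192.168.20.16": {"type": "PLC", "firmware": "4.2"},
        "192.168.20.17": {"type": "PLC", "firmware": "4.2"},
    },
    "links": {
        "192.168.10.1->192.168.20.16:502/modbus": {"function_codes": [3]},
        "192.168.10.1->192.168.20.17:502/modbus": {"function_codes": [3]},
    },
    "variables": {
        "192.168.20.16/40001": {"value": 120},
        "192.168.20.17/40001": {"value": 75},
    },
}

# Constructed LIVE state after the intervention: PLC .16 got new firmware and a
# changed setpoint, PLC .17 is still offline, and a laptop was left connected
SNAPSHOT_LIVE = {
    "nodes": {
        "192.168.10.1": {"type": "SCADA server", "firmware": None},
        "192.168.20.16": {"type": "PLC", "firmware": "4.3"},
        "192.168.30.5": {"type": "engineering station", "firmware": None},
    },
    "links": {
        "192.168.10.1->192.168.20.16:502/modbus": {"function_codes": [3]},
        "192.168.30.5->192.168.20.16:502/modbus": {"function_codes": [3, 6]},
    },
    "variables": {
        "192.168.20.16/40001": {"value": 130},
    },
}
```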



Time Machine – Activity

Lab Exercise
Lab 33: Learn Time Machine Feature
Time to Complete: 5 minutes
User Manual: Chapter 6: Security Features - Alerts


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


Integrations


Integrations

User information

Firewall configuration

Data exchange



User Integration



User Integration with Active Directory / LDAP

1. Active Directory: to configure the connection with AD (or more than one)
2. LDAP: to configure the connection with LDAP (or more than one)
3. SAML: to configure the SAML authentication (or more than one)
4. Group: to create local groups or import them from AD/LDAP, and define permissions and allowed sections
5. User: to create local users or assign SSH keys to access Guardian via the Shell Console


If a user is moved from one group to another inside AD, the change is applied immediately.
The user just needs to log out and then log back in again.
It is possible to use multiple databases simultaneously.


Active Directory / LDAP - Configuration

1. Status: shows whether the Guardian can connect to the AD
2. Port: it is possible to contact AD on a non-default port
3. Add Host: more than one AD can be added (for redundancy)



Active Directory / LDAP - Import Groups

1. Import from Active Directory: browse AD groups
2. AD connection details and filter: filter the group/groups that you want to import and provide AD credentials for each group
3-4. Select the group/groups: import the selected group/groups into Guardian
5. Edit group permission: on the imported group select the allowed sections



Active Directory / LDAP - Login

Local users created directly on Guardian coexist with the Active Directory/LDAP users, so when you need to login with Active Directory/LDAP you need to specify the domain.


Since Guardian uses multiple databases simultaneously, you need to specify the domain where the user is
located.


User Integration with SAML

• Multi-layer supported: a Guardian does not need a direct connection to the SAML server as long as it is connected to a CMC that does have it

Screenshot callouts:
• Guardian’s address
• Schema to match roles
• XML containing the Single Sign On configuration


Multi-Layer SAML: when using SSO on a Guardian, it forwards the request to the CMC, which
then forwards it to a configured appliance/server, and finally to the SAML server.


Firewall Integration



Firewall Integration

1. Monitor: A threat is detected by Guardian and an alert is generated.
2. Detect: User-defined policies are rapidly examined, and the appropriate corresponding action is triggered.
3. Protect: Firewall responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) and mitigates the issue.



Firewall Integration - Configuration


Settings > Firewall Integration



Firewall Integration - Use cases

1. Nodes blocking
• Guardian detects a New Node that does not belong to its baseline
• Guardian raises an alert
• Guardian sends a filter rule to the Firewall in order to block all activities initiated by this New Node
2. Links blocking
• Guardian detects a New Connection that does not belong to its baseline
• Guardian raises an alert
• Guardian sends a filter rule to the Firewall in order to block this connection
3. Session kill
• Guardian detects a new Function Code, never learned before, within a session
• Guardian raises an alert
• Guardian sends a command to the Firewall in order to kill only this specific session; no rule is
added. See the illustration below:

192.168.10.1:34563 --- Modbus FC=3 ---> 192.168.20.16:502
192.168.10.1:22763 --- Modbus FC=3 ---> 192.168.20.16:502
192.168.10.1:43763 --- Modbus FC=6 ---> 192.168.20.16:502   <-- Firewall kills only this session


We create a policy in the firewall.

Scenario 1: New node detected, INCIDENT:NEW-NODE

Scenario 2: trusted node using a new function code, INCIDENT:NEW-COMMUNICATION
Scenario 3: New variable/new variable value, INCIDENT:VARIABLES-NEW-VALUES; only the
malicious session is killed

If a node is then integrated in the baseline, the policy is removed and the node is allowed once
again.
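Added illustration, not Nozomi Networks code: a Python model of the three use cases on the slide (node blocking, link blocking, session kill) and the baseline re-integration described in these notes, built on the slide's Modbus flows. The baseline layout and the flows are constructed; the action names are the example's own, not Guardian alert types.

```python
"""Decision logic behind the three Firewall Integration use cases on the slide
(node blocking, link blocking, session kill) plus the baseline re-integration
from the notes.  Added illustration, not Nozomi Networks code; the baseline
structure and the flows are constructed from the slide's Modbus example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Link = Tuple[str, str, int, str]   # (src_ip, dst_ip, dst_port, protocol)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    function_code: Optional[int] = None

    @property
    def link(self) -> Link:
        return (self.src_ip, self.dst_ip, self.dst_port, self.protocol)


@dataclass
class Baseline:
    """What Guardian learned: nodes, links and the function codes used per link."""
    nodes: Set[str] = field(default_factory=set)
    links: Set[Link] = field(default_factory=set)
    function_codes: dict = field(default_factory=dict)

    def learn(self, flow: Flow) -> None:
        self.nodes.update({flow.src_ip, flow.dst_ip})
        self.links.add(flow.link)
        if flow.function_code is not None:
            self.function_codes.setdefault(flow.link, set()).add(flow.function_code)


@dataclass
class Firewall:
    """State pushed to the firewall: filter rules persist, session kills do not."""
    node_rules: Set[str] = field(default_factory=set)
    link_rules: Set[Link] = field(default_factory=set)
    killed_sessions: List[Flow] = field(default_factory=list)


def protect(flow: Flow, baseline: Baseline, fw: Firewall) -> str:
    """Evaluate one flow in Protecting mode; returns the action taken."""
    if flow.src_ip not in baseline.nodes:
        fw.node_rules.add(flow.src_ip)       # block all activities initiated by the new node
        return "node_block"
    if flow.link not in baseline.links:
        fw.link_rules.add(flow.link)         # block just this connection
        return "link_block"
    learned = baseline.function_codes.get(flow.link, set())
    if flow.function_code is not None and flow.function_code not in learned:
        fw.killed_sessions.append(flow)      # kill only this session; no rule is added
        return "session_kill"
    return "allowed"


def integrate_node(ip: str, baseline: Baseline, fw: Firewall) -> None:
    """Notes: once a node is integrated in the baseline its policy is removed."""
    baseline.nodes.add(ip)
    fw.node_rules.discard(ip)


def run_demo():
    baseline, fw = Baseline(), Firewall()
    # Learning phase: two Modbus sessions reading holding registers (FC=3), as on the slide
    for src_port in (34563, 22763):
        baseline.learn(Flow("192.168.10.1", src_port, "192.168.20.16", 502, "modbus", 3))
    results = {}
    # Same learned link, never-seen FC=6 (write single register): only this session dies
    results["fc6"] = protect(Flow("192.168.10.1", 43763, "192.168.20.16", 502, "modbus", 6), baseline, fw)
    # Known node towards a destination it never spoke to: link blocking
    results["new_link"] = protect(Flow("192.168.10.1", 50001, "192.168.20.17", 502, "modbus", 3), baseline, fw)
    # Unknown node: node blocking
    results["new_node"] = protect(Flow("192.168.10.99", 50002, "192.168.20.16", 502, "modbus", 3), baseline, fw)
    # Learned traffic keeps flowing
    results["learned"] = protect(Flow("192.168.10.1", 34563, "192.168.20.16", 502, "modbus", 3), baseline, fw)
    # Operator accepts the new node into the baseline: its node rule is withdrawn,
    # but its link to the PLC still has to be learned separately
    integrate_node("192.168.10.99", baseline, fw)
    results["after_integration"] = protect(Flow("192.168.10.99", 50003, "192.168.20.16", 502, "modbus", 3), baseline, fw)
    return results, fw
```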


Firewall Integration - Vendor support

Firewall Integration allows Guardian to automatically connect to a firewall and control its actions
• Guardian supports various firewall vendors
• The interaction capabilities vary depending on the firewall Vendor & Type/Firmware:

Capability | Fortinet Fortigate v6/v7 | Check Point Gateway* | PaloAlto V10.0+ | Stormshield | Cisco ASA | Cisco FTD | Cisco ISE | TX One OT Defence Console | Barracuda
Enable nodes blocking | OK | OK | OK | OK | OK | OK | N/A | OK | OK
Enable links blocking | OK | OK | OK | OK | OK | OK | N/A | N/A | OK
Enable session kill | OK | N/A | OK | N/A | N/A | OK | OK | N/A | N/A
Enable logging (on Firewall filter rule) | OK | OK | N/A | N/A | N/A | N/A | N/A | N/A | N/A

*will be end of support in a near future


Enable logging → we enable the logging feature of the firewall on the filter rule that Nozomi
creates on the Firewall.


Data Integration



SIEM Integration

1. A SIEM collects standard logs and security events from different systems. This requires the deployment of parsers and correlation rules to give the data meaning.
2. Guardian deeply understands ICS protocols, variables and function codes. It generates security events that are relevant and specific to the OT environment.
3. Guardian can send native logs to SIEMs, extending its scope and enriching the data collected.


Integration with SIEM systems is established using different protocols and formats.
See next pages.


Data Integration - Supported vendor

• Providing/retrieving data to/from external devices can be configured using different kinds of protocols to endpoints.
The menu is available under Settings > Data Integration

PUSH:
• Google Chronicle (Ingestion API – UDM) → Alerts, Assets and Vulnerabilities
• FireEye TAP CloudCollector* → Alerts, Health Logs, DNS Logs, HTTP Logs, File transfer Logs, Connection Logs
• IBM QRadar (LEEF) → Alerts, Health Logs, Asset information
• ServiceNow → Alerts (bidirectional), Asset information
• Tanium → Asset data
• Splunk - Common Information Model (JSON) → Alerts, Health Logs, Audit Logs
• Kafka → Custom queries
• Cisco ISE → Asset Data

PULL:
• Microsoft Endpoint Configuration Manager (WinRM RPC) → Retrieve Asset Data using WinRM client
• Microsoft Endpoint Configuration Manager (DB) → Retrieve Asset Data using SQL queries

(*end of support in a near future)



Data Integration - Generic

• Generic integration

PUSH:
• Common Event Format (CEF) → Alerts, Health Logs, Audit Logs
• SMTP forwarding → Alerts, Health Logs, Reports
• SNMP Trap → Alerts
• Syslog Forwarder → to forward to a server the syslog traffic captured from the monitored network
• Custom JSON → Alerts
• Custom CSV → Custom queries
• External Storage → uploads traces to an external machine

PULL:
• DNS Reverse Lookups → retrieves node names
• As an SNMP daemon → Health Logs (the SNMP manager needs to query the daemon)


TLS is supported on CEF integration


Custom Fields and Nodes Information



Manual Input formats

Guardian allows adding nodes from scratch or enriching fields of existing ones using:
• CSV files (via Web UI or OpenAPI)
• JSON files (via OpenAPI)
• Importing brand-specific project files (via Web UI):
  • Rockwell Harmony (.conf, .rsx, .rsh)
  • Yokogawa CENTUM VP (.gz, .zip)
  • Siemens Configuration (.cfg)
  • IEC 61850 SCL/SCD (.scd, .icd, .cid)
  • Triconex (.pt2)
  • Allen-Bradley (.l5x)
  • Honeywell TDS (.txt, .zip)
  • Profinet IOCM (.xml)
  • Siemens AML (.aml)
  • Mitsubishi (.gxw)



Other Manual Input

From the Import menu, we can also import:
• Asset types (using CSV files)
• Variables (create or update variables using CSV files)
• Content Pack (queries, dashboards, reports using a JSON file)
• Arc data archive (from offline Arc using zip files)



Create Nodes’ custom fields

Lab Exercise
Lab 34: Add Custom Fields to the Nodes Table
Time to Complete: 5 minutes
User Manual: Chapter 5: User Interface Ref. - System
Screenshots: Create new custom fields; Manually enter information into the new fields


Follow the Lab guide, available in the Trainee machine, to complete this exercise


Import Nodes’ custom information with CSV

• Imported data is associated to Nodes
• Only specific fields can be written
• Priority of the information sources: User input* > Smart Polling > Passive module

*Some fields are restricted to specific values and will not be written if the values
differ from them. Confirmed MAC addresses will not be overwritten either.

Lab Exercise
Lab 35: Import Node Information via CSV File
Time to Complete: 5 minutes
User Manual: Chapter 5: User Interface Ref. - System
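Added illustration, not Nozomi Networks code: Python implementing the merge rules listed on this slide for a CSV import, namely source priority (User input > Smart Polling > Passive module), writable fields only, restricted values that are rejected when not allowed, and confirmed MAC addresses that are never overwritten. The field names, allowed values, node table and CSV are constructed.

```python
"""Merge rules for node information from several sources, as listed on the
slide: User input (CSV) > Smart Polling > Passive module; only specific fields
are writable; restricted fields reject values outside their allowed set; a
confirmed MAC address is never overwritten.  Added illustration, not Nozomi
Networks code; the field names, allowed values, sample node table and CSV
are constructed.
"""
import copy
import csv
import io

SOURCE_PRIORITY = {"passive": 0, "smart_polling": 1, "user_input": 2}
WRITABLE_FIELDS = {"label", "type", "vendor", "os", "mac_address", "zone", "location"}
# Constructed allowed-value list for a restricted field
RESTRICTED_VALUES = {"type": {"PLC", "HMI", "SCADA server", "switch", "engineering station"}}


def apply_field(node: dict, name: str, value: str, source: str):
    """Try to write one field on a node; returns (written, reason)."""
    if name not in WRITABLE_FIELDS:
        return False, "field not writable"
    if name in RESTRICTED_VALUES and value not in RESTRICTED_VALUES[name]:
        return False, "value not allowed for restricted field"
    if name == "mac_address" and node.get("mac_confirmed"):
        return False, "confirmed MAC address is never overwritten"
    sources = node.setdefault("_sources", {})          # which source wrote each field
    current = sources.get(name)
    if current is not None and SOURCE_PRIORITY[source] < SOURCE_PRIORITY[current]:
        return False, f"kept {current} value (higher priority)"
    node[name] = value
    sources[name] = source
    return True, "written"


def import_rows(nodes: dict, csv_text: str, source: str = "user_input") -> list:
    """Import a CSV with an 'ip' column plus node fields; returns an audit log of
    (ip, field, written, reason).  Empty cells leave the field untouched."""
    log = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        node = nodes.setdefault(row["ip"], {"ip": row["ip"]})
        for name, value in row.items():
            if name == "ip" or value == "":
                continue
            written, reason = apply_field(node, name, value, source)
            log.append((row["ip"], name, written, reason))
    return log


# Constructed node table as filled by the passive module and Smart Polling
NODES = {
    "192.168.20.16": {"ip": "192.168.20.16", "type": "PLC", "mac_address": "00:11:22:33:44:55",
                      "mac_confirmed": True,
                      "_sources": {"type": "passive", "mac_address": "passive"}},
    "192.168.20.17": {"ip": "192.168.20.17", "os": "VxWorks",
                      "_sources": {"os": "smart_polling"}},
}

# Constructed CSV: one not-allowed type value, one attempt to change a confirmed
# MAC, and one non-writable column (serial_number)
SAMPLE_CSV = """ip,label,type,mac_address,os,serial_number
192.168.20.16,Line 1 PLC,PLC,AA:BB:CC:DD:EE:FF,,SN-0001
192.168.20.17,Line 2 PLC,Programmable Controller,,Windows,
"""


def run_demo():
    """User CSV import followed by a lower-priority passive update."""
    nodes = copy.deepcopy(NODES)
    log = import_rows(nodes, SAMPLE_CSV, source="user_input")
    # A later passive observation must not overwrite what the user entered
    log += import_rows(nodes, "ip,os\n192.168.20.17,Linux\n", source="passive")
    return nodes, log
```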


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


OpenAPI - Scope
• API stands for "Application Programming Interface".
An API is a set of commands and functions that programmers can use to create software or
interact with an external system.

• Guardian and CMC include an API that allows to:
  • Perform queries
  • Import CSV endpoints*
  • Import JSON endpoints*
  • Configure the monitored networks data through the CLI*
  • Manage Alerts: filter, Ack/Unack, close
  • Request Trace files*
  • Manage users: create
  • Import Threat Intelligence indicators (packet rules, Yara rules, STIX)*

• OpenAPI is used by third party applications to pull data from Guardian automatically:
  • Service Graph Connector for Nozomi Networks, available on the ServiceNow Store
  • Nozomi Networks Sensor Add-on, available on Splunk App
  • Nozomi Networks Sensor - QRadar, available for IBM QRadar
* Only available on Guardian and not on the CMC



OpenAPI - Examples
• To connect and test the API, use a standard browser with a JSON parser addon.
• The OpenAPI reference is available in the User SDK Manual.

• Guardian and CMC OpenAPI use the following URL syntax:
  • Perform a query, placing it after ‘=’:
    https://Guardian_IP/api/open/query/do?query=
    e.g.: https://Guardian_IP/api/open/query/do?query=nodes | where id == 172.16.0.1
  • Import nodes via .csv or JSON file (limited fields available)*:
    a. https://Guardian_IP/api/open/nodes/import
    b. https://Guardian_IP/api/open/nodes/import_from_json
  • Configure the data (same as Web UI or CLI)*:
    https://Guardian_IP/api/open/cli
  • Manage Alerts, e.g. Acknowledge:
    https://Guardian_IP/api/open/alerts/ack
  • Request trace files, filtered by query*:
    https://Guardian_IP/api/open/traces/all?operation=download&query=
  • Manage Users:
    https://Guardian_IP/api/open/users
* Only available on Guardian and not on the CMC



Remote Collector


Remote Collector (RC) - Scope and security

• Remote Collectors act as "remote interfaces", broadening Guardian´s capture capabilities and thus allowing installations to be applied from simple to highly distributed scenarios
• Small form factor
• Low resource usage
• Cost-effective
• No Web UI, initial configuration through shell; further configuration and the monitored data are visible on the Guardian`s Web UI
• N2OS software upgrades and configuration managed by Guardian
• Communication via TLS encrypted tunnels:
  • from RC (client)
  • to Guardian (server)

Diagram labels: TLS (tcp/443 and tcp/6000); TLS (tcp/443)



Remote Collector - Guardian network flow

TCP port 443 (TLS)
• Sending RC status data to Guardian
• From RC to the Guardian management IP

TCP port 6000 (TLS)
• Forwarding mirrored traffic for analysis
• From RC to the Guardian management IP

TCP port 22 (SSH)
• ONLY needed for configuration purposes
• From workstation (or Guardian) to the RC management IP


The mandatory flows for the RC are TCP ports 443 and 6000.
SSH is only needed for the initial configuration and for debugging.


Remote Collector - Deployment

The Remote Collector communicates with the management IP address of the Guardian
using ports tcp 6000 and 443 (TLS).
On the Guardian:
• Enable the management interface to accept the connection on port 6000 (running
n2os-enable-rc).
• Connection to port 443 is already allowed.
• Copy the Sync token (Settings > Synchronization settings).
• Verify that this option is enabled.

On the Remote Collector:
• Connect to the Remote Collector´s CLI via console or SSH.
• Use enable-me to get root privileges.
• Run setup to configure the management IP of the RC.
• Verify that the n2os version is the same as the one on the Guardian.
• Run n2os-tui to configure the connection between RC and Guardian (enter the IP
address and the previously copied Sync token of the Guardian).

RC Default Settings | Physical Appliances | Virtual Appliances
IP Address | 192.168.1.254 | NONE
Shell console: user / password | admin / nozominetworks | admin / NONE


Remote Collector - Finalizing Installation

RC list
• RCs are managed under the Web UI Sensors menu, which lists all connected RCs including their status and configuration settings.
• Choose one RC to open and verify its details on the right:
1. RC Info & Traffic sync: general info and forwarded traffic statistics. Pressing the arrows starts the initial traffic synchronization. Verify the Last seen packet and Dropped packets entries.
2. RC Status sync: Stale/Last sync and Uptime info.
3. RC Health: CPU, Disk and RAM information.
• The last step to complete the configuration is to run the following commands in a shell console:
• service n2osrc stop on the Guardian.
• service n2osrs stop on each Remote Collector.


Once the RC is correctly configured and connected to the Guardian, all monitoring and configuration can be done from the Guardian Web UI.


Remote Collector - Configuration

Controls are available at the top of the details section to place the RC in a map, to manage N2OS upgrades or to delete the RC:
• Delete RC
• Force update
• Place in map
• Toggle version lock
  • Locked: the RC will not automatically update the software
  • Unlocked (default): the RC will automatically update the software

Each Monitoring Interface (for example, Interface em1) provides:
• Filter possibilities using BPF or Denylist
• Status information on Throughput and Dropped packets of the monitored data


In the Guardian's Sensors page it is possible to monitor and configure the RC.


Central Management Console


Nozomi Networks CMC

What is it? An on-prem virtual or physical appliance that consolidates data coming from multiple Guardians.

• Centrally monitor distributed sites
• Easily streamline SOC/IT workflows
• Instantly visualize OT networks, assets and risks
• Optimize troubleshooting and forensic efforts

Consolidated view of assets and security risks | Continuous monitoring of OT and IoT systems | Automated vulnerability assessment with threat prioritization and remediation

The Nozomi Networks Central Management Console™ (CMC) delivers centralized OT and IoT
security management – no matter how large or distributed your business is.

Whether you’re consolidating visibility and risk management at the edge or in the cloud, the
CMC is fast and simple to deploy.


CMC - Scope and Security

• Scalability
• Data aggregation
• Centralized control
  • Define areas of responsibility
  • Position sensors on a map
• Update propagation
  • N2OS
  • Threat/Asset Intelligence
• Authentication/Connection: Guardian (client) and CMC (server)
  • Server: authenticates by TLS certificate
  • Client: authenticates by token
  • The Guardian connects to the CMC using a TLS tunnel


CMC - Context Concepts

• Multicontext
  • Separates the sensors' data
  • Examples: when facing duplicated IP addresses, or when the CMC is used by an MSSP
  • Limited view: Alerts and Assets views only
• All-in-one
  • Merges all sensors' data
  • Besides the Alerts and Assets views, it also provides the common Network and Process views

(Diagram labels: https; mirror traffic)


CMC Multi-Context scales better because it does not need to merge the appliances' Virtual Images (VI) into its own VI.
In the All-In-One configuration the merge operation is a scheduled task that runs every minute by default.


CMC - Remote connection

In order to see all the data available on a Guardian from the CMC, we can use the Go To Sensor function.

(Diagram: a Central SOC reaches the Global CMC over a VPN tunnel; inside the tunnel only the Web UI connection to the IP address of the Global CMC, using https, is allowed. Below it, Local CMC-A (Europe) manages Guardian-1 and Guardian-2 and Local CMC-B (USA) manages Guardian-3 and Guardian-4; both sites reuse the network IDs 192.168.1.0/24 and 172.30.1.0/24. The connection from the Global CMC to a Local Guardian uses a reverse proxy. Link legend: https to CMC; reverse remote access; mirror traffic.)


If you use the Go To Sensor ("Go to appliance") button, the CMC opens a reverse proxy connection to the selected Guardian.

Customers often use this mechanism to reach appliances that network controls would otherwise not let them connect to directly. Security-wise this means the CMC becomes an entry point to the Web UI of every connected Guardian, so restrict who can use it: the function can be disabled per sensor (Allow/Disallow Go To Sensor in the sensor controls) and globally in the synchronization General Settings.

This connection does not require any additional communication to be opened.

The only flow needed is the one from the lower appliance to the upper one on TCP 443 (TLS), which the reverse proxy reuses.
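The flows named on the Remote Collector network flow slide (RC to Guardian on tcp/443 and tcp/6000, SSH to the RC only for configuration) and here (Guardian to CMC on tcp/443, always opened from the lower appliance) are exactly what a site firewall should allow, and nothing more. The Python below is an added example written for this guide, not N2OS code or a Nozomi tool: it derives the minimum allow-list from a constructed topology and flags both missing mandatory flows and rules the topology does not justify. Host names, the topology and the proposed ruleset are constructed; the HA backup link to a second CMC reuses the tcp/443 flow shown on the High Availability slide.

```python
"""Derive the minimum firewall allow-list for an RC / Guardian / CMC deployment
and audit a proposed ruleset against it.

All names (hosts, topology, rules) are constructed for this example. The
port/direction facts come from the slides: RC -> Guardian tcp/443 (status) and
tcp/6000 (mirrored traffic), Guardian -> CMC tcp/443, admin -> RC tcp/22 only
for configuration and debugging.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str          # initiating host (connections are always opened lower -> upper)
    dst: str
    port: int
    proto: str = "tcp"
    purpose: str = ""

    def key(self):
        # Purpose is documentation only; two rules for the same 4-tuple are the same flow.
        return (self.src, self.dst, self.port, self.proto)


# (lower device, upper device, type of the lower device). Constructed topology:
# one site with an RC feeding a Guardian that syncs to a CMC HA pair.
TOPOLOGY = [
    ("rc-site1", "guardian-site1", "rc"),
    ("guardian-site1", "cmc-main", "guardian"),
    ("guardian-site1", "cmc-replica", "guardian"),  # backup link of the CMC HA pair
]
ADMIN_WS = "admin-ws"


def required_flows(topology):
    """Steady-state flows that must be allowed or the sensors stop syncing."""
    flows = set()
    for lower, upper, kind in topology:
        if kind == "rc":
            flows.add(Flow(lower, upper, 443, "tcp", "RC status data to Guardian management IP"))
            flows.add(Flow(lower, upper, 6000, "tcp", "RC mirrored traffic to Guardian management IP"))
        elif kind == "guardian":
            flows.add(Flow(lower, upper, 443, "tcp", "Guardian sync to CMC"))
        else:
            raise ValueError(f"unknown device type {kind!r}")
    return flows


def maintenance_flows(topology, admin_src):
    """Flows that are legitimate but only needed for configuration and debugging."""
    return {
        Flow(admin_src, lower, 22, "tcp", "RC initial configuration / debug")
        for lower, _upper, kind in topology
        if kind == "rc"
    }


def audit(allowed: Iterable[Flow], topology, admin_src):
    """Return (missing, excess): required flows the ruleset lacks, and allowed
    flows that neither a required nor a maintenance flow justifies."""
    allowed = list(allowed)
    required = required_flows(topology)
    justified = {f.key() for f in required} | {f.key() for f in maintenance_flows(topology, admin_src)}
    allowed_keys = {f.key() for f in allowed}
    missing = sorted((f for f in required if f.key() not in allowed_keys), key=Flow.key)
    excess = sorted((f for f in allowed if f.key() not in justified), key=Flow.key)
    return missing, excess


# Constructed ruleset from a fictional site firewall: port 6000 was forgotten and a
# broad inbound https rule towards the RC was left over from a previous appliance.
PROPOSED_RULES = [
    Flow("rc-site1", "guardian-site1", 443),
    Flow("guardian-site1", "cmc-main", 443),
    Flow("guardian-site1", "cmc-replica", 443),
    Flow("admin-ws", "rc-site1", 22),
    Flow("any", "rc-site1", 443),
]

if __name__ == "__main__":
    missing, excess = audit(PROPOSED_RULES, TOPOLOGY, ADMIN_WS)
    for f in missing:
        print(f"MISSING  {f.src} -> {f.dst} {f.proto}/{f.port}  ({f.purpose})")
    for f in excess:
        print(f"EXCESS   {f.src} -> {f.dst} {f.proto}/{f.port}  not justified by the topology")
```

Keying flows on the 4-tuple rather than on the purpose text is what lets the audit treat a documented rule and an undocumented one as the same flow; the SSH rule is kept in a separate "maintenance" set so that it is tolerated but never reported as mandatory.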


CMC - Connect Guardian

• Always make sure the CMC and Guardian have the same software version to guarantee synchronization.

Lab Exercise: Lab 36 - Configure the CMC Connection
Time to complete: 3 minutes
On Guardian: set up the CMC connection.
User Manual: Chapter 11: CMC - Settings


Follow the Lab guide, available in the Trainee machine, to complete this exercise.


CMC - Sensors List

Managed sensors: Guardians directly, and RCs via their Guardians.


CMC - Sensors Graph

On the graph, the colour of the CMC and connected appliances' icons represents their current health:
• Green is for good health
• Orange is for average health
• Red is for poor health
• Black when unreachable

Additionally, the colour of the links between the CMC and the appliances (1 level down from the CMC) represents the current status of the connection:
• Green is for good connection
• Black is for stale connection


On the graph, the color of the CMC and connected appliances' icons represents their current health. The colors and their meanings are as follows:
- Green is for good health
- Orange is for average health, Red is for poor health
- Black is used when an appliance is unreachable.

Please note that if connected appliances (1 level down from the CMC) have other appliances connected to them (2 levels down from the CMC), the worst health among all of those connected appliances is the health shown for the appliance 1 level down from the CMC.

Additionally, the color of the links between the CMC and the appliances (1 level down from the CMC) represents the current status of the connection. The colors and their meanings are as follows:
- Green is for good connection
- Black is for stale connection


CMC - Sensors Details and Controls

Sensor types listed: CMC, Guardian, Guardian + SP, Remote Collector, Arc (Windows), Arc (MacOS), Arc (Linux).

Controls available for a selected sensor:
• Allow/Disallow Go To Sensor
• Delete the appliance
• Force software update
• Place in a map
• Clear data to restart the sync
• Focus on section
• Toggle version lock
  • Locked: the sensor will not automatically update the software
  • Unlocked: the sensor will automatically update the software

Details sections: Health, Parameters.


CMC - Default General settings

Settings > Synchronization settings > General Settings

• Context to be used:
  • Multi-context: the user can focus on a single Guardian to access its data in its separate context.
  • All-in-one: the CMC creates a merged, single Environment section containing all appliances' data.
• Automatic firmware update: determines whether the sensors connected to the CMC automatically receive the firmware update package when a new version is available. A local Guardian user on the connected sensor will then be able to trigger the update installation.
• Go To Sensor: enables/disables the Go To Sensor icon.

(Screenshot: default configuration)


The picture above shows the default settings.

In the training lab you may find some parameters that have been changed by us for training purposes.


CMC - Connect Guardian continued

Lab Exercise: Lab 37 - Finish the CMC Connection Configuration
Time to complete: 5 minutes
Central Management Console Dashboard
User Manual: Chapter 11: CMC - Configuration


Follow the Lab guide, available in the Trainee machine, to complete the exercise.


Software and TI/AI Feed Updates

(Diagrams: a CMC-only deployment, with the CMC above Guardian A and Guardian B and a Remote Collector under each Guardian; and a Vantage and CMC deployment, with Vantage above the CMC and the same Guardians and Remote Collectors below.)

When using a CMC or Vantage, by default they are, for all connected appliances:
• the source of N2OS updates
• the source of TI/AI feed updates

Updates are requested by the lower device and provided by the upper-level device. The connection is always established from the lower to the upper-level device.


The Threat and Asset Intelligence update runs every hour, but it can be triggered by restarting all the appliance services, running n2os-stop-all and then n2os-start-all in the shell.


CMC - Default Sync with Guardian

Data type                                  Guardian >> CMC*   Guardian << CMC
Assets                                     Yes                n/a
Asset Types                                Yes                Yes
Nodes                                      Yes                n/a
Links                                      Yes                n/a
Sessions, Live Traffic                     No                 n/a
Variables                                  Yes                n/a
Zones                                      Yes                Yes
Assertions                                 No                 Yes
Alerts                                     Yes                n/a
Alert's status (open/close, ack/unack)     Yes                Yes
Alert tuning (creating rules)              No                 Yes

* implies each propagated configuration is supported by the CMC



CMC - Tuning synchronization settings

Settings > Synchronization settings > Tuning tab

• By default the synchronization of the data sets listed in the previous table is enabled
• The sync settings apply only to the appliances directly connected to the CMC
• If the CMC is running in HA, the configuration needs to be done on both CMCs
• Disabling a synchronization results in the deletion of the existing data already received for it


CMC - Policy synchronization settings

Settings > Synchronization settings > Policy tab

Asset Types definition policy
• Local only: asset types are controlled by the Guardian. Asset types received from upstream are ignored.
• Upstream only: asset types are controlled by the top CMC or Vantage. Asset types configured locally are ignored.

Zone configuration policy
• Local only: zone configurations are controlled by the Guardian. Zones received from upstream are ignored.
• Upstream only: zone configurations are controlled by the top CMC or Vantage. Local zones are ignored.

Alert Tuning execution policy
• Upstream only: alert rules are managed in the top CMC or Vantage. Creation and modification are disabled in the lower-level appliances. Only the rules received from upstream are executed.
• Upstream prevails: in case of conflicts, rules coming from upstream are executed. *
• Local prevails: in case of conflicts, rules created locally are executed. *

* Even Mute rules are overridden by the prevailing rules


ONLY FOR ALERT TUNING, a special case is represented by the 'mute' action.
Consider the following example: the execution policy is 'local_prevails' and a mute rule is received by the Guardian from an upstream connection.

This rule is ignored if at least one local rule matches the alert. Vice versa, with the execution policy set to 'upstream_prevails', a local 'mute' is ignored if at least one rule coming from upstream matches the alert.
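The three execution policies and the mute special case above are easiest to reason about as a small resolution function. The Python below is an added example written for this guide, not N2OS code: the Alert and Rule shapes, the rule names, the alert type label and the IP addresses are all constructed, and "conflict" is taken to mean that at least one upstream and at least one local rule match the same alert (an assumption, since the slide does not define the term). Running it reproduces both cases from the note: under local_prevails the upstream mute is dropped when a local rule matches, and under upstream_prevails the local mute is dropped when an upstream rule matches.

```python
"""Model of how a sensor decides which alert tuning rules to execute when rules
arrive both from upstream (CMC or Vantage) and from the local configuration.

Everything here is constructed for illustration: the Alert/Rule shapes, the rule
names, the alert type label and the addresses are not N2OS data structures. The
policy semantics follow the slide text; a "conflict" is assumed to mean that at
least one upstream and at least one local rule both match the same alert.
"""
from dataclasses import dataclass
from typing import Callable, List

POLICIES = ("upstream_only", "upstream_prevails", "local_prevails")


@dataclass(frozen=True)
class Alert:
    type_id: str
    src_ip: str
    risk: int


@dataclass(frozen=True)
class Rule:
    name: str
    origin: str                      # "upstream" or "local"
    match: Callable[[Alert], bool]
    action: str                      # "mute" or any other tuning action


def select_rules(alert: Alert, rules: List[Rule], policy: str) -> List[Rule]:
    """Rules that would actually be executed for this alert under the policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown execution policy {policy!r}")
    upstream = [r for r in rules if r.origin == "upstream" and r.match(alert)]
    local = [r for r in rules if r.origin == "local" and r.match(alert)]
    if policy == "upstream_only":
        # Local rules cannot even be created under this policy; anything local is ignored.
        return upstream
    if policy == "upstream_prevails":
        # A conflict (both sides match) is resolved for upstream; otherwise whatever matched runs.
        return upstream if upstream else local
    # local_prevails: the mirror image, a local match silences every upstream rule, mute included.
    return local if local else upstream


def is_muted(alert: Alert, rules: List[Rule], policy: str) -> bool:
    """True if a mute rule survives policy resolution; mute gets no special exemption."""
    return any(r.action == "mute" for r in select_rules(alert, rules, policy))


# Constructed rule set: upstream mutes a noisy alert type on a lab subnet and raises the
# risk of anything from the plant network; the local team wants one lab host kept but
# down-rated, and one plant host silenced.
RULES = [
    Rule("up-mute-lab", "upstream",
         lambda a: a.type_id == "example-new-node" and a.src_ip.startswith("10.99."),
         "mute"),
    Rule("up-raise-risk-plant", "upstream",
         lambda a: a.src_ip.startswith("192.168.1."),
         "set_risk_high"),
    Rule("local-keep-lab-host", "local",
         lambda a: a.type_id == "example-new-node" and a.src_ip == "10.99.0.7",
         "set_risk_low"),
    Rule("local-mute-plant-host", "local",
         lambda a: a.src_ip == "192.168.1.20",
         "mute"),
]

LAB_ALERT = Alert("example-new-node", "10.99.0.7", 7)        # upstream mute vs local down-rate
OTHER_LAB_ALERT = Alert("example-new-node", "10.99.3.3", 7)  # only the upstream mute matches
PLANT_ALERT = Alert("example-new-node", "192.168.1.20", 7)   # upstream raise vs local mute
UNMATCHED_ALERT = Alert("example-new-node", "172.16.5.5", 7)

if __name__ == "__main__":
    for policy in POLICIES:
        for alert in (LAB_ALERT, OTHER_LAB_ALERT, PLANT_ALERT, UNMATCHED_ALERT):
            names = [r.name for r in select_rules(alert, RULES, policy)]
            print(f"{policy:18} {alert.src_ip:15} muted={str(is_muted(alert, RULES, policy)):5} executed={names}")
```

The practical consequence for a SOC is visible in the OTHER_LAB_ALERT row: under local_prevails an upstream mute still fires when no local rule matches, so switching a sensor to local_prevails does not by itself undo centrally-pushed mutes, it only makes them lose when a local rule exists for the same alert.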


High Availability


CMC - High Availability function

• The HA feature provides both better availability and better load distribution for very large, dispersed installations:
  • A Guardian sends data to one of the CMCs, which takes care of synchronizing all the data with the other CMC;
  • In case one CMC is not available, the Guardian sends its data directly to the other CMC until the situation returns to normal.
• Both CMCs are accessible and are constantly being synchronized so that both provide the same set of data;
• The sync load can be balanced by connecting some Guardians to the Replica CMC instead of the Main CMC.

(Diagram: Main CMC and Replica CMC joined by a bidirectional data sync link; each Guardian has a data sync main link to one CMC and a backup link to the other, both https (443/tcp).)


CMC - Managing Guardians in HA

• Guardian HA mode enables two Guardians to monitor the same traffic while being managed by the same CMC.
• During normal operation:
  • only the primary Guardian is synchronized with the CMC,
  • both Guardians receive traffic from the mirror ports of the switch,
  • if the synchronization comes to a halt, the secondary Guardian starts synchronizing the records from the last primary Guardian update.
• The configuration is done via shell access by editing the n2os.conf.user file of the secondary Guardian.

(Diagram: CMC with a data sync main link to the Primary Guardian and a backup link to the Secondary Guardian, both https (443/tcp); both Guardians receive mirror traffic from the switch.)


In the Guardian's n2os.conf.user file, the secondary Guardian has the following line: guardian replica-of <ID>


CMC - Managing Guardians in HA with RC

• Guardians in HA can receive traffic from one Remote Collector.
• For redundancy purposes the RC sends the traffic to both Guardians.
• Two commands need to be executed on the Remote Collector to enable it to send mirrored traffic to both Guardians.
• For more details about the commands please refer to the Enable Multiplexing section of the Remote Collector chapter in the User Guide.

(Diagram: CMC above the Primary and Secondary Guardians, each connected by https (443/tcp); the Remote Collector connects to both Guardians over TLS 443/tcp and 6000/tcp and receives mirror traffic from the switch.)


Vantage

Nozomi Networks Vantage

What is it? A SaaS solution that scales security monitoring and visibility for OT, IoT, IT, edge and cloud assets. Effective for all systems and devices.

Nozomi Networks Vantage provides unified visibility and cybersecurity monitoring for an unlimited number of systems across geographically dispersed locations. It aggregates and prioritizes risks and vulnerabilities, delivering actionable insights that improve cyber and operational resilience.

Single pane of glass for a view of assets and security risks | Continuous monitoring of OT, IoT and IT systems | Automated vulnerability assessment with threat prioritization and remediation | Power of cloud computing for enhanced analytics

Vantage is your SaaS solution for security monitoring and visibility across your OT, IoT, and IT
networks. You can see across your network to monitor any number of devices, protect any number of
locations from one single platform anywhere in the world.

Vantage greatly simplifies multi-site deployments with a central cloud-based aggregation, analysis
and management station. Fewer nodes need to be deployed at each site, and fewer admin resources
are required to manage multiple sites and large numbers of sensors.

SaaS - What Does It Mean?

• Nozomi takes care of the operation:
  • Scaling the load
  • Fixing problems as they arise
• Utilizing Kubernetes, automation, etc.:
  • Architecture:
    • Frontend: API calls designed to be as fast as possible, with frontend API workers scaled to speed up queue processing
    • Backend: the work is broken into small tasks that can be queued, with background service workers scaled to speed up queue processing
  • Site Reliability Engineering:
    • Identify and solve issues quickly
    • Monitoring of performance and errors
• Customer data protection:
  • Each customer uses its data tier in the region that best suits its data governance needs
  • State-of-the-art product security:
    • End-to-end encryption in transit and at rest, 3rd party VA/PT, scans, etc.
  • Compliance and certifications (ISO 9001 and 27001)


Scalable 2/3 Tier Architecture

• Vantage: centralized OT and IoT visibility and security
• Guardian sensors process data and send it to Vantage
• Remote Collectors send data streams to a Guardian
• Arc sends in-depth asset and network information to a Guardian or directly to Vantage

(Diagram: Vantage at the top, Guardian in the middle; Arc sensors and Remote Collectors feed the Guardian, and Arc sensors can also feed Vantage directly.)


Goodbye to All-In-One vs. MultiContext

Welcome Network Domains & Organization
• MultiContext was introduced to:
  • Address overlapping IP address spaces from different Guardians
  • Boost performance (limited feature set in MultiContext mode)
• Vantage introduces Network Domains:
  • Performance is not a problem
  • An IP is unique inside a Network Domain
  • A Network Domain "owns" Assets
• Vantage introduces Organizations:
  • Allow System Integrators and MSSPs to manage multiple customers from one single platform
  • Easy way to provide visibility to a customer

(Diagram: Organization Company A with Guardians and Remote Collectors in Network domain Area A and Network domain Area B; Organization Company B with a Central Management Console and Guardians.)


All-In-One and MultiContext are concepts that are still present in the CMC but no longer in Vantage.
Network Domains and Organizations offer more flexibility compared to All-In-One or MultiContext.


Vantage – Navigation

• Organization: lists the user's organizations to switch between them
• Vantage IQ: uses ML/AI algorithms to understand when something unexpected happens
• World Map: change between 3D or 2D view


Vantage – Queries
New Query Functionality

(Screenshot callouts: multiline queries; history of queries; sort; group by; view details; output of the query; auto filter.)


Vantage has a more powerful engine due to being a SaaS product. We have created a new library specifically to enhance the query experience.

New Query Functionality
- Add filter feature
- Autocomplete queries
- Multi-line queries
- Query results load on the fly
- Create saved queries
- Create assertions


Vantage – Alerts
Improved Alert Information

(Screenshot callout: Visual provides a visual summary based on geographical location.)


There’s a new look for our alerts – including a visual depiction of data communication based on
geographical locations. This is especially useful for something like visualizing Command and
Control (C&C) Activity


Vantage - Alerts
Improved Alert Information

(Screenshot callouts: number of alerts within the incident; incident alert timeline.)


There is a new, clearer way to present the timeline of alerts.

Within the alert panel, a number indicates how many alerts pertain to a specific incident.

Within the incident page the alert timeline has been improved.


Vantage - Playbooks
Create Alert Playbooks

(Screenshot callout: add comments.)


Vantage includes the ability to add playbooks for alerts.

The playbooks in the screenshot were added for example purposes; note that Vantage does not ship with any built-in playbooks.

Once a playbook is added, it can be attached to alerts.


Vantage – Workbooks

(Screenshot callout: recommended actions to lower risk.)


There is now a new Workbooks Vulnerability page which provides a summary of how to reduce risk within the environment.

This is great for an executive summary and provides actionable items to reduce risk.


Vantage – User Management

User management is applied to every Organization of the account.

• Users are email address based and receive the invitation via email
• SAML SSO option is available
• Group rights are applied using Role Assignments
• API Key management is available

(Screenshot: available roles.)

Vantage user management is not related to the sensors' user management.


Vantage – Management features (1/2)

Per Organization settings

• Sensor/Arc updates can be managed by Vantage
  • Automatically pushed by Vantage
  • With or without SP according to the license
• Synchronization settings (logs, nodes, links, etc.)
  • Vantage can be leveraged only for license provisioning, based on environment requirements
• Zones can be managed at Vantage level
  • Per site(s) or sensor(s)
  • Cannot be edited on the sensor


Vantage – Management features (2/2)

Per Organization settings

• Fleet Management
  • CLI configuration commands can be sent to a batch of sensors
• Asset Rules
  • Assign Tags
• Alert Management:
  • Alert Rules
  • Alert Close Options
  • Alert Playbooks


Tags can be assigned to Assets for access management purposes, so that Role Assignments can be constrained to a specific Tag.


Vantage – Other features

• Backup
  • Restoration is full, not partial
  • Contact support only
• SAML SSO
  • To connect to Vantage only
• Import
  • Asset details (CSV or project file)
  • Arc (offline zip archive)

Built-in Integrations: Splunk, IBM QRadar, ServiceNow
Traffic Replay: predefined sets, for demo purposes only


Vantage IQ


Introducing Vantage IQ

Vantage IQ helps you understand what's happening across a network of IoT and OT devices. Sophisticated machine learning algorithms identify activity patterns, and Vantage IQ warns you when something unexpected happens.

• Delivers vastly deeper insights, correlation and actionable intelligence than prior or competitive systems
• A flexible query system to extract business insight and intelligence from massively scalable data sources


The Evolution of Data and Knowledge

(Diagram: Information → Insight; Vantage → Vantage IQ)

Vantage IQ Features

• Insights
  • New dashboard highlighting actionable intelligence to improve your environment's security. Data is correlated across the Vantage solution to streamline forensics, tuning and security enhancements.
• Answers
  • Learn more about your environment by asking simple questions:
    • What are the relevant characteristics of high-risk vulnerabilities?
    • How are vulnerabilities clustered into groups?
    • How do asset attributes correlate with each other?
    • How do alert sources correlate with risk?
  • Powerful customizable queries are used to answer questions and ultimately provide users with a deeper understanding of their environment.
• Time Series
  • Utilizes advanced machine learning techniques for predicting and alerting on abnormal bandwidth in the sensor network baseline.


Vantage IQ is an add-on module to Vantage


No additional configuration on the customer side
Once Vantage IQ is added it will begin analyzing the database and provide insights immediately


Architecture

• Vantage IQ is an add-on module to Vantage
• No additional configuration on the customer side
• Once Vantage IQ is added it will begin analyzing the database and provide insights immediately

(Diagram: Vantage IQ layered on top of Vantage.)


Support


Partner Portal

Partner Portal* enables access to:
• Deals and deal dashboard
• Download customer documents, whitepapers and briefs
• Sales and SE Training
• Technical Training (Nozomi Networks Academy)
• Marketing Collateral

To sign up: (links to the Partner Portal and to NN Academy in the original slide)

Remember that the Partner Portal does not have product User Manuals or Release Notes. These are on the Support Portal.

* Partner Portal is available for employees of a Partner organization


Support Portal

Support Portal* access enables you to:
• Open and manage tickets
• Receive news and updates
• Download software versions
• Read Guides (Knowledge Base)

* Support Portal is available for partners and users with an active SLA


Documentation Menu on Support Portal

Under the Documentation menu, you can access a searchable browser-based version of:
• Release Notes
• User Manual
• User Manual SDK


Support Portal - Opt-In Subscription Feature

Allow the [email protected] email address into your inbox, or its messages might end up in your spam folder.

(Screenshot with the numbered steps of the subscription opt-in.)


Nozomi Networks Global Customer Support

CustomerCare Premium:
• Phone support 24 x 7, 365 days
• Hardware replacement: 2 business days RMA*
• Software updates
• Online Support Portal

Support Portal: support.nozominetworks.com
Phone: +1 877 282 5858 (International). For regional support numbers, please visit nozominetworks.com/support

* Subject to regional Customs regulations

For more info please refer to the Global Customer Support brochure


Ask support

• When a support ticket needs to be opened, the support department needs to be provided with enough data to understand the problem:
  • A detailed description of the problem
  • The compressed Support archive provided by the Guardian, which can be generated in 2 ways:
    • from the Web UI: System > Support, downloaded via the browser
    • from the shell console: execute the n2os-asksupport command with root privileges, then download the archive via scp from /data/tmp/

* If you want to run the command with the Anonymize option, use n2os-asksupport --anonymize

(Screenshots: Web UI interface; shell console)


Run the n2os-asksupport --anonymize command in the shell console, with root permission, if you want the archive request anonymized when generating it over SSH.


Project Delivery


Typical Schedule for a Site Activation

Project phase                                                      Plan start (day)   Duration (elapsed days)
Site Kickoff Call                                                  1                  1
Information Gathering                                              2                  3
Solution Design                                                    5                  1
Confirmation of the HW delivery and site preparation               2                  9
Installation and initial configuration of appliance(s) (onsite)    11                 2
Traffic Data Acquisition and Baseline Period                       13                 10
Remote Fine Tuning                                                 23                 3

(The plan spans project weeks 1 to 5, days 1 to 25.)

Main deliverables per site:
1. Site Acceptance Test
2. User Acceptance Test


A low impact and high value-added process

Installation
From installation, Nozomi Guardian increases the visibility of the network, enabling the opportunity to observe and act, securing network zones which had until that moment remained unknown or uncontrolled.
The Activation phase consists of 4 different sub-phases:
• Information Gathering
• Solution Design
• Site Preparation
• Installation and Basic Configuration

Review, Tuning and Optimization
The second stage consists of tuning the Guardian baseline and defining security rules to check compliance with the company standards or to find the gaps with respect to security best practices. Sub-phases:
• Fine Tuning
• Go-Live

Operations, Maintenance and Evolution
After the go-live, Nozomi Networks' Guardian permits:
• Real-time industrial operations and security monitoring
• Control over the remediation activities in place to enforce security
• Impact analysis of the planned and unplanned changes in the ICS environment

[Diagram: Continuous Feedback Loop; Nozomi Delivery & Project Management; Nozomi Support team]


Project Workflow

• Information Gathering: ICS network information and documentation gathering in order to define and to characterize project activities.
• Solution Design: Identification of the best device deployment topology and configuration activities required for installation.
• Site Preparation: Commitment of resources and access permissions required for the appliance implementation.
• Installation and Basic Config: Activation and commissioning of the Nozomi Guardian appliances (virtual or physical).
• Fine Tuning: Alert tuning, customizations and configuration of integrations.
• Go-Live: Close-out meeting and transfer of the installation documentation to end users.


Lessons Learned

Issues with Configuration of Traffic Mirroring
• Who is responsible for enabling traffic mirroring? Network team? OEM?
• How will mirrored traffic for monitoring be set up? Have the necessary approvals and change control happened?
• Can mirrored traffic be aggregated, or will monitoring devices need to be able to connect to each switch?
• Any devices hidden?

Under-sizing Monitoring Hardware
• Traffic throughput estimates are typically used – have they been verified?
• If using an embedded / containerized version within another tool (i.e., the switch or FW), has the device been scoped to include monitoring?
• Does the vendor offer ruggedized appliances where required? If not (or if software only), has appropriate hardware been acquired?

Not Planning in Advance for Integrations, Central Monitoring, Training
• Who will be monitoring alerts? Will different groups handle operational vs security alerts?
• Have the proper teams (firewalls, ticketing systems, SIEM, etc.) been notified?
• Network flows: Will policy allow for data to exit secure zones to reach DMZ / SOC / MSSP?
• Have all stakeholders been trained in how to use the solution?


Solution Design (HLD): Network flows

[Diagram: Nozomi appliances and their network connections across SITE A, SITE B (remote location), REGION, HEADQUARTER and NOZOMI CLOUD. Components shown: Guardian, Remote Collector (RC), Arc Sensor (Nozomi Endpoint), CMC local, CMC regional, CMC HQ / Central Management Console (CMC), Vantage, Nozomi Cloud (Threat Intelligence, Asset Intelligence), Workstation, Operator, Time Server, AD/LDAP, SIEM, Mail Relay, Other Integrations. Dashed lines indicate optional network connections.]

Ports and Protocols (solution communication):
• Admin access from Workstation to Web UI (https) and to Shell console (ssh): tcp-443, tcp-22
• Operator access to Vantage: https (tcp-443)
• Secure TLS tunnel from Guardian/CMC to Management (CMC or Vantage): tcp-443
• Secure TLS tunnel from Remote Collector (RC) to Guardian: tcp-443, tcp-6000
• Secure TLS tunnel from Arc to Guardian/Vantage: tcp-443
• Remote Collector (RC) shell access: ssh (tcp-22)
• Nozomi Cloud (Threat Intelligence, Asset Intelligence): TLS tunnel (tcp-443)
• Time Server: ntp (udp-123)
• AD/LDAP: ldap(s) (tcp/udp-389, tcp-636)
• SIEM: syslog, cef, leef (tcp/udp-514)
• Mail Relay: smtp (tcp-25)
• Other Integrations, e.g. snmp, api
• Mirrored network traffic to monitor (into Guardian / Remote Collector)


This picture displays all the connections and protocols needed by the different Nozomi products.


Wrap-up


Nozomi Networks Strengths

Platform Scalability
• Proven Large Deployments: Deployed with some of the largest customers in the world
• Cloud-Based Scale: Option to aggregate and analyze data on-premises through Guardian or with Vantage cloud
• Consolidated Management: Management through CMC or from the cloud

Ease of Deployment
• Sensor Options to Fit Your Environment: Physical, virtual, cloud, edge, endpoint, container sensors
• Cloud Architecture: SaaS platform speeds onboarding, eliminates sizing issues
• Industry's Largest Partner Ecosystem and Open API: Minimizes integration complexity

Industry-Leading Threat Detection
• Nozomi Networks Labs: Premier research organization for new threats and latest cybersecurity research
• Latest, Detailed Threat Intelligence: Most complete set of CVEs for cyber-physical systems across industries
• Threat Feed for Non-Nozomi Solutions: Vendor agnostic threat feed for third-party security solutions

Actionable Intelligence
• Power of AI: Only vendor with AI/ML engine for more analysis of data and anomalies
• Prioritized Remediation: Workbooks and customized playbooks prioritize and guide remediation efforts
• Overcoming the Skills Gap: Intelligent automation to deal with low alerts, data deluge and security issues


Platform Scalability: Nozomi supports a wide range of sensors, providing the right architecture for any size of deployment. Our platform has been deployed in some of the largest organizations in the world.

Ease of deployment: Our technology gives our users maximum flexibility to get the security and visibility they need. Our massive partner ecosystem means that we can integrate with existing security and network stacks, reducing complexity.

Anomaly and Threat Detection: With Nozomi Networks Labs, we can provide our customers with the latest threats and research. We offer this information through the Threat Intelligence feature. The threat intelligence data is also available to third-party security solutions to provide our customers with the most comprehensive threat data.

Actionable Intelligence and Automation: Nozomi is the only vendor with an AI/ML engine for analysis of data and anomalies. Workbooks and Playbooks help to prioritize and guide remediation.


Nozomi Networks Certified Engineer Community

Join our NNCE Community on LinkedIn
https://www.linkedin.com/groups/9013276/


Thank You
Nozomi Networks accelerates digital transformation by protecting the world's critical infrastructure, industrial and government organizations from cyber threats. Our solution delivers exceptional network and asset visibility, threat detection, and insights for OT and IoT environments. Customers rely on us to minimize risk and complexity while maximizing operational resilience.
nozominetworks.com


Solutions


Solutions - Sizing
Scenario 1
Option 1:
- 1x NS1 100 plus an expansion slot reaching 9 monitoring ports
Option 2:
- Add a core switch to merge the traffic from 9 switches
- 1x NS1 100
- Assumption: Possibility to add switch (often not viable)

Scenario 2
- Building 1 – NS1 250
- Building 2 – NSG-R50 connected over internet to NS1 250 (TLS)
- Building 3 - NSG-R50 connected over internet to NS1 250 (TLS)
- Central management: by the NS1 250

Scenario 3
- Switch 1 - NSG-HS 3500 + 1 Expansion slot 4xSFP+
- Switch 2 - NSG-HS 3500 + 1 Expansion slot 4xSFP+
- Central management: Vantage


Solutions - Queries
1. Count how many modbus variables were transmitted on the network.
   variables | where protocol == modbus | count
2. Produce a visual representation of the assets having a Windows operating system grouped by the Operating System version (the result will be used to plan patch installation).
   assets | where os include? Win | group_by os | column os count
3. Produce a tabular representation of HTTP links showing the from, to, protocol and times of first and last activity, sorted by the amount of traffic passing through the link.
   links | where protocol == http | select first_activity_time last_activity_time from to protocol transferred.bytes | sort transferred_bytes
4. Produce a table to show nodes in the network that are inactive in the last 10 days, filtering out ghost nodes (tip: ghost nodes never sent bytes).
   nodes | where days_ago(last_activity_time) > 10 | where sent.bytes > 0
5. Produce a table reporting source, destination IP, function code name and last activity time of every iec104 link.
   links | where protocol == iec104 | expand function_codes | select from to expanded_function_codes.name last_activity_time
6. Produce a table showing connections that are likely blocked by a firewall (tip: this can be modelled by the number of attempted and handshaked connections).
   links | where tcp_connection_attempts.total > 0 | where tcp_handshaked_connections.total == 0
7. Produce a table to show how many links are initiated from each zone (tip: in the links table there are fields about zone information).
   links | group_by from_zone
8. Produce a table showing from, to, protocol and TCP retransmission percentage of all links with a TCP retransmission percentage between 40 and 90 percent.
   links | where tcp_retransmission.percent > 40 | where tcp_retransmission.percent < 90 | select from to protocol tcp_retransmission.percent
9. Produce a table showing the function codes seen on the monitored network for the iec104 protocol and sort them so as to have the most used first (tip: work with the variables table).
   variables | where protocol == iec104 | group_by last_function_code | sort count desc
10. Produce a column chart showing the list of source IPs that opened iec104 links, sorting them by number of links.
   links | where protocol == iec104 | group_by from | sort count desc | column from count
11. Show how many links with the same zone (source and destination) are in the monitored network.
   links | where from_zone == $to_zone | count
12. Produce a pie chart showing the percentage of every transport protocol used in the monitored network.
   links | expand transport_protocols | group_by expanded_transport_protocols | pie expanded_transport_protocols count


Solutions - Packet and Yara Rule


Packet Rule:
• Question 1: Answer: B and C
  • A is incorrect because it has the udp protocol instead of tcp
  • D is incorrect because the use of "distance:1" won't find "DRISIO" (because it is technically at a distance of '0' from 'MEN')

• Question 2: Answer: A and D
  • B is incorrect because the capital "T" is not within 1 space of "Nozomi"
  • C is incorrect because the order of operations is incorrect (Noz would need to be first and Training would need to be second)
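
The distance semantics behind the Question 1 answer, as an added example: a toy model of Snort/Suricata-style chained content matching written for this guide, not course material or vendor code. The payloads, the `nocase` flag and the `within` handling are assumptions made for illustration; the rule texts of the exercise itself are not reproduced here.

```python
"""Toy model of Snort/Suricata-style chained content matching.

Added example, not from the course: `distance:N` makes the next content
search start N bytes after the END of the previous match, so once "MEN"
has matched in "MENDRISIO", `distance:1` skips the 'D' and never finds
"DRISIO" (which sits at distance 0). Contents without relative modifiers
are searched independently over the whole payload, so only relative
chains are ordered.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None  # min. gap between end of previous match and this one
    within: Optional[int] = None    # this match must end within N bytes of that (distance-adjusted) point
    nocase: bool = False            # case-insensitive compare (assumed modifier, like Snort's nocase)


def match_chain(payload: bytes, contents: List[Content]) -> Optional[List[Tuple[int, int]]]:
    """Return the (start, end) span of each content in order, or None if the chain fails."""
    spans: List[Tuple[int, int]] = []
    cursor = 0  # end offset of the previous match; relative modifiers measure from here
    for c in contents:
        hay, needle = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
        relative = c.distance is not None or c.within is not None
        if relative:
            start = cursor + (c.distance or 0)
            end = len(hay) if c.within is None else start + c.within
            idx = hay.find(needle, start, end)  # match must lie entirely inside [start, end)
        else:
            idx = hay.find(needle)  # independent, unordered search over the whole payload
        if idx < 0:
            return None
        cursor = idx + len(needle)
        spans.append((idx, cursor))
    return spans


def mendrisio_distance_demo() -> dict:
    """Constructed payloads: why distance:1 misses while distance:0 hits."""
    return {
        "distance_1": match_chain(b"MENDRISIO", [Content(b"MEN"), Content(b"DRISIO", distance=1)]),
        "distance_0": match_chain(b"MENDRISIO", [Content(b"MEN"), Content(b"DRISIO", distance=0)]),
        "with_gap": match_chain(b"MEN DRISIO", [Content(b"MEN"), Content(b"DRISIO", distance=1)]),
    }


def ordering_demo() -> dict:
    """Relative chains are ordered: 'Noz' must be matched before 'Training'."""
    payload = b"Nozomi Training"
    return {
        "noz_then_training": match_chain(payload, [Content(b"Noz"), Content(b"Training", distance=0)]),
        "training_then_noz": match_chain(payload, [Content(b"Training"), Content(b"Noz", distance=0)]),
        "unordered": match_chain(payload, [Content(b"Training"), Content(b"Noz")]),
    }


if __name__ == "__main__":
    for name, result in {**mendrisio_distance_demo(), **ordering_demo()}.items():
        print(f"{name:>18}: {result if result else 'no match'}")
```

Run it as a script to see each chain's match spans; `distance_1` and `training_then_noz` report no match, which is exactly the behaviour the two "incorrect" options above rely on.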

Yara Rule:
• Question 1: No; if all of $x and $s are present, it will trigger the rule
• Question 2: No
• Question 3: 1; it will only require one of the $x* strings (as well as the file being less than 400KB)


Solutions - Assertions
1. Produce an alert when a Node is down for at least one day, excluding nodes representing broadcast addresses.
nodes | where type != broadcast | where days_ago(last_activity_time) > 1 | assert_empty

2. Produce an alert when an ACTIVE http session is present in the monitoring network.
sessions | where status == ACTIVE | where protocol == http | assert_empty

3. In order to upgrade critical equipment produce an alert when switches are suffering critical vulnerabilities
(assuming critical means a CVE score of 7 or higher, and a likelihood of 0.8 or higher).
node_cves | where cve_score >= 7 | where likelihood >= 0.8 | where node_type == switch | assert_empty

4. Produce an alert when the minimum value of at least one variable named ioa-2-2 belonging to 192.168.231.107 is less
than 0.2 - (try not to use the ‘assert_empty’ keyword).

variables | where host == 192.168.231.107 | where name == ioa-2-2 | assert_all min_value > 0.2
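
The pipeline operators that both the query solutions (Solutions - Queries) and the assertion solutions above rely on, as an added example: a small Python re-implementation written for this guide, not Nozomi's query engine. The sample link, node and variable rows, the fixed clock behind days_ago() and the plain-string spelling of dotted fields are constructed for the example; field names mirror those used in the solutions.

```python
"""Toy Python model of the query pipeline behind the Solutions above.

Added example, not course material or Nozomi code: re-implements the
operators the query and assertion solutions rely on (where, expand,
group_by, sort, select, count, assert_empty, assert_all) over constructed
rows so their semantics can be checked offline. Dotted field names such as
"tcp_connection_attempts.total" are kept as plain dict keys to mirror the solutions.
"""
from collections import Counter
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2023, 6, 1, tzinfo=UTC)  # fixed clock (assumption) so days_ago() is deterministic

def days_ago(ts):
    return (NOW - ts).days

# Pipeline stages: each takes a list of dict rows and returns a new list (or a scalar).
def where(rows, pred):
    return [r for r in rows if pred(r)]

def expand(rows, field):
    """One output row per element of the list in `field`, exposed as expanded_<field>."""
    return [{**r, f"expanded_{field}": item} for r in rows for item in r.get(field, [])]

def group_by(rows, *fields):
    """Collapse rows sharing the same `fields` into one row carrying a `count` column."""
    counts = Counter(tuple(r.get(f) for f in fields) for r in rows)
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]

def sort(rows, key, desc=False):
    return sorted(rows, key=lambda r: r[key], reverse=desc)

def select(rows, *fields):
    return [{f: r.get(f) for f in fields} for r in rows]

def count(rows):
    return len(rows)

def assert_empty(rows):
    """Holds (no alert) only when nothing survived the filters."""
    return len(rows) == 0

def assert_all(rows, pred):
    """Holds only when every surviving row satisfies pred; a single violation raises the alert."""
    return all(pred(r) for r in rows)

# Constructed sample tables (made up for this example).
LINKS = [
    {"from": "10.0.0.5", "to": "10.0.0.9", "protocol": "iec104", "from_zone": "Z1", "to_zone": "Z1",
     "transport_protocols": ["tcp"], "tcp_connection_attempts.total": 12, "tcp_handshaked_connections.total": 12},
    {"from": "10.0.0.5", "to": "10.0.1.20", "protocol": "http", "from_zone": "Z1", "to_zone": "Z2",
     "transport_protocols": ["tcp"], "tcp_connection_attempts.total": 4, "tcp_handshaked_connections.total": 0},
    {"from": "10.0.1.7", "to": "10.0.1.8", "protocol": "modbus", "from_zone": "Z2", "to_zone": "Z2",
     "transport_protocols": ["tcp", "udp"], "tcp_connection_attempts.total": 3, "tcp_handshaked_connections.total": 3},
]
NODES = [  # last_activity_time is relative to the fixed NOW above
    {"ip": "10.0.0.5", "type": "computer", "last_activity_time": datetime(2023, 5, 31, tzinfo=UTC)},
    {"ip": "10.0.0.9", "type": "computer", "last_activity_time": datetime(2023, 5, 20, tzinfo=UTC)},
    {"ip": "10.0.0.255", "type": "broadcast", "last_activity_time": datetime(2023, 5, 1, tzinfo=UTC)},
]
VARIABLES = [
    {"host": "192.168.231.107", "name": "ioa-2-2", "min_value": 0.35},
    {"host": "192.168.231.107", "name": "ioa-2-2", "min_value": 0.1},
    {"host": "192.168.231.108", "name": "ioa-2-2", "min_value": 0.05},
]

def blocked_links(links=LINKS):
    """Query solution 6: connection attempts were made but no TCP handshake ever completed."""
    rows = where(links, lambda r: r["tcp_connection_attempts.total"] > 0)
    rows = where(rows, lambda r: r["tcp_handshaked_connections.total"] == 0)
    return select(rows, "from", "to", "protocol")

def same_zone_link_count(links=LINKS):
    """Query solution 11: links whose source and destination zones coincide."""
    return count(where(links, lambda r: r["from_zone"] == r["to_zone"]))

def transport_protocol_breakdown(links=LINKS):
    """Query solution 12: expand the list field first, then count per value (the pie chart input)."""
    rows = group_by(expand(links, "transport_protocols"), "expanded_transport_protocols")
    return {r["expanded_transport_protocols"]: r["count"] for r in sort(rows, "count", desc=True)}

def node_down_assertion(nodes=NODES):
    """Assertion 1: False (alert) if any non-broadcast node has been silent for more than a day."""
    rows = where(nodes, lambda r: r["type"] != "broadcast")
    rows = where(rows, lambda r: days_ago(r["last_activity_time"]) > 1)
    return assert_empty(rows)

def ioa_min_value_assertion(variables=VARIABLES):
    """Assertion 4: assert_all states the healthy condition directly instead of filtering for violations."""
    rows = where(variables, lambda r: r["host"] == "192.168.231.107")
    rows = where(rows, lambda r: r["name"] == "ioa-2-2")
    return assert_all(rows, lambda r: r["min_value"] > 0.2)

if __name__ == "__main__":
    print("blocked links:", blocked_links())
    print("same-zone links:", same_zone_link_count())
    print("transport protocols:", transport_protocol_breakdown())
    print("assertion 1 holds:", node_down_assertion())
    print("assertion 4 holds:", ioa_min_value_assertion())
```

With the constructed rows, the http link with four attempts and no handshake is the one reported as likely blocked, and both assertions return False: node 10.0.0.9 has been silent for 12 days, and one ioa-2-2 variable on 192.168.231.107 has a minimum below 0.2. Swapping that variable for one above the threshold makes assert_all hold, which is the difference between filtering for violations (assert_empty) and stating the expected condition (assert_all).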


