
Sentry - Passive Discovery

Sentry provides passive network discovery through SPAN/TAP port mirroring, automatically identifying and classifying devices without sending active network probes. By analyzing network traffic patterns, protocols, and device behaviors, Sentry builds comprehensive asset inventories while maintaining operational security.

How Sentry Works

Sentry operates entirely through passive network observation:

  1. Traffic Capture: Monitor mirrored traffic from SPAN ports or network TAPs
  2. Protocol Analysis: Identify industrial protocols and device communications
  3. Device Classification: Determine device types, vendors, and models
  4. Inventory Population: Automatically populate Manifest with discovered devices
  5. Continuous Monitoring: Update device information as traffic patterns change

Device Identification Methods

MAC OUI Lookup

  • Vendor Identification: IEEE OUI database for manufacturer identification
  • Device Categorization: Network equipment, industrial devices, IT systems
  • Model Detection: Specific device models from OUI registration data
  • Custom OUI Database: Extended vendor information for OT-specific manufacturers

DHCP Fingerprinting

  • DHCP Options: Device type identification from DHCP option patterns
  • Hostname Analysis: Device naming conventions and organizational patterns
  • Vendor Class: DHCP vendor class identifiers for device classification
  • Operating System: OS detection from DHCP fingerprint patterns
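As an added example (not Sentry's own code), the following Python shows how the two passive signals above combine into one device record: a MAC OUI lookup against a small constructed vendor table, and DHCP fingerprinting from the option 55 parameter request list, the hostname (option 12) and the vendor class (option 60). The OUI assignments, the fingerprint signatures and the sample DHCPDISCOVER option area are constructed for illustration and are not copied from any registry.

```python
"""Passive device identification from one captured DHCP request.

Added example, not Sentry's own code. A small constructed OUI table and a
constructed option-55 fingerprint table stand in for the IEEE OUI registry,
the OT vendor extension and the DHCP fingerprint database the page describes.
"""

# Constructed OUI table (first three MAC octets -> manufacturer); the
# assignments are assumed for illustration, not copied from the IEEE registry.
OUI_TABLE = {
    "00:1c:06": "Siemens AG",
    "00:00:bc": "Rockwell Automation",
    "00:80:f4": "Schneider Electric",
}

# Constructed fingerprints keyed by the DHCP option 55 parameter request list;
# the set and order of options a client asks for is the classic DHCP signal.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux (dhclient)",
    (1, 3, 6, 12): "Embedded controller",
}


def oui_lookup(mac):
    """Return the manufacturer for a MAC address, or 'Unknown' if the OUI is unregistered."""
    return OUI_TABLE.get(mac[:8].lower(), "Unknown")


def parse_dhcp_options(payload):
    """Parse the DHCP option area (after the magic cookie) into {code: value bytes}.

    Option 0 is padding and option 255 ends the list. A truncated option
    terminates parsing instead of raising: a passive sensor must tolerate
    malformed frames without dropping the capture thread.
    """
    options = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break
        options[code] = value
        i += 2 + length
    return options


def identify_device(mac, dhcp_option_bytes):
    """Combine the OUI lookup with DHCP option fingerprinting into one record."""
    opts = parse_dhcp_options(dhcp_option_bytes)
    request_list = tuple(opts.get(55, b""))
    return {
        "mac": mac.lower(),
        "vendor": oui_lookup(mac),
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        "os_guess": DHCP_FINGERPRINTS.get(request_list, "Unknown"),
    }


def build_dhcp_options(hostname, vendor_class, request_list):
    """Build a constructed DHCP option area for a DHCPDISCOVER (sample input only)."""
    out = bytes([53, 1, 1])  # option 53, message type 1 = DHCPDISCOVER
    out += bytes([12, len(hostname)]) + hostname.encode("ascii")
    out += bytes([60, len(vendor_class)]) + vendor_class.encode("ascii")
    out += bytes([55, len(request_list)]) + bytes(request_list)
    return out + b"\xff"


# Constructed sample: a controller with a (hypothetical) Siemens OUI.
SAMPLE_MAC = "00:1C:06:AA:BB:CC"
SAMPLE_OPTIONS = build_dhcp_options("plc-line3", "SIMATIC", (1, 3, 6, 12))

if __name__ == "__main__":
    print(identify_device(SAMPLE_MAC, SAMPLE_OPTIONS))
```

Note that the parser deliberately returns a partial result rather than raising on a truncated option: on a mirrored feed the sensor sees every malformed frame on the segment, and an exception there would stall the whole capture.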

Protocol Banner Analysis

  • Service Identification: Application banners and protocol responses
  • Version Detection: Software versions from protocol handshakes
  • Configuration Analysis: Service configurations and capabilities
  • Security Assessment: Default credentials and exposed services

Operating System Guessing

  • TCP Stack Analysis: OS fingerprinting from TCP behavior patterns
  • Protocol Implementation: OS-specific protocol stack characteristics
  • Network Behavior: Traffic patterns unique to different operating systems
  • Confidence Scoring: Statistical confidence in OS identification
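The banner and TCP-stack methods above, as an added Python example that is not part of Sentry: parse_banner reads the SSH identification string, the HTTP Server header or the VNC RFB greeting from the first bytes a service sends, and guess_os applies the initial-TTL and window-size heuristic that passive fingerprinters rely on, with a constructed signature table and an assumed three-step confidence scale. The packets are constructed and the signature values are illustrative, not a production fingerprint database.

```python
"""Passive banner parsing and TCP-stack OS guessing over constructed packets.

Added example, not Sentry's code. The banner parser recognises SSH
identification strings (RFC 4253 section 4.2), HTTP responses and the VNC RFB
greeting; the OS guess uses the initial-TTL / window-size heuristic with a
constructed signature table and an assumed confidence scale.
"""
import re

# Constructed SYN signature table: (initial TTL, window size) -> OS family.
# Production fingerprinters also use MSS, option order and the DF bit.
TCP_SIGNATURES = {
    (64, 29200): "Linux",
    (64, 65535): "BSD/macOS",
    (128, 8192): "Windows",
    (128, 64240): "Windows",
    (255, 4128): "Embedded RTOS",
}

SSH_BANNER = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_banner(port, data):
    """Extract service and version from the first bytes a server sends, if recognisable."""
    text = data.decode("ascii", "replace")
    first = text.splitlines()[0] if text else ""
    m = SSH_BANNER.match(first)
    if m:
        return {"service": "ssh", "protocol": m.group("proto"),
                "version": m.group("software"), "comments": m.group("comments")}
    if first.startswith("HTTP/"):
        headers = {}
        for line in text.splitlines()[1:]:
            if not line:
                break  # blank line ends the header block
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        status = first.split(" ")[1] if " " in first else None
        return {"service": "http", "status": status, "version": headers.get("server")}
    if first.startswith("RFB "):
        return {"service": "vnc", "version": first[4:].strip()}
    return {"service": "unknown/%d" % port, "version": None}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value (each hop decrements it)."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def guess_os(observed_ttl, window):
    """Return (os_family, confidence) for a SYN with the given TTL and window size."""
    ttl0 = initial_ttl(observed_ttl)
    exact = TCP_SIGNATURES.get((ttl0, window))
    if exact:
        return exact, 0.9
    same_ttl = {os for (ttl, _), os in TCP_SIGNATURES.items() if ttl == ttl0}
    if len(same_ttl) == 1:
        return same_ttl.pop(), 0.5  # TTL alone is weak evidence, so lower confidence
    return "Unknown", 0.1


def profile_host(port, banner, syn_ttl, syn_window):
    """Merge banner and stack evidence into one passive host profile."""
    os_name, confidence = guess_os(syn_ttl, syn_window)
    return {**parse_banner(port, banner), "os": os_name, "os_confidence": confidence}


# Constructed sample: a managed switch's SSH greeting; its SYN was seen two hops away.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"

if __name__ == "__main__":
    print(profile_host(22, SAMPLE_BANNER, 62, 29200))
```

The confidence value is what the Confidence Scoring bullet refers to: an exact TTL/window match is strong, a TTL-only match is weak because several stacks share an initial TTL of 64, and anything else is reported as Unknown rather than guessed.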

Supported Protocols

Industrial Protocols

Protocol     | Description                 | Device Types                  | Analysis Depth
EtherNet/IP  | Common Industrial Protocol  | PLCs, HMIs, I/O modules       | Device identity, configuration
S7comm       | Siemens S7 Communication    | Siemens PLCs, HMIs            | CPU type, firmware version
Modbus TCP   | Modbus over Ethernet        | RTUs, gateways, meters        | Function codes, data mapping
OPC UA       | OPC Unified Architecture    | Servers, clients, gateways    | Service types, security settings
PROFINET     | Process Field Network       | Siemens devices, I/O modules  | Device configuration, topology
CIP Safety   | Safety over EtherNet/IP     | Safety PLCs, controllers      | Safety configuration, status
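To show what "Function codes, data mapping" means for Modbus TCP in practice, here is an added Python example (not Sentry's code) that decodes the MBAP header of mirrored TCP segments, pairs responses with requests by transaction id, and builds a per-controller profile of function codes, addressed register ranges and which clients issue writes. The flow, addresses and values are constructed.

```python
"""Passive Modbus TCP decoding and per-device function/register profiling.

Added example, not Sentry's code. It parses the MBAP header and PDU of each
mirrored TCP payload, pairs responses with requests by transaction id, and
builds the function-code set and register map per server. The traffic below
is constructed; addresses and values are illustrative.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_mbap(payload):
    """Split a Modbus TCP ADU into header fields, function code and PDU body.

    Returns None for anything that is not well-formed Modbus: the protocol id
    must be 0 and the length field must cover exactly the unit id plus the PDU.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    return {"transaction": tid, "unit": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80), "pdu": payload[8:]}


def decode_request_range(function, pdu):
    """Return (start address, count) addressed by a request PDU, or None."""
    if function in (1, 2, 3, 4, 15, 16) and len(pdu) >= 4:
        return struct.unpack("!HH", pdu[:4])
    if function in (5, 6) and len(pdu) >= 2:
        return struct.unpack("!H", pdu[:2])[0], 1
    return None


class ModbusInventory:
    """Per-server profile built purely from observed requests and responses."""

    def __init__(self):
        self.devices = defaultdict(lambda: {"functions": set(), "units": set(),
                                            "registers": set(), "writers": set()})
        self.pending = {}  # (client, server, transaction id) -> request record

    def observe(self, src, sport, dst, dport, payload):
        """Feed one TCP segment payload; returns the decoded record or None."""
        rec = parse_mbap(payload)
        if rec is None:
            return None
        if dport == MODBUS_PORT:  # client -> server: a request
            rec["direction"] = "request"
            dev = self.devices[dst]
            dev["functions"].add(rec["function"])
            dev["units"].add(rec["unit"])
            rng = decode_request_range(rec["function"], rec["pdu"])
            if rng:
                rec["start"], rec["count"] = rng
                dev["registers"].add((rec["function"],) + tuple(rng))
            if rec["function"] in WRITE_FUNCTIONS:
                dev["writers"].add(src)  # which clients write to this controller
            self.pending[(src, dst, rec["transaction"])] = rec
        elif sport == MODBUS_PORT:  # server -> client: a response
            rec["direction"] = "response"
            req = self.pending.pop((dst, src, rec["transaction"]), None)
            rec["matched_request"] = req is not None
        else:
            return None
        return rec


def mbap(tid, unit, pdu):
    """Build a constructed ADU: MBAP header (length = unit id + PDU) then PDU."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed flow: read holding registers 0-9, then a single write the
# controller rejects with exception code 02 (illegal data address).
SAMPLE_FLOW = [
    ("10.0.1.50", 40001, "10.0.1.10", 502, mbap(1, 1, bytes([3]) + struct.pack("!HH", 0, 10))),
    ("10.0.1.10", 502, "10.0.1.50", 40001, mbap(1, 1, bytes([3, 20]) + b"\x00" * 20)),
    ("10.0.1.50", 40001, "10.0.1.10", 502, mbap(2, 1, bytes([6]) + struct.pack("!HH", 16, 1))),
    ("10.0.1.10", 502, "10.0.1.50", 40001, mbap(2, 1, bytes([0x86, 2]))),
]


def run_sample():
    """Replay the constructed flow; returns the inventory and decoded records."""
    inventory = ModbusInventory()
    records = [inventory.observe(*segment) for segment in SAMPLE_FLOW]
    return inventory, records


if __name__ == "__main__":
    inv, recs = run_sample()
    for r in recs:
        print(r["direction"], r["function"], r.get("start"), r["exception"])
    print(dict(inv.devices["10.0.1.10"]))
```

The "writers" set is the part an asset owner usually wants first: a passive sensor can tell which stations ever write to a controller, and a new entry in that set is a change worth reviewing even when the write itself succeeded.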

IT/Network Protocols

Protocol    | Description               | Device Types             | Analysis Depth
HTTP/HTTPS  | Web services              | HMIs, servers, cameras   | Service discovery, authentication
RDP         | Remote Desktop Protocol   | Windows systems, HMIs    | Version, security configuration
SSH         | Secure Shell              | Linux systems, switches  | Version, key exchange methods
VNC         | Virtual Network Computing | Remote access systems    | Protocol version, security

Device Auto-Classification

Device Type Categories

  • Programmable Logic Controllers (PLCs): Process control, automation logic
  • Human Machine Interfaces (HMIs): Operator interfaces, SCADA clients
  • Input/Output (I/O) Modules: Field device interfaces, signal conversion
  • Network Infrastructure: Switches, routers, wireless access points
  • Safety Systems: Safety PLCs, emergency shutdown systems
  • Industrial PCs: Panel PCs, edge computing devices

Vendor and Model Detection

  • Manufacturer Identification: Siemens, Rockwell, Schneider, Emerson
  • Product Lines: ControlLogix, S7-1500, Modicon M580, DeltaV
  • Firmware Versions: Specific firmware revisions and patch levels
  • Hardware Revisions: Device model numbers and hardware variants

Purdue Level Classification

  • Level 0: Field devices, sensors, actuators
  • Level 1: PLCs, safety systems, controllers
  • Level 2: HMIs, operator stations, data historians
  • Level 3: Plant servers, databases, manufacturing execution systems
  • Level 4: Business systems, ERP, planning systems

Trust Level Management

Trust Level Categories

Level       | Description          | Criteria                                   | Actions
Verified    | Known good devices   | Manual verification, authorized deployment | Full network access
Trusted     | Likely legitimate    | Consistent behavior, expected protocols    | Normal monitoring
Unknown     | Unclassified devices | New discovery, insufficient data           | Enhanced monitoring
Suspicious  | Potential threats    | Unusual behavior, unauthorized protocols   | Security investigation

Trust Level Criteria

  • Behavioral Consistency: Stable communication patterns over time
  • Protocol Compliance: Standard protocol implementations
  • Network Position: Expected network location and connectivity
  • Historical Data: Long-term presence and stable operation

Identity Method Classification

Passive Identification

  • Traffic Analysis: Protocol patterns, timing, data flows
  • Behavioral Profiling: Communication frequency, data volumes
  • Network Topology: Device relationships, communication paths
  • Protocol Fingerprinting: Implementation-specific characteristics

Active Identification

  • SNMP Queries: Device management information base (MIB) data
  • Protocol Probes: Targeted protocol-specific queries
  • Service Discovery: Banner grabbing, service enumeration
  • Configuration Queries: Device-specific information requests

Network Zone and VLAN Tracking

Network Segmentation

  • Production Networks: Manufacturing control systems
  • DMZ Networks: External connectivity, remote access
  • Office Networks: Administrative systems, engineering workstations
  • Safety Networks: Emergency shutdown, safety-critical systems

VLAN Analysis

  • VLAN Membership: Device VLAN assignments and tagging
  • Cross-VLAN Traffic: Inter-VLAN communication patterns
  • VLAN Security: Isolation effectiveness, security boundaries
  • Dynamic VLANs: VLAN assignment changes over time
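An added Python example, not part of Sentry, for the VLAN analysis above: it reads the 802.1Q tag off mirrored trunk frames, records the VLANs each MAC transmits on (a MAC seen on several VLANs is a router or trunk port, or a device that has been reassigned) and the IP pairs seen on more than one VLAN (traffic routed across a segmentation boundary). The frames, MACs and addresses are constructed; the helper that builds them exists only to produce sample input.

```python
"""VLAN membership and cross-VLAN flow tracking from mirrored 802.1Q frames.

Added example, not Sentry's code. Frames arriving on a SPAN session from a
trunk carry their 802.1Q tag, so the VLAN a device lives on can be read off
the frame. The tracker records which VLANs each MAC appears on and which IP
pairs are seen on more than one VLAN. All frames below are constructed.
"""
import socket
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_frame(data):
    """Decode Ethernet II + optional 802.1Q tag + IPv4 addresses; None if too short."""
    if len(data) < 14:
        return None
    dst, src = mac_str(data[0:6]), mac_str(data[6:12])
    ethertype = struct.unpack("!H", data[12:14])[0]
    offset, vlan = 14, None  # vlan None means the frame arrived untagged
    if ethertype == ETHERTYPE_VLAN:
        if len(data) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", data[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN id
        offset = 18
    rec = {"src_mac": src, "dst_mac": dst, "vlan": vlan,
           "ethertype": ethertype, "src_ip": None, "dst_ip": None}
    if ethertype == ETHERTYPE_IPV4 and len(data) >= offset + 20:
        rec["src_ip"] = socket.inet_ntoa(data[offset + 12:offset + 16])
        rec["dst_ip"] = socket.inet_ntoa(data[offset + 16:offset + 20])
    return rec


class VlanTracker:
    def __init__(self):
        self.mac_vlans = defaultdict(set)   # src MAC -> VLANs it has transmitted on
        self.flow_vlans = defaultdict(set)  # frozenset({ip_a, ip_b}) -> VLANs the pair was seen on

    def observe(self, data):
        rec = parse_frame(data)
        if rec is None:
            return None
        self.mac_vlans[rec["src_mac"]].add(rec["vlan"])
        if rec["src_ip"] and rec["dst_ip"]:
            self.flow_vlans[frozenset((rec["src_ip"], rec["dst_ip"]))].add(rec["vlan"])
        return rec

    @staticmethod
    def _sorted(vlans):
        return sorted(vlans, key=lambda v: -1 if v is None else v)

    def multi_vlan_macs(self):
        """MACs seen on several VLANs: routers and trunk ports, or a reassigned device."""
        return {m: self._sorted(v) for m, v in self.mac_vlans.items() if len(v) > 1}

    def cross_vlan_flows(self):
        """IP pairs whose traffic appears on more than one VLAN, i.e. routed across zones."""
        return {f: self._sorted(v) for f, v in self.flow_vlans.items() if len(v) > 1}


def frame(dst_mac, src_mac, vlan, src_ip, dst_ip):
    """Build a constructed tagged frame with a minimal IPv4 header (TCP, TTL 64)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


# Constructed MACs (hypothetical): a PLC, an HMI, the inter-VLAN router, a laptop.
PLC, HMI, ROUTER, LAPTOP = ("00:1c:06:00:00:01", "00:00:bc:00:00:02",
                            "00:00:5e:00:01:01", "aa:bb:cc:00:00:03")

# Constructed capture: PLC (VLAN 10) <-> HMI (VLAN 20) through the router,
# plus a laptop that first appears on VLAN 10 and later on VLAN 30.
SAMPLE_FRAMES = [
    frame(ROUTER, PLC, 10, "10.0.10.5", "10.0.20.7"),
    frame(HMI, ROUTER, 20, "10.0.10.5", "10.0.20.7"),
    frame(ROUTER, HMI, 20, "10.0.20.7", "10.0.10.5"),
    frame(PLC, ROUTER, 10, "10.0.20.7", "10.0.10.5"),
    frame(PLC, LAPTOP, 10, "10.0.10.99", "10.0.10.5"),
    frame(ROUTER, LAPTOP, 30, "10.0.30.99", "10.0.10.5"),
]


def run_sample():
    tracker = VlanTracker()
    records = [tracker.observe(f) for f in SAMPLE_FRAMES]
    return tracker, records


if __name__ == "__main__":
    t, _ = run_sample()
    print("multi-VLAN MACs:", t.multi_vlan_macs())
    print("cross-VLAN flows:", t.cross_vlan_flows())
```

This only works when the SPAN session mirrors a trunk or is configured to keep tags; a SPAN on an access port strips the tag, and every frame then shows up as untagged (vlan None), which is exactly what the "Verify traffic capture" step under Getting Started should catch.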

False Positive Suppression

Automated Filtering

  • Known Good Lists: Whitelisted devices and communications
  • Behavior Baselines: Normal traffic patterns and deviations
  • Protocol Standards: Compliant vs. non-compliant communications
  • Temporal Analysis: Short-term vs. persistent anomalies

Manual Suppression

  • Device Exceptions: Known legacy devices, test systems
  • Protocol Exceptions: Non-standard but authorized implementations
  • Maintenance Windows: Scheduled maintenance activity filtering
  • Custom Rules: Organization-specific suppression criteria

Temporal Tracking

First Seen / Last Seen

  • Discovery Timestamp: When a device was first observed on the network
  • Activity Tracking: Most recent communication timestamp
  • Presence History: Device availability and connectivity patterns
  • Communication Frequency: Regular vs. intermittent device activity

Change Detection

  • Configuration Changes: Firmware updates, setting modifications
  • Behavioral Changes: Communication pattern alterations
  • Network Changes: IP address changes, VLAN reassignments
  • Security Changes: Protocol version updates, security setting changes
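The following Python is an added example, not Sentry's implementation, tying together the temporal tracking and change detection above with the maintenance-window suppression and the trust levels from the Trust Level Management section: each sighting updates first/last seen, IP, VLAN and firmware changes are logged (and marked suppressed when they fall inside a maintenance window), and the trust level is derived from unauthorized protocols, network position, the count of unsuppressed changes and the length of history. The sightings, the MACs and all thresholds are assumed.

```python
"""Device timeline, change detection and trust-level derivation.

Added example, not Sentry's code. Each observation is a constructed record
(timestamp, MAC, IP, VLAN, firmware string, protocols seen). The tracker
keeps first/last seen, logs IP, VLAN and firmware changes, flags changes
inside a maintenance window as suppressed, and derives one of the four trust
levels from the page's criteria; the thresholds below are assumed.
"""
from datetime import datetime, timedelta

TRACKED_ATTRS = ("ip", "vlan", "firmware")
MIN_OBSERVATIONS = 5             # fewer sightings: not enough data, stays Unknown
MIN_HISTORY = timedelta(days=7)  # shorter presence: stays Unknown
MAX_UNSUPPRESSED_CHANGES = 2     # more changes: behaviour is not consistent


class DeviceTracker:
    def __init__(self, expected_vlans, authorized_protocols,
                 verified_macs=(), maintenance_windows=()):
        self.devices = {}
        self.expected_vlans = set(expected_vlans)
        self.authorized_protocols = set(authorized_protocols)
        self.verified_macs = set(verified_macs)               # manually verified, known good
        self.maintenance_windows = list(maintenance_windows)  # (start, end) datetime pairs

    def in_maintenance(self, ts):
        return any(start <= ts < end for start, end in self.maintenance_windows)

    def observe(self, ts, mac, ip, vlan, firmware, protocols):
        """Record one sighting; returns the device record."""
        dev = self.devices.get(mac)
        if dev is None:
            dev = self.devices[mac] = {
                "first_seen": ts, "last_seen": ts, "observations": 0,
                "ip": ip, "vlan": vlan, "firmware": firmware,
                "protocols": set(), "changes": [],
            }
        current = {"ip": ip, "vlan": vlan, "firmware": firmware}
        for attr in TRACKED_ATTRS:
            if dev[attr] != current[attr]:
                dev["changes"].append({"time": ts, "attr": attr, "old": dev[attr],
                                       "new": current[attr],
                                       "suppressed": self.in_maintenance(ts)})
                dev[attr] = current[attr]
        dev["protocols"].update(protocols)
        dev["last_seen"] = max(dev["last_seen"], ts)
        dev["observations"] += 1
        return dev

    def trust_level(self, mac):
        """Evaluate Verified, then Suspicious, then Unknown; anything left is Trusted."""
        dev = self.devices[mac]
        if mac in self.verified_macs:
            return "Verified"
        unauthorized = dev["protocols"] - self.authorized_protocols
        unsuppressed = [c for c in dev["changes"] if not c["suppressed"]]
        if (unauthorized or dev["vlan"] not in self.expected_vlans
                or len(unsuppressed) > MAX_UNSUPPRESSED_CHANGES):
            return "Suspicious"
        if (dev["observations"] < MIN_OBSERVATIONS
                or dev["last_seen"] - dev["first_seen"] < MIN_HISTORY):
            return "Unknown"
        return "Trusted"


# Constructed MACs (hypothetical).
PLC, LAPTOP, NEW_RTU, SWITCH = ("00:1c:06:00:00:01", "aa:bb:cc:00:00:03",
                                "aa:bb:cc:00:00:02", "00:80:f4:00:00:09")


def run_sample():
    """Replay ten constructed days of sightings and return the tracker."""
    t0 = datetime(2024, 3, 1, 8, 0)
    tracker = DeviceTracker(
        expected_vlans={10, 20},
        authorized_protocols={"s7comm", "modbus", "profinet"},
        verified_macs={SWITCH},
        maintenance_windows=[(datetime(2024, 3, 6, 2, 0), datetime(2024, 3, 6, 6, 0))],
    )
    for day in range(10):
        ts = t0 + timedelta(days=day)
        if day == 5:
            ts = datetime(2024, 3, 6, 3, 0)  # sighting inside the maintenance window
        firmware = "V4.2" if day < 5 else "V4.3"  # update applied during maintenance
        tracker.observe(ts, PLC, "10.0.10.5", 10, firmware, {"s7comm"})
        if day < 8:  # laptop speaking RDP, which is not on the authorized list
            tracker.observe(ts, LAPTOP, "10.0.10.77", 10, "1.0", {"s7comm", "rdp"})
    for day in (8, 9):  # a controller that only appeared two days ago
        tracker.observe(t0 + timedelta(days=day), NEW_RTU, "10.0.10.42", 10, "2.1", {"modbus"})
    tracker.observe(t0, SWITCH, "10.0.10.1", 10, "15.2", {"snmp"})
    return tracker


if __name__ == "__main__":
    tr = run_sample()
    for mac, dev in tr.devices.items():
        print(mac, tr.trust_level(mac), dev["first_seen"], dev["last_seen"], len(dev["changes"]))
```

Two details matter for tuning. A suppressed change is still recorded, so the device history stays complete; suppression only stops it from counting toward the Suspicious verdict. And the Verified check runs before every other rule, so a manually verified device is never downgraded automatically; that is deliberate, and it is why verification should be reserved for devices someone has actually checked.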

Integration with Other Modules

Manifest Integration

  • Automatic Population: Discovered devices added to asset inventory
  • Asset Enrichment: Passive discovery data enhances asset records
  • Configuration Tracking: Device configuration changes and updates
  • Lifecycle Management: Device deployment to decommissioning tracking

Lookout Integration

  • CVE Matching: Firmware versions matched against vulnerability databases
  • Security Assessment: Device security posture evaluation
  • Threat Correlation: Suspicious devices correlated with threat intelligence
  • Risk Scoring: Device risk assessment based on discovery data

Helm Integration

  • Canvas Overlay: Discovered devices displayed on network topology
  • Real-Time Updates: Live device status on network maps
  • Connectivity Mapping: Device relationships and communication paths
  • Network Visualization: Dynamic network topology updates

Getting Started with Sentry

  1. Configure Traffic Mirroring

    • Set up SPAN ports on network switches
    • Deploy network TAPs for traffic capture
    • Configure Gateway for passive monitoring
    • Verify traffic capture and analysis
  2. Define Discovery Scope

    • Identify network segments for monitoring
    • Configure VLAN and subnet filters
    • Set protocol analysis preferences
    • Establish baseline activity patterns
  3. Review Discovery Results

    • Analyze automatically discovered devices
    • Verify device classifications and identifications
    • Review trust levels and suspicious devices
    • Correlate with existing asset inventory
  4. Tune False Positive Filters

    • Identify and suppress false positive alerts
    • Configure device and protocol exceptions
    • Establish normal behavior baselines
    • Optimize detection accuracy
  5. Integrate with Asset Management

    • Sync discovered devices with Manifest
    • Enrich asset records with discovery data
    • Update device configurations and attributes
    • Maintain accurate asset inventory
  6. Monitor and Maintain

    • Review ongoing discovery activity
    • Update trust levels based on behavior
    • Investigate suspicious devices and activities
    • Maintain discovery accuracy and effectiveness