Day Three at the S4x26 POC Pavilion: Building Bridges with Cisco Cyber Vision


Day One we installed in under twelve minutes. Day Two we ran 154,000 attack path simulations in 17 minutes and 7 seconds and identified 18 validated paths into the critical Rockwell and Siemens zones. By the end of Day Two, our analysis was complete.

So what do you do on Day Three when your simulations are done?

You build.

Dale's Theme: Connect

One of the recurring themes Dale Peterson has emphasized at S4x26 is "connect": the idea that these products shouldn't operate in silos. They should share data, enrich each other, and give asset owners a more complete picture of their environment. We took that to heart on Day Three.

With our attack path and adversary simulations already wrapped up, we shifted focus to building new integrations with other POC Pavilion participants, specifically Cisco Cyber Vision.

Cisco Cyber Vision Integration

Cisco provided API exports from their POC Pavilion Cyber Vision instance. The volume of data was impressive: 63,928 flow records captured in the last 24 hours, 56 devices, and 193 vulnerabilities across 10 assets. The data spanned TCP, UDP, and ICMP traffic with 129 unique component IDs observed across the network flows. Exactly the kind of visibility data that makes Frenos better.

Our team got to work building the MVP of a Cisco Cyber Vision offline parser. The parser normalizes Cyber Vision's data to our asset model so it can be used alongside the other active POC integrations we already had running with Dragos and Claroty.

The first working version was complete in just under three hours.

From API export to normalized data flowing into our asset model. A brand new integration with a platform we hadn't connected to before, built and operational the same morning.

The results of the normalization process were solid. Of Cisco's 56 assets, 53 matched to our existing asset model by IP address and 2 more matched by MAC address. Only 1 asset went unmatched. 43 of the IP-matched assets contributed new port information, adding 316 new port pairs to our model. Cyber Vision also surfaced 165 unique service-like ports across the environment and 193 vulnerabilities spread across 10 devices.
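As an added example (not Frenos or Cisco code) of the reconciliation described above: match each exported component to the asset model by IP, fall back to MAC, and count the new port pairs the export contributes. The model and export shapes are constructed stand-ins, since the Cyber Vision API fields aren't shown here.

```python
# Added example, not Frenos or Cisco code. Reconcile a visibility-tool
# export against an existing asset model: IP match first, MAC second,
# otherwise unmatched; then merge (protocol, port) pairs and count the new ones.

# Constructed asset model: IP -> known MAC and known (proto, port) pairs.
ASSET_MODEL = {
    "10.1.1.10": {"mac": "00:1d:9c:aa:bb:01", "ports": {("tcp", 44818)}},
    "10.1.1.20": {"mac": "00:0e:8c:aa:bb:02", "ports": {("tcp", 102)}},
    "10.1.1.30": {"mac": "00:50:56:aa:bb:03", "ports": set()},
}

# Constructed export (assumed shape): one record per observed component.
EXPORT = [
    {"id": "c1", "ip": "10.1.1.10", "mac": "00:1D:9C:AA:BB:01",
     "flows": [("tcp", 44818), ("tcp", 2222)]},
    {"id": "c2", "ip": "10.1.1.99", "mac": "00:0e:8c:aa:bb:02",  # IP changed, MAC known
     "flows": [("udp", 161)]},
    {"id": "c3", "ip": "10.1.1.30", "mac": "00:50:56:aa:bb:03",
     "flows": [("tcp", 80)]},
    {"id": "c4", "ip": "10.1.1.77", "mac": "00:aa:bb:cc:dd:04",  # not in the model
     "flows": [("tcp", 502)]},
]


def reconcile(model, export):
    """Return (merged_model, stats). Does not mutate the input model."""
    merged = {ip: {"mac": r["mac"].lower(), "ports": set(r["ports"]), "aliases": set()}
              for ip, r in model.items()}
    by_mac = {r["mac"].lower(): ip for ip, r in model.items() if r.get("mac")}
    stats = {"ip": 0, "mac": 0, "unmatched": [], "new_pairs": 0}
    for comp in export:
        mac = (comp.get("mac") or "").lower()
        if comp.get("ip") in merged:
            key = comp["ip"]
            stats["ip"] += 1
        elif mac in by_mac:
            key = by_mac[mac]
            stats["mac"] += 1
            merged[key]["aliases"].add(comp["ip"])  # the IP the tool saw for this MAC
        else:
            stats["unmatched"].append(comp["id"])
            continue
        new = set(comp.get("flows", [])) - merged[key]["ports"]
        merged[key]["ports"].update(new)
        stats["new_pairs"] += len(new)
    stats["unique_ports"] = len({p for r in merged.values() for p in r["ports"]})
    return merged, stats


if __name__ == "__main__":
    print(reconcile(ASSET_MODEL, EXPORT)[1])
```

A MAC match with a different IP is worth flagging for review rather than silently rewriting the model, which is why the observed IP is kept as an alias.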

Cisco Cyber Vision data integrated into the Frenos platform

Why This Matters

Most organizations don't have just one visibility tool. They have two or three across different sites, different business units, or different stages of deployment. The ability to normalize and reconcile data from multiple sources isn't a nice-to-have. It's a requirement if you want an accurate security posture assessment.

Frenos ingests data from multiple sources, normalizes it into a single unified asset model, and feeds that directly into our attack path simulations. The more data sources, the sharper the picture.

Day Three proved that Frenos can ingest a new data source, build a parser, normalize the data, and integrate it into an active assessment environment in under three hours. Not weeks. Not a product roadmap item. Under three hours, start to finish.

More to come. Stay tuned.

Frenos. Build your resilience.