What unusual behaviors do you trigger

Recognize unusual behavior patterns in the company

The digitization of business processes brings risks for companies, which can be countered, among other things, by identifying unusual behavior patterns in IT structures (anomaly detection). Because the networks of critical infrastructures (KRITIS) grow more complex over time as further IT components are added, attackers have an easy time of it. Malware that can paralyze entire energy systems, for example, is no longer an exception, and the need for strategic cybersecurity is increasing. Ideally, the solutions used do not hinder ongoing processes and report every malfunction reliably and immediately.

Attacks on sensitive IT systems, the power grid and other infrastructures

Targeted attacks on sensitive IT systems, on the power grid and on other infrastructures occur again and again, and the Federal Office for Information Security (BSI) registers a continuous increase in such attacks. This makes it abundantly clear that there is an urgent need for action to reliably protect computer-assisted workplaces and company processes. KRITIS operators use Industrial Control Systems (ICS) to control their technical processes. One such system is SCADA (Supervisory Control and Data Acquisition), with which higher-level control data can be collected. Attackers have detailed knowledge of such systems and their weak points and use it for their own purposes.

Well thought-out security concept incorporates anomaly detection tools

A system for anomaly detection helps against such attacks. Whether a network device suddenly uses a different communication protocol or network traffic unexpectedly takes a new route, a system of this kind detects such events early and alerts the responsible teams. In order to identify an anomaly, i.e. a deviation from the norm or unexpected behavior, as such, the normal state must first be recorded. To do this, the system analyzes the IT architecture and learns in the background.

After completing this “learning phase”, anomaly detection solutions are able to classify the behavior of malware as unusual. Even an attempt to install or manipulate a driver, or to establish unauthorized access to the Internet, for example to reload additional malware components, is recognized as an anomaly. In addition to attack detection, such systems offer another decisive advantage: through monitoring, they allow all participants in network communication to be identified and mapped. This is a great additional benefit for established system landscapes in which many assets are not registered as such.

In addition, the solution automatically prepares log files and raises an alarm in the event of anomalies, which relieves administrators in IT departments and frees their capacity for other tasks. As a supplement to classic security measures, such a system offers significant added value for the IT security landscape and contributes to a markedly higher security level.

Intelligent IT monitoring solution for companies

The security solution SilentDefense from Forescout (formerly SecurityMatters) is such an intelligent monitoring solution and can be used both passively and actively. It observes the behavior of network users and connected systems in order to identify process anomalies, machine status, insecure access and potentially harmful activities. The basis is a detailed inventory of all infrastructure components. SilentDefense is based on patented machine learning functions for monitoring ICS networks, protocols and semantics. The system integrator Telent GmbH, a company of the Euromicron Group, and its subsidiary Koramis, which specializes in cybersecurity, use this solution to meet the increased security requirements. As a specialist in the planning, construction and operation of ICT systems in the KRITIS area, Telent has extensive practical experience. Koramis also has specialized expertise in holistic solutions for everything to do with cybersecurity, automation, process and network control technology.

Recognize anomalies and unusual behavior patterns

The basic requirement for successful monitoring is the recording of the network status and of all devices in the network, as well as the analysis of the communication flows. Sensors at interfaces store information, parameters and values and thus learn behavior patterns, which are recorded on a network map. The solution detects network, operational and security problems as well as threats "out of the box", such as unauthorized access and data flows, manipulation and access attempts from outside, or incorrect configurations of firewalls and network components. In addition, it provides information about insecure protocols, incorrect measurement results, connection problems between devices, software bugs, unstable processes, non-compliance with protocol specifications, anomalies or stoppages of the switchgear, and uncontrolled operation of control switches.
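The learning-phase-then-detect approach described under "Well thought-out security concept incorporates anomaly detection tools" (a device changing protocol, traffic taking a new route, a device opening unauthorized Internet access) and the device inventory and communication-flow baseline described in the paragraph above, as one added example. This is not code from the original article and not SilentDefense's implementation; the flow records, IP addresses, protocol labels and the internal address ranges are constructed for the demonstration, and a real deployment would feed the detector with flows parsed from sensor traffic instead.

```python
"""Baseline-then-detect anomaly detection over network flow records.

Learning phase: record which hosts exist and which (src, dst, protocol)
communication relations are normal. Detection phase: flag any flow that
introduces an unknown device, a new protocol for a known device, a new
communication relation, or an outbound connection to a non-internal address.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed assumption: these ranges are the plant-internal OT network;
# anything outside them counts as "the Internet" for the external-access check.
INTERNAL_NETS = [ip_network("10.10.0.0/16"), ip_network("192.168.100.0/24")]


@dataclass(frozen=True)
class Flow:
    """One communication relation as a passive sensor would record it."""
    src: str
    dst: str
    proto: str   # application protocol identified by the sensor (hypothetical labels)
    dport: int


@dataclass
class Baseline:
    """What the learning phase records: the device inventory and normal relations."""
    hosts: Set[str] = field(default_factory=set)
    protos_by_host: Dict[str, Set[str]] = field(default_factory=dict)
    relations: Set[Tuple[str, str, str]] = field(default_factory=set)

    def learn(self, flows: List[Flow]) -> "Baseline":
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.protos_by_host.setdefault(f.src, set()).add(f.proto)
            self.relations.add((f.src, f.dst, f.proto))
        return self


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(baseline: Baseline, flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) for every flow that deviates from the baseline.

    Checks are ordered from most to least specific so each flow yields one alert.
    """
    alerts: List[Tuple[str, str]] = []
    for f in flows:
        if not is_internal(f.dst):
            # A plant device opening a connection outside the OT network,
            # e.g. to reload further malware components.
            alerts.append(("external_access", f"{f.src} -> {f.dst} {f.proto}/{f.dport}"))
        elif f.src not in baseline.hosts or f.dst not in baseline.hosts:
            # Never seen during learning: an unregistered asset or a rogue host.
            unknown = f.src if f.src not in baseline.hosts else f.dst
            alerts.append(("unknown_device", unknown))
        elif f.proto not in baseline.protos_by_host.get(f.src, set()):
            # A known device suddenly speaking a protocol it never used before.
            alerts.append(("new_protocol", f"{f.src} speaks {f.proto}"))
        elif (f.src, f.dst, f.proto) not in baseline.relations:
            # Known devices and protocol, but traffic is taking a new route.
            alerts.append(("new_relation", f"{f.src} -> {f.dst} via {f.proto}"))
    return alerts


# Constructed sample data: learning-phase traffic of a small HMI/PLC segment.
TRAINING_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "modbus", 502),   # HMI -> PLC A
    Flow("10.10.1.10", "10.10.2.21", "s7comm", 102),   # HMI -> PLC B
    Flow("10.10.1.11", "10.10.2.20", "modbus", 502),   # engineering workstation -> PLC A
]

# Constructed sample data: traffic seen after the learning phase ended.
OBSERVED_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "modbus", 502),   # normal, matches the baseline
    Flow("10.10.1.10", "10.10.2.20", "http", 80),      # HMI switches protocol toward PLC A
    Flow("10.10.1.11", "10.10.2.21", "modbus", 502),   # workstation takes a new route to PLC B
    Flow("10.10.3.99", "10.10.2.20", "modbus", 502),   # unregistered host polls PLC A
    Flow("10.10.2.20", "203.0.113.5", "https", 443),   # PLC A reaches out to the Internet
]


def run_demo() -> List[Tuple[str, str]]:
    baseline = Baseline().learn(TRAINING_FLOWS)
    return detect(baseline, OBSERVED_FLOWS)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"ALERT {kind}: {detail}")
```

The baseline doubles as the asset inventory the article mentions: every host learned during the quiet phase is a registered participant, and anything that shows up later without having been learned is reported as an unknown device. The one caveat a practitioner should keep in mind is that the learning window must itself be clean; whatever traffic the sensor sees during that phase, including an attacker already present, becomes "normal".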

The IT security solution should be easy to integrate and scale

Another advantage of the solution is its compatibility with more than 120 protocols. It also includes an extensive library of industrial threats with over 2,100 ICS-specific checks and provides timely updates on new threats. It can be seamlessly integrated into a company's entire ecosystem, including its solutions for Security Information and Event Management (SIEM). The solution is scalable and can be expanded with additional user-defined monitoring or analysis functions without reinstallation. Finally, evaluation takes place via a web interface: using a configurable dashboard, users are shown real-time and forensic network analyses in a user-friendly manner.

Jakob Schmidt, Coordinator Awareness, Koramis GmbH, and Giuseppe D'Amicis, Head of Marketing and member of the Security Incident Response Team at Telent GmbH.