A Simple Look At An Efficient Enterprise MDR
In general, corporate security policies define the information assets needed to continue corporate activities. Detecting threats to these information assets is the role of a detection and response system. Reducing or avoiding the risk from detected threats is the role of prevention, a big word today in an age of hacking incidents happening left and right around the globe. Firms can respond to threats more easily when they understand the value of the assets being threatened, and the detection and response system is the artery through which a company acts in response to cyber attacks and other IT issues. In addition, the prevention methodology makes it possible to delegate the response to security products from a third-party vendor. This managed detection and response (MDR) technique enables faster response to threats and further reduces the risk of attacks and malware infections from outside over the Internet.
There are two main ways to detect threats: signature and anomaly. The former detects fraud based on predefined patterns and can detect only known threats. The latter detects unusual system behavior and the like, and can respond to unknown threats. Note that regardless of the detection method, there is a risk of false detection or detection failure.
The function that implements detection in the network is called a Network-based Intrusion Detection System (NIDS). A NIDS monitors communications flowing on the network and detects unauthorized communications. By installing a NIDS on your network, you can monitor a wide range of communications across multiple servers and clients. The function that adds prevention to this NIDS is called a Network-based Intrusion Prevention System (NIPS). While a NIDS makes threats on the network visible, a NIPS interrupts the communication of detected attacks to prevent damage.
When selecting a product, you need to decide between a NIDS/NIPS-specific product and a multi-functional product based on processing speed, detection accuracy, and which measures need to be taken. A control device may operate alone, but many are connected by some kind of network and communicate. From a security standpoint, it is natural to take measures to prevent these communications from being tampered with or intercepted. So what is the control system network that is to be protected?
In so-called information system networks, IP-based communication is mainly used, and many of the communication protocols used there are common ones. In a control system network, however, a communication protocol dedicated to the control system is often used. Whether IP-based or not, the communication protocols used in such control system networks have many features, including the following:
- The structure of the protocol is simple, and the purpose of communication can often be understood by looking at specific bytes of communication contents.
- There is often no authentication mechanism or no encryption.
These communication protocols had to be designed simply because the resources of control devices are limited, and as control systems have opened up, the protocols have often been converted to IP with their structure kept almost unchanged. Networks where these protocols are used may therefore be a relatively easy environment for attackers, whether they eavesdrop on communications or try to block them.
From a security point of view, the current control system network is fragile. So what should we do for such a weak control system network? There are three major security measures currently known for communications in control system networks.
- Communication encryption and authentication
- Restrict communication
- Monitor communications
In this classification, it is not necessary to distinguish between IP and non-IP. In practice, however, most generally available solutions are IP-based. For restricting communication, there are firewall products for industrial control systems.
An IDS has a small impact on the target control system because it monitors a copy of the actual communication, taken from a mirror port on a switch that aggregates the control system's communication. This is a great advantage when applying an IDS to control systems, where availability and timeliness are priorities.
Since the IDS can view the contents of communication as part of its managed detection and response functions, it can perform application-based communication control (also known as an access control list) in addition to control by IP address. By using this characteristic, it is possible to detect communication that deviates from a predetermined communication rule. For example, for communication with a PLC, consider having the IDS described above detect specific commands directed at the PLC's main body.
Accepting only the PLC's information read-out commands and not accepting commands that impair availability, such as stop, reset, and program changes, may prevent not only malicious attacks but also operational mistakes of unauthorized users. There is still a lot of room for control system engineers to contribute to the monitoring side of managed detection and response in terms of security, and it could also be a new business opportunity for the company.
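The command allowlisting described above, as an added example that is not part of the original article: a passive check over mirrored traffic that accepts only read-type requests from known hosts and raises an alert on anything else. Modbus/TCP is an assumed example protocol (the article names none), and the host addresses and hex frames are constructed sample data.

```python
import struct

# Assumption: Modbus/TCP stands in for "a control system protocol".
# Function codes treated as information read-out; everything else alerts.
READ_ONLY = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
             0x03: "Read Holding Registers", 0x04: "Read Input Registers"}

def parse_request(frame: bytes):
    """Return (unit_id, function_code) from one Modbus/TCP request frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7]  # the byte at offset 7 reveals the request's purpose

def check(src_ip: str, frame: bytes, allowed_sources: set):
    """Return (verdict, reason) for one mirrored request to the PLC."""
    try:
        unit, fc = parse_request(frame)
    except ValueError as exc:
        return "alert", f"malformed frame: {exc}"
    if src_ip not in allowed_sources:
        return "alert", f"unexpected source {src_ip}"
    if fc not in READ_ONLY:
        return "alert", f"non-read function code 0x{fc:02x} to unit {unit}"
    return "ok", READ_ONLY[fc]

# Constructed sample traffic (documentation address range, not real hosts).
HMI = {"192.0.2.10"}
SAMPLES = [
    ("192.0.2.10", bytes.fromhex("000100000006010300000 00a".replace(" ", ""))),
    ("192.0.2.10", bytes.fromhex("000200000006010600010000")),
    ("192.0.2.99", bytes.fromhex("00030000000601030000000a")),
    ("192.0.2.10", bytes.fromhex("00040000000601030000")),
]

def run_samples():
    """Evaluate every constructed sample against the allowlist."""
    return [check(ip, frame, HMI) for ip, frame in SAMPLES]

if __name__ == "__main__":
    for (ip, frame), (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{ip:<12} {frame.hex():<26} {verdict:<6} {reason}")
```

Because the check only reads a copy of the traffic, it matches the mirror-port deployment described earlier and cannot delay or drop control traffic; blocking the flagged requests would be the job of a NIPS or an industrial firewall.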