
A layered defence: Introducing anomaly detection

Author : Victor Lough, Cyber Security & Advanced Digital Services Business Lead, Schneider Electric

06 October 2020

As technology continues to evolve and become more sophisticated, so too do the attackers. Cybercrime is on the rise, forecast to be responsible for an estimated $6 trillion in damages each year by 2021, up from a staggering $3 trillion only five years earlier.

As a result, most organisations have their own cybersecurity strategies in place, built up over the years as threats have evolved: measures such as keeping systems up to date, restricting access and patching known vulnerabilities promptly.

However, while this approach has so far proven successful in building a largely resilient network, it cannot intercept unknown threats. With both private and state-sponsored attacks on the rise, and a thriving market in zero-day exploits – attacks on previously unknown vulnerabilities for which no patch or defence is yet available – a more proactive method is required.

If an attacker succeeds in penetrating an organisation's network without being detected, the first the company may hear of the breach is when sensitive data has already been leaked or a ransom demand arrives. If the worst happens, the best outcome is an immediate reaction: containing the affected systems and locking down the network before serious damage is done.

But how do you know when you have been breached, and what can you do to stay one step ahead? As cyber-attacks continue to increase, it is vital that organisations understand the impact an attack can have on operations and incorporate anomaly detection into their cyber security strategy.

With anomaly detection in place, an organisation's normal network behaviour is recorded and used as a benchmark against which all future activity is compared, alerting your teams to unexpected behaviour that may signal an incoming attack.

IT and OT: The cybersecurity challenge

While the explosion of the Internet of Things (IoT), with systems and devices permanently connected to the cloud, is offering new and exciting possibilities, it can come with great risks. In particular, having increased connectivity means that a larger attack surface exists, which can ultimately be exploited if the implementation isn’t managed carefully. 

Across organisations, the ownership of computers, networks, internet connectivity and end-user devices falls under the jurisdiction of the IT (Information Technology) department, while OT (Operational Technology) is owned by engineers and facilities managers. In the past, this has meant that cybersecurity challenges have fallen into the hands of IT. However, as IoT has emerged, with technology such as sensors becoming more widespread, IT and OT professionals have started to coordinate with each other to uphold standards throughout their organisations.

As OT typically runs on much older technology, designed in an era when control networks were isolated, it poses a greater risk to an organisation's infrastructure. As these systems gain Ethernet connections and general IT capabilities, operational teams have started building their own networks and linking them to the outside world, often in an insecure way that poses significant risk to the company. If not managed correctly, such systems become an easy target for hackers: retrofitted with connectivity, they were rarely designed with cybersecurity in mind.

When talking about cybersecurity, most people associate it with computers and servers, overlooking plant and equipment in the connected landscape. While a successful attack on IT infrastructure can mean data breaches and serious disruption for a business, for OT the stakes are even higher: it can mean costly downtime, outages or even loss of life. In fact, the article's author reports that 30% of all cyber attacks now target OT. So, what can be done to mitigate this, and how can organisations ensure that their assets remain protected?

The importance of a layered defence 

According to James Scott, Senior Fellow at the Institute for Critical Infrastructure Technology, "There's no silver bullet solution with cybersecurity, a layered defence is the only viable defence". In other words, all layers must work together to maximise security, with redundancy between them so that the failure of one control is caught by another. This is exactly where anomaly detection comes into play.

Anomaly detection is a crucial part of any cyber security strategy: it can alert you to known threats and highlight potentially malicious activity, often giving an organisation its first warning that something is wrong. It works by continually monitoring network activity and comparing it with an established baseline, so that suspicious behaviour can be identified and reported to the organisation in near real time, as soon as the deviation is observed. This could be anything from an external attack or unauthorised remote access to an insecure device being connected to the network.

The first crucial step in implementing anomaly detection is to train the system to recognise what should be considered normal activity. This is done by profiling the network, discovering every asset on it and then generating a high-fidelity baseline model of what the monitored traffic looks like under controlled conditions. The system can then move into production mode and compare all future activity against this baseline. The baseline should be captured while the plant is in a known-good state and refreshed after planned changes; otherwise legitimate new equipment or a reconfigured process will be reported as anomalous, and persistent alert noise is the quickest way to get a detection tool ignored.
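The profile, baseline and production steps above, together with the earlier examples of what an alert might flag (an unknown device joining the network, unauthorised remote access, a connection to the outside world), can be shown in a few dozen lines. The following is an added example written for this article, not code from the author or from any Schneider Electric product: it learns an asset inventory, a set of conversations and per-conversation byte-volume statistics from constructed "profiling phase" flow records, then scores constructed "production" flows against that baseline. The IP addresses, ports, byte counts, the monitored subnet and the three-standard-deviation threshold are all assumptions made for the example.

```python
# Added example: baseline-then-detect over constructed flow records.
# All addresses, ports, byte counts and thresholds are assumptions for illustration.
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the plant cell network under observation. Any destination outside
# it is treated as "external" (e.g. the internet or the corporate IT network).
MONITORED_NETS = [ipaddress.ip_network("10.1.0.0/24")]

# Assumption: a volume more than three standard deviations from the learned
# mean for that conversation is treated as anomalous.
Z_THRESHOLD = 3.0

# Constructed sample "profiling phase" traffic captured under controlled conditions.
# Tuple fields: (src_ip, dst_ip, dst_port, protocol, bytes)
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", 502, "tcp", 1200),  # HMI polling PLC A (Modbus/TCP)
    ("10.1.0.10", "10.1.0.20", 502, "tcp", 1150),
    ("10.1.0.10", "10.1.0.20", 502, "tcp", 1180),
    ("10.1.0.10", "10.1.0.21", 502, "tcp", 1300),  # HMI polling PLC B
    ("10.1.0.10", "10.1.0.21", 502, "tcp", 1250),
    ("10.1.0.30", "10.1.0.10", 443, "tcp", 5000),  # engineering workstation -> HMI web UI
    ("10.1.0.30", "10.1.0.10", 443, "tcp", 5200),
    ("10.1.0.30", "10.1.0.10", 443, "tcp", 4800),
]

# Constructed sample "production" traffic containing four deviations from the baseline.
PRODUCTION_FLOWS = [
    ("10.1.0.10", "10.1.0.20", 502, "tcp", 1210),     # within baseline: no alert
    ("10.1.0.99", "10.1.0.20", 502, "tcp", 900),      # host never seen during profiling
    ("10.1.0.30", "10.1.0.20", 22, "tcp", 3000),      # known hosts, new conversation (SSH to a PLC)
    ("10.1.0.20", "203.0.113.5", 443, "tcp", 2500),   # PLC initiating a connection outside the cell
    ("10.1.0.10", "10.1.0.20", 502, "tcp", 120000),   # known conversation, ~100x the normal volume
]


def build_baseline(flows):
    """Profiling phase: learn the asset inventory, the set of conversations and
    per-conversation volume statistics (mean, population std dev)."""
    assets = set()
    volumes = defaultdict(list)
    for src, dst, port, proto, nbytes in flows:
        assets.update((src, dst))
        volumes[(src, dst, port, proto)].append(nbytes)
    stats = {conv: (mean(v), pstdev(v)) for conv, v in volumes.items()}
    return {"assets": assets, "conversations": stats}


def is_external(ip):
    """True when the address lies outside every monitored subnet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MONITORED_NETS)


def detect(baseline, flows):
    """Production phase: compare each flow with the baseline and return alerts.
    Checks run from the most specific reason to the least specific."""
    alerts = []
    for flow in flows:
        src, dst, port, proto, nbytes = flow
        conv = (src, dst, port, proto)
        if dst not in baseline["assets"] and is_external(dst):
            alerts.append({"reason": "external_connection", "flow": flow})
        elif src not in baseline["assets"] or dst not in baseline["assets"]:
            alerts.append({"reason": "new_asset", "flow": flow})
        elif conv not in baseline["conversations"]:
            alerts.append({"reason": "new_conversation", "flow": flow})
        else:
            avg, sd = baseline["conversations"][conv]
            if sd > 0:
                z = abs(nbytes - avg) / sd
            else:  # constant-volume conversation: any change is a deviation
                z = 0.0 if nbytes == avg else float("inf")
            if z > Z_THRESHOLD:
                alerts.append({"reason": "volume_anomaly", "flow": flow,
                               "z_score": round(z, 1)})
    return alerts


if __name__ == "__main__":
    model = build_baseline(BASELINE_FLOWS)
    for alert in detect(model, PRODUCTION_FLOWS):
        print(alert)
```

Run stand-alone, the script prints one alert for each of the last four production flows and nothing for the first. The design point worth noting is the order of the checks: a flow is only compared against volume statistics once it is confirmed to involve known assets and a known conversation, so a completely new host can never be masked as a merely "unusual volume", and the baseline itself produces no alerts when replayed against the model, which is the sanity check to run before moving a real deployment into production mode.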

With cyber criminals operating 24 hours a day, anomaly detection runs around the clock, even when teams have gone home, and it does so non-invasively: it typically monitors a passive copy of the traffic in the background, without sending anything to the control devices themselves, looking for unusual activity that could indicate a security breach. Feeding up-to-date industrial threat intelligence into the solution also makes it easier to detect known threats and identify vulnerabilities in your organisation's environment.

Strengthen your security posture 

It's easy to have the mindset that a cyber-attack will never happen to you, but the threat posed by cyber-attacks is only set to increase as we become more connected. Failing to take the risks seriously will only increase your chances of becoming a victim. By adopting threat insights such as anomaly detection you will be able to strengthen your organisation's overall security posture, identify assets at risk of attack, receive immediate alerts and warnings about suspicious activity in your environment, and draw on an integrated knowledge base that includes threat definitions and recommendations for remediation. The benefits are truly second to none.

