Note: To learn more about anomaly and breach detection, watch the author’s presentation in the recorded webinar sponsored by Indegy on November 14, 2017.
As discussed in a recent ARC Market Analysis Report, anomaly and breach detection is one of the hottest markets in industrial cybersecurity. But, as is true for many hot markets, there is a lot of confusion about what these solutions really do and how this can help end users.
In simple terms, industrial anomaly and breach detection solutions continuously monitor the health and integrity of critical control systems. The goal is to provide early warning of problems, whether they are cyber attacks or other system issues, and give responders a chance to minimize the impact.
Solutions in this market vary in what they monitor, how they do it, and the kinds of early warning information they provide. To understand the differences between solutions ARC recommends that users evaluate capabilities from two separate perspectives: endpoint breach detection, which is the monitoring of individual endpoint device integrity; and, anomalous network message detection, which is the monitoring of overall control system integrity. Each of these perspectives can be further analyzed according to the methodology used for monitoring and evaluation.
Endpoint Breach Detection
Endpoint breach detection addresses the risk that a cyber attack avoids detection by endpoint protection defenses, like anti-malware software and application whitelisting. Endpoint breach detection may also be applicable for devices, like PLCs and network appliances, that have no endpoint protection software. In either case, periodic monitoring of configuration, software, and firmware is used to identify any unexpected changes in the endpoint device. Alerts are generated as needed to advise security and/or operating personnel of the change so that they can determine if more action is required.
Endpoint Breach Detection Solutions
Endpoint breach detection can be further classified according to the locus of the monitoring software. Agent-based approaches use software within the endpoint device to detect unexpected changes. Benefits of this approach include no impact on network bandwidth and the possibility of detecting additional information (e.g. illegal file access attempts, etc.). The major drawback is that use of this approach is generally limited to PC-based systems with powerful processors and recent releases of Windows, Unix, or Linux. This can leave a large portion of industrial cyber assets, like PLCs and legacy products with older processors and operating systems, at risk.
Agent-less endpoint breach detection utilizes a separate, passive server within the control system. It periodically collects relevant information from all connected devices in a way that minimizes any effect on network bandwidth. Depending on the type of device, collected information may include anything from configuration settings through complete memory dumps. Changes are detected through comparisons with the last validated version. Automatic backups is a natural extension of this approach. The primary benefit of non-agent based approaches is the ability to support a broad-range of devices. While suppliers of products using this approach argue that the impact on real-time, deterministic network performance is negligible, this is something that users should investigate.
The benefits of these two approaches are different and complementary. So, end users can benefit from hybrid approaches that incorporate agent and non-agent technologies.
Anomalous Network Message Detection
Anomalous network message detection monitors network traffic within a control system for illegal or unusual messages and traffic patterns. Industrial solutions using this approach have deep packet inspection and parsing capabilities that understand common industrial protocols.
Anomalous network message detection solutions connect passively to networks, often using firewall spanning or mirroring ports. The benefit of this is that there is no effect on the flow of messages or network bandwidth. But, this also means that there is now way to block messages that are deemed abnormal. While some may consider this a weakness, most industrial users see this as benefit, as they generally want to avoid any possibility that a valid message might be blocked.
Anomalous Message Detection Solutions
Network message anomaly detection approaches vary according to how they establish profiles for situations that are legal and normal. Policy-based detection relies upon users defining legal operations and normal traffic patterns. This includes valid connections, protocols, and commands, including in some cases limits on registers, and data. Behavior-based detection includes capabilities to automatically “learn” what is normal. Data collected during a system training period is analyzed using a variety of statistical classification and machine learning techniques. In some case, learning is also enabled during normal operation to automatically adapt to valid system changes.
While there are significant differences between policy-based and behavior-based anomalous message detection, the boundary is not rigid. Policy-based solutions may include monitoring features that record messages and help users identify what is and is not normal. Likewise, behavior-based solutions generally provide a means for users to manually adjust learned profiles.