Detect anomalous behaviour patterns in the network: Why anomaly early detection is crucial for your IT security
by Svenja Koch
Every company's nightmare is a successful cyber attack: data is encrypted and systems are blocked. IT security has the task of preventing precisely this worst-case scenario. A modern and comprehensive cyber defence is based on a variety of strategies and defence techniques. One of the most crucial today is anomaly detection. This article looks at why this technique is so effective in the fight against cyber attacks and why an IT security early warning system is part of any sensible IT security strategy.
What is anomaly detection?
Anomaly detection is a methodology that identifies unusual activity on the network. An anomaly is defined as an operation that deviates from the norm and is unexpected. Such activities indicate unauthorised access, which is related to cyberattacks, for example. Because of this property, anomaly detection has the potential to detect cyberattacks at an early stage.
In its report on monitoring and anomaly detection, the Alliance for Cyber Security listed a number of examples of unusual activity on networks. For example, anomalous events include the connection of a new device to the network or traffic from an unknown IP address that is outside one's network. Other events that require analysis include traffic over an unusual protocol or sudden high bandwidth usage.
What role does network monitoring play in anomaly detection?
Network monitoring is one of the key techniques used to detect anomalies. Monitoring involves recording all activities within a network. This includes information about data connections, network utilisation and active communication protocols. Monitoring collects this information centrally and makes it available for analysis. In doing so, it covers the entire company network: wired and wireless networks as well as network segments in the cloud.
These systems provide the information necessary to detect unusual activities in real time. In some cases, these monitoring programmes are capable of issuing alerts on unusual incidents. However, a manual check is still necessary to analyse whether a cyberattack or other threatening action is behind a process. Based on this analysis, IT security then initiates concrete measures, such as deactivating accounts or blocking IPs from which illegal access originates.
What is the importance of anomaly detection in ICS networks?
In its report, the Alliance for Cyber Security explicitly addresses the so-called Industrial Control Systems (ICS) and security in these networks. These are industrial control and regulation systems. This technology often operates outside of IT standards with proprietary protocols. However, in the course of digitalisation and IoT, ICS have often been integrated into IT networks to allow easy access to control or sensor data.
The Alliance for Cyber Security points out that modern production networks are particularly vulnerable due to these features. ICS themselves have little or no defence mechanisms against cyber attacks. Accordingly, it is difficult to detect illegal access directly at the control and regulation systems. For this reason, special methods are needed to ensure security. This is all the more important because such industrial control and regulation systems are used in critical infrastructure, for example in power generation.
Network monitoring plays a central role here, according to the Alliance for Cyber Security. An IT security early warning system based on anomaly detection makes it possible to identify unauthorised access to these systems and prevent it as quickly as possible. These cyberattacks on IC systems usually take place via regular IT technology and the connected networks. The monitoring of network activities makes it possible to detect and log accesses.
Which activities does an IT security early warning system recognise as an anomaly?
There are a number of actions that such an IT security early warning system identifies. Basically, these are all activities that deviate from the norm. Modern network monitoring tools may also use artificial intelligence (AI). This evaluates the processes and decides whether a certain activity is suspicious or not. Such anomalies include access at unusual times or conspicuous events such as a port or address scan. In ICS networks, these are also deviations from the regular protocol or unusual sensor data.
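As an added example that is not code from this article or from secion's Active Cyber Defense, the following Python script applies the anomaly rules named above (new device, traffic to an unknown external address, unusual protocol, sudden high bandwidth, access at unusual times, port scan) to a handful of constructed flow records. The baseline (known MAC addresses, internal network range, expected protocols, typical bytes per minute, business hours) and all addresses and thresholds are constructed assumptions; a real deployment would learn the baseline from weeks of monitoring data.

```python
"""Rule-based anomaly detection over flow records (constructed sample data).

Each detector mirrors one of the anomaly types listed in the article; the
baseline values below are assumptions for the example, not real measurements.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# --- Baseline (constructed) ---
INTERNAL_NET = ip_network("10.0.0.0/8")
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}
# An external address the company legitimately talks to (TEST-NET-3, constructed)
KNOWN_EXTERNAL = {ip_address("203.0.113.10")}
EXPECTED_PROTOS = {"tcp", "udp", "icmp"}
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local time
SCAN_PORT_THRESHOLD = 10                 # distinct ports from one source to one host per minute
# Typical bytes per minute per host from past monitoring (constructed)
BASELINE_BYTES = {
    "10.0.1.10": [120_000, 140_000, 110_000, 135_000, 125_000, 130_000],
    "10.0.1.11": [80_000, 90_000, 85_000, 95_000, 88_000, 82_000],
}

# --- Flow records (constructed): (timestamp, src_mac, src_ip, dst_ip, dst_port, proto, bytes) ---
FLOWS = [
    ("2021-06-01T09:00:00", "aa:bb:cc:00:00:01", "10.0.1.10", "10.0.2.5", 443, "tcp", 30_000),
    ("2021-06-01T09:00:10", "aa:bb:cc:00:00:01", "10.0.1.10", "203.0.113.10", 443, "tcp", 40_000),
    # new device: MAC address not in the inventory
    ("2021-06-01T09:01:00", "aa:bb:cc:ff:ff:ff", "10.0.1.50", "10.0.2.5", 445, "tcp", 2_000),
    # traffic to an unknown external address (TEST-NET-2, constructed)
    ("2021-06-01T09:02:00", "aa:bb:cc:00:00:02", "10.0.1.11", "198.51.100.7", 8080, "tcp", 5_000),
    # unusual protocol for this network
    ("2021-06-01T09:03:00", "aa:bb:cc:00:00:02", "10.0.1.11", "10.0.2.5", 0, "gre", 1_000),
    # bandwidth spike: ~1 MB in one minute against a ~125 kB baseline
    ("2021-06-01T09:05:00", "aa:bb:cc:00:00:01", "10.0.1.10", "10.0.2.9", 22, "tcp", 1_000_000),
    # access at an unusual time of day
    ("2021-06-01T02:30:00", "aa:bb:cc:00:00:03", "10.0.1.12", "10.0.2.5", 3389, "tcp", 4_000),
]
# port scan: one source touches 12 distinct ports on one host within a minute
FLOWS += [
    ("2021-06-01T09:10:%02d" % i, "aa:bb:cc:00:00:03", "10.0.1.12", "10.0.2.20", 20 + i, "tcp", 60)
    for i in range(12)
]


def detect_anomalies(flows):
    """Return a list of (rule, source_ip, detail) alerts for the given flows."""
    alerts = []
    bytes_per_min = defaultdict(int)     # (src_ip, minute) -> bytes
    ports_per_min = defaultdict(set)     # (src_ip, dst_ip, minute) -> destination ports

    for ts, mac, src, dst, port, proto, nbytes in flows:
        when = datetime.fromisoformat(ts)
        minute = when.strftime("%Y-%m-%dT%H:%M")

        # Per-flow rules
        if mac not in KNOWN_MACS:
            alerts.append(("new_device", src, f"unknown MAC {mac}"))
        dst_addr = ip_address(dst)
        if dst_addr not in INTERNAL_NET and dst_addr not in KNOWN_EXTERNAL:
            alerts.append(("unknown_external_ip", src, f"traffic to {dst}"))
        if proto not in EXPECTED_PROTOS:
            alerts.append(("unusual_protocol", src, f"protocol {proto} to {dst}"))
        if when.hour not in BUSINESS_HOURS:
            alerts.append(("unusual_time", src, f"access to {dst}:{port} at {when.time()}"))

        # Aggregates for the per-minute rules
        bytes_per_min[(src, minute)] += nbytes
        ports_per_min[(src, dst, minute)].add(port)

    # Bandwidth: flag a minute more than three standard deviations above the host's baseline.
    # Hosts without a baseline are not evaluated by this rule.
    for (src, minute), total in bytes_per_min.items():
        history = BASELINE_BYTES.get(src)
        if history:
            limit = mean(history) + 3 * pstdev(history)
            if total > limit:
                alerts.append(("bandwidth_spike", src, f"{total} B in {minute}, limit {limit:.0f} B"))

    # Port scan: many distinct destination ports on one host from one source in one minute
    for (src, dst, minute), ports in ports_per_min.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port_scan", src, f"{len(ports)} ports on {dst} in {minute}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect_anomalies(FLOWS):
        print(f"[{rule}] {src}: {detail}")
```

Each alert still needs the manual check the article describes: the script only separates "deviates from the baseline" from "normal"; whether the new device is an attacker's laptop or a colleague's new printer is a decision for the analyst.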
Which solutions are suitable for network monitoring and anomaly detection?
The implementation of the two concepts requires two components: on the one hand the technical solution, on the other hand the resources to operate it. Only if both are in place are fast reactions possible. Network monitoring and anomaly detection miss their point if no quick action is guaranteed. In practice, a Security Operations Centre (SOC) is often used for implementation. The SOC is a dedicated department of IT security. It monitors the activities in the network as well as the incoming messages and warnings around the clock, 365 days a year. Establishing a SOC involves a correspondingly high level of effort. For small and medium-sized enterprises, it is usually unthinkable to set up such a SOC and to assign several people to running an IT security early warning system.
The technical aspect can be implemented with software. There are many programmes for network monitoring. These programmes analyse the processes in the network in real time and provide corresponding reports. However, personnel are required for the analysis. The software alone does not provide any security; it only provides clear information about the activities in the network. An IT security expert monitors and analyses these reports and acts immediately if there are suspicious activities. If the incoming messages are not fully checked in real time, the IT security early warning system is not effective: hackers then have enough time to infiltrate the network undisturbed and launch the cyber attack.
To prevent this and to be independent of one's own resources, a managed security service such as Active Cyber Defense from secion is a good choice. The service automatically and continuously monitors all network activities. Companies that use the Active Cyber Defense Service as an IT security solution are not responsible for setting up or monitoring network activities; these tasks are taken over by secion as a service provider. During operation, the Active Cyber Defense Service records all activities within the network and evaluates data traffic, access to the network and other factors by which anomalous activities in networks can be recognised. Thus, the Active Cyber Defense Service is also suitable for controlling access to ICS networks. In the event of conspicuous activity in the network, the Active Cyber Defense Service immediately sends an alert to secion's own SOC team, which analyses the incident and takes action if necessary. This ensures a reaction in real time. The Active Cyber Defense Service from secion thus acts as an effective IT security early warning system and ensures active protection against cyber threats.
Two points show how acute the need for such active defence against cyber threats is: Firstly, the increasingly frequent devastating cyber attacks are proof that many networks still have glaring weaknesses. Increasingly, CRITIS operators and public institutions are also affected. Especially the dangerous attacks with ransomware make headlines in the news, as recently with the hack of the Colonial Pipeline in the USA or also the attack on the IT administration of the Anhalt-Bitterfeld district.
On the other hand, the changes in the law also show that there is an urgent need for action. The German government has now passed the IT Security Act 2.0. This is particularly dedicated to the defence against cyber threats in the area of critical infrastructure (CRITIS). Since mid-May 2021, certain companies have been required to implement systems for active attack detection. This primarily affects CRITIS operators such as organisations from the energy, transport, traffic or food sectors. The law stipulates that systems must be in place that are capable of continuously and automatically recording parameters and characteristics during operation. Real-time evaluation must also be guaranteed. These legal requirements are also a wake-up call for companies from other sectors. Without an efficient IT security early warning system, organisations are often defenceless against targeted and sophisticated Advanced Persistent Threats (APT). This opens the way for the particularly dangerous ransomware attacks. With comparatively small financial and organisational resources, however, it is already possible today to protect oneself effectively against such APTs. The Active Cyber Defense Service from secion should be mentioned as an IT security solution.
In the foreseeable future, it can be assumed that legal requirements will make methods for active defence against cyber attacks mandatory for other companies, or at least recommend them. Apart from that, it is in every company's own interest to implement an IT security strategy that protects its own network as best as possible against all potential threats. Such a strategy also includes an IT security early warning system with network monitoring and anomaly detection.
The constantly growing number of cyber attacks makes it clear that an IT security early warning system for the defence against cyber threats is becoming increasingly important. Such a system can be implemented with the help of network monitoring and anomaly detection. However, the basis for an efficient implementation is a complete control and analysis of the data. Ensuring this from one's own resources is costly and time-consuming. Therefore, it is challenging for most small and medium-sized enterprises to implement these functions with their own resources.
Outsourcing anomaly detection to an IT security service provider makes sense for this reason. Secion's Managed IT Security Service ACD provides the appropriate functions for proactive network monitoring, enabling a rapid response to unusual activity. In this way, companies build up an effective IT security early warning system without having to operate their own SOC. Especially for CRITIS and companies with ICS networks, such solutions will be necessary in the future to ensure IT security.