Overview of building enterprise security detection and response system

Basically, security policies of enterprises are often built through the specific identification of the types of data assets, information needed or play an important role in ensuring the stable performance of apparatus. In it, the task of detecting possible threats to this type of information asset is the role of the detection and response system.

In addition, minimizing or preventing risks from detected threats also plays an important role in preventing security risks in general - a broad, almost inclusive term. set of concepts related to enterprise security in an era when enterprise-class cyberattacks are happening unpredictably on a global scale today.

Overview of building enterprise security detection and response system Picture 1

1. The cybersecurity tools that every business should know

In general, businesses can easily respond to threats by understanding the value of the types of assets that will be threatened by malicious attacks. At this time, the detection and feedback system acts as a 'aortic' system, providing a 'vital' resource so that the company can easily implement appropriate actions to deal with the events. Network attacks as well as other information technology problems occur internally.

In addition, this security risk prevention method also allows trust feedback for security products from third party providers. (Managed detection and response management and response - This MDR) allows businesses to react faster to threats, further reducing the risk of attack and malware infection from the internet environment.

1. Top 5 trends in endpoint security

There are 2 main methods for detecting security threats: Based on signature and anomaly (anomaly), in which:

1. Identifying specific signs is to detect fraud based on screening methods and compare with predefined samples. This method gives extremely high accuracy but the downside is that only threats that have ever been recorded can be detected.
2. Identify the abnormality is to identify and record all unusual behavior that appears on the system. The advantage of this approach is that it can effectively respond to threats that have never been known.

However, it should be noted that no matter which method you use, the risk of false detection is still yes and almost inevitable, even if it is only at a low rate.

The function that enables the identification of processes in an enterprise network is called the Network-based Intrusion Detection System (NIDS). Basically, the NIDS task is to monitor communications within the corporate intranet and detect any unauthorized communication. By installing NIDS on your network, you can monitor a wide range of communication situations on different servers and clients at the same time.

Overview of building enterprise security detection and response system Picture 2

1. The 5 most notable cyber security conferences in the world take place throughout the year

There is also another feature that allows the deployment of precautions outside of NIDS 'control, called Network-based Intrusion Prevention System (NIPS). While the NIDS helps sketch the overall picture of the threats that exist on the network, NIPS is responsible for disrupting the communication process of the detected attacks, and doing everything to prevent damage that these attacks can cause.

When building an identification process in an enterprise network, you must specify between choosing a product specifically for NIDS / NIPS or multi-function product based on processing speed, accuracy in receiving aspects, and measures that need to be taken.

You need to make the right decision, because a control device can operate independently, but there are many devices that are connected by a type of network and communicate. From a security standpoint, taking measures to limit the amount of communication that is interfered with or blocked is an idea to consider. So what is the network of protected control systems?

1. Authentication tool on many enterprise VPN applications that are bypassed by hackers

In the so-called information system network (information system network), IP-based communication (IP-based communication) will be the predominantly used form, along with some used communication protocols. Other common uses. The communication protocol used in such a control system network possesses many features, whether IP-based or not, as follows:

1. The structure of the protocol is very simple, and the purpose of communication can often be understood by considering the specific bytes of the communication content.
2. There is usually no authentication or encryption mechanism available.

These communication protocols cannot be designed simply from the point of view of controlling device resources, which are often converted into IP while maintaining their structure almost simultaneously with the open line. . Therefore, networks where these communication protocols are used can become a relatively convenient environment for attackers.

From a security perspective, it can be affirmed that the current control system network is very fragile. So what should we do with the network in such a weak control system? There are three main security measures for data and communications in the network of control systems that are currently known, including:

1. Encrypt and authenticate communication
2. Limit communication
3. Communication monitoring (communication)

For such classification, it is not necessary to distinguish clearly between IP and non-IP. However, in practice, most IP-based solutions are usually available. Regarding the limit of communication, there is a product called firewall for industrial scale control system.

The industrial control system (ICS) has a very small impact on the target control system because it uses a method of monitoring the copy of the actual communication using a port called Communication mirror port incorporates switching of control system. This can be considered a great advantage when applying IDS to control control systems.

Overview of building enterprise security detection and response system Picture 3

1. Endpoint Detection and Response threats, an emerging security technology

IDS can view the communication content, which is part of the detection and feedback function, so it can perform application-based communication control (also called Access Control List - Access Control), next to the IP address. By using this feature, it is easy to detect a deviated communication from a predefined communication rule.

For example, when executing communication with the PLC (Programmable Logic Controller), consider that the main content of the PLC has the function of detecting whether a specific instruction is executed in the IDS above.

Accepting only commands from the PLC information system and not accepting commands that reduce usability, such as stopping, resetting and changing programs . can help prevent not only malicious attacks harm, but also illegal use. There is still a lot of work that control system engineers need to do to build a closely monitored process of monitoring and feedback systems, and this can also open up an opportunity. New business for the company.