Why your cybersecurity strategy shouldn’t depend (only) on a probe
12 08 2019
Since the ANSSI qualified two detection probes in April 2019, people in the cybersecurity world have talked of little else. Could they be the silver bullet of network protection? This does not seem to be the case. Here's why.
Over the last few months, much has been made of security probes as the latest front in the fight against cyberthreats, especially in the industrial sector. This past April, the ANSSI qualified some “Made in France” probes from Thales and its rival Gatewatcher, intensifying the hostility within the cybersecurity market. On an international level, well-positioned start-ups are on the rise, including Sentryo, a French gem that was recently approached by Cisco. At the same time, there have been several big fund-raisers, notably for the Swiss-Italian company Nozomi and its Israeli competitor, Claroty.
However, the qualification of these first probes did not happen instantaneously. It took the ANSSI four years to quality the first sovereign probes, starting when this term first appeared in the 2015 Military Planning Act (Loi de programmation militaire, or LPM). Primarily intended for Operators of Vital Importance (OVI) – as well as Operators of Essential Services (OES), and based on the November 2018 European Network and Information System Security (NIS) directive –, these probes were tested for two qualities: robustness and the ability to guarantee confidentiality.
But not everything that's called a “probe” has the same uses.
What is a probe?
“It's a bit of a catch-all term that's used in many different ways,” warns Stormshield Offers Manager Robert Wakim, before adding: “In terms of cybersecurity, we need to talk about network monitoring probes. These are passive tools that monitor network traffic and report information or raise alerts based on where they are installed”.
This equipment should be able to detect the weak signals created by a cyberattack. Unlike an anti-virus program or a firewall, these probes let all data pass by them unrestricted.
For it to work, the network monitoring probe needs to be installed transparently, using port mirroring with a listening port, rather than restricting data flows. This means creating supplementary networks: each data flow is duplicated and sent to the probe. If there is an attack on the original network, the probe will identify and report it in the anomaly log.
Probes cannot contain or quarantine infected machinesRobert Wakim, Stormshield Offers Manager
If a network probe detects an anomaly, one of two things will happen.
- If your company has an SOC (Security Operations Center). Alerted by the probe (after it has taken the time to calculate the probability that infection has taken place), the SOC will take charge of the situation and halt the attack as quickly as possible.
- If you don't have an SOC The good news? The probe has informed you that your network has been attacked. The bad news? If the aim of the attack was to destroy your infrastructure, it's already too late.
“Ticks are a good metaphor for talking about how network monitoring probes work. When a tick bites you, you may receive that information from several sources – either your fingers finding a little bump that wasn't there before, your skin beginning to itch, or you may spot it with your eyes. However, none of these alerts can prevent diseases from entering your blood. It's exactly the same thing with a probe. They cannot contain or quarantine infected machines,” insists Robert Wakim.
Detection vs. Protection
Probes have also received good press, especially in the industrial sector, because they can be installed easily into a listening port. Even as recently as a few years ago, many industrial networks went unprotected because they were isolated from the outside world and its threats. With the rise of Industry 4.0, however, IT-OT Convergence has led to industrial networks being connected with the outside world. Now facing cyber-threats, they needed to install appropriate security measures.
If an attack on the network is detected, it may shut down production entirely, leading to serious economic consequences. The risk with security equipment that restricts data flows is that it may have a negative impact on production, not because of a cyberattack, but because an anomaly or “false positive” is found, i.e. a network behaviour that is falsely believed to be part of a cyberattack.
“Probes are reassuring for industrial clients because they only detect, there's not risk of shutting down production,” shares Julien Paffumi, Stormshield Product Management Leader. “In an ideal world, you would have a data-blocking firewall with an integrated IPS to block detected cyberattacks with certainty and a parallel network probe to identify and signal suspected threats.”
The need for a qualified firewall
With the LPM in France, and the European NIS directive, OVIs in France have a regulatory obligation, and OESs in Europe are strongly recommended to implement qualified probe solutions. However, the ideal toolkit for companies and municipalities also includes qualified firewalls alongside these probes. Alongside detection, which is a probe's primary purpose, they also offer concrete protection for networks by blocking cyberattacks.
But how can such equipment be installed using a data-blocking connection? Some, like our SNi40 firewall, can operate in IPS/IDS mode: if there is a significant failure, they let data flows pass (fail-safe). Finally, “there's always a solution to counterbalance the inconvenient aspects of data-blocking equipment” highlights Julien Paffumi, “for example, there are High Availability boxes that are synced and that establish backup connections if there is a problem”.