Why your cybersecurity strategy shouldn’t depend (only) on a probe
12 08 2019
Since the ANSSI qualified two detection probes last April, people in the cybersecurity world have talked of little else. Could they be the silver bullet of network protection? This does not seem to be the case. Here's why.
Over the last few months, much has been made of security probes as the latest front in the fight against cyberthreats, especially in the industrial sector. This past April, the ANSSI qualified some “Made in France” probes from Thales and its rival Gatewatcher, intensifying the hostility within the cybersecurity market. On an international level, well-positioned start-ups are on the rise, including Sentryo, a French gem that was recently approached by Cisco. At the same time, there have been several big fund-raisers, notably for the Swiss-Italian company Nozomi and its Israeli competitor, Claroty.
However, the qualification of these first probes did not happen overnight. It took the ANSSI four years to qualify the first sovereign probes, starting when this term first appeared in the 2015 Military Planning Act (Loi de programmation militaire, or LPM). Primarily intended for Operators of Vital Importance (OVI), and also for Operators of Essential Services (OES) under the November 2018 European Network and Information System Security (NIS) directive, these probes were tested for two qualities: robustness and the ability to guarantee confidentiality.
But not everything that's called a “probe” has the same uses.
What is a probe?
“It's a bit of a catch-all term that's used in many different ways,” warns Stormshield Offers Manager Robert Wakim, before adding: “In terms of cybersecurity, we need to talk about network monitoring probes. These are passive tools that monitor network traffic and report information or raise alerts based on where they are installed”.
This equipment should be able to detect the weak signals created by a cyberattack. Unlike an anti-virus program or a firewall, these probes let all data pass by them unrestricted.
For this to work, the network monitoring probe is installed transparently on a listening port fed by port mirroring, rather than inline where it would restrict data flows. This amounts to building a supplementary network: each data flow is duplicated and the copy sent to the probe. If there is an attack on the original network, the probe identifies it and reports it in the anomaly log.
“Probes cannot contain or quarantine infected machines” – Robert Wakim, Stormshield Offers Manager
If a network probe detects an anomaly, one of two things will happen.
- If your company has an SOC (Security Operations Center). Alerted by the probe (after it has taken the time to calculate the probability that infection has taken place), the SOC will take charge of the situation and halt the attack as quickly as possible.
- If you don't have an SOC. The good news? The probe has informed you that your network has been attacked. The bad news? If the aim of the attack was to destroy your infrastructure, it's already too late.
“Ticks are a good metaphor for talking about how network monitoring probes work. When a tick bites you, you may receive that information from several sources – either your fingers finding a little bump that wasn't there before, your skin beginning to itch, or you may spot it with your eyes. However, none of these alerts can prevent diseases from entering your blood. It's exactly the same thing with a probe. They cannot contain or quarantine infected machines,” insists Robert Wakim.
Detection vs. Protection
Probes have also received good press, especially in the industrial sector, because they can be installed easily on a listening port. Until just a few years ago, many industrial networks went unprotected because they were isolated from the outside world and its threats. With the rise of Industry 4.0, however, IT-OT convergence has connected industrial networks to the outside world. Now facing cyber-threats, they need appropriate security measures.
If an attack on the network is detected, production may be shut down entirely, leading to serious economic consequences. The risk with security equipment that blocks data flows is that it may itself have a negative impact on production, not because of a cyberattack but because of an anomaly or “false positive”, i.e. a network behaviour that is wrongly believed to be part of a cyberattack.
“Probes are reassuring for industrial clients because they only detect, there's no risk of shutting down production,” shares Julien Paffumi, Stormshield Product Management Leader. “In an ideal world, you would have a data-blocking firewall with an integrated IPS to block detected cyberattacks with certainty and a parallel network probe to identify and signal suspected threats.”
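The trade-off described in this section and in the port-mirroring explanation above, a passive probe that only alerts versus an inline device that blocks and so turns a false positive into lost production, as an added example that is not part of the original article: a small Python simulation in which a passive probe and an inline IPS run the same deliberately imperfect detection rule over constructed Modbus/TCP flows. It also models what happens when the inline device itself fails, either passing everything (the fail-safe behaviour the article later mentions for inline firewalls) or dropping everything. The hosts, the allow-list, the rule and the traffic are all constructed assumptions, not Stormshield's code or any real product's logic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    """One network flow as a probe or firewall would see it (constructed fields)."""
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port (502 = Modbus/TCP)
    function: str  # protocol operation, here "read" or "write"


# Constructed allow-list: hosts permitted to write to the PLC at 10.0.2.20.
# The backup workstation 10.0.1.11 has been forgotten, which is what makes
# the rule below produce a false positive.
ENGINEERING_HOSTS = {"10.0.1.10"}

Rule = Callable[[Flow], bool]


def write_from_unknown_host(flow: Flow) -> bool:
    """Detection rule: a write to the PLC from a host outside the allow-list."""
    return (flow.dport == 502 and flow.function == "write"
            and flow.src not in ENGINEERING_HOSTS)


RULES: List[Rule] = [write_from_unknown_host]

# Constructed sample traffic: three legitimate flows and one unexpected one.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.10", "10.0.2.20", 502, "read"),   # SCADA polling, legitimate
    Flow("10.0.1.10", "10.0.2.20", 502, "write"),  # engineering workstation, legitimate
    Flow("10.0.1.11", "10.0.2.20", 502, "write"),  # backup workstation, legitimate but flagged
    Flow("10.0.9.99", "10.0.2.20", 502, "write"),  # unknown host, the event we want to catch
]
LEGITIMATE: List[Flow] = SAMPLE_FLOWS[:3]


def matches(flow: Flow) -> bool:
    return any(rule(flow) for rule in RULES)


def passive_probe(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Port-mirror model: the probe inspects a copy of each flow and can only
    raise alerts; the original traffic always reaches its destination."""
    alerts = [f for f in flows if matches(f)]
    return {"delivered": list(flows), "alerts": alerts, "blocked": []}


def inline_ips(flows: List[Flow], healthy: bool = True,
               fail_open: bool = True) -> Dict[str, List[Flow]]:
    """Inline model: the device sits on the path and drops what a rule matches.
    When the device itself fails it either passes everything through (fail_open,
    the behaviour the article calls fail-safe) or drops everything (fail-closed)."""
    if not healthy:
        passed = list(flows) if fail_open else []
        dropped = [] if fail_open else list(flows)
        return {"delivered": passed, "alerts": [], "blocked": dropped}
    delivered: List[Flow] = []
    blocked: List[Flow] = []
    for f in flows:
        (blocked if matches(f) else delivered).append(f)
    return {"delivered": delivered, "alerts": list(blocked), "blocked": blocked}


def production_impact(result: Dict[str, List[Flow]], legitimate: List[Flow]) -> int:
    """Number of legitimate flows that never reached the PLC."""
    return sum(1 for f in legitimate if f not in result["delivered"])


def attack_delivered(result: Dict[str, List[Flow]]) -> bool:
    """True if the unexpected write (the last sample flow) reached the PLC."""
    return SAMPLE_FLOWS[-1] in result["delivered"]


if __name__ == "__main__":
    scenarios = {
        "passive probe": passive_probe(SAMPLE_FLOWS),
        "inline IPS, healthy": inline_ips(SAMPLE_FLOWS),
        "inline IPS, failed, fail-open": inline_ips(SAMPLE_FLOWS, healthy=False),
        "inline IPS, failed, fail-closed": inline_ips(SAMPLE_FLOWS, healthy=False, fail_open=False),
    }
    for name, res in scenarios.items():
        print(f"{name:32s} alerts={len(res['alerts'])} blocked={len(res['blocked'])} "
              f"legit flows lost={production_impact(res, LEGITIMATE)} "
              f"unexpected write delivered={attack_delivered(res)}")
```

Running it shows the point in numbers: the passive probe raises two alerts (one true, one false) and loses no production, while the healthy inline IPS stops the unexpected write but also drops the backup workstation's legitimate write. A failed inline device in fail-open mode keeps production running at the price of inspecting nothing, which is why the article pairs it with High Availability rather than relying on fail-open alone.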
The need for a qualified firewall
Under the LPM in France and the European NIS directive, OVIs in France are legally obliged, and OESs in Europe strongly recommended, to implement qualified probe solutions. However, the ideal toolkit for companies and municipalities also includes qualified firewalls alongside these probes. Beyond detection, which is a probe's primary purpose, firewalls offer concrete protection for networks by blocking cyberattacks.
But how can such equipment be installed on a connection where it blocks data? Some, like our SNi40 firewall, can operate in IPS/IDS mode: if there is a significant failure, they let data flows pass (fail-safe). Finally, “there's always a solution to counterbalance the inconvenient aspects of data-blocking equipment,” highlights Julien Paffumi, “for example, there are High Availability boxes that are synced and that establish backup connections if there is a problem”.