Digital industrial espionage is becoming a greater threat for companies in all industries. An additional danger is presented by numerous secret services, which have long had the main aim of spying on businesses and organisations. What should the companies, the potential victims, do? They must work harder than ever to protect themselves and their data from increasingly complex attacks in order to avoid the kind of corporate disadvantage which might even threaten their very existence.
There are various forms of attack which have the declared aim of spying on business secrets. Malware is introduced into databases, applications and systems. Transmitted data is spied on and read at network connections. Trojans can make their way into companies with completely innocent software purchases. Software updates can also be used as a transmission vehicle for spying programs. If there are no proper defence mechanisms available, attackers can spy on business secrets as long as they like without the company noticing.
Attackers often stay undetected in the network for months before starting their targeted attacks with the insider knowledge they have gleaned. Traditional security mechanisms such as antivirus, firewall and network monitoring software are simply outwitted. The attackers can usually leave the network in the same way as they got in – unnoticed by the victims.
The EU published a report on industrial espionage as early as 2001. The list includes two suspected cases against France. These were in relation to the delivery of high-speed trains to South Korea. The French manufacturer Alstom (TGV) was said to have gained a competitive advantage over the competitor Siemens (ICE) by means of industrial espionage.
In 2013, France came under suspicion again. The New York Times reported on the country’s alleged industrial espionage programme, which had the aim of obtaining technical secrets from the USA.
In 2015, the newspaper “Libération” reported that approximately one hundred French companies, including all companies listed in the French stock market index CAC 40, had been spied on. The report was based on information provided in US documents supplied by Wikileaks. The German Federal Intelligence Service (BND) was also in the headlines for several weeks. It has been accused of having helped the US secret service NSA to spy on European institutions and companies.
Rethink IT Security
Although defence mechanisms such as signature-based anti-virus software, firewall and network monitoring software are still required, they are no longer sufficient.
Only a comprehensive shield can help in the face of the intensified threat. It must cover the entire company, include all the necessary security services, maintain an overview of all security incidents, be flexibly adaptable to new threat scenarios and detect unknown forms of attack.
All these requirements must remain affordable and strategically controllable for a company.
The key characteristic of a permanently protective shield is a perfectly functioning, three-step sequence: gapless monitoring; the correlation of all log data from the various sources together with other security-related information; and the specialist review of the analysed data.
The Latest Detection Tools
Comprehensive protection of the IT infrastructure entails the use of automated modules for risk identification, focusing on six fields of application:
- The evaluation of log data from various sources as well as risk and threat data, with the aim of obtaining solid security information enabling rapid response to security incidents and pertinent compliance reports (Log Data Analytics or LDA).
- The detection of dangerous malware, anomalies and other risks in the network traffic by means of signature- and behaviour-based detection engines (Advanced Cyber Intrusion Detection or ACID).
- The collection, analysis and correlation of server and client logs and the immediate alerting and response as soon as attacks, misuse or errors are detected. The file integrity of local systems must be checked, and rootkits, hidden attacks, trojans and viruses must be identified on the basis of system changes (Host-based Intrusion Detection or HIDS).
- A 360-degree overview of potential security vulnerabilities in operating systems and application software, and the monitoring of all data flows on the network for anomalies (Vulnerability Assessment or VAS).
- The detection of advanced malware previously undiscovered by conventional security measures, including advanced persistent threats (APTs) (Advanced Email Threat Detection or AETD).
- Automatic monitoring of compliance regulations and the immediate reporting of breaches to minimise compliance risks (Software Compliance or SoCo).
The Art of Correlation
Many current forms of attack have no known signature. They therefore cannot be detected by matching fixed patterns but only via abnormal behaviour (changes in the system). Advanced correlation engines are required to correlate log data from the various sources within the IT infrastructure with other security-related data. These engines analyse both signature- and behaviour-based events and relate them to one another. This makes it possible to distinguish events caused by misuse from those caused by incorrect operation.
Advanced correlation is also the requirement for recognising suspicious behaviours and hidden or unknown forms of attack.
In order for advanced correlation to feed the subsequent risk detection properly, and to raise the alarm in urgent cases, the system must store and constantly update rules, policies and self-learning algorithms as well as statistical models.
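To make the correlation step concrete, here is an added example (not Radar Cyber Security's code; all hosts, times, signature names and weights are constructed) that takes events from the LDA, HIDS and ACID modules listed above, slides a per-host time window over them, and combines a signature-based weight with a behaviour-based rule so that only the co-occurrence of individually harmless-looking events produces an incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events: (timestamp, source module, host, kind, detail)
EVENTS = [
    ("2024-03-01T02:14:05", "LDA", "srv-erp-01", "admin_login", "user=svc_backup"),
    ("2024-03-01T02:16:40", "HIDS", "srv-erp-01", "file_integrity", "/usr/sbin/sshd hash changed"),
    ("2024-03-01T02:20:12", "ACID", "srv-erp-01", "ids_signature", "periodic outbound beacon"),
    ("2024-03-01T09:05:00", "LDA", "ws-hr-17", "admin_login", "user=jdoe"),
    ("2024-03-01T14:30:00", "HIDS", "ws-hr-17", "file_integrity", "/etc/hosts hash changed"),
]
WEIGHTS = {"admin_login": 1, "file_integrity": 2, "ids_signature": 3}  # each alone < THRESHOLD
THRESHOLD = 6

def after_hours(ts):
    """Behaviour-based rule: admin activity outside 07:00-19:00 is unusual."""
    return ts.hour < 7 or ts.hour >= 19

def score_event(ts, kind):
    """Signature weight of the event plus a behavioural bonus where it applies."""
    score = WEIGHTS.get(kind, 0)
    if kind == "admin_login" and after_hours(ts):
        score += 2
    return score

def correlate(events, window_minutes=30, threshold=THRESHOLD):
    """Slide a time window over each host's events and sum their weights.
    Returns one incident per host whose best-scoring window reaches the threshold."""
    by_host = defaultdict(list)
    for ts, src, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), src, kind, detail))
    window = timedelta(minutes=window_minutes)
    incidents = []
    for host, evs in by_host.items():
        evs.sort()
        best_total, best_chunk = -1, []
        for i, (t0, *_) in enumerate(evs):
            chunk = [e for e in evs[i:] if e[0] - t0 <= window]
            total = sum(score_event(e[0], e[2]) for e in chunk)
            if total > best_total:
                best_total, best_chunk = total, chunk
        if best_total >= threshold:
            incidents.append({"host": host, "score": best_total,
                              "sources": sorted({e[1] for e in best_chunk}),
                              "evidence": [e[3] for e in best_chunk]})
    return incidents

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)  # the srv-erp-01 window scores 8 and becomes an incident
```

The two events on ws-hr-17 fall outside any shared 30-minute window and never reach the threshold, which is the point: the same file-integrity change is only escalated when the surrounding behaviour and network evidence support it.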
If the automated IT risk identification and correlation provides high-quality information, the final step required is the interpretation of this data. Experts, who constantly update their skills, continuously work to analyse, evaluate, prioritise and develop the automated responses. The IT infrastructure as well as the current business processes are viewed in the overall context. The big picture of the company’s current risk situation continues to develop and the systems are constantly adjusted to new or changing threats.
The importance of involving experts is illustrated by the fact that only experts can issue fast and precise instructions to resolve a problem. In addition, it is the task of the expert team to constantly adapt the rules, policies and statistical models within the risk identification modules and the advanced correlation engine in order to identify vulnerabilities or unknown types of attack.
What Managed Security Services Offer
In view of the ambitious scope of the task and the high staffing and financial costs, companies have to consider whether they can operate the shield permanently on their own or whether they should draw on specialist expertise and tools.
Radar Cyber Security, headquartered in Austria, offers the services from a single source. The security specialist is the European market leader in predictive IT security review and IT risk identification as managed services. The experts provide businesses with a complete package for ongoing IT security monitoring. It consists of hardware and software for the comprehensive, automated detection of security problems, and the analysis expertise of security experts. Four or five crucial pieces of information can be extracted from the several million units of security-related data generated on a daily basis by a medium or large company.
The companies will benefit from a highly effective, efficient and constantly updated system of IT risk detection. They always have immediate access to their company’s IT security status and what their priorities are with regard to dealing with vulnerabilities or an actual attack.
IT security which is made in Europe also offers additional benefits: the processes of Radar Cyber Security ensure that collected data always remains within the company. This ensures that a company’s security-related and therefore highly sensitive information physically never leaves that company.
The big picture
Radar Cyber Security configures, operates and maintains the automated modules for IT risk identification and the advanced correlation engine in the respective companies. The rules, policies and statistical models are updated on average every hour. The Risk & Security Intelligence Team consolidates, evaluates and prioritises information from the tools at regular intervals or in real time.
In the Risk & Security Cockpit, crucial information from the continuous IT security audits and risk assessments is displayed: the recognised and classified IT security problems, the urgency level, the IT employees responsible for remediation and the current status of the remediation process.
Each identified risk is provided by the Security Intelligence & Risk team with a clear instruction for remediation. The team is the central contact for the employees in the company – by phone, email or in the integrated Cockpit Message/Feedback System.
Business processes at risk are identified in the integrated Business Process Risk View. Because IT risks are mapped to IT service risks and from there to business process risks, their effects are clear and understandable in every context at the push of a button.
Transparency is especially important in the event of an attack. Internal IT teams need to fully concentrate on risk elimination, while CEOs and managers are updated on progress automatically, immediately and in the appropriate level of detail. The Risk & Security Cockpit therefore contributes to efficiency and effectiveness in emergency situations and to a fundamental improvement of the internal control system in general.