Leveraging Tripwire to Implement the Defense-in-Depth Approach

Protecting the security of an industrial site depends on the organization’s ability to detect attacks quickly and efficiently. Intrusion detection systems (IDS) monitor network traffic and detect malicious activity. When the IDS detects a threat, it notifies the network administrator quickly so that appropriate remediation steps can be taken before disruption occurs. Therefore, an IDS is a crucial part of the defense in depth approach to cybersecurity, which aims to harden industrial networks and increase network uptime.

How do Intrusion Detection Systems work?

Intrusion Detection Systems employ different strategies to monitor network traffic.

• Signature-based IDS look for signatures of known attacks. One drawback is that these systems generally cannot detect new attacks.
• Anomaly-based IDS detect anomalies or deviations from normal behavior in network traffic. With this strategy, these systems can readily detect new attacks. Modern systems combine both approaches for a better detection and fewer false positives.

Different Types of IDS

• A host intrusion detection system (HIDS) runs on all computers or devices in the network. HIDS may be able to detect anomalous network packets that originate from inside the organization and malicious traffic that originates from the host itself, such as when the host has been infected with malware and is attempting to spread to other systems.
• A network intrusion detection system (NIDS) is deployed at a strategic point within the network, where it can monitor traffic to and from all the devices on the network, recognize patterns shared by multiple hosts, and see attacks before they reach the hosts.

Belden IDS Customer Benefits

• Advanced Technology
  • Monitors 100+ industrial protocols, more regularly added
  •  Regular upgrades provide performance improvements
• Ease of Use
  • Intuitive and easy-to-use interface
  •  No additional configuration required after installation
• Cost Effective
  • Lower cost compared to competitors in the market
  •  Efficient solution, custom-made for industrial networks

How Does Belden IDS Work?

EAGLE40 Next-Generation Firewalls running Tripwire Industrial Visibility interface with an external Tripwire Industrial Visibility server to provide complete Iintrusion and anomaly detection functionality quickly and reliably. Tripwire Industrial Appliance Tripwire Industrial Appliance solves operational challenges through continuous threat monitoring and advanced logging intelligence.

Once plugged into the network, the Tripwire Industrial Appliance passively analyzes network traffic to gather threat data that could threaten the safety and availability of OT environments.

• Unmatched Threat Monitoring— Defend your uptime and find known and unknown threats with continuous threat detection and monitoring.
• The Deepest ICS Visibility Available— As a Belden company, Tripwire is experienced in ICS. Industrial operators count on Tripwire Industrial Visibility to decipher over 80 of the most common industrial protocols— more than any other ICS visibility solution.
• Flexible Deployment Options—Can be deployed as a virtual or hardware appliance.

How Does Belden IDS Work in Your Network?

The following example shows how the EAGLE40 firewall works with Tripwire Industrial Visibility to protect a new PLC.

1. A new PLC is added to the network and sends data to its HMI
2. EAGLE40 firewall detects a new device and notifies Tripwire Industrial Visibility
3. Tripwire Industrial Visibility identifies a new threat, vulnerability or unsecure protocol and alerts the administrator
4. Operator adds a firewall rule to block potential threat
5. PLC is secure from threats

How Does Tripwire Industrial Visibility Offer Holistic Protection?

Visibility

Tripwire Industrial Visibility dissects ICS network communications, protocols and behaviors. It provides in-depth visibility into the existing network infrastructure, identifying assets across industrial networks gathering detailed, informative and actionable data for those devices. It profiles all the communications between assets, generating high fidelity baselines to detect anomalies, create virtual zones, and discover threats. OT/Asset Inventory holds information regarding a site’s operational activities, and provides visibility into the operational lifecycle of a site.

Threat Detection

Tripwire Industrial Visibility leverages advanced anomaly detection capabilities and other indicators that reveal malicious presences in a network. It delivers superior threat intelligence by providing alerts across the full “cyber kill chain”—from early reconnaissance activity to later stage attacks designed to impact control systems and processes. It enables unparalleled threat hunting capabilities for a range of threats, including ICS-specific malware. It displays the threats on a dashboard, allowing security teams to identify and respond to critical events.

By identifying known vulnerabilities and possible exploits, Tripwire Industrial Visibility enables you to take security countermeasures. You can identify the vulnerable devices and possible exploits, and create alerting and notification rules.

Reporting

Reports can be scheduled to run periodically and viewed in a consolidated format. Custom reports can be created to view insights, alerts, and assets. The Risk Assessment Report provides a Network Overview that details various control process devices and shows how they communicate within and across the network.

The Risk Assessment Report also provides an overall Network Hygiene score with a list of actionable insights or key findings that can help improve network hygiene. This report can be used as a Key Process Indicator (KPI) to track progress as part of a security program, as an executive brief, and as a list of recommended changes.