The explicit requirement of a central system for attack detection is the core topic of the IT Security Act 2.0 (IT-Sig 2.0), which will come into force in May 2023. The BSI defines "KRITIS" - companies belonging to the critical infrastructure in Germany - very broadly.

Meet KRITIS requirements with a state-of-the-art SIEM solution

What does the IT Security Act 2.0 change for KRITIS companies?

The IT Security Act 2.0 (IT-Sig 2.0) is exemplary in the European Union and serves as the basis for the EU’s Digital Operational Resilience Act (“DORA”); in addition, certification organizations are adopting IT-Sig 2.0 requirements in their audit catalog (e.g., ISO 27001/2).

Today, many KRITIS-relevant companies face the challenge of meeting these requirements. It is not only a matter of avoiding the risk of sometimes substantial fines, but also of effectively protecting the company against cyber attacks. Shortages of skilled workers as well as technological change mean that the problem tends to become even more complex.

One of the biggest changes for KRITIS-relevant companies in IT-Sig 2.0 is the explicit requirement for a centralized attack detection system.

This must meet the following requirements (§8 (1a) BSIG-E, §2 (9b) BSIG-E):

  • Identify threats through automated, continuous monitoring of appropriate parameters and
  • assist in the elimination of identified risks.

Only a few SIEM systems on the market cover the requirements of the BSI with regard to central attack detection and fully protect customers.

How do I ensure central attack detection in my infrastructure?

For centralized, state-of-the-art attack detection, it is necessary to identify anomalies in the corporate infrastructure.

The use of a SIEM provides the company with a holistic view of the security-relevant events in the IT infrastructure in real time, as well as the (ideally) automated execution of countermeasures. Here, a SIEM does not replace the IT security measures already established in the company, but complements them by providing a central overview of all individual systems and the ability to link and enrich this data.

Possible sources for this system are:

  • Log files from operating systems and applications
  • Firewall events from network firewalls
  • Alarms from intrusion detection & prevention systems (IDS/IPS)
  • Intelligent network sensors / network monitor systems with information about detected assets/devices, vulnerabilities, compliance violations or anomalous network behavior
  • Directory services & authentication services (such as Active Directory, IDM systems, single sign-on)
  • Endpoint Detection & Response systems (EDR/XDR)
  • Indicators to identify attackers and attacks such as IP addresses, hashes, hostnames, etc. (threat intelligence feeds) as well as e.g. contextual information about attackers for enrichment purposes

Through the SIEM, the IT security team has the opportunity to improve the quality of the data obtained by the individual systems through targeted aggregation and correlation in order to arrive at more meaningful insights into security-related events.

In addition to their core functionality, modern SIEM systems also have options for automating the workflow for countermeasures (“SOAR”: Security Orchestration, Automation and Response).

Another useful addition can be systems that use machine learning to systematically create baselines of a company’s identities and systems and automatically check them for deviations (User and Entity Behavior Analytics, UEBA). The centralized provision of all acquired data in a SIEM system gives the analyst a holistic picture of the company’s security situation in real time.
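The correlation and enrichment steps described above, together with the UEBA baseline check, as an added example that is not part of the original post and not the code of any vendor product: a minimal Python rule engine over constructed authentication, firewall and threat-intel records. The field names, thresholds and sample events are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data). Each source is normalised to the
# same minimal schema so that the rules below can correlate across sources.
AUTH_LOG = [  # directory / authentication service
    {"ts": 100, "src": "203.0.113.7", "user": "alice", "outcome": "fail"},
    {"ts": 130, "src": "203.0.113.7", "user": "alice", "outcome": "fail"},
    {"ts": 160, "src": "203.0.113.7", "user": "alice", "outcome": "success"},
    {"ts": 200, "src": "198.51.100.2", "user": "bob", "outcome": "fail"},
]
FW_LOG = [  # network firewall
    {"ts": 90, "src": "203.0.113.7", "dst": "10.0.0.5", "action": "deny"},
    {"ts": 95, "src": "203.0.113.7", "dst": "10.0.0.6", "action": "deny"},
]
# Constructed indicator feed (assumption): source address -> context string.
THREAT_INTEL = {"203.0.113.7": "constructed feed: known brute-force source"}

def enrich(event, intel=THREAT_INTEL):
    """Enrichment step: attach threat-intel context to an event, or None."""
    return {**event, "intel": intel.get(event["src"])}

def correlate(auth_log, fw_log, window=120, min_fail=2):
    """Cross-source rule: at least `min_fail` failed logins followed by a
    success from one source address within `window` seconds. Firewall denies
    and the threat-intel hit for that address are added as evidence."""
    by_src = defaultdict(list)
    for e in sorted(auth_log, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, events in by_src.items():
        fails = [e for e in events if e["outcome"] == "fail"]
        success = [e for e in events if e["outcome"] == "success"]
        if len(fails) >= min_fail and success and success[-1]["ts"] - fails[0]["ts"] <= window:
            denies = [f for f in fw_log if f["src"] == src and f["action"] == "deny"]
            alerts.append({"src": src, "user": success[-1]["user"],
                           "fw_denies": len(denies), "intel": enrich(success[-1])["intel"]})
    return alerts

def ueba_deviation(history, today, k=3.0):
    """UEBA-style check: baseline one entity's daily activity (mean and
    population std dev) and flag today's value if it exceeds mean + k*stddev."""
    mu, sigma = mean(history), pstdev(history)
    return today > mu + k * sigma

if __name__ == "__main__":
    print(correlate(AUTH_LOG, FW_LOG))           # one alert for 203.0.113.7
    print(ueba_deviation([10, 12, 11, 9, 13], 60))  # True: far above baseline
```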

Operating a SIEM system poses challenges for many companies because the system, network and human resources required to run a SIEM are not insignificant. Hundreds of millions of events are often generated per day. Processing this data in real time requires sufficient computing power and network bandwidth.

In addition, operating a SIEM requires a team of cyber defense experts to add value to the organization. While modern SIEM systems bring a very good set of standard rules to the table, customizing the system to the company’s specific circumstances and analyzing the resulting alerts requires significant effort that in-house IT security teams often cannot provide themselves.

Implementation options and operating models

Modern SIEM solutions, such as ArcSight, are available as “Software as a Service” (SaaS) solutions, which significantly reduce the operating expense for the end customer. Integration of other components such as ArcSight Intelligence (UEBA) or Cyberres Galaxy (Threat Intelligence) also offers customers great added value in the area of IT security. Customers with special protection needs can also install a SIEM solution on-premises.

Overall, the following different operating models are possible:

  • In-house SIEM: The customer operates the system itself, if necessary with the support of an IT security partner who brings the missing know-how.
  • Managed SIEM: The IT security service provider operates the system in its data center and processes the customer’s data there.
  • Co-Managed SIEM: The partner operates the system, or only parts of the system, at the customer’s site. The data remains in the customer’s network at all times.

Conclusion

Only a few companies can meet the multitude of requirements of IT-Sig 2.0. Only a few products on the market can meet the multitude of requirements that the legislator places on a KRITIS-compliant SIEM – this is especially true with regard to audit-proof storage, the immutability of data, and ensuring that the entire relevant system landscape is covered.

Do you need support in implementing the requirements of the IT Security Act 2.0 in compliance with the law? Contact us – online or by phone at +49 30 5557021 11.

Felix Gutjahr · Author

Cyber Defense Consultant

Felix laid the foundation for his career in information technology with his training as an IT specialist for system integration. There, he went through a wide variety of topics and was able to gain valuable, practical experience in several projects, especially in customer consulting. During this time, he discovered his passion for IT security and decided to continue his career in this field. Since May 2020, Felix has been part of the SECUINFRA team and has already taken over the support of several of our customers in the ArcSight area after a short time. There, he supports the operation and expansion of the SIEM environment, as well as the use case development. Through his close contact with the manufacturer Micro Focus, Felix has taken on the role of ArcSight Product Lead within our company.

Marcel Röhrl · Author

Portfolio Sales Specialist - NextGen Security Operations

Specialist in the Security Operations portfolio of Micro Focus Cyberres. Has been in IT for over 20 years, with stints in Big Data Analytics, Project Management and Cybersecurity.
