Meet KRITIS requirements with a state-of-the-art SIEM solution

What does the IT Security Act 2.0 change for CRITIS companies?

The IT Security Act 2.0 (IT-Sig 2.0) is exemplary in the European Union and serves as the basis for the EU’s Digital Operational Resilience Act (“DORA”); in addition, certification organizations are adopting IT-Sig 2.0 requirements in their audit catalog (e.g., ISO 27001/2).

Today, many KRITIS-relevant companies face the challenge of meeting these requirements. It is not only a matter of avoiding the risk of sometimes substantial fines, but also of effectively protecting the company against cyber attacks. Shortages of skilled workers as well as technological change mean that the problem tends to become even more complex.

One of the biggest changes for CRITIS-relevant companies in IT-Sig 2.0 is the explicit requirement for a centralized attack detection system.

This must meet the following requirements (§8 (1a) BSIG-E, §2 (9b) BSIG-E):

  • Identify threats through automated, continuous monitoring of appropriate parameters and
  • assist in the elimination of identified risks.

Only a few SIEM systems on the market cover the requirements of the BSI with regard to central attack detection and fully protect customers.

How do I ensure central attack detection in my infrastructure?

For centralized, state-of-the-art attack detection, it is necessary to identify anomalies in the corporate infrastructure.

The use of a SIEM provides the company with a holistic view of the security-relevant events in the IT infrastructure in real time, as well as the (ideally) automated execution of countermeasures. Here, a SIEM does not replace the IT security measures already established in the company, but complements them by providing a central overview of all individual systems and the ability to link and enrich this data.

Possible sources for this system are:

  • Log files from operating systems and applications
  • Firewall events from network firewalls
  • Alarms from intrusion detection & prevention systems (IDS/IPS)
  • Intelligent network sensors / network monitoring systems with information about detected assets/devices, vulnerabilities, compliance violations or anomalous network behavior
  • Directory services & authentication services (such as Active Directory, IDM systems, single sign-on)
  • Endpoint Detection & Response systems (EDR/XDR)
  • Indicators to identify attackers and attacks such as IP addresses, hashes, hostnames, etc. (threat intelligence feeds) as well as e.g. contextual information about attackers for enrichment purposes

Through the SIEM, the IT security team has the opportunity to improve the quality of the data obtained by the individual systems through targeted aggregation and correlation in order to arrive at more meaningful insights into security-related events.
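As an added illustration (not code from this page or from any of the products it names), the following Python sketch shows the aggregation, correlation and enrichment step described above: authentication events from a directory service and a firewall event are combined, enriched from a threat-intelligence indicator, and a streaming correlation rule raises an alert when repeated logon failures are followed by a success. All events, the indicator, the rule name and the thresholds are constructed assumptions.

```python
"""Toy SIEM correlation + enrichment over constructed events (illustration only)."""
from collections import defaultdict, deque

# Constructed threat-intelligence feed (indicator -> context); not a real feed.
THREAT_INTEL = {"203.0.113.7": "reported brute-force source"}

# Constructed sample events from two source types named in the list above:
# directory-service authentication logs ("ad") and firewall logs ("fw").
EVENTS = [
    {"src": "ad", "type": "logon_failure", "user": "jdoe", "ip": "203.0.113.7", "ts": 100},
    {"src": "ad", "type": "logon_failure", "user": "jdoe", "ip": "203.0.113.7", "ts": 110},
    {"src": "ad", "type": "logon_failure", "user": "jdoe", "ip": "203.0.113.7", "ts": 120},
    {"src": "ad", "type": "logon_success", "user": "jdoe", "ip": "203.0.113.7", "ts": 130},
    {"src": "fw", "type": "outbound_allow", "ip": "10.0.0.5", "dst": "198.51.100.9", "ts": 140},
    {"src": "ad", "type": "logon_failure", "user": "asmith", "ip": "10.0.0.8", "ts": 150},
    {"src": "ad", "type": "logon_success", "user": "asmith", "ip": "10.0.0.8", "ts": 160},
]


def enrich(event, intel=THREAT_INTEL):
    """Attach threat-intel context when the source IP matches a known indicator."""
    enriched = dict(event)
    if event.get("ip") in intel:
        enriched["intel"] = intel[event["ip"]]
    return enriched


def correlate(events, min_failures=3, window=60):
    """Alert when a logon success follows >= min_failures failures for the same
    user and source IP within `window` seconds. Events are processed in
    timestamp order, the way a streaming SIEM rule sees them."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ev = enrich(ev)
        if ev["src"] != "ad":      # this rule only consumes authentication events
            continue
        fails = recent[(ev["user"], ev["ip"])]
        while fails and ev["ts"] - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if ev["type"] == "logon_failure":
            fails.append(ev["ts"])
        elif ev["type"] == "logon_success" and len(fails) >= min_failures:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "ip": ev["ip"], "failures": len(fails),
                           "intel": ev.get("intel", "none"),
                           # enrichment raises the priority the analyst sees
                           "severity": "high" if "intel" in ev else "medium"})
            fails.clear()
    return alerts
```

Running `correlate(EVENTS)` yields one alert for jdoe, rated high because the source IP matched the constructed indicator, while asmith's single failure followed by a success produces nothing.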

In addition to their core functionality, modern SIEM systems also have options for automating the workflow for countermeasures (“SOAR”: Security Orchestration, Automation and Response).

Another useful addition can be systems that use machine learning to systematically create baselines of a company’s identities and systems and automatically check them for deviations (User and Entity Behavior Analytics, UEBA). The centralized provision of all acquired data in a SIEM system gives the analyst a holistic picture of the company’s security situation in real time.

Operating a SIEM system poses challenges for many companies because the system, network and human resources required to run a SIEM are not insignificant. Hundreds of millions of events are often generated per day. Processing this data in real time requires sufficient computing power and network bandwidth.

In addition, operating a SIEM requires a team of cyber defense experts to add value to the organization. While modern SIEM systems bring a very good set of standard rules to the table, customizing the system to the company’s specific circumstances and analyzing the resulting alerts requires significant effort that in-house IT security teams often cannot provide themselves.

Implementation options and operating models

Modern SIEM solutions, such as ArcSight, are available as “Software as a Service” (SaaS) solutions, which significantly reduce the operating expense for the end customer. Integration of other components such as ArcSight Intelligence (UEBA) or Cyberres Galaxy (Threat Intelligence) also offers customers great added value in the area of IT security. Customers with special protection needs can also install a SIEM solution on premise.

Overall, the following different operating models are possible:

  • In-house SIEM: The customer operates the system itself, if necessary with the support of an IT security partner who brings the missing know-how.
  • Managed SIEM: The IT security service provider operates the system in its data center and processes the customer’s data there.
  • Co-Managed SIEM: The partner operates the system, or only parts of the system, at the customer’s site. The data remains in the customer’s network at all times.

Conclusion

Only a few companies can meet the multitude of requirements of IT-Sig 2.0. Likewise, only a few products on the market can meet the multitude of requirements that the legislator places on a KRITIS-compliant SIEM – this is especially true with regard to audit-proof storage, the immutability of data, and ensuring that the entire relevant system landscape is covered.

Do you need support in implementing the requirements of the IT Security Act 2.0 in compliance with the law? Contact us – online or by phone at +49 30 5557021 11.


Felix Gutjahr • Author

Cyber Defense Consultant

Since May 2020, Felix has been part of the SECUINFRA team and has already taken over the support of several of our customers in the ArcSight area after a short time. There, he supports the operation and expansion of the SIEM environment, as well as the use case development.


Marcel Röhrl • Author

Portfolio Sales Specialist - NextGen Security Operations

Specialist in the Security Operations portfolio of Micro Focus Cyberres. Has been in IT for over 20 years, with stints in Big Data Analytics, Project Management and Cybersecurity.
