Case Study

Anomaly Detection Protects Internal Data Traffic

Classic IT security protection with firewalls, IDS- or IPS-systems has a serious shortcoming. The systems are not able to detect a change in the communication behavior of network components that have been manipulated and, for example, send malicious code to other clients in the network. Stadtwerke Bad Reichenhall KU, a municipal enterprise, has therefore set up an anomaly detection system to defend against the threat.


Stadtwerke Bad Reichenhall KU is a regional service company that provides its customers with power, natural gas and local public transport as well as Internet, telephone and cable television. As critical infrastructure, Stadtwerke places special focus on IT security. The company is certified according to the international IT security standard 27001 and operates an information security management system (ISMS).

Shortcomings of the classic IT security systems

Regular audits and penetration tests confirmed that the security measures taken in accordance with the ISMS standard are effective. "The tests are, however, just a snapshot in time. If security gaps are exploited through social engineering and other, increasingly professional attacks, we want to be prepared. Up until now, we have been lacking anomaly detection as a permanent, real-time control that would also allow us to detect attacks in the internal data traffic early on," reports Carsten Viell, IT Director at Stadtwerke.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) for monitoring office networks have proven themselves for years. A major disadvantage of these systems is that they are not designed for anomalies in the internal data stream. A workstation that previously only had connections with the login server and file server suddenly communicating with other computers within the network is not detected. If a workstation establishes connections to many ports in a short amount of time (network scan) or a printer contacts other devices in the network and attempts to download code from the network, that also initially remains undetected. IDS- and IPS systems do not check whether these network components are authorized to do this and whether the behavior is unusual. Attackers are thereby able to take over devices in the network without it being immediately noticed.

"We looked for a solution to monitor the internal network using anomaly detection and became aware of the cognitix Threat Defender from genua. Because we have long been very satisfied with the products and services from genua, we were excited about this solution," explains the IT Director. Stadtwerke was looking for an intelligent system that independently scans the network components and analyzes their behavior. "We didn't want to enter thousands of rules by hand and then constantly update them manually," says Carsten Viell. The IT monitoring system also needed to be easy to administer for a medium-sized system such as that of Stadtwerke.

Anomaly detection as permanent real-time control

The cyber security recommendation of the BSI (BSI-CS 134) places special emphasis on anomaly detection as a means for protecting networks: "It enables the detection of atypical behavior and, thus, in addition to technical error states and incorrect configuration, the detection of previously unknown forms of attack on such networks. This distinguishes anomaly detection from other measures that are based on the detection of already-known attacks."

With its anomaly detection, the cognitix Threat Defender closes the security gap of IDS and IPS systems. It monitors all network traffic and also analyzes the behavior of the network components (assets). It sets up a monitored, secure network by recognizing the behavior patterns of the network devices and assigning defined rules. Focus is not on an individual device or an individual network connection but rather on the communication in the entire network and the behavior of all network participants. Previously separate functions, such as network analysis, intrusion detection, asset tracking and a dynamic policy engine, are thereby merged into a single system.

""The introduction of the system went surprisingly smooth. We were very well supported by genua's support staff and received direct assistance in setting up and scaling the system. Moreover, our suggestions for improvement were addressed and quickly implemented," says the IT Director, describing the introductory phase. An initial asset tracking with real-time analysis was performed at the start. During this process, an asset database with all 700 devices in the network, including WLAN networks, was created and a network status in the "base state" created. During this learning phase, it was determined what devices are in the network and what desired network traffic takes place in this base state. If new devices are added, they are immediately detected and must be released and the defined rules assigned.

Administration of a system for anomaly detection

"The anomaly detection is very stable and performs well. The system is well positioned for real-time tracking. On a separate screen, we can follow the traffic and used services in real time. We receive a warning message if anomalies are detected. Following the learning phase, the detection rate is now good and error messages (false positives) are increasingly rare," says the IT Director, who is very satisfied with the day-to-day operation. He experiences the system as easy-to-operate and self-explanatory.

Attacks and anomalies in the network traffic have not occurred up to now. The attacks produced by the administrators were correctly detected and output as warning messages. In such instances, the affected client can be immediately decoupled, e.g., to prevent the further spread of an encryption Trojan. If necessary, the administrator can also issue an alarm via mobile telephony.

Stadtwerke anticipates also using the expanded automation functions of the cognitix Threat Defender after a year of regular operation. Unusual patterns and patterns that deviate from the standard behavior (anomalies) in the data stream then result in the automatic interruption of the communication without the administrator needing to intervene.

Benefits of the solution

The IT Director of Stadtwerke gives the cognitix Threat Defender good marks in a summary: "We operate the solution on eight-year old hardware and are surprised at the system's good performance. There is little configuration work and the integration in the network was easier than expected." Due to the good experiences made in the office network, Stadtwerke has, with the control network, started work on incorporating the communication network for power supply in the anomaly detection system.

Carsten Viell confirms the good price-performance ratio of the solution: "There's a great deal of intelligence in the system. Without any additional manual effort, we have permanent 24/7 monitoring of the network traffic. Our network operation has yet again become significantly more secure against increasingly complex attacks."