Speed is the Key Factor – Not Hundred-Percent Security

In the context of classification level "German VS-NfD", the changeover to remote operation is a particularly challenging "acid test" for IT organization. Besides defense against massive cyber attacks, shortcomings in IT governance and cyber security architectures also need to be overcome. Arnold Krille, Head of cognitix Product Development at genua, details the priorities for action.

Mr Krille, in the context of German classification level "Restricted", where should those responsible for IT start in order to provide fast and effective protection for the mobile ecosystems of your organization?

Arnold Krille: "Network" and "user" are key dimensions of action. In the case of "network", it's all about gaining an overview of the infrastructures and technologies which reflects both the actual situation and enables comparison with the target situation. A central topic here is the connection of users via the Internet: Can central services from a service provider to the German federal government be used for this purpose? Or does an extra solution need to be found? In the second case, although greater flexibility is possible, it must also be assumed that a higher level of safeguarding will be necessary.

This is because every connection to the Internet makes you the target of attackers. In addition to the functionality and performance of the connecting services, technical security must therefore always be taken into consideration: How do I dial in? How is the system itself protected against attacks? How are intrusions into the infrastructure prevented? Especially since we are generally talking about several hundred or more users who are switching to working from home or require secure mobile devices compatible with classification level "German VS-NfD". From a purely organizational viewpoint, this involves a huge amount of work. Moreover, legal frameworks also have to be taken into consideration during implementation – however, it is often the case that no IT governance exists for the expansion of remote working.

In your experience, what it is needed to provide structure and clarity in this situation?

Arnold Krille: This is where the perspective of the user comes into play: Which devices, programs and access does the user need and in what quality? For example, video conferences are still not possible for some remote solutions in the public sector. However, as with everything that makes collaboration and exchange easier, they are essential for the user. As far as this requirement is concerned, it would be simpler to find the appropriate end devices and programs that are compliant with classification level "German VS-NfD", and to check whether the functional requirements match the regulatory requirements such as basic IT protection.

And once this has been achieved, the user needs a whole host of other things …

Arnold Krille: Correct, but IT should be accustomed to this by now. In the years before the pandemic, "velocity is king" was already the motto. In other words, getting more horsepower onto the street when planning and implementing IT projects in order to keep up with the innovation cycles of device and software manufacturers. But, as we know, of the three goals "security", "usability" and "fast introduction" it is only ever possible to achieve two of them at the same time. With "usability" and "security" it was often a case of "either-or": a highly secure and quickly introduced, but extremely difficult-to-use system, or a quickly implemented, user-friendly, but high-risk solution.

"Velocity is king" is now also becoming an issue in the sense that attackers also work according to this principle and shorten their innovation cycles. During the pandemic, the "industrialization" of cybercriminality was clear to see – professional hackers develop ever more sophisticated methods and tools that also enable semi-professional players to carry out successful attacks.

In the new world of work, "velocity is king" is more crucial than ever for IT security. After all, attackers also shorten their cycles when developing new methods and tools.

In the new world of work, "velocity is king" is more crucial than ever for IT security. After all, attackers also shorten their cycles when developing new methods and tools.

How do pioneers in classification level "German VS-NfD" deal with this situation?

Arnold Krille: They focus on the implementation of three objectives: Firstly, connecting employees working from home or at a mobile workplace to the internal networks according to different security scenarios. Secondly, creating security that does not put obstacles in the way of the user. And thirdly, making the whole thing scalable so that, depending on the situation, a large part of the workforce can quickly change over to working from home and then back to the company locations.

First and foremost, however, they don't underestimate the risks that every employee working from home poses. It is not enough to set up a VPN (Virtual Private Network) and provide security using basic tools and software. After all, the physical safeguards that provide additional protection at the company location – secured server rooms, lockable office doors, cameras in the foyer, and sometimes even a gatekeeper – are completely absent in a home office. Organizations with highly mature IT security can sometimes be thought of as a "virtual public authority" with not five, but in some case five hundred or more locations. And, accordingly, they intensify the protection of access to the public authority network from the home offices of their employees, but also from all levels of communication within the public authority network.

Organizations with highly mature IT security can sometimes be thought of as a "virtual public authority". Every home office, like every location, is protected according to the highest standards.

What requirements with regard to basic IT protection need to be taken into consideration for remote working to ensure compliance with classification level "German VS-NfD"?

Arnold Krille: Regardless of remote working, basic IT protection requires closer scrutiny at least of the critical points in the organization networks with anomaly or attack detection. When employees switch to remote working, the VPN node then becomes such a critical point. Not only because it can be attacked from outside. But also because the work processes and communication within the public authority are changing and now take place via these points. So it is a matter of safeguarding the technology infrastructure as well as the process infrastructure. This also makes the situation highly sensitive. Because this combination is a completely new challenge for IT, which cannot be modeled perfectly according to any guideline.

In what way do systems for anomaly and attack detection provide further assistance?

Arnold Krille: That depends on the attack scenario. A classic example is an e-mail with infected attachment sent by a supposedly known sender. By clicking on the attachment, the user gives the attacker internal access to resources, which initially is not subject to any formal, restrictive measures. When such an infection then starts to spread, it usually takes days, weeks and months before the attack is detected.

This is exactly where detection measures come in. cognitix Threat Defender could intervene here as a first step, i.e., detect the anomaly, alert an IT security officer or initiate defensive measures. Here, the response to the communication behavior of the end user can be modeled in such a way that the administrator is notified promptly and can initiate appropriate measures, without his work being hindered by false alarms. We recommend to strive for a reasonable level of prevention according to the state of technology used at the organization – but also to bear in mind that there is no such thing as hundred-percent security.

How does cognitix Threat Defender differ from IDS systems?

Arnold Krille: A fundamental problem of IDS systems is that due to the noise in the network and the variety and quality of the detection rules, these systems detect so many anomalies that more personnel are needed to deal with them. One of the reasons for this is that only certain patterns in individual data streams can usually be monitored. Nowadays, however, it is not so much a question of "detect everything that might be suspicious". But instead correlating suspicious input signals with the overall behavior of devices and defining a certain line of defense, i.e., individual thresholds at which you want to take action. And it is exactly here that cognitix Threat Defender comes into play.


If the tool detects, for example, that a signature for the most recent Windows exploit and a Chinese hacker occurs on a Linux server, it does not need to alert anyone.

With cognitix Thread Defender, you can define thresholds as of when abnormal behavior really does need to be classified as dubious.

If, however, 20 clients received this package one after the other and then suddenly begin to transmit unexpected data traffic, this is something that will trigger an alarm.

This is the beauty of the solution: On the one hand, thresholds as of when abnormal behavior really does need to be classified as dubious are defined. On the other hand, the "last line of defense" is a huge help. For example, if you discover that on Friday evening a user starts setting up communication with all servers. And then at the weekend this user suddenly begins to access services that he has never used before. This might be a very dedicated employee – but is more likely to be an unwanted guest in the system.

What happens in the event of an attack?

Arnold Krille: The first step is to verify what exactly the anomaly is. To do so, the administrator needs to have as complete an overview as possible of the situation. With the right insights and appropriate context, it is then possible to decide whether the anomaly is an attack, an operational fault or just unusual, but legitimate behavior of an employee. During this time, cognitix Threat Defender can already initiate initial responses. Depending on the organization's understanding of risk, this can be initial isolation measures, whereby the affected device is restricted in terms of communication or even completely isolated. 

A graduated response is also possible. In this case, business-critical processes can continue. All other communication, however, is restricted and the activities of a potential attacker therefore stopped, without any negative impact on the business processes. 

This approach gives the personnel and machine time to gather further information, to verify the anomaly using context information and to calmly plan the appropriate response. This avoids premature business interruptions caused by false positives – and also prevents the attackers from realizing that they have already been found out. It is often better to be able to continue monitoring the attacker for a while in order to understand what he is doing, what he has done and what his apparent objective is. The better understood the motives of an attacker are, the better the response to the attack will be, both in combatting the attacker and in restoring normal business operations after removal of the attacker from the network.