Project “pEAgasus”: When System Hardening and Attack Detection are effectively intertwined

Hardening systems and detecting cyber attacks are two different components of an IT security strategy. And both are actually independent of each other. That doesn’t have to be the case! With the “pEAgasus” project, we are bringing together what belongs together.


Goal: fewer “red alarms” for the SOC team

Rest – a Security Operations Center (SOC) doesn’t really know this word. The usually highly specialized IT security specialists constantly have something to do, as alarms (so-called “events”) are continuously popping up that they have to investigate. Unfortunately, many reports are false alarms or irrelevant, but they still eat up time and often nerves.

How can this state of constant “red alerts” be reduced? With System Hardening! Why? We explain this in our article “How the Security Operations Center benefits significantly from System Hardening”.

If there are attacks on systems that have been “hardened”, the SOC, a CSIRT (Computer Security Incident Response Team) or a CDC (Cyber Defense Center) does not have to deal with them as a top priority. The cyber attacks are either prevented completely or slowed down significantly.

But how does a security team know that the systems under attack are less or not at all vulnerable due to their secure configuration? How does the SOC maintain an overview of large system landscapes consisting of hundreds or even thousands of notebooks, servers and cloud infrastructures? The “pEAgasus” project answers this big question.

What is “pEAgasus”?

Behind “pEAgasus” is a small team. It consists of FB Pro employees (mostly students who are completing a project as part of the “Project Management / PROJ” module) and our partner Trovent. Together they are trying to bring two worlds together:

At the beginning the cooperation was called “Project EA / EAGLE”, shortened to “pEA”. This eventually became the catchier name “pEAgasus”, which is reminiscent of the winged horse from Greek mythology.

The aim of the project team is to “marry” the two solutions together. The concept looked like this:

    • The MDR system detects that a particular attack vector is being used as part of an attack on a specific system.
    • An automatic check is then carried out via the Enforce Administrator to determine whether the affected system has been hardened and whether this attack vector has been deactivated.
    • After this quick, automated exchange, it becomes clear that the attack is harmless, because the attack vector is no longer present thanks to the System Hardening.
    • Conclusion: There is no “red alert” at the SOC or CSIRT / CDC, and the team can focus on other things.

How does the exchange between MDR and EA work?

Trovent MDR and Enforce Administrator are two independent products, but they can communicate with other systems via interfaces.

In the simplified representation, the exchange between Trovent MDR and Enforce Administrator takes place as follows:

Diagram: Communication between Trovent MDR/EAGLE and Enforce Administrator (Image: FB Pro)

This means:

    • The MDR system (EAGLE) detects attacks
    • … and sends the resulting events via the Apache Kafka Connect API to Kafka, the message broker.
    • Trovent’s Analytics Engine reads the events from Kafka and processes them.
    • The newly developed PROJ code enriches each event with hardening information.
    • To obtain that information, the system queries the Enforce Administrator via its REST API.
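The enrichment step described in the two lists above, written out as an added illustration (this is not Trovent or FB Pro code). The event fields, the shape of the Enforce Administrator answer and the host names are constructed assumptions; the REST call is replaced by an in-memory lookup so the example runs offline.

```python
"""Enrich MDR detection events with hardening status before they reach the SOC."""

# Constructed sample events as they might be read from Kafka (field names assumed).
SAMPLE_EVENTS = [
    {"host": "srv-01", "attack_vector": "smbv1", "severity": "high"},
    {"host": "srv-02", "attack_vector": "smbv1", "severity": "high"},
    {"host": "srv-01", "attack_vector": "unknown-vector", "severity": "high"},
    {"host": "ws-99", "attack_vector": "smbv1", "severity": "high"},
]

# Constructed stand-in for what the Enforce Administrator REST API would return:
# per host, whether it is compliant and which attack vectors its hardening
# configuration has deactivated. The real API response format is an assumption.
HARDENING_STATUS = {
    "srv-01": {"compliant": True, "mitigated_vectors": {"smbv1", "llmnr", "ntlmv1"}},
    "srv-02": {"compliant": False, "mitigated_vectors": set()},
}


def lookup_hardening(host):
    """Hypothetical replacement for the REST call; returns None if the host is unknown."""
    return HARDENING_STATUS.get(host)


def enrich_event(event, lookup=lookup_hardening):
    """Attach hardening context and decide whether the event still needs the SOC."""
    enriched = dict(event)
    status = lookup(event["host"])
    if status is None:
        # Fail safe: without hardening data the original severity is kept.
        enriched["hardening"] = "unknown"
        enriched["decision"] = "escalate"
        return enriched
    enriched["hardening"] = "compliant" if status["compliant"] else "non-compliant"
    if event["attack_vector"] in status["mitigated_vectors"]:
        # The vector is deactivated on this host: downgrade instead of raising a red alert.
        enriched["severity"] = "info"
        enriched["decision"] = "all-clear"
    else:
        enriched["decision"] = "escalate"
    return enriched


def process_batch(events, lookup=lookup_hardening):
    """Enrich a batch of events, e.g. one Kafka poll."""
    return [enrich_event(e, lookup) for e in events]


if __name__ == "__main__":
    for e in process_batch(SAMPLE_EVENTS):
        print(e["host"], e["attack_vector"], e["hardening"], e["decision"])
```

Only the first event is downgraded: the same vector on a non-compliant host, an unmitigated vector on a hardened host, and a host the Enforce Administrator does not know all stay escalated.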

The following flowchart provides a detailed explanation. It shows what should happen when an attack is detected.

Flowchart of the “pEAgasus” project (Image: FB Pro/Trovent)

Does the project work?

The theory was clear. But did the practical implementation also work? Did “pEAgasus” – metaphorically speaking – get wings and take off as planned?

Yes, the project team developed a prototype in which the combination of Enforce Administrator and Trovent MDR worked as planned. This means that, thanks to the hardening information from the Enforce Administrator, the attack detection system can better classify the detected attacks and, for example, give the all-clear within a very short time.

What happens next?

The project team has shown very well that it is possible to compare hardening information with a Managed Detection and Response system and that this can lead to the desired results. Mission accomplished!

The task now is not only to connect the Enforce Administrator and the Trovent MDR for individual test scenarios, but also to make both tools fit for use on a large scale. In other words, the pilot is to become a finished product. This is expected to be ready in the course of the year. If you are interested, you can contact us now.


Conclusion

With “pEAgasus”, two things come together that belong together: System Hardening and Attack Detection – in a solution that works fully automatically. In our opinion, such a combination of MDR and hardening tool does not yet exist on the market. The team has broken new ground. With success!

And “pEAgasus” brings the concept of “SecOps” or “Security Operations” into practice. This is because it creates transparent collaboration between different areas of cyber security.

Images: Adobe Firefly, FB Pro, Trovent
