The Operations Behavior Anomaly Detection strengthens security resilience and operation stability by leveraging Cyber-Physical System Detection and Response (CPSDR). It collects behavioral patterns in the OT environment and identifies any unexpected changes or abnormal behaviors that could impact the operation.
This feature primarily defends against unexpected changes that may impact operational stability by comparing daily operation processes and behaviors with a unique baseline of each agent-device and performing comprehensive behavioral analysis not only via identifying baseline deviation but also using TXOne Networks' exclusive industrial application repository and ransomware detection engine.
Navigate to the target agent or group, and then go to its Policy page. For instructions on how to go to the Policy page, see Go to the Agent View for a single agent or Go to the Group Policy Screen for a group of agents.
Scroll down and find the Operations Behavior Anomaly Detection pane.
The Operations Behavior Anomaly Detection for StellarProtect (Legacy Mode) provides four normal modes for two pillars of protection. In addition, there is a special mode under two of the normal modes. For more information, please see the details below.
- Learn: In this mode, StellarProtect (Legacy Mode) collects behavioral patterns from the monitored agent-devices to establish baseline fingerprints.
  Important: TXOne Networks recommends setting the target agents to the Learn mode first to establish their own baseline fingerprints before they can perform automated behavioral analysis in the Detect or Enforce mode. See Operations Behavior Anomaly Detection for StellarProtect - Use Case for more details.
- Detect: In this mode, StellarProtect (Legacy Mode) identifies and sends alerts for any unexpected changes and security threats by analyzing current behaviors against the fingerprints at the agent-device and central management levels.
  - Strict mode: This special mode appears when you select the Detect mode. Enabling the Strict mode reduces the level of the fingerprint deviation allowed; in other words, it performs a stricter comparison between the established baseline and currently-running operational behaviors. In more dynamic operating environments where devices and access behaviors are more subject to change, this may generate more events.
- Enforce: In this mode, StellarProtect (Legacy Mode) takes preventative action on detected fingerprint deviations to defend operation stability and security.
  - Strict mode: This special mode appears when you select the Enforce mode. Enabling the Strict mode reduces the level of the fingerprint deviation allowed; in other words, it performs a stricter comparison between the established baseline and currently-running operational behaviors. In more dynamic operating environments where devices and access behaviors are more subject to change, this may generate more events and require more preventative actions to be taken.
- Disable: The Operations Behavior Anomaly Detection can also be disabled if needed, but it is recommended to keep this function enabled to maintain security against behavior anomalies.
Learning time:
When Detect or Enforce mode is selected, the Learning time option becomes available. You can specify the learning period for the target agents/group from the Learning time menu. The agents that have not established their own baselines will then start learning and once the learning period ends, they will automatically switch to the predefined Detect or Enforce mode.
See Setting the Learning Time and Setting the Learning Time - Use Case for more information.
- User Login: Defends the endpoints against credential-based attacks when enabled. By comparing the list of user accounts and login activities in the baseline with those used for daily operations, unrecognized user accounts or unexpected login activities will be detected as anomalies and trigger incident notifications.
  - Approved Login Accounts in Baseline: Click this link to go to the Situational Awareness page for viewing the approved user accounts and relevant details stored in the baseline at the agent level. See Approved Login Accounts for more information.
  - Policy-based Approved Login Accounts: Click this link to manually add approved user accounts and relevant details used in operations and processes to avoid false alerts. See Policy-based Approved Login Accounts for more information.
- Application Behavior: Safeguards the endpoints against malicious application attacks. By comparing the list of applications and application behaviors in the baseline with those running for daily operations, unrecognized applications or unexpected application behaviors will be detected as anomalies and trigger incident notifications.
  - Approved Applications in Baseline: Click this link to go to the Situational Awareness page for viewing the approved applications and relevant details stored in the baseline at the agent level. See Approved Applications for more information.
  - Policy-based Approved Applications: Click this link to manually add approved applications and relevant details used in operations and processes to avoid false alerts. See Policy-based Approved Applications for more information.
For more details on how the Strict mode works for the three pillars, see Strict Mode and Strict Mode - Use Case.
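The following Python model is an added illustration written for this page, not TXOne's code: it shows how a Learn/Detect/Enforce policy with a learning period, the two pillars (User Login and Application Behavior), the policy-based approved lists and the Strict option fit together as one comparison against a per-agent baseline. The event dictionary, the use of an event count as the learning-time unit, the rule that Strict mode also flags a known application showing a behavior not in its baseline, and all sample accounts, applications and behaviors are assumptions made here.

```python
"""Toy baseline-driven anomaly detector (added example; not TXOne's implementation).
Assumptions: learning time is counted in observed events, non-strict mode only flags
applications absent from the baseline, strict mode also flags (app, behavior) pairs
absent from the baseline, and all sample data below is constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    LEARN = "Learn"
    DETECT = "Detect"
    ENFORCE = "Enforce"
    DISABLE = "Disable"


@dataclass
class Baseline:
    accounts: set = field(default_factory=set)        # User Login pillar
    apps: set = field(default_factory=set)            # applications seen while learning
    app_behaviors: set = field(default_factory=set)   # (app, behavior) pairs seen while learning

    def is_empty(self) -> bool:
        return not (self.accounts or self.apps)


@dataclass
class Agent:
    name: str
    mode: Mode = Mode.DISABLE
    strict: bool = False
    target_mode: Optional[Mode] = None     # mode to switch to once the learning period ends
    learning_events: int = 0               # assumed unit for "Learning time": number of events
    learned: int = 0
    baseline: Baseline = field(default_factory=Baseline)
    approved_accounts: set = field(default_factory=set)  # policy-based approved login accounts
    approved_apps: set = field(default_factory=set)      # policy-based approved applications
    events: list = field(default_factory=list)

    def apply_policy(self, mode: Mode, strict: bool = False, learning_events: int = 0) -> Mode:
        """Apply a policy. Selecting Detect/Enforce with a learning time sends an agent that
        has no baseline yet into Learn first; an agent that already has one starts the
        chosen mode immediately. Returns the mode the agent is now in."""
        self.strict = strict
        self.target_mode = None
        if mode in (Mode.DETECT, Mode.ENFORCE) and learning_events and self.baseline.is_empty():
            self.mode, self.target_mode = Mode.LEARN, mode
            self.learning_events, self.learned = learning_events, 0
        else:
            self.mode = mode
        return self.mode

    def _learn(self, kind: str, *values) -> None:
        if kind == "login":
            self.baseline.accounts.add(values[0])
        else:
            self.baseline.apps.add(values[0])
            self.baseline.app_behaviors.add(values)       # (app, behavior)
        self.learned += 1
        if self.target_mode and self.learned >= self.learning_events:
            self.mode, self.target_mode = self.target_mode, None   # learning period over

    def _is_anomaly(self, kind: str, *values) -> bool:
        if kind == "login":
            user = values[0]
            return user not in self.baseline.accounts and user not in self.approved_accounts
        app, behavior = values
        if app in self.approved_apps:
            return False
        if self.strict:
            # assumed strict rule: a known application with an unseen behavior also deviates
            return (app, behavior) not in self.baseline.app_behaviors
        return app not in self.baseline.apps

    def observe(self, kind: str, *values) -> Optional[dict]:
        """Feed one observation: ("login", username) or ("app", name, behavior).
        Returns an event dict when the observation produces one, otherwise None."""
        if self.mode is Mode.DISABLE:
            return None
        if self.mode is Mode.LEARN:
            self._learn(kind, *values)
            return None
        if not self._is_anomaly(kind, *values):
            return None
        action = "alert" if self.mode is Mode.DETECT else "block"
        event = {"agent": self.name, "mode": self.mode.value, "action": action,
                 "pillar": "User Login" if kind == "login" else "Application Behavior",
                 "detail": values}
        self.events.append(event)
        return event


def demo() -> list:
    """Constructed walkthrough: three learning events, then hand-over to Enforce + Strict."""
    agent = Agent("hmi-01")
    agent.apply_policy(Mode.ENFORCE, strict=True, learning_events=3)
    agent.observe("login", "operator")               # learned
    agent.observe("app", "hmi.exe", "start")         # learned
    agent.observe("app", "hmi.exe", "read-config")   # learned; learning period ends here
    agent.approved_accounts.add("maintenance")       # policy-based approved account
    return [
        agent.observe("login", "operator"),                # in baseline -> None
        agent.observe("login", "maintenance"),             # policy-approved -> None
        agent.observe("login", "admin1"),                  # unknown account -> block
        agent.observe("app", "hmi.exe", "start"),          # in baseline -> None
        agent.observe("app", "hmi.exe", "write-config"),   # known app, new behavior -> block (strict)
    ]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Run it directly to see which constructed observations produce an event; the same observation sequence against an agent in non-strict Detect mode would let the known application's new behavior pass and only alert on the unknown account.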
The following table illustrates how the two pillars work in the Learn, Detect, and Enforce modes.
| Operations Behavior Anomaly Detection | User Login | Application Behavior |
|---|---|---|
| Learn | Stores the login account listed below in the baseline. For example: | Stores the application behavior listed below in the baseline. For example: |
| Detect | Sends events for the unexpected change. For example: Username: admin1 | Sends events for the unexpected changes. For example: Behavior: 2 |
| Enforce | Sends events for the unexpected change. For example: Username: admin1 | Sends events for the unexpected changes. For example: Behavior: 2 |