
Operations Behavior Anomaly Detection strengthens security resilience and operational stability by leveraging Cyber-Physical System Detection and Response (CPSDR). It collects behavioral patterns in the OT environment and identifies unexpected changes or abnormal behaviors that could impact operations.

The feature primarily defends against unexpected changes that may affect operational stability. It compares daily operation processes and behaviors with a baseline that is unique to each agent-device, and its behavioral analysis goes beyond baseline deviation: it also draws on TXOne Networks' exclusive industrial application repository and ransomware detection engine.

Navigate to the target agent or group, and then go to its Policy page. For instructions on how to go to the Policy page, see Go to the Agent View for a single agent or Go to the Group Policy Screen for a group of agents.

Scroll down and find the Operations Behavior Anomaly Detection pane.

Operations Behavior Anomaly Detection provides four normal modes that apply to three pillars of protection. Two of the normal modes (Detect and Enforce) additionally offer a special Strict mode. See the details below for more information.

Four Normal Modes:
  • Learn: In this mode, the agents collect behavioral patterns from the monitored devices to establish baseline fingerprints.

    Important:

    TXOne Networks recommends setting the target agents to the Learn mode first to establish their own baseline fingerprints before they can perform automated behavioral analysis in the Detect or Enforce mode. See Use Case for more details.

  • Detect: In this mode, the agents identify and send alerts for any unexpected changes or security threats by analyzing current behaviors against the fingerprints at the agent-device and central management levels.

    • Strict mode: This special mode appears when you select the Detect mode. Enabling the Strict mode reduces the level of the fingerprint deviation allowed; in other words, it performs stricter comparison between the established baseline and currently-running operational behaviors. In more dynamic operating environments where devices and access behaviors are more subject to change, this may generate more events.

  • Enforce: In this mode, the agents take preventative action on detected fingerprint deviations to defend operation stability and security.

    • Strict mode: This special mode appears when you select the Enforce mode. Enabling the Strict mode reduces the level of the fingerprint deviation allowed; in other words, it performs stricter comparison between the established baseline and currently-running operational behaviors. In more dynamic operating environments where devices and access behaviors are more subject to change, this may generate more events and require more preventative actions to be taken.

  • Disable: The Operations Behavior Anomaly Detection can also be disabled if needed, but it is recommended to have this function enabled to maintain security against behavior anomalies.

Learning time:

When Detect or Enforce mode is selected, the Learning time option becomes available. You can specify the learning period for the target agents/group from the Learning time menu. The agents that have not established their own baselines will then start learning and once the learning period ends, they will automatically switch to the predefined Detect or Enforce mode.

See Setting the Learning Time and Setting the Learning Time - Use Case for more information.

Three Pillars of Protection:
  • Script Behavior: Protects the endpoints against script-based or fileless attacks when enabled. By comparing the list of script behaviors and monitored processes in the baseline with those running in daily operations, an unrecognized monitored process or an unexpected script behavior is detected as an anomaly and triggers an event notification or is blocked.

    • Approved Script Behaviors in Baseline: Click this link to go to the Situational Awareness page for viewing the approved script behaviors and relevant details stored in the baseline at the agent level. See Approved Applications for more information.

    • Policy-based Watchlist: Click this link to manually add commonly-abused applications used in operations and processes to the Monitored Application list for strengthening security monitoring. See Policy-based Watchlist for more information.

  • User Login: Defends the endpoints against credential-based attacks when enabled. By comparing the list of user accounts and login activities in the baseline with those used for daily operations, unrecognized user accounts or unexpected login activities will be detected as anomalies and trigger events.

    • Approved Login Accounts in Baseline: Click this link to go to the Situational Awareness page for viewing the approved user accounts and relevant details stored in the baseline at the agent level. See Approved Login Accounts for more information.

    • Policy-based Approved Login Accounts: Click this link to manually add approved user accounts and relevant details used in operations and processes to avoid false alerts. See Policy-based Approved Login Accounts for more information.

  • Application Behavior: Safeguards the endpoints against malicious application attacks. By comparing the list of applications and application behaviors in the baseline with those running for daily operations, unrecognized applications or unexpected application behaviors will be detected as anomalies and trigger incident notifications.

    • Approved Applications in Baseline: Click this link to go to the Situational Awareness page for viewing the approved applications and relevant details stored in the baseline at the agent level. See Approved Applications for more information.

    • Policy-based Approved Applications: Click this link to manually add approved applications and relevant details used in operations and processes to avoid false alerts. See Policy-based Approved Applications for more information.

The three pillars of protection can be toggled on individually to guard separate attack surfaces, or you can enable all three and set them to Strict mode for maximum defense.

Note:

For more details on how the Strict mode works for the three pillars, see Strict Mode and Strict Mode - Use Case.

The following table illustrates how the three pillars work in the Learn, Detect, and Enforce modes. Note that the blocking action of Enforce mode applies to the Script Behaviors pillar; User Login and Application Behavior deviations raise alerts in both Detect and Enforce mode.

Table 1. An example of how Operations Behavior Anomaly Detection works

Learn
  • Script Behaviors: Stores the approved script behavior in the baseline. For example: explorer.exe → cmd.exe (monitored process or script)
  • User Login: Stores the login account in the baseline. For example: Username: admin; Domain: TXOne
  • Application Behavior: Stores the application behavior in the baseline. For example: Application: Google Chrome; Behavior: 1

Detect
  • Script Behaviors: Sends an alert for the unexpected change. For example: cmd.exe → explorer.exe (monitored process or script)
  • User Login: Sends an alert for the unexpected change. For example: Username: admin1
  • Application Behavior: Sends an alert for the unexpected change. For example: Behavior: 2

Enforce
  • Script Behaviors: Blocks the unexpected change. For example: cmd.exe → explorer.exe (monitored process or script)
  • User Login: Sends an alert for the unexpected change. For example: Username: admin1
  • Application Behavior: Sends an alert for the unexpected change. For example: Behavior: 2
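To make the mode semantics above concrete, the following Python model walks the three pillars through Learn, Detect (with and without Strict) and Enforce over constructed events that mirror the rows of Table 1. It is an added example written for this page, not TXOne Networks code: the pipe-delimited event format, the Strict-mode rule (Strict compares the whole fingerprint, non-Strict ignores the last and most volatile field) and the learning-time state machine are assumptions made for illustration, not the product's actual algorithm.

```python
"""Illustrative model of Operations Behavior Anomaly Detection decisions.

Added example, not TXOne Networks code. The event format, the Strict-mode
matching rule and the learning-time state machine are assumptions made for
illustration, not the product's actual algorithm.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

LEARN, DETECT, ENFORCE, DISABLE = "Learn", "Detect", "Enforce", "Disable"

# Pillar tag in an event line -> Baseline attribute holding its fingerprints.
PILLAR_SETS = {"script": "script_chains", "login": "logins", "app": "app_behaviors"}


@dataclass
class Baseline:
    script_chains: set = field(default_factory=set)  # (parent image, child image, command line)
    logins: set = field(default_factory=set)         # (domain, username, source host)
    app_behaviors: set = field(default_factory=set)  # (application, behavior id, image path)

    def established(self) -> bool:
        return bool(self.script_chains or self.logins or self.app_behaviors)


@dataclass
class Agent:
    name: str
    baseline: Baseline = field(default_factory=Baseline)
    learning_until: Optional[datetime] = None


def effective_mode(agent: Agent, configured: str, now: datetime,
                   learning_time: timedelta) -> str:
    """Assumed learning-time rule: an agent with no baseline learns for
    `learning_time`, then switches to the configured Detect/Enforce mode."""
    if configured in (LEARN, DISABLE):
        return configured
    if agent.learning_until is None:
        if agent.baseline.established():
            return configured  # baseline already exists, no learning period needed
        agent.learning_until = now + learning_time
    return LEARN if now < agent.learning_until else configured


def decide(mode: str, strict: bool, agent: Agent, line: str) -> str:
    """Classify one event line of the form 'pillar|field|field|...'.

    Assumed Strict rule: Strict compares the full fingerprint tuple; non-Strict
    drops the last, most volatile field (command line, source host, image path).
    """
    pillar, *fields = line.split("|")
    entries = getattr(agent.baseline, PILLAR_SETS[pillar])
    key = tuple(fields)
    if mode == DISABLE:
        return "ignore"
    if mode == LEARN:
        entries.add(key)  # Learn mode only records, it never alerts
        return "learned"
    known = key in entries if strict else key[:-1] in {e[:-1] for e in entries}
    if known:
        return "allow"
    # Table 1: Enforce blocks script deviations; login and application
    # deviations are alerted in both Detect and Enforce mode.
    if mode == ENFORCE and pillar == "script":
        return "block"
    return "alert"


def run(agent: Agent, configured: str, strict: bool, now: datetime,
        learning_time: timedelta, lines: list[str]) -> list[str]:
    """Resolve the effective mode once, then classify every event."""
    mode = effective_mode(agent, configured, now, learning_time)
    return [decide(mode, strict, agent, ln) for ln in lines]


# Constructed sample events mirroring Table 1 (not real telemetry).
LEARN_EVENTS = [
    "script|explorer.exe|cmd.exe|cmd.exe /c dir",
    "login|TXOne|admin|HMI-01",
    r"app|Google Chrome|1|C:\Program Files\Google\Chrome\Application\chrome.exe",
]
DAILY_EVENTS = [
    "script|explorer.exe|cmd.exe|cmd.exe /c dir",     # in baseline
    "script|explorer.exe|cmd.exe|cmd.exe /c whoami",  # same chain, new command line
    "script|cmd.exe|explorer.exe|explorer.exe",       # reversed chain: deviation
    "login|TXOne|admin1|HMI-01",                      # unknown account
    r"app|Google Chrome|2|C:\Program Files\Google\Chrome\Application\chrome.exe",
]


def demo() -> dict[str, list[str]]:
    """Learn first, then replay the daily events in Detect, Detect+Strict and Enforce."""
    t0, week = datetime(2024, 1, 1), timedelta(days=7)
    agent = Agent("HMI-01")
    out = {}
    # Configured Detect with a 7-day learning time: no baseline yet, so it learns ...
    out["day0"] = run(agent, DETECT, False, t0, week, LEARN_EVENTS)
    # ... and is in Detect once the learning period has elapsed.
    out["detect"] = run(agent, DETECT, False, t0 + week, week, DAILY_EVENTS)
    out["detect_strict"] = run(agent, DETECT, True, t0 + week, week, DAILY_EVENTS)
    out["enforce"] = run(agent, ENFORCE, False, t0 + week, week, DAILY_EVENTS)
    return out


if __name__ == "__main__":
    for phase, decisions in demo().items():
        print(phase, decisions)
```

Running `demo()` shows the two points a practitioner cares about: the `whoami` command line passes in plain Detect but is alerted once Strict narrows the allowed deviation, and the reversed process chain is merely alerted in Detect but blocked in Enforce, while the unknown account and the new Chrome behavior are alerted in both.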