Industrial Internet Security Framework v 1.0 | Page 99

Security Framework 10: Security Monitoring and Analysis

Predictive monitoring and analysis systems gather and analyze data to identify trends suggesting that new attacks are about to occur, or that IIoT systems have changed in ways that might make them more susceptible to future attacks. Examples of data that may suggest new attacks are an increase in the frequency of audit function shutdowns, system configuration changes and unexpected user account creation. These may suggest that a system has become vulnerable to attacks and that proper policies and procedures are not being followed.

10.2.2 TYPES OF SECURITY ANALYTICS SYSTEMS

Security analytics traditionally tend to be either behavioral or rules-based. These are also known as anomaly-based or signature-based systems, respectively.

Behavioral/anomaly-based systems first learn the characteristics of “normal” operation. Once that learning is complete, the system generates alerts when tracked characteristics deviate significantly from the learned normal operation. Anomaly-based network intrusion detection systems and file system monitoring systems are examples of behavioral analytics. Safety-critical and reliability-critical systems are good candidates for behavioral analysis because they change slowly.

Rule/signature-based analytics rely on a library of rules or signatures to identify suspicious behavior. When a set of security values is received that matches a rule, an alert is raised.

Both kinds of analytics may result in false negatives (when the analytic engine fails to recognize an attack) or false positives (when the engine incorrectly diagnoses legitimate activity as an attack). There is a trade-off between false-negative and false-positive errors: the lower the threshold for suspicious behavior, the smaller the risk of false-negative missed alarms, but the greater the number of false-positive alarms. Analysis should use both behavioral and rule-based indicators.
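As an added illustration of the two indicator types and the threshold trade-off described above (example code written for this page, not from the IISF or any IIC implementation), the following toy engine raises rule-based alerts for event types that should never occur and behavioral alerts when an hour's event volume deviates from a learned baseline. The event log, rule library and six-hour training window are constructed assumptions.

```python
# Toy security analytics engine: a signature library for events that are never
# intended to occur, plus a behavioral baseline of hourly event volume.
from statistics import mean, pstdev

# Rule-based indicators (constructed library): event type -> alert description.
RULES = {
    "audit_shutdown": "audit function shutdown",
    "user_created": "unexpected user account creation",
    "config_change": "system configuration change",
}

# Constructed hourly log of (hour, event_type). Hours 0-5 are the training
# window used to learn "normal"; hours 6-7 are monitored against it.
EVENTS = [
    (0, "login"), (0, "login"), (1, "login"), (2, "login"), (2, "login"),
    (3, "login"), (4, "login"), (4, "login"), (5, "login"),
    (6, "login"), (6, "audit_shutdown"),
    (7, "login"), (7, "login"), (7, "login"), (7, "login"), (7, "login"),
    (7, "login"), (7, "login"), (7, "user_created"),
]

def rule_alerts(events):
    """Signature matching: any event whose type is in RULES raises an alert."""
    return [(hour, RULES[kind]) for hour, kind in events if kind in RULES]

def hourly_counts(events, hours):
    """Total number of events observed in each of the given hours."""
    return [sum(1 for h, _ in events if h == hour) for hour in hours]

def learn_baseline(training_counts):
    """Learn 'normal' as the mean and population std-dev of hourly volume."""
    return mean(training_counts), pstdev(training_counts)

def behavioral_alerts(events, hours, baseline, threshold):
    """Alert on hours whose volume exceeds mean + threshold * stdev.
    A lower threshold misses fewer deviations but raises more false positives."""
    mu, sigma = baseline
    return [h for h, c in zip(hours, hourly_counts(events, hours))
            if c > mu + threshold * sigma]

if __name__ == "__main__":
    base = learn_baseline(hourly_counts(EVENTS, range(6)))
    print("rule alerts:", rule_alerts(EVENTS))
    for t in (3.0, 0.5):  # stricter vs. looser threshold
        print(f"behavioral alerts @ {t}:", behavioral_alerts(EVENTS, range(6, 8), base, t))
```

With threshold 3.0 only the burst in hour 7 is flagged; lowering it to 0.5 also flags hour 6, whose volume is ordinary, showing the extra false-positive alarms the text warns about.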
Behavioral indicators detect those events that are difficult to define with rules alone. Rule-based indicators detect those events that are clearly never intended to occur and are difficult for the analytics to learn from training. The rules and signatures must be kept up to date, which can be a challenge. Behavioral systems may also require management to correct or modify the training if bad behavior is perceived as good.

IIC:PUB:G4:V1.0:PB:20160926 - 99 -