Enforce Your Network Security Policy

Policy-based detection is a strong, deterministic, OT-specific tool that can be leveraged to detect under-the-radar events that don’t rise above statistical noise and thus go unnoticed by anomaly-based detection. As such, policy-based detection closes the ICS network security loop against all types of threats, and complements Indegy’s anomaly detection engine.

In addition to offering predefined OT policy packs, Indegy enables users to configure their own rules using a flexible, wizard-based interface. In accordance with each company's network security policy, these rules trigger alerts about risky activities, undesired asset configuration, or deviations from compliance requirements.


OT Activity Policies

Comprehensive ICS context awareness allows users to define alerts based on an activity's specific network impact, using blacklisting, whitelisting or value-threshold monitoring.


Compliance Requirements

Deterministic policies are crucial for areas where anomaly detection is inapt, such as complying with internal security policies or external regulations for ICS operations.


Flexible Rule Creation

Intuitive UI for defining rules based on IP ranges, automated asset classification category (e.g., controllers, engineering workstations, servers or HMIs) and logical operators.

Indegy Dual Threat Detection

Indegy's Threat Detection & Mitigation technology uniquely combines policy-based detection with anomaly detection. By leveraging both rules and statistical analysis, our technology finds more threats and risks, faster, and with fewer false positives. The policy detection engine strictly enforces deterministic rules based on the network security policy. This capability is complemented by the anomaly detection tool, which identifies stealthy deviations in network behavior from the statistical baseline.

Much More Than Statistics

Enriched alerts

It’s critical you understand exactly what happened when an alert is triggered.

Each deterministic alert is accompanied by meaningful, detailed information and context. This lets users immediately see which rule triggered the alert, identified by its pre-defined name together with its assigned criticality level. These enriched alerts help authorized personnel get to the root cause of the alarm faster. A network traffic recording (PCAP) of the seconds before and after an alert is also provided for further analysis.

Pre-Defined Policies

Enforce a wide variety of policies culled from proven expertise in OT environments.

Indegy provides a standard package of pre-defined policies based on best practices of OT environment owners. Policies range from alerts about communication protocols that don’t match the vendor's automated discovery of control devices to rare activities that carry significant risk, such as the update of a controller's firmware version.
This package is fully customizable to each organization's specific requirements, allowing users to fine-tune existing policies or add new ones as needed.

Detect Evasive Attacks

Discover potential risks that don’t rise above the statistical noise.

Anomaly detection technology, as used in Indegy’s threat detection engine, can discover many irregularities in the network. However, many cyber-attacks have a very low network signature to evade anomaly detection. When protecting the crown jewels of your operational environment, you need to detect all potential risks. Policy-based detection can, for example, raise an alert each time a firmware version of a PLC or DCS controller changes, or when new hardware is added to the network.

Regulation & Compliance

Sometimes risk mitigation isn’t about baselining - it’s about adhering to guidelines.

Indegy’s policy-based detection mechanism allows users to enforce policies which are completely unrelated to anomalies, or where baselining wouldn’t be effective because the condition the user wants to flag is already part of the network's steady state. For example: policies that alert on any change of controller configuration made locally rather than from a designated workstation; alerts about any Windows machine that isn't running a specific antivirus agent; and enforcing time-of-day restrictions for specific activities or protocols in the network.

Trigger by Asset Type

Define policies based on the type of asset rather than defining IP ranges.

Indegy’s automated classification system simplifies configuring rules and policies by keeping track of all assets and devices. Policies can be defined based on asset groups, which can be defined manually or automatically by category and classification. Once all assets are classified by Indegy, it is easy and straightforward to create policies such as “Only engineering stations can download code to controllers” or “Only PCs that are running Windows 10 can communicate with the Enterprise IT network.”

Beyond network activity

Policies can also be used to monitor proper configuration of devices in the environment.

Policies can relate to other elements besides the nature and type of network activity. Rules can also be defined with respect to configuration changes or asset properties, such as a “Snapshot Mismatch” on a controller, new assets that appear on the network, or assets that have not been seen on the network for a specific timeframe. Policies can be limited to specific schedules (e.g. a new asset that was added during a work day) and/or to specific asset classifications.
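As an added illustration, not Indegy's own code or rule syntax, the following Python model shows how the asset-class-based, schedule-aware and new-asset policies described in the sections above can be expressed and evaluated deterministically; the asset addresses, classifications, rule names and severities are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed asset inventory (placeholder addresses); "type" stands in for the
# category an automated OT asset classifier would assign to each device.
ASSETS = {"10.0.1.10": {"type": "engineering_workstation"},
          "10.0.1.20": {"type": "hmi"},
          "10.0.2.5": {"type": "controller"}}
OFF_HOURS = set(range(18, 24)) | set(range(0, 6))  # local hours when changes are not expected

@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    activity: str  # e.g. "code_download", "firmware_update", "config_change"

@dataclass
class Policy:
    name: str
    severity: str
    condition: object  # callable(event, src_asset, dst_asset) -> True when violated
    hours: set = None  # schedule: enforce only when event.ts.hour is in this set

POLICIES = [
    Policy("Code download from non-engineering station", "High",
           lambda e, s, d: e.activity == "code_download" and d["type"] == "controller"
           and s["type"] != "engineering_workstation"),
    Policy("Controller firmware version change", "Critical",
           lambda e, s, d: e.activity == "firmware_update" and d["type"] == "controller"),
    Policy("Controller configuration change outside work hours", "Medium",
           lambda e, s, d: e.activity == "config_change" and d["type"] == "controller",
           hours=OFF_HOURS),
    Policy("Activity from unclassified (new) asset", "Low",
           lambda e, s, d: s["type"] == "unknown"),
]

def evaluate(event, policies=POLICIES, assets=ASSETS):
    """Check one event against every policy; return enriched alerts (rule, severity, context)."""
    src = assets.get(event.src, {"type": "unknown"})
    dst = assets.get(event.dst, {"type": "unknown"})
    alerts = []
    for p in policies:
        if p.hours is not None and event.ts.hour not in p.hours:
            continue  # rule not in effect at this time of day
        if p.condition(event, src, dst):
            alerts.append({"rule": p.name, "severity": p.severity, "activity": event.activity,
                           "src": f"{event.src} ({src['type']})", "dst": f"{event.dst} ({dst['type']})"})
    return alerts
```

Each returned alert carries the rule name, its criticality and the classified source and destination, which is the kind of context an operator needs to reach the root cause quickly.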


Do you know all the threats to your ICS?

If your ICS network devices are compromised, your company is vulnerable to operational disruptions and widespread damage.

Unmatched Threat Hunting


Using Policy-based detection in tandem with Anomaly Detection, you'll detect more threats faster, and keep your industrial infrastructure safe.