Situation
It was tasked with strengthening cybersecurity at selected partner organizations (ministries within the government of the Czech Republic) as well as supervising and auditing their compliance with Act No. 181/2014 Coll. on Cyber Security, which it also helps create.
The Act specifically requires public organizations to have “a cybersecurity incident detection tool” and “ a tool for the collection and analysis of cybersecurity incidents” in place.
“We needed a complex system that would allow us to collect network data from partners and detect traffic anomalies,” says Stanislav Bárta, Head of the Network Traffic Analysis Department at the NÚKIB.
To comply with these requirements, Flowmon provided the NÚKIB with standalone systems for network data collection with anomaly detection capabilities. They were deployed at the partner institutions and integrated with the Control Center operated by GovCERT.CZ - Czech government’s CERT team responsible for coordinating security incident response and prevention.
Solution
Collection and analysis
At each partner institution, the system collects data using TAPs for traffic mirroring and Flowmon Probes for the generation of L7-enriched flow data and traffic statistics. All the data generated by the Probes at a particular location is sent to a local Collector where it is stored and analyzed.
Flowmon analyzes each partner’s data locally to detect unknown and insider threats, DDoS attacks and other incidents. Most of these tasks are performed by Flowmon Anomaly Detection System - an NTA module that uses 40 detection algorithms to seek anomalies that are hidden in network traffic and would otherwise be undetectable by traditional methods.
Local activity details or the content of user communication are not collected so as to avoid the exposure of sensitive information.
Data gathering and analysis scheme
Correlation
Raw perimeter data and detected security events are sent to the Control Center via a secure link, where they are further analyzed and correlated. “Correlating the detected security events centrally allows us to uncover attacks that would not be recognized as malicious if viewed from the perspective of individual partners,” says Bárta.
After analysis, the GovCERT.CZ Control Center sends back security updates to the partners. The NÚKIB infrastructure houses an update server that shares the results of the analysis with the partners, providing them with updated blacklists and Indicators of Compromise to be utilized by Flowmon ADS. This helps them detect incidents such as anomalous outgoing data flows, connections to blacklisted IPs, or malware activity.
Protection
With Flowmon in place, the NÚKIB and the partner institutions now benefit from a robust, AI-powered system capable of uncovering security incidents and their early symptoms. The ministries can be sure that the sensitive data of the citizens of the Czech Republic is protected by a sophisticated, multi-layered system.
“Multi-layered means that the interception capability of each partner is enhanced by a global security perspective provided by us,” says Bárta. In this way, the Agency facilitates a reciprocal exchange for the ministries that allows them to improve each other’s security posture.
The NÚKIB has since been at the forefront of cyber protection in the country and has tackled many major security challenges, including assistance with dismantling a foreign spy network operating in the country in late 2019.
