Skip to content

GREYCORTEX Mendel 3.8 Now Available

We have released a new version of GREYCORTEX Mendel

You will now have even deeper insight into your IT and OT networks thanks to the customizability and versatility of GREYCORTEX Mendel 3.8.

GREYCORTEX Mendel 3.8 Features List



Dynamic monitoring of IT and OT network

Visualize your network assets in a broader context

We bring broader and clearer insights into your network with new automated or manual classification of devices and subnets into logical parts according to given criteria.
You are also able to create and assign a tag for all network assets including enhanced information. You can classify or process the tagged devices and subnetworks using other logical operations.
With individual tags, it is possible for you to monitor any changes that occur on your devices. This gives you an overview of the network in a broader context.



Better overview of network security

Keep your network security under control

Mendel interprets all events captured in your network with more clarity thanks to the MITRE ATT&CK® framework.
Events in the network are classified according to:
 —  MITRE ATT&CK® tactics and techniques
 —  Proofpoint rules
 —  Top events – you can see the most relevant events at the top

Wider options for network data retrieval

Choose your own view of your data

GREYCORTEX Mendel 3.8 is capable of deeper and more advanced data analysis than ever before. 
Thanks to the redesigned analysis module, you can  define any view over your processed and stored data using attributes, metrics and other variables.

Easier deployment of GREYCORTEX Mendel 

See all your subnets straight after deployment

Immediately after deploying GREYCORTEX Mendel 3.8 to your network, Mendel starts the process of finding and classifying all subnets by itself.
Thanks to this categorization at this early stage of deployment, you can orientate in the network quickly and clearly. 
A hidden subnet could be a potential threat to your entire network. Now you can avoid the danger using this new enhancement.

Asset Discovery

Do you know what is hiding in your OT/ICS network?

Search for information about the OT devices in your network proactively. GREYCORTEX Mendel supports many OT protocols, giving you the ability to see all devices in your network and also find detailed information about them. You will get such details as manufacturer, serial number, the last revision date of hardware or software, and much more.

GREYCORTEX Releases Security Update to Patch Apache Log4j Vulnerability

GREYCORTEX is actively responding to the reported high severity vulnerability (CVE-2021 – 44228) that was found in the Apache Log4j library. All Mendel installations deployed in the last few years are vulnerable to this vulnerability. The new version, 3.8.0, which will be released in the upcoming days, is not affected and current versions 3.7.x and 3.6.x have now been covered with security updates.

Background

A high severity vulnerability (CVE-2021 – 44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.

Log4j is used as a component of our GREYCORTEX Mendel product. More information on the vulnerability can be found in the links below.

CVE-2021 – 44228 Detail (NIST)

CVE-2021 – 44228 vulnerability in Apache Log4j library (SecureList)

Is my Mendel deployment vulnerable? 

All Mendel installations deployed in the last few years are affected by this vulnerability but the vulnerable part of the Mendel deployment is NOT exposed to a direct Internet connection.

What can I do to mitigate and resolve this issue?

GREYCORTEX has actively responded to the reported remote code execution vulnerability in the Apache Log4j 2 Java library, dubbed Log4Shell (or LogJam). We have investigated and taken action regarding our product GREYCORTEX Mendel. The new version 3.8.0, which will be released in the upcoming days, is not affected and current versions 3.7.x and 3.6.x are now covered with security updates, which are automatically distributed through the update server.

Older systems will not be patched, customers who are using older versions are strongly advised to upgrade.

Mitigations: if you are not able to upgrade to the newer version or your Mendel instance does not have access to the update server, then please restrict access to Mendel via your firewall settings. It is recommended to restrict access only to a trustworthy IP address range, also for normal operations.

How can I find out if my Mendel system or other systems of our customers have been compromised?

Mendel includes a set of detection rules that can detect whether a vulnerability in the Apache Log4j logging framework has been exploited to attack the Mendel system itself or other systems in your infrastructure. These rules are automatically available through the GREYCORTEX update server. If your Mendel instance or your customer instance is online, these signatures will be added to it automatically.

Why Hospital Cyber Protection Is a Hard Nut to Crack

There is a simple reason why hospitals are the frequent targets of cybercriminals. Hospital networks contain patients’ and research data that is highly valued on the black market. And their infrastructure specifics make protecting it difficult.

In 2020, all 16 Czech key hospitals covered that year by the Cybersecurity Act reported a cyber incident. But also smaller healthcare facilities were being attacked and protecting them was no less complicated.

There are a few complications that make hospital cybersecurity challenging: the complex architecture of hospital networks, the frequent obsolescence of operating systems and also the insufficient number of qualified security personnel.

In addition, legislative requirements place high demands on security, including:

  • GDPR
  • Your National eHealth Center’s methodological guidelines (if you have one)
  • International standards that summarize security recommendations for the use of healthcare systems and best practices (ENISA – Cyber security and resilience for Smart Hospitals, MDISS – Medical Device Innovation, Safety & Security Consortium)

Last, but not least, every organization usually has its own internal security regulations. These are based on risk analyses or the internal recommendations and requirements of the hospital’s governing board for the operation of IT in the hospital.

The Most Common Targets of Attackers

In the first stages, attackers aim usually at hospital employees’ login credentials, through which attackers try to gain access to VPNs, internal or health information systems. All these systems contain high-value data through which the attacker can hold the hospital to ransom.

Another source of income for attackers is research data that can be effectively monetized, but patient data is an especially big gain. The price for this information (data about a person and their health status) is from tens to hundreds of dollars per record on the black market. By contrast, mere contact details (for example, from a hacked e-shop) are only worth units of dollars.

And, of course, there are attacks whose primary goal is to take a hospital out of operation. In the case of compromised information systems, hospitals are unable to retrieve medical records or determine the availability of drugs and supplies. In the worst case scenario, the attack affects the operational infrastructure.

In short: the hospital cannot provide the healthcare function essential for its patients.

The Specifics of Internal Hospital Networks

Hospital internal networks have a specific and rather complicated architecture. They are the combination of not only IT elements but also include the operational technology of specialized medical departments as well as devices such as air conditioning, heating or blind controls.

There are many different types of IT networks in hospitals, for example:

  • Medical networks, in which doctors and nurses access medical records, inventories and other medical information
  • Patient networks, which are used by patients and visitors to the hospital
  • Private physician networks, which lease connectivity from the hospital and also have access to the internal network of information systems

All of this is often complicated by the frequent use of outdated systems and insufficient staff capacity to ensure the organization’s cybersecurity.

We should view these characteristics as specifics that cannot be immediately addressed but need to be kept in mind when securing health facilities. For example, some modalities (diagnostic equipment such as X-ray machines, ultrasound, etc.) were purchased by hospitals 10 to 15 years ago and their level of security corresponds to their age. Often, the manufacturer does not even provide necessary updates, so there are devices with an un-updated operating system in the network. We have seen devices running on Windows XP. Even DOS and old versions of Linux are not rare as without these operating systems, it is not possible to use these devices.

Our experience, coming from dozens of hospitals in the European Union and Asia, has shown us that there are many hospitals with a high level of cyber protection. Unfortunately, there are also those with a large number of security shortcomings that need to be solved. Fortunately, GREYCORTEX Mendel can help them all.

The Most Frequent DNS Management Errors and How to Fix Them

As an integral part of our job, we have the opportunity to look into the network communication of many different types of companies. During audits, we have come across all sorts of different misconfigurations and malicious activities. Today, we will look at what to look out for in the area of DNS.

When you type www.greycortex.com into your web browser, you assume that you are accessing our GREYCORTEX website.

What you see depends, among other things, on the DNS translation, which translates the name www.greycortex.com into the numeric form of the IP address: 91.239.201.14.

The DNS server that controls this translation also controls the destination IP address and the server to which the user is redirected. Whoever sees the DNS queries for a particular device can see what servers the device connects to – what services it uses or what it does.

The following are the most common problems we see in DNS management:

  • An open port 53 without any restrictions allows the transmission of any of your data. It can be misused not only by attackers but also by legitimate applications.
  • You’re not the administrator of your own domain – your network can then become the target of a Man-in-the-Middle attack.
  • Misspellings in DNS server IP addresses – devices that are manually configured are particularly vulnerable, for example, the prevention of security updates.

An Unlimited Open Port 53

In many networks, we see an open port 53 from the internal network to the Internet without any restrictions. This means that any device on the internal network can connect to any other device on the Internet. This is used by both attackers and legitimate applications, which can be a problem from a security perspective.

Attackers can use an open port 53 to the Internet to create a DNS tunnel. They can then send any data through it. For example, using Iodine software, they can create an IP layer on top of the application’s DNS protocol and then use port 53 to transmit arbitrary data or create a reverse SSH tunnel from the Internet to the internal network. This creates permanent access, which allows an attacker to return to the internal network at any time.

Specifically, in the case of Iodine software, the created IP layer is transmitted hidden in strings that represent a third-order domain. From the perspective of a network communications analyst, the client is communicating with a legitimate DNS server on the internal network, but a closer look at the transmitted data will show that this is not the case.

Let’s have a look at this data in GREYCORTEX Mendel. As an example, there’s a device with the IP address 10.0.2.30 that is sending DNS queries to an internal DNS server with the IP address 10.0.2.20. In the figure below, you can see an example of several queries in the application’s log data itself that query the domain name pirate.sea. The third-order domain name changes in each query and also looks very strange at first glance. Note also that the rrtype attribute contains an unusual NULL value.

When to Have an Open Port 53?

An example of a legitimate use of an open port 53 is some antivirus products. For example, one of Avast’s products has a DNS secure (now Real Site) feature. This is designed to prevent DNS hijacking attacks in which an attacker spoofs a DNS record of a user, which then leads the user to a malicious server. When the DNS secure feature is enabled, the antivirus sends DNS requests to its own DNS servers, thereby preventing DNS record spoofing.

Thus, the client device bypasses the internal DNS server and sends DNS queries to the server directly via the Internet. From a network traffic perspective, you then see outbound traffic to the external server on port 53. Since the communication is encrypted, you will not see the DNS name that the client requested resolving.

This functionality may be desirable when connecting devices to public wi-fi networks, but in a corporate environment, it can pose a problem when tracking and monitoring DNS traffic.

For auditing DNS communication and the long-term monitoring and data collection needed to address security events, we recommend you:

  • Block all outbound traffic to the destination port 53 to the Internet from networks that contain critical information systems that need to be monitored. Only create exceptions for legitimate internal DNS servers.
  • Audit devices that attempt to resolve DNS names directly against DNS servers on the Internet. The communication is either generated by specific applications or by malware trying to communicate directly to the Internet.

You Do Not Really Own Your Own Domain

During audits, we encountered a situation where two domains were being used on the internal network. This happened when it was not possible to migrate the old domain to the new systems. So, the administrators decided to create a new domain. The old domain was company.com, then the new version was created with a 2v extension: company2v.com.

At first glance, this may seem like a harmless change. However, the problem was that the administrators did not register the new domain with the domain administrator, then another entity registered it.

What implications might this case have?

One day, the administrator decides they want to see the web traffic going out to the Internet. They use a proxy server and set it up automatically using a Windows GPO (Group Policy Object). In this case, the stations start trying to connect to a server named wpad.company2v.com for their new domain. Devices with an external DNS server set up, which the firewall lets onto the Internet, redirect the device to a DNS server that is authorized for the company2v.com domain. These servers are on the Internet and are not owned by the customer.

The problem is that the actual owner of the company2v.com domain manages all DNS records for that domain. Therefore, they can ensure that devices from the internal network connect to a proxy server on the Internet when trying to obtain a proxy configuration. It is then possible to carry out, for example, a MITM attack. Now, the attacker is only one step away from delivering ransomware to this client. And the ransomware can look like an executable file that the user originally wanted to download, for example, firefox.exe.

During an audit, we recommend looking into:

  • Which domains are present on the network.
  • Whom these domains are registered to.
  • How they are used on the network.

Misspellings in DNS Server IP Addresses

We frequently encounter typos in these DNS server IP addresses:

  • Google’s publicly available servers with addresses 8.8.8.8 and 8.8.4.4 are often written as 4.4.4.4 or 8.8.6.6.
  • Addresses like 192.168.X.X usually omit the number 1 at the beginning of the IP address.

If the DNS server is configured incorrectly, the device cannot perform a DNS translation. For devices that are used daily, the problem will be quickly detected. But the problem can occur with devices where the DNS is configured manually, like cameras or sensor systems. Such a configuration error can prevent security updates of the device.

In the figure below, you can see an example from the Mendel system where it detected thirteen devices trying to send DNS queries to the IP address 8.8.6.6. However, there is no DNS server at this IP address and, therefore, the translations are unsuccessful.

It could also happen that an administrator or user manages to hit an IP address that is used on the Internet and provides a DNS service. Then internal DNS names can also be sent to a public server on the Internet.

These misconfigurations can occur at random. Therefore, constantly monitor and record the DNS traffic going through your network.

Look For Any Anomalies in Your Traffic

DNS system is one of the cornerstones of any computer network. Only a regular audit can ensure that the network is secure.

For auditing purposes,  communication needs to be recorded and stored for some period (Mendel stores data for up to several years). Since a DNS system is capable of generating a large amount of data in a single day, we recommend using a system that can look for deviations from normal traffic in this vast volume of data or is able to answer basic questions about the traffic in your infrastructure.

Why GREYCORTEX Mendel Is the Essential Member of Your Network Security Product Family

There are several basic tools for securing network infrastructure that should not be missing from any organization. Let’s take a look at the role of GREYCORTEX Mendel in all those products protecting the data and network in your company.

Antivirus software, firewalls and intrusion prevention systems (IPS) should be an integral part of any organization’s cybersecurity solution. Nowadays, however, they are often not enough. That’s where Mendel steps in.

GREYCORTEX Mendel stands on several levels:

  • It is a unique tool that sees, visualizes and analyzes everything in your network – devices, access and all communications. 
  • It is a great extension to the functionality of standard cybersecurity tools: antivirus, firewalls and network performance monitoring. They are crucial, but there are some threats that even they cannot detect. The reason is simple: attackers are often ready for these standard systems.

Mendel Sees and Visualizes in the Context of Time and Events

Imagine a tool that sees all the devices in your network, how they are communicating together, what protocols they are using and where your data is going. With Mendel, you can see all of that. You can also view the details of a specific device, its communication and where it is connected to at the moment, and also yesterday or a year ago.

With this unique analysis, you can uncover a sophisticated attack on your infrastructure before it really happens. That’s because you can relate current events to events that happened before, even in the more distant past.

Let’s take a look at an example of an attack that may go unnoticed by a standard detection mechanism: Advanced malware is not detected on the end device, but that device shows behavior that could endanger the network – for example, trying to access somewhere it has not accessed before. It could be spyware or an APT in your internal domains that is gradually spreading across your network through a domain, while the infected machines start accessing unusual devices and data sources and performing lateral movement. Mendel can identify and notify you of such unusual behavior.

More Reliable End-Point Security

Because end-points are an easy target, often provide valuable data and are an entry point for gaining deeper access to your network, they are the frequent initial targets of cyber-attacks.

Commonly known end-point attacks include:

  • network mapping
  • data exfiltration (sending data in non-standard or encrypted channels, communication with control devices)
  • Dictionary attacks, password data breaches
  • Data mining (reading important information, mining data from a database, mining users from information systems or from a domain controller)

Mendel flags such attacks as dangerous behavior and recognizes the threat that might not have been recognized by endpoint security or that is well hidden by the attacker. Even if antivirus software is deployed, Mendel monitors the communication of your devices and reveals any anomalies in it. All of that using a broad database specializing in network cyber threats that include not only known threats but also signatures of unusual behavior.

A Smarter Firewall

We can understand a few things that fall under the term firewall: standard firewalls and smart solutions known as an IPS.

Traditional firewalls stand first in the line of defense and secure broad traffic filtering. They adjust network transitions and the availability of network services and are mostly used on the external perimeter – in some cases within the internal network. They are often open or insufficiently configured.

In such cases, Mendel plays the role of an auditing tool – controlling the function of the firewall itself and checking its configuration. You can use this feature for verifying and controlling the communication matrix in your internal network and critical systems. It helps you understand who is connecting where, who is using what and who is behaving differently than they should.

Smart solutions such as IPS see more deeply into your network, can detect known threats and block them. Also here, Mendel provides you a double-check by monitoring the operation of web proxies and email gateways. This means no potential threat can pass. Even in this case, Mendel’s advantage is its extensive database of threats, consisting of multiple sources and signatures that verify not only known attacks but also security policies and potentially dangerous access to data sources, such as administrative sharing. This approach is much more effective for the detection of vulnerabilities than just a database of known threats from one vendor.

This way, Mendel shows much more – not only what needs to be blocked but also unwanted or insecure applications and access to risky services. You’ll get a much better overview of what is going on and what is going through your network and how.

The Danger of Unknown Threats

In all mentioned cases, Mendel not only deals better with detecting known threats, its strength lies in also detecting unknown threats. How? Mendel recognizes different types of actions using behavioral analysis.

Right after anomalous behavior or an unknown threat is detected, the system notifies you, for example, by email. It’s then your choice. You can either take the necessary steps or you can connect Mendel to the firewall API and it will block the unwanted communication automatically for you.

A Huge Help for Monitoring Network Performance 

At the next level, there are tools for internal system monitoring. In this case, Mendel shows a clear overview of the network – how it is loaded and used, who is accessing it, what services are operating and what the performance of applications and transmission lines is.

Imagine seeing just how loaded your information system, domain controller, Wi-Fi network or data center are!

GREYCORTEX Mendel helps you increase the reliability of your network. Even industrial control systems can get the right amount of control, so any attack or even a major network failure has no catastrophic consequences.

Antivirus software shows you current threats. A firewall displays the current settings and whether it is leaking something or not. But nothing will clearly show you events in your network an hour, a week or a year ago. In a nutshell, Mendel sees, visualizes and (thanks to data storage of up to the last several years) also analyzes current as well as past events.

GREYCORTEX Team Takes Third Place in NVIDIA Hackathon

During the 30-hour NVIDIA DPU virtual hackathon, participating teams worked on technologies for furthering advancements in AI, cloud and accelerated computing. Our GREYCORTEX team was among them, and our solution was awarded third place.

The goal of the hackathon was to validate the potential of using DPU (Data Processing Unit) accelerator cards for AI, networking, security and storage. The teams worked on developing a solution demonstrating the possibilities of using DPU in a data centre infrastructure.

In a competition made up of teams from all over Europe, the jury awarded third place to the project of the GREYCORTEX team, consisting of Petr Chmelař, Marek Brychta, Ondřej Kvasnica, Marina Volkova and Jozef Mlích. Our team used NVIDIA BlueField DPU cards for a DDoS attack detection and mitigation system.

With the DPU, Mendel will be able to process traffic faster, smarter and at a lower cost than before.

At GREYCORTEX, we are involved in a number of research projects outside of Mendel product development, trying to anticipate where market and customer needs will go. We are looking for ways to solve these problems and challenges,” says Pavel Jurka, CTO of GREYCORTEX.

One of the topics we have been working on over the past year is the processing of big data streams and their analysis using advanced methods that leverage machine learning and artificial intelligence. At the same time, we are looking at how to actively defend against such advanced attacks, which can be aided by hardware-level acceleration.

Participation in the hackathon followed our testing of the latest generation of NVIDIA BlueField DPU cards, which allowed us to demonstrate our intentions for how to use DPU in practice.

We hope that this technology will move into production deployment in the near future and we will be able to use it to provide better security for our customers,” concludes Pavel Jurka.

For more technical information, please contact our research team.

Industrial Control Systems Security: Are OT and IT Partners or Enemies?

Security incidents in industrial environments are not exceptional. There were times when it was enough to throw a lever to restart a power plant if an attack occurred. But with many organizations undergoing digital transformations, the recovery of an industrial infrastructure from cyberattacks now takes much longer.

Information technology (IT) networks and operational technology (OT) networks have many differences, as do the people who take care of these environments. But their security has some common elements as well. There’s always going to be incidents that go across the borders – incidents in IT that come from OT, and vice versa. Also with the advent of Industry 4.0, automation and intelligent control, the air-gap has become a myth. OT no longer sits alone.

In 2020, there was a ransomware attack on a water company in a mid-sized European city. At first, it was purely an IT problem. Just after the attack, the company deployed GREYCORTEX Mendel to audit their infrastructure. Mendel found out that hackers still had access to the systems and more attacks could come. And they would spread to the OT network. In that case, local people would have been lucky because they could have still drunk clean water. But nature wouldn’t be so fortunate – untreated wastewater would be discharged into the river uncontrollably. So luckily for the people and the environment, the biggest loss was for the company – it cost them ​only” three days of income.

Despite this, in GREYCORTEX, we repeatedly notice that IT and OT teams do not cooperate. And cybercriminals know it. On top of that, there are just a few experts who can sufficiently understand both areas.

But there’s good news! Both parties can benefit from each other’s knowledge and experience. It is only necessary for them to find common ground:

  • The main priority for IT experts is data and its confidentiality. They understand the use of exploits and vulnerabilities and they have an overview of security products, their abilities and market innovations.
  • OT experts, on the other hand, place an emphasis on the security and availability of assets and processes. They have a deep understanding of complicated industrial environments and devices that are programmed completely differently to ordinary computers. OT experts know what is going on in operational networks, how they work and what can happen there. They know the risks of possible security incidents very well because their impact is usually much more devastating than in an IT environment.

Identify Worst-Case Scenarios

As a complete digital transformation is taking place, we start to get into a more homogenous infrastructure. So that’s why the knowledge of IT and OT teams should be merged. And what should both teams talk about? Imagine the worst day at work you can have:

An explosion that kills several people. Industrial espionage and the leakage of unique know-how. Or maybe a few days of unplanned downtime that costs the company millions.

Starting to see the picture? So, let’s focus together on these questions:

  • What systems can cause the biggest disasters?
  • How can you reduce known risks?
  • Do you have an incident response plan or recovery plan?
  • How do you monitor required policies and configuration?

Now, you are on a good path to successful cooperation. And all the effort towards a joint discussion should be supported by a easy-to-use tool that can be used in both worlds. Because many principles of IT security can also be used in an OT environment.

Proper Security Monitoring

One of the most important key prerequisites for ensuring network security is to see and know:

  • what exactly is in your network 
  • and how are these assets connected?

As soon as you know about all devices, how they communicate with each other, what version of firmware they have installed, who their administrator is, who has access to them, what security policies are set and how they are followed, any discrepancy will easily start showing a warning signal.

This is exactly why GREYCORTEX Mendel came into being. Based on intelligent traffic analysis, Mendel can detect any anomalies. It identifies and visualizes all above, learns and detects the early stages of cyber attacks as well as infrastructure vulnerabilities that can be exploited by potential attackers.

One of the biggest difficulties of OT networks is the combination of new and old devices. Sometimes, everyone even prays that they still work. Add to that the fact that many suppliers do not follow the principles set by the manufacturer and ignore manuals. In these situations, Mendel can give you the assurance that you need.

To sum it all up, Mendel will find any shortcomings in your infrastructure that the security team would not normally detect. Thanks to the time saved, you can devote yourself to other tasks that there was no time for previously.

GREYCORTEX MENDEL 3.7 NOW AVAILABLE

GREYCORTEX has released the latest version of its Mendel Network Detection and Response solution. Version 3.7.0 brings important features and improvements. The main features in Mendel 3.7.0 include CISCO ISE user identity integration and response, CISCO Firepower incident response, SNMP appliance monitoring & SNMP trap, or AWS, MS Azure and Google cloud deployability.

ENHANCED INTEGRATION WITH YOUR INFRASTRUCTURE

Better visibility on user identity

For use cases when Mendel has no direct access to AD/LDAP server or with limited permissions then user identity could be provided via integration with CISCO Identity Service Engine (ISE).

Active response to threats

For situations where it is necessary to respond to emerging threats, we will ensure appropriate steps through integration with CISCO network elements. If this is unavoidable, you can block endpoint communication, isolate part of the network, etc.

SNMP Appliance Monitoring

With incorporation of SNMP agent and trap functionality you are able to oversee MENDEL appliances with your current infrastructure monitoring solution.

MORE EFFICIENT OPERATIONS 

New upgrade management to all your appliances

Upgrade the whole Mendel deployment through a single point  = collector’s UI. Choose either “One click” multi upgrade or upgrade each sensor individually. Upgrade is performed by two step method, to keep sensor running for maximum time and shorten the maintenance time.

Mendel installation on common cloud services 

Amazon Web Services, Microsoft Azure and Google Cloud are now supported for deployment of Collector or Central Event Management (CEM).

Utilization of high-speed disks within MultiTier storage and optimized database queries

Use your fast disks not only for the operation of the system itself, but also for a much faster response of the user interface when displaying the „hot“ data and views of them. If your deployment does not have multi-tier storage with fast disks, we still bring you a faster response in the GUI by optimizing the database queries.

False Positives for limited time period

Hide events only for the time that is relevant and related to the maintenance of your infrastructure, tests, etc. Apply false positives with specific time frame and/or recurrence.

Conditional PCAP recording

Data captures can be triggered on-demand or by specified conditions (user-defined & event-based).

OT/ICS/SCADA

Asset discovery 

Ability to discover devices in network using various OT protocols to get asset details such as firmware versions, and many others.

Policy monitoring

We introduce a new script approach in IDS rules which allows you to define custom policy rules to monitor allowed values and perform whitelists/blacklists operations inside OT protocols like IEC104, MMS and many others.

ALL FEATURES – IT

CISCO ISE user identity integration and response
CISCO Firepower incident response
SNMP appliance monitoring & SNMP trap
Upgrade management over appliances
AWS, MS Azure and Google cloud deployability
High-speed disk utilization within multi-tier storage
False positives for limited time period
Trigger based PCAP recording
Processing netflow data with NAT information
Switch flow errors  from flags to real calculation
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector
User Documentation available via GUI
Time validity of false positives
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector 

FEATURES – OT / ICS

Asset Discovery
Parsing MQTT, COAP and Profinet protocols
Detection of LoRaWAN protocol

ENHANCEMENTS

Process VMware ESXi NSX-T IPFIX format
Add support for storing Suricata Variables in DB
Enhance update server update data sources
Semi-automated restoration of SMB backup
IDS signatures using the detected application
Display the logged-in user name on all pages
False positive change Priority field Default text
False positive not applicable into past by default
Import new JA3 hash codes from ja3er.com
Add description field into data exports
Hide user from managerial/security reports and email
Added assignee, reporter and date of last updated to Incident exports (PDF)
Reworked Firewall settings with new location in UI
Better explanation over data transfer between hosts in peers graph
Evaluate and add IPv6 multicast address into monitored subnets
System logs in mshell
CAT tool for ME localization 

OFFICIAL MENDEL PRODUCT SUPPORT

With release of version 3.7.0 full-service support will be provided for the versions 3.7.x and 3.6.x. Limited service support is provided for previous version 3.5.x. Versions 3.4.x and older are no longer supported, end-users with valid support and maintenance or active SW subscription can upgrade to the supported version(s).

GREYCORTEX IS LIKE A DOCTOR, PREVENTING CLIENTS FROM CATCHING A CYBER-DISEASE

What a person encrypts, a person can also decrypt. This was true a couple of years ago. Nowadays, cyber-criminals use advanced technologies and their attacks are much more sophisticated and targeted, and consequences are much worse. “Not only the good guys (i.e. cyber protection companies) but also the bad guys are evolving. Attacks are aimed at weak points and human errors,“ says Petr Chaloupka, CEO of GREYCORTEX, a company that focuses on IT and industrial network security. The story of this company that succeeded among the fastest growing tech companies began long before its foundation. It is a story about passion, vision, skills and a ton of humour. And, in a way, it is connected to the beginning of computerisation in Czechoslovakia.

Maybe you too still have a vivid memory of this history chapter and maybe you remember 8-bit computers – or maybe you don’t. Luckily, there is Petr Chaloupka, the founder and CEO of GREYCORTEX, and his memories of a contest from the ’90s, a text game passed around on cassettes and floppy disks that were created very long ago for 8-bit computers. Cassettes and floppy disks were… well, just google it, kids! “This game was protected by a password that was announced on a certain day in the newspaper, on the radio and on TV to give everyone the same fair start. However, my friend and I didn´t feel like waiting and so, after several hours of reverse engineering, we identified the password and came to the conclusion that what a person encrypts, a person can also decrypt. And that is maybe where my lifelong passion for cybersecurity started and this seemingly innocent story signalled my future professional career“.

A STORY OF A COMPANY STANDING ON THE FRONT LINE IN THE BATTLE AGAINST HACKER ATTACKS

The first chapter of the GREYCORTEX story began around 2005. “I was working on an antivirus for Linux, which was a completely insignificant platform for cybercriminals back then and for which there was no malware. There were only a few lab experiments for proving that there could be one. My colleague Michal Drozd used to hack banking systems using social engineering and customised malware“, reminisces Petr Chaloupka about the beginnings with a smile. The group includes another Petr – Petr Chmelař. “Back then, he was working on machine learning principles that would be capable of finding video signal anomalies. A strong technology for which there may have been another use. What about transferring it from the video world into a computer network“? asks Petr Chaloupka rhetorically with a good portion of irony.

However, you are probably more curious about the ending of the first plotline, about Michal Drozd and his bank story. There was no shocker – Michal Drozd stood on the right side and banks paid him to do what he did. We would say today that he was an ethical hacker. “However, if he had decided to become a cybercriminal, he would be very rich by now,“ adds Petr Chaloupka.

But let’s be more serious now. Fast forward fifteen years later. Petr Chaloupka sums up that Linux is a common and widespread platform, interesting enough for cybercriminals to attack. GREYCORTEX is now a well-established company focusing on the development of security products for network protection, machine learning and AI research, and the second fastest growing tech company in the Rising Stars category of the Deloitte Technology Fast 50 competition.

“Were we visionaries back then? I don’t know. Maybe we were just the three right people at the right place, and if we had never met, nothing would have happened. Literally. But we did meet, a couple of good questions were asked and we started to look for answers together.“

THOROUGH AND COMPLETE SECURITY

The second chapter of the GREYCORTEX story was about visionary questions in the end; for example, how can someone manage to break into a bank or any other company without having to leave their home? And how come they don’t get caught? Then the right answers came and with them the first specific solution.

“Somewhere around 2014, things blended really well and when five more friends and colleagues joined us at the end of 2015, everything was ready to establish a company and start our business. It needs to be said that all founders are still with us in different roles in the company, helping it grow.“

Petr Chaloupka

 

Four years later, the company became five times as big. “Our product ‘Mendel’, which can uncover hidden threats in the network, from unknown devices to advanced attacks, has matured. After overcoming some childhood diseases and puberty, it is becoming a model for others – we helped introduce another branch of cyber security into the world! It used to be called NTA (Network Traffic Analysis) in the past; now it is called NDR (Network Detection and Response),“ says Petr Chaloupka.

Don’t worry if you are getting a little lost in all the information, you have a right to that and you deserve an explanation: NDR combines deep visibility into infrastructure with the capability to detect known and unknown attack and malware types and to react to them in real time. So, it is clearer now, isn’t it? Same as the fact that “the world is changing, technologies are changing and we are changing with them. It is important that we have done our bit and continue to give cybercriminals a hard time and ruin their filthy and immoral business,“ remarks Petr Chaloupka.

What was the worst in the beginning? “Even in our case, it holds true that all theory is grey, but the golden tree of life springs ever green, so we do everything in a completely different manner than we used to. However, the most important thing is that we learned to understand what it means not only to have a good product but also to sell it and persuade clients that they need it. You could say that we are selling insurance or that we are like Eastern medicine – we ensure that the client does not become infected and he pays us for not getting ill.“

To sum it up, Petr Chaloupka views success and failure as communicating vessels. “A functioning and growing company is a success, even though it arose from humble financial background and was basically only a dream of a few founders some 6 years ago. From the beginning, we had a vision of building a global company and so our plans now are clear – to strengthen our position in the territories in which we already operate and gradually add other locations to reach our goal. It is definitely important to find balance between this dream goal and the need to have both feet on the ground (or at least one foot).“

This article was originally published here

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

Greycortex is a top-rated company among the 50 most successful tech companies in the Deloitte Technology fast 50 CE

Brno, November 19, 2020

GREYCORTEX has won second place in the Rising Stars category in the prestigious ratings organized by Deloitte, where many Czech tech companies strove to be nominated as the fastest-growing tech company in the Deloitte Technology Fast 50 CE. The Tech Stars, Rising Stars, and Impact Stars categories present both the maturest and newest fast-growing companies in the Central European region as well as those companies that have had a revolutionary social or environmental impact on the market.

Petr Chaloupka, CEO at GREYCORTEX, said: “I am very pleased to have achieved international success in the 21st year of the Deloitte Technology Fast 50 CE competition and to have won second place in the Rising Stars category. In this category, seven out of 10 places were occupied by Czech companies, showing that the Czech Republic is still a cradle of technological innovation and that we have a good standing in this international competition. I wish to congratulate all the other companies and wish them success in further building their internationally competitive status”.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Deloitte Technology Fast 50 CE
Deloitte Technology Fast 50 CE is a program that identifies and rewards the 50 fastest-growing tech companies in the Central Europe region based on revenue growth over a four-year period.