Validating Internal Network Policies: Access Control and Encryption

With segmentation and core services covered, the focus now shifts to enforcing policies on usage, user behavior, and encryption to maintain visibility and ensure compliance across all layers of your network. These controls are critical for mitigating internal risks and upholding your secure communication standards.

GREYCORTEX Mendel supports this effort by providing you with clear insights, alerting you about violations, and helping your teams validate whether your policies are being followed in practice.

Missed the beginning? 
🔗 Read Part 1 to explore how Mendel helps you enforce segmentation and control your core network services.

User Access Policies and Behavioral Violations

Even trusted users and systems can introduce risk if policies are not clearly enforced. Monitoring what is allowed and what is not helps you uncover subtle violations that could otherwise go unnoticed.

Policy violation: Forbidden protocols or apps (RDP, TeamViewer, Dropbox, etc.)

Relevant for NIS2

Some organizations prohibit remote-access tools or file-sharing apps to reduce risk and maintain control over their IT environments. When unauthorized protocols are used, they may introduce new attack vectors or enable remote exploitation.

Validation with Mendel

Mendel directly detects the use of unauthorized applications. Your analysts can filter for specific protocols to confirm whether a session occurred and if it was successful, including details about session duration, data transfer volumes, and communication content. This helps you verify whether users violated your internal policies, and allows you to add legitimate usage to an exception list to avoid future alerts.

In our case, Mendel has identified and flagged multiple devices that have downloaded and used TeamViewer. Analysts can then investigate whether these hosts were authorized and, if appropriate, whitelist the IPs to prevent future alerts.

In another example, Mendel has captured a potential RDP (Remote Desktop Protocol) session. By drilling down into the event, analysts can identify the user involved and review the session duration.

Policy violation: Communication to forbidden destinations or services

Relevant for NIS2

Certain destinations, such as foreign countries, blacklisted IPs, or unauthorized services, are often restricted to reduce risks. Detecting such traffic reveals overlooked exceptions or malicious tools trying to evade controls.

Validation with Mendel

Mendel detects and alerts you about communication with blacklisted IPs. Your analysts can use predefined or custom filters to review connections by source and destination IPs, traffic volume, and packet counts. The Network Analysis tab provides you with extensive filtering and search options, enabling your teams to conduct deep investigations across the entire network.

As an example, Mendel detected a TeamViewer DNS request originating from host mx (192.168.2.42). By drilling down, analysts confirmed that a connection was successfully established, indicating a potential policy violation or unauthorized remote access.

Mendel allows your analysts to identify which user is behind suspicious traffic. This helps you verify whether access to forbidden destinations or tools was legitimate or a policy violation.

Policy violation: Excessive peer communication

Certain devices, like controllers in manufacturing or internal phone servers (PBXs), are expected to communicate with a limited set of peers. New or unusual connections may signal misconfiguration or unauthorized activity.

Validation with Mendel

Mendel enables your analysts to define peer count limits for individual hosts or entire subnets, helping you to enforce expected communication boundaries.

For example, if a PBX server communicates with more peers than its known SIP trunks and internal phones while inbound Internet traffic is restricted, Mendel will flag it for review.

Policy violation: Unauthorized communication with honeypots

Honeypots are intentionally exposed systems used to detect suspicious activity inside the network. Typically, only predefined systems such as admin tools or security scanners should communicate with them. Any other connection attempt may indicate lateral movement or internal scanning.

Validation with Mendel

Mendel allows your teams to define which systems are authorized to communicate with honeypots and alerts your analysts to any unauthorized attempts.

In the example below, only the management PC is allowed to communicate with the honeypot at 192.168.2.36. When another device (192.168.2.28) initiates a connection, Mendel triggers an alert.

The peer graph confirms and visualizes that the honeypot was accessed by both permitted and unauthorized devices.

Encryption Standards and TLS Usage

Cryptographic standards are a foundational layer of secure communication. Monitoring certificate validity and protocol versions helps you identify weak encryption before it becomes a vulnerability.

Policy violation: Expired TLS certificates in use

Relevant for NIS2

TLS certificates are a critical part of trusted communication. If a certificate has expired, systems may reject the connection, users may be exposed to spoofed services, or sensitive data may be transmitted without adequate encryption.

Validation with Mendel

Mendel alerts you when expired certificates are detected or when a certificate is approaching its expiration date.

For example, Mendel has found one internal system using a certificate that expired in May 2021.

In another case, Mendel has flagged an upcoming expiration several days in advance, giving administrators time to respond before any disruption occurs.

Policy violation: Outdated TLS versions and cipher suites

Relevant for NIS2

Obsolete TLS versions and weak cipher suites expose your encrypted traffic to known vulnerabilities. Regulatory frameworks like NIS2 urge organizations like yours to stop using TLS versions below 1.2 to reduce attack surfaces and ensure strong encryption standards.

Validation with Mendel

Mendel allows you to configure alerts when outdated TLS versions are used. To ensure secure communication, it is recommended to use TLS 1.2 or 1.3. Achieving this typically involves updating the operating system, browser, or other client software.

For example, an event has shown that one device was still communicating using TLSv1.0.
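A small checker, added here as an illustration and not part of Mendel or this post, that applies the two encryption policies above (protocol version below TLS 1.2 and expired or soon-to-expire certificates, plus a weak-cipher check of the same kind) to a constructed handshake log. The log format, the addresses, the 14-day warning window and the cipher markers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds for this example (assumptions, not Mendel settings): TLS 1.2 is the
# floor the text recommends; the warning window for expiring certificates is ours.
MIN_TLS_VERSION = (1, 2)
EXPIRY_WARNING_DAYS = 14
# Substrings that mark a cipher suite as weak (OpenSSL / IANA naming).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

# Constructed session log: one TLS handshake per line, as a sensor might export it.
SAMPLE_LOG = """\
2025-06-10T09:12:01Z client=192.168.50.15 server=10.0.5.20 version=TLSv1.0 cipher=AES128-SHA not_after=2026-01-31T00:00:00Z
2025-06-10T09:12:44Z client=192.168.50.42 server=10.0.5.21 version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 not_after=2021-05-15T12:00:00Z
2025-06-10T09:13:10Z client=192.168.50.28 server=10.0.5.22 version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 not_after=2025-06-18T00:00:00Z
2025-06-10T09:14:02Z client=192.168.50.36 server=10.0.5.23 version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA not_after=2026-03-01T00:00:00Z
2025-06-10T09:15:00Z client=192.168.50.50 server=10.0.5.24 version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 not_after=2026-06-01T00:00:00Z
"""


@dataclass
class TlsSession:
    client: str
    server: str
    version: str        # "SSLv3", "TLSv1.0" ... "TLSv1.3"
    cipher: str
    cert_not_after: datetime


def parse_iso(ts: str) -> datetime:
    # Accept a trailing "Z" on every Python 3 version that has fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_version(v: str) -> tuple:
    """Map a protocol label to a comparable (major, minor) pair; SSL sorts below TLS."""
    proto, _, number = v.partition("v")
    major, _, minor = number.partition(".")
    major_i, minor_i = int(major or 0), int(minor or 0)
    return (0, major_i) if proto.upper() == "SSL" else (major_i, minor_i)


def parse_log(text: str) -> list:
    sessions = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # drop the timestamp
        sessions.append(TlsSession(fields["client"], fields["server"], fields["version"],
                                   fields["cipher"], parse_iso(fields["not_after"])))
    return sessions


def check_session(s: TlsSession, now: datetime) -> list:
    """Return the policy findings for one handshake (empty list if it is compliant)."""
    findings = []
    if parse_version(s.version) < MIN_TLS_VERSION:
        findings.append(f"outdated protocol {s.version}")
    if any(marker in s.cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {s.cipher}")
    remaining = s.cert_not_after - now
    if remaining <= timedelta(0):
        findings.append(f"certificate expired on {s.cert_not_after:%Y-%m-%d}")
    elif remaining <= timedelta(days=EXPIRY_WARNING_DAYS):
        findings.append(f"certificate expires in {remaining.days} days")
    return findings


def audit_log(text: str, now_iso: str) -> dict:
    """Return {'client->server': [findings]} for every session that breaks the policy."""
    now = parse_iso(now_iso)
    report = {}
    for s in parse_log(text):
        findings = check_session(s, now)
        if findings:
            report[f"{s.client}->{s.server}"] = findings
    return report


if __name__ == "__main__":
    for pair, issues in audit_log(SAMPLE_LOG, "2025-06-10T12:00:00Z").items():
        print(pair, "; ".join(issues))
```

Passing the evaluation time in explicitly keeps the check reproducible when it is re-run against an archived log.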

Strong Policies Require Strong Evidence

Security policies do more than reduce risk. They help you demonstrate accountability to regulators, customers, and internal stakeholders alike. As expectations rise under frameworks like NIS2, proving that internal rules are applied consistently becomes a core part of modern cybersecurity governance. It is no longer enough to assume policies are being followed. You need clarity and verifiable evidence.

Mendel helps organizations like yours move from assumption to evidence. It continuously validates how policies are enforced across the network, from encryption to identity controls, giving your team the visibility to act with clarity and confidence.

Need a second opinion on your enforcement? Request a security audit with Mendel.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Validating Internal Network Policies with Mendel

Defining your internal network policies takes time, coordination, and effort. But once those policies are in place, the critical question still remains: are they actually being followed?

For many IT teams, verifying policy adherence and enforcing internal rules on a daily basis is a persistent challenge. Even small violations, such as unauthorized access, outdated encryption, or misused services, can lead to data exposure or non-compliance with frameworks like NIS2.

This is the first part of a two-part blog focused on the practical side of network security policy enforcement and explains how GREYCORTEX Mendel helps you detect violations of any size quickly and effectively. Part two will cover encryption, application use, and identity-based access control.

Network Segmentation & Perimeter Control

Segmentation and perimeter access policies are fundamental to limiting exposure and maintaining control over your critical systems. Without a clear policy enforcement process, a single compromised device can lead to lateral movement across your network.

🔗 Watch our webinar to see how Mendel helps you detect and investigate lateral movement.


Policy violation: Unallowed east–west traffic between segments

Relevant for NIS2

East–west traffic refers to communication between devices within the internal network, such as between user devices and servers. When segmentation is not properly enforced, attackers can move laterally across segments and compromise your entire company network. Limiting this traffic is essential for helping you prevent access to critical systems.

Validation with Mendel

Mendel’s peer graph, as seen below, offers you a clear view of internal communication. Your analysts can then filter internal traffic and define specific subnets to quickly verify whether unauthorized flows occur between isolated segments.

Policy violation: Unauthorized Internet access from restricted segments

Relevant for NIS2

Devices in restricted segments, such as servers or backup networks, are often not intended to communicate with the public Internet directly. In many environments, internet access must go through a proxy or DMZ, with firewalls blocking all other outbound traffic. If these controls fail, systems may be exposed to malware, data leakage, or command-and-control activity.

Validation with Mendel

Mendel allows the filtering of your outbound traffic from specific hosts, making it easy to identify devices attempting to access the Internet.

If such traffic is detected, your analysts can verify whether it passed through an approved proxy by checking the flow records. They can also confirm whether direct connections (bypassing the proxy) were blocked at the firewall level by checking the TCP flags and destination status.

Mendel lets you set policies to monitor Internet traffic from specific segments or devices. When a violation occurs, it automatically sends an alert.


Policy violation: New & disappeared IPs or MACs in controlled network

Relevant for NIS2

Controlled network segments, such as server or infrastructure zones, are often designed with static IP and MAC configurations. When unrecognized devices appear, it may indicate unauthorized access, policy misconfiguration, or a potential threat. 

Validation with Mendel

Mendel allows you to assign policies to specific subnets or hosts to monitor new or missing IP and MAC addresses. Policies can also include limits on traffic, packets, peers, ports, duration, and flows.

If a policy is violated, Mendel will trigger an alert immediately. For automated blocking, Mendel can be integrated with third-party systems like a NAC or Cisco ISE.


Policy violation: Improper traffic between management and user networks

Relevant for NIS2

Dedicated management segments are designed to limit who can interact with your infrastructure components like switches, routers, or servers. Unauthorized access from user networks increases the risk of misconfiguration, privilege abuse, or direct exploitation.

Validation with Mendel

Mendel’s peer graph provides you with a clear view of communication between your defined network segments. Your analysts can focus on management subnets to verify whether they are properly isolated from user networks, as required by internal policies.

For example, subnet 10.0.20.0/24 was assigned as a management zone, but Mendel revealed active connections to other internal networks.

After updating firewall rules, Mendel confirms isolation by showing no communication from 10.0.20.0/24.

Network Services Policy Enforcement

Core network services like DNS and DHCP are frequent targets for misuse or misconfiguration. Ensuring that only authorized services are active helps prevent spoofing, data leaks, and disruptions to your network stability.

Policy violation: Usage of unauthorized internal/public DNS servers

Relevant for NIS2

This policy ensures that only approved DNS servers are used for resolving domain names inside the network. Unapproved or misconfigured servers can bypass security controls, hide malicious activity, or return forged responses.

Validation with Mendel

Internal DNS usage: Mendel allows you to filter internal DNS servers using the host tag Role/Server/DNS. This provides you with a clear inventory of devices offering DNS or DNS-relay services. Your analysts can review this list and drill down into individual IPs to confirm whether each DNS server is expected and approved.

For example, a device at 192.168.178.1 was identified as providing DNS services. No other services were detected, indicating a possible relay or misconfigured gateway.

Public DNS usage: By filtering outbound DNS traffic, Mendel reveals which internal devices are using public DNS servers. This allows your analysts to identify whether DNS queries are leaving the network through unapproved resolvers.

In one case, two hosts were detected using Google DNS services: one being a default gateway, and another (192.168.40.215) a standard internal client. Such cases should be reviewed against DNS usage policies to ensure compliance.


Policy violation: Unauthorized DHCP Servers

Relevant for NIS2

This policy ensures that only approved DHCP servers operate in the network. Unauthorized DHCP servers can assign incorrect configurations, enable man-in-the-middle attacks, or disrupt connectivity.

Validation with Mendel

Mendel automatically detects new DHCP servers in your network and generates an event. In addition, it lists all DHCP servers by filtering hosts with the tag Role/Server/DHCP, helping your analysts verify whether each one is authorized or misconfigured. Drilling down on each IP reveals additional services and host behavior for deeper inspection.

For example, device 192.168.2.254 was found running multiple services, including DHCP, NTP, DNS, SSH, TELNET, and Mikrotik Winbox. This suggests it may be a router or a misconfigured network appliance.
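To make the policies in this part concrete, here is an added example (plain Python, not Mendel's own detection logic) that evaluates them over constructed flow records: unallowed east-west traffic between segments, direct Internet egress from a restricted segment that should only use the proxy, DNS queries to unapproved resolvers and DHCP server traffic from unapproved hosts, together with the peer-count limit and honeypot allow-list rules from the behavioural section earlier on this page. Only the 10.0.20.0/24 management zone comes from the text; every other address, limit and allow-list is an assumption.

```python
import ipaddress
from collections import defaultdict

# --- Policy (constructed for this example; only the 10.0.20.0/24 management zone
# --- comes from the text, every other address, limit and allow-list is assumed) ---
SEGMENTS = {
    "management": ipaddress.ip_network("10.0.20.0/24"),
    "servers":    ipaddress.ip_network("10.0.5.0/24"),
    "backup":     ipaddress.ip_network("10.0.30.0/24"),
    "users":      ipaddress.ip_network("192.168.40.0/24"),
}
# East-west pairs (initiator segment, responder segment) the policy permits.
ALLOWED_PAIRS = {("users", "servers"), ("management", "servers"), ("management", "backup"),
                 ("management", "users"), ("servers", "backup"), ("backup", "servers")}
RESTRICTED_SEGMENTS = {"servers", "backup"}            # Internet only via the proxy at 10.0.5.250
APPROVED_DNS = {ipaddress.ip_address("10.0.5.53")}
APPROVED_DHCP = {ipaddress.ip_address("192.168.40.1")}
PEER_LIMITS = {ipaddress.ip_address("10.0.5.30"): 3}   # PBX: its known trunks and phones
HONEYPOTS = {ipaddress.ip_address("10.0.5.99"): {ipaddress.ip_address("10.0.20.10")}}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed flow records: initiator, source port, responder, destination port, protocol.
SAMPLE_FLOWS = """\
192.168.40.15 51000 10.0.5.20 443 tcp
192.168.40.15 51001 10.0.20.5 22 tcp
10.0.30.7 44000 203.0.113.40 443 tcp
10.0.30.7 44001 10.0.5.250 3128 tcp
192.168.40.215 53012 8.8.8.8 53 udp
192.168.40.15 53013 10.0.5.53 53 udp
192.168.40.77 67 255.255.255.255 68 udp
192.168.40.1 67 255.255.255.255 68 udp
10.0.20.10 40000 10.0.5.99 22 tcp
192.168.40.28 40001 10.0.5.99 445 tcp
192.168.40.101 5060 10.0.5.30 5060 udp
192.168.40.102 5060 10.0.5.30 5060 udp
192.168.40.103 5060 10.0.5.30 5060 udp
192.168.40.200 5060 10.0.5.30 5060 udp
"""


def segment_of(ip):
    """Name of the defined segment containing ip, or None if it is outside all of them."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_external(ip):
    # Anything outside the defined segments counts as Internet, except broadcast/multicast.
    # (203.0.113.0/24 is a documentation range, so ip.is_global would report False for it.)
    return segment_of(ip) is None and not (ip.is_multicast or ip == LIMITED_BROADCAST)


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto = line.split()
        flows.append((ipaddress.ip_address(src), int(sport),
                      ipaddress.ip_address(dst), int(dport), proto))
    return flows


def check_flows(flows):
    """Return (rule, source, detail) tuples for every flow that breaks the policy."""
    findings = []
    peers = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        s_seg, d_seg = segment_of(src), segment_of(dst)
        peers[src].add(dst)
        peers[dst].add(src)
        # Unallowed east-west traffic between two defined segments
        if s_seg and d_seg and s_seg != d_seg and (s_seg, d_seg) not in ALLOWED_PAIRS:
            findings.append(("east-west", str(src), str(dst)))
        # Direct Internet egress from a restricted segment; a flow to the proxy stays
        # internal and never matches, only a flow that bypasses it does
        if s_seg in RESTRICTED_SEGMENTS and is_external(dst):
            findings.append(("direct-egress", str(src), str(dst)))
        # DNS query sent to a resolver that is not approved
        if dport == 53 and dst not in APPROVED_DNS:
            findings.append(("unapproved-dns", str(src), str(dst)))
        # DHCP server traffic (source port 67) from a host that is not an approved server
        if proto == "udp" and sport == 67 and src not in APPROVED_DHCP:
            findings.append(("rogue-dhcp", str(src), str(dst)))
        # Honeypot contacted by a host outside its allow-list
        if dst in HONEYPOTS and src not in HONEYPOTS[dst]:
            findings.append(("honeypot", str(src), str(dst)))
    # Peer-count limits are judged over the whole window, after all flows are counted
    for host, limit in PEER_LIMITS.items():
        if len(peers[host]) > limit:
            findings.append(("peer-limit", str(host), f"{len(peers[host])} peers > {limit}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in check_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{rule:15} {src:16} {detail}")
```

The flows are taken as initiator to responder, which is how a sensor normally records a session; the reply direction is not a separate record here.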

From Visibility to Accountability

Enforcing internal rules only matters if those rules are visible and actionable. Without continuous policy monitoring, organizations like yours risk overlooking gaps that can lead to misconfigurations or downtime. Mendel helps you by aligning internal visibility with real-time behavior, enabling your teams to improve incident response, reduce alert fatigue, and maintain control over your environment.

In the next part, we’ll explore how Mendel validates encryption policies, user identity enforcement, and application-level restrictions, which are critical areas for maintaining compliance and reducing operational risk.

Want to evaluate your own network? Request a security audit with Mendel.

Securing the Internet of Things

IoT devices are transforming modern businesses and bringing greater efficiency, but they also deserve careful attention when it comes to security.

From medical monitors and factory sensors to smart cameras, IoT devices have become an essential part of today’s hospitals, factories, and office buildings. While they boost efficiency and enable automation, they also introduce new security risks. Many of these devices are difficult to update, lack even basic protection, and are hidden deep within the network without proper segmentation. A single compromised device can open the door to serious damage.

To help you secure your IoT environment, we’ve compiled a set of essential best practices, along with guidance on how GREYCORTEX Mendel can help you put them into action through enhanced visibility, monitoring, and detection.

Best Practices to Protect Your IoT Ecosystem with Mendel

With the right foundations in place, securing your IoT environment becomes manageable. Below, we break down key practices to strengthen visibility, control, and response, and show you how each one can be implemented and visualized using GREYCORTEX Mendel.

Map all IoT devices and assess their risks

Start by identifying every IoT device connected to your network—smart sensors, medical equipment, and other smart devices. Once you can see the full picture, assess which devices are critical, which are exposed, and what could happen if one of them gets compromised. Not all devices need the same level of protection, but all need to be accounted for.

Steps to take:

  • Scan your network to identify all connected devices
  • Document IPs, MAC addresses, models, locations, and owners
  • Classify devices based on criticality and exposure
  • Evaluate known vulnerabilities

Mendel in practice
In Mendel’s inventory tab, you get a real-time view of all active devices in your network, automatically mapped to their segments. For each device, you can see critical details like IP address, hostname, OS, and the severity of detected events. Mendel also tags hosts (e.g., AD server, printer), helping you quickly identify their role and assess their risk level.

Segment your network and control access

Use network segmentation to separate IoT devices from other networks and enforce access controls to limit unnecessary communication. A hospital X‑ray machine should reside in a protected clinical segment, while non-critical devices such as smart lighting must be isolated from sensitive systems like medical records or operational platforms.

Steps to take:

  • Group devices into segments by purpose, location, and risk
  • Define strict access policies among segments
  • Use firewalls, VLANs, or SDN to enforce segmentation
  • Regularly review and update access rules

Mendel in practice
Mendel provides a clear view of all internal communications, allowing you to ensure each IoT device communicates only with approved segments. This helps maintain proper isolation and enforces your segmentation strategy.

For critical network segments, Mendel lets you define custom rules to alert you immediately when an unknown device connects. This real-time visibility enables fast response and strengthens your access control.

Monitor and detect threats across your network

Even properly configured devices can become a risk. Continuous monitoring provides real-time visibility into IoT communication patterns, revealing who connects, when, and how often. With behavioral baselines in place, you can quickly detect anomalies, unauthorized access, or lateral movement attempts before they escalate.

Steps to take:

  • Monitor all traffic to and from IoT devices
  • Investigate anomalies like new destinations, large data transfers, or off-hours activity
  • Flag port scans or sudden traffic spikes from low-profile devices

Mendel in practice
Mendel automatically detects suspicious patterns like port scanning. If an IoT device suddenly starts reaching out to unusual services or systems, Mendel alerts you to possible malware activity or an attacker mapping your network.

Mendel monitors data flows and alerts you to anomalies. If a device suddenly begins transferring large volumes of data, especially to unfamiliar destinations, it could signal a compromise. Early detection helps you respond before any damage is done.

Prepare an incident response plan

When an unauthorized IoT device appears on your network, time matters. Having a clear response plan helps you react quickly by isolating the device, understanding its behavior, and preventing further damage without losing precious time to confusion.

Steps to take:

  • Establish automated alerts
  • Assign roles and responsibilities for investigation and containment
  • Log all actions for future analysis and compliance

Mendel in practice
When Mendel detects suspicious activity from an IoT device, you can respond immediately—either manually or through automated rules. Block malicious traffic via integrated firewalls or isolate compromised devices using your NAC system to prevent further impact.

Build a Resilient IoT Environment with Mendel

IoT devices do not have to be your weakest link. With a clear inventory, proper segmentation, and real-time monitoring, you can reduce exposure and respond to threats before they escalate.

GREYCORTEX Mendel helps you put the practices described above into action. It gives you a complete picture of device activity, lets you detect unusual behavior early, and supports quick, informed responses. As IoT continues to grow across industries, having this level of control makes a big difference in keeping your network stable, secure, and ready for what’s next.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Top Network Configuration Errors and How to Fix Them

Security incidents often arise from seemingly minor mistakes—misconfigurations that could otherwise be easily avoided.

Unencrypted communication, plain-text authentication, weak network segmentation, outdated operating systems and applications, and unsecured services are common yet often overlooked vulnerabilities. These misconfigurations create entry points or exploitation opportunities for potential attackers, putting your entire organization at risk.

In this article, we’ll uncover the most common configuration errors and outline practical steps to fix them, helping you build a more resilient and secure network.

Unsecured Services in the Perimeter 

Configuration error: Services like web servers, Remote Desktop Protocol (RDP), or Secure Shell (SSH) exposed to the Internet without proper protection are easy targets for attackers.

Internet-exposed services are often overlooked, making them vulnerable. Attackers exploit these weaknesses through brute force attacks, unpatched software exploits, or simple misconfigurations, using unsecured services as entry points into your internal infrastructure.

The risk is further heightened by insufficient access restrictions, such as unrestricted global IP access. Without effective logging and monitoring, such breaches can go undetected for extended periods.

Recommended actions:
  • Deploy a Next-Generation Firewall (NGFW) and Web Application Firewall (WAF) to detect and block malicious activities.
  • Restrict access using IP whitelisting and geolocation rules (e.g., allow only IPs from trusted regions).
  • Avoid exposing services to the Internet unless absolutely necessary. Instead, manage access using Zero Trust Network Access (ZTNA) or a client VPN.

Pro tip: Regularly audit your exposed services to identify weaknesses and bolster overall protection.

Remote access via VPN 

Configuration error: Improper VPN configuration often allows access to entire network segments rather than specific services, significantly increasing the risk of lateral movement or full network compromise.

Unrestricted access and lack of user activity visibility can turn your VPN into a weak security link. Transitioning to modern solutions like Zero Trust Network Access (ZTNA) or client VPN offers a much higher level of security by providing granular access control and minimizing exposure.

Recommended actions:
  • Restrict VPN access to only necessary services and resources.
  • Implement monitoring tools to track VPN activity and identify suspicious behavior.
  • Switch to ZTNA or client VPN for granular access control and enhanced security.

Bypassing Security Policies in Remote Access 

Configuration error: Unauthorized devices or software used by vendors to bypass access policies create direct access to your internal infrastructure, seriously compromising network security.

A common scenario involves “rogue” routers with cellular connectivity (4G/5G) that terminate VPN tunnels directly into your organization’s infrastructure. This undermines your existing security policies and grants direct access to the internal network.

Equally problematic is the use of software tools like SoftEther, which allow VPN connections over HTTPS from any device where the software is installed. This traffic mimics regular network communication, often bypassing detection by traditional firewalls. The result is hidden access, which can be exploited by attackers or even disgruntled employees for unauthorized activities or cyberattacks.

Recommended actions:
  • Conduct regular audits based on network traffic analysis to identify unauthorized devices, detect suspicious behavior, and uncover anomalous communication patterns.
  • Enforce the use of approved remote access solutions like ZTNA or client VPN.
  • Proactively disable unauthorized remote access devices and software.

Pro Tip: Use tools like GREYCORTEX Mendel to detect unauthorized remote access and enforce security policies.

Unauthorized Access Between Network Segments 

Configuration error: Poor segmentation and inadequate communication control between networks allow devices from less secure environments to access your internal resources, significantly increasing security risks.

One of the fundamental principles of secure network design is proper segmentation and controlled communication between network segments. However, it is common to find devices from separate networks, such as guest Wi-Fi, gaining access to internal DNS or DHCP servers. These Wi-Fi devices, which often do not meet organizational security standards, pose a significant risk if communication is not properly restricted.

Recommended actions:
  • Implement strict network segmentation and block unauthorized communication between segments.
  • Monitor traffic between segments to detect unauthorized communication.
  • Regularly audit your network infrastructure configurations to identify vulnerabilities.

Pro Tip: Visualize inter-segment communications with tools like GREYCORTEX Mendel to identify potential weak points.

Unencrypted Communication and Plain-Text Authentication 

Configuration error: Unencrypted protocols such as HTTP, Telnet, or TFTP, along with plain-text authentication, leave organizations vulnerable to eavesdropping and credential theft.

This issue often stems from legacy systems or misconfigurations that fail to support modern encrypted protocols. Attackers can intercept unencrypted communications to access sensitive data. For legacy systems that cannot be quickly replaced, it is essential to assess the risk, implement necessary safeguards, and develop a medium-term plan for mitigation.

Recommended actions:
  • Switch to encrypted protocols, such as HTTPS, SSH, or SFTP.
  • Identify systems lacking encryption support and create an upgrade plan.

Pro Tip: Regularly scan your network for unencrypted communication and plain-text authentication.

Outdated or Weak Encryption Standards 

Configuration error: Outdated encryption protocols, such as TLS 1.0/1.1, leave organizations vulnerable to modern threats like eavesdropping and cyberattacks.

Outdated encryption protocols are often found in legacy systems or arise from misconfigurations. In the case of misconfigurations, switch to secure protocols immediately. For legacy systems where replacement may be challenging, document the risks and develop a medium-term plan to transition to modern encryption standards, ensuring your critical data remains protected.

Recommended actions:
  • Upgrade encryption standards to secure versions, such as TLS 1.2/1.3.
  • Identify systems using outdated protocols and schedule updates.
  • Restrict access to systems still reliant on outdated encryption.

Pro Tip: Use tools like GREYCORTEX Mendel to identify systems using weak encryption protocols.
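Identifying outdated TLS from traffic means reading the version the server actually selected, and for TLS 1.3 that value is carried in the supported_versions extension rather than in the ServerHello's version field. The Python parser below is an added example, not Mendel's code; it extracts the negotiated version from a constructed ServerHello record and marks SSL 3.0 and TLS 1.0/1.1 as deprecated. The record builder exists only to fabricate sample input.

```python
"""Passively read the TLS version a server actually negotiated (added example).

For TLS 1.0-1.2 the ServerHello's version field is the answer.  A TLS 1.3
server sets that field to 0x0303 (TLS 1.2) and carries the real choice in the
supported_versions extension, so a checker that reads only the legacy field
under-reports TLS 1.3 as TLS 1.2.  No network traffic is involved; the builder
below fabricates sample records.
"""
from __future__ import annotations

import struct

HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 0x002B
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}   # acceptable targets: TLS 1.2/1.3


def negotiated_tls_version(record: bytes) -> str:
    """Return the version name chosen by the server in a ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:                                # version+random+sid_len+suite+compression
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]      # legacy_version
    pos = 2 + 32                                      # skip random
    pos += 1 + body[pos]                              # skip session_id
    pos += 2 + 1                                      # skip cipher_suite, compression
    if pos + 2 <= len(body):                          # extensions are optional before TLS 1.3
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]   # TLS 1.3 real choice
            pos += elen
    return VERSION_NAMES.get(version, f"unknown(0x{version:04x})")


def assess(record: bytes) -> tuple[str, bool]:
    """(version name, is_deprecated) for one ServerHello record."""
    name = negotiated_tls_version(record)
    return name, name in DEPRECATED


def build_server_hello(legacy_version: int, selected_version: int | None = None) -> bytes:
    """Fabricate a minimal ServerHello record for testing (constructed, not captured)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += b"\x13\x01" + b"\x00"                                    # cipher suite, null compression
    exts = b"" if selected_version is None else struct.pack(
        "!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", legacy_version, len(hs)) + hs


SAMPLES = {   # constructed records for three hypothetical hosts
    "legacy-appliance": build_server_hello(0x0301),
    "web-server":       build_server_hello(0x0303),
    "modern-server":    build_server_hello(0x0303, 0x0304),
}

if __name__ == "__main__":
    for host, rec in SAMPLES.items():
        name, bad = assess(rec)
        print(f"{host:18s} {name:8s} {'DEPRECATED' if bad else 'ok'}")
```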

External DNS Requests 

Configuration error: Devices communicating directly with external DNS servers increase the risk of exposing sensitive infrastructure data and of being abused through DNS tunneling techniques.

Devices within internal, server, or technology networks should only use organization-managed DNS servers. External DNS queries pose particular risks in environments with IoT devices or less secure endpoints, allowing attackers to exploit vulnerabilities like DNS spoofing or covert tunneling.

Recommended actions:
  • Ensure internal devices communicate only with an authorized internal DNS server, which alone resolves external queries.
  • Monitor DNS traffic for anomalies, such as unauthorized queries to public DNS servers.
  • Block external DNS queries at the firewall level to secure your internal infrastructure.

Pro Tip: Leverage tools like GREYCORTEX Mendel to detect unauthorized DNS communication and improve network protection.
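The segmentation, plain-text protocol and external-DNS checks from the sections above can all be expressed as rules over flow records. The Python script below is an added example, not GREYCORTEX code; it evaluates constructed flows against such rules. The subnets, resolver addresses and port set are assumptions.

```python
"""Flow-level policy checks for three misconfigurations discussed above (added example).

Rules, each mirroring a recommended action from the article:
  1. segmentation: guest Wi-Fi must not reach internal DNS/DHCP servers,
  2. external-dns: internal hosts send DNS only to the organisation's resolvers,
  3. cleartext:    Telnet, TFTP and HTTP are flagged wherever they appear.
Subnets, resolver addresses and sample flows are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GUEST_WIFI = ip_network("10.50.0.0/16")
INTERNAL_NETS = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]
INTERNAL_SERVERS = ip_network("10.10.1.0/24")
AUTHORIZED_RESOLVERS = {ip_address("10.10.1.53"), ip_address("10.10.1.54")}
CORE_SERVICE_PORTS = {53: "dns", 67: "dhcp", 68: "dhcp"}
CLEARTEXT = {("tcp", 23): "telnet", ("udp", 69): "tftp", ("tcp", 80): "http"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(flow: Flow) -> list[str]:
    """Return every policy violation a single flow triggers (empty if compliant)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    findings: list[str] = []
    # Rule 1: guest devices must not use internal core services
    if src in GUEST_WIFI and dst in INTERNAL_SERVERS and flow.dport in CORE_SERVICE_PORTS:
        findings.append(f"segmentation: guest {src} reached internal "
                        f"{CORE_SERVICE_PORTS[flow.dport]} server {dst}")
    # Rule 2: internal hosts resolve only via our resolvers (guest Wi-Fi is out of scope)
    if flow.dport == 53 and is_internal(src) and dst not in AUTHORIZED_RESOLVERS:
        findings.append(f"external-dns: {src} queried unauthorized resolver {dst}")
    # Rule 3: cleartext protocols anywhere in the monitored traffic
    name = CLEARTEXT.get((flow.proto, flow.dport))
    if name:
        findings.append(f"cleartext: {name} from {src} to {dst}")
    return findings


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Group findings by rule name so a report can be produced per policy."""
    report: dict[str, list[str]] = {}
    for flow in flows:
        for finding in check_flow(flow):
            report.setdefault(finding.split(":", 1)[0], []).append(finding)
    return report


SAMPLE_FLOWS = [  # constructed
    Flow("10.50.3.17", "10.10.1.53", "udp", 53),   # guest -> internal DNS: rule 1
    Flow("10.50.3.17", "8.8.8.8", "udp", 53),      # guest -> public DNS: allowed
    Flow("10.50.3.18", "10.10.1.2", "udp", 67),    # guest -> internal DHCP: rule 1
    Flow("10.20.7.4", "1.1.1.1", "udp", 53),       # internal -> public DNS: rule 2
    Flow("10.20.7.4", "10.10.1.53", "udp", 53),    # internal -> our resolver: fine
    Flow("10.20.7.9", "10.10.1.10", "tcp", 23),    # Telnet to a server: rule 3
    Flow("10.10.5.2", "10.10.1.20", "tcp", 443),   # HTTPS: fine
]

if __name__ == "__main__":
    for rule, items in audit(SAMPLE_FLOWS).items():
        print(f"[{rule}] {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```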

Unused IPv6 Communication 

Configuration error: Active IPv6 communication on devices without deliberate use adds unnecessary network overheads and complicates management.

In many organizations, devices are configured with both IPv4 and IPv6 addresses, even when IPv6 is not actively used. This results in redundant multicast and anycast queries, increasing your network traffic without providing value.

Recommended actions:
  • Disable IPv6 on devices where it is not required to reduce traffic.
  • Regularly monitor IPv6 traffic to identify inefficient flows.

Pro Tip: Ensure the compatibility of applications and devices relying on IPv6 before disabling it completely.

Effective Network Threat Prevention Begins with Proper Configuration

The misconfigurations highlighted above are not uncommon—they frequently surface during network audits across organizations of all sizes. Some issues can be resolved with simple configuration changes, while others demand a more strategic approach or infrastructure upgrades. Regardless of their complexity, early identification of these vulnerabilities is critical to preventing security incidents.

GREYCORTEX Mendel offers you a complete view of your network, detecting risks such as unencrypted communication, unauthorized access points, and problematic remote access methods. With Mendel, you can proactively identify vulnerabilities, minimize risks, and fortify your network before threats escalate.

GREYCORTEX Mendel 4.4 Released

We have released a new service version of GREYCORTEX Mendel.

Version 4.4 introduces a transition to the new CentOS operating system, enabling us to deliver more advanced functionalities in future versions, including:

  • Completely redesigned user rights management with native integration to identity services, supporting SSO and MFA.
  • High availability with collector redundancy (Phase 1).
  • Vulnerability mapping (CVE) tailored for OT devices.
  • Threat Intelligence 2.0 features a custom source definition with automated data processing.
  • Redesigned NBA events, leveraging the UnTE (tagging) engine for improved correlation.
  • Logical sensors optimized for MSSP deployment.
  • Application data analysis for deeper operational insight and environment identification.

The rollout of version 4.4 for existing customers started gradually in February 2025.


Your NIS2 Compliance Partner: GREYCORTEX Mendel for Stronger Cybersecurity

The NIS2 Directive has introduced a new era of cybersecurity regulation across the EU. Its focus on process setup and technical requirements challenges organizations to rethink how they manage cybersecurity risks. While setting up governance frameworks is crucial, NIS2 also mandates essential technical measures like asset management, network segmentation, and incident detection.

For many organizations, these technical demands can feel overwhelming: How do we meet them effectively? Do we have the right tools in place? This is where GREYCORTEX Mendel steps in, helping you bridge the gap between process and technology. Mendel helps organizations like yours simplify compliance by giving you the tools to monitor, secure, and optimize your network infrastructure effectively.

In this article, we’ll show you how Mendel supports compliance with the technical aspects of NIS2, helping you strengthen your cybersecurity posture while meeting the directive’s requirements.

A Brief Overview of the NIS2 Directive

The NIS2 Directive (Network and Information Security) is a pivotal EU cybersecurity regulation introduced in December 2020. Its primary objective is to establish a uniform level of cybersecurity protection across all EU Member States by mandating specific requirements and measures. Compared to its predecessor, the NIS Directive, NIS2 represents a significant expansion of scope and ambition.

While the specific requirements may vary by country as national legislations adopt the directive, certain challenges remain universal. This is where GREYCORTEX Mendel can help. No matter the regulatory nuances in your country, Mendel provides you with practical tools and insights to address key technical requirements, ensuring your organization stays secure and compliant.

NIS2 in Practice: How GREYCORTEX Mendel Helps

Asset management

Organizations must maintain visibility of all devices and systems within their infrastructure, including their interactions. GREYCORTEX Mendel lets you simplify this process by automatically auditing assets and mapping their connections.

For instance, a regional healthcare provider discovered 15 undocumented devices using Mendel. This helped them uncover legacy systems that were vulnerable to exploitation and provided a roadmap for mitigation.

Mendel detects and stores information about every device communicating on your network. Use it to view a list of networks and subnets and see in detail the devices in these subnets. This overview is supplemented with information about the risk level of these devices and subnets, and detailed information about hostname, tags, operating system, and other parameters.

In the system, you will see a visualization of the individual connections between devices and networks as well as an overview of users. By integrating this with identity sources such as Active Directory or an LDAP server, Mendel connects specific communications to individual users.

Risk management

Understanding which systems are critical—and the impact of their failure—is fundamental. Mendel allows organizations to identify and prioritize key assets, enabling them to assess the potential consequences of disruptions.

By identifying the criticality of assets, organizations can allocate resources effectively, focusing on what truly matters to their operations and compliance efforts.

For instance, a manufacturing company used Mendel to uncover inadequate segmentation around a legacy control system. Addressing this gap protected them from a ransomware attack that could have halted production.

Mendel allows you to filter the communication clients that access a particular service or application as a basis for determining the criticality of those services and applications.

Human resource security and access control

Monitoring user behavior and access is vital to preventing unauthorized activity. Examples include users communicating with a system they should not be permitted to reach, VPN access with an account or remote-access method that should be blocked, or an external vendor still holding access to a company’s internal network after its contract has been terminated.

Mendel identifies unusual access patterns, such as attempts to log into restricted systems or use compromised credentials.

Our customer discovered that an employee’s credentials were being misused to access sensitive applications after hours. Mendel flagged the anomaly, enabling the IT team to act swiftly and prevent a breach.

By integrating Mendel with asset management tools or identity sources, it is possible to create a list of users and explore their communication with other users and services. This allows you to check whether there is a user on the network who should not be there.

Cybersecurity audit

Regular audits ensure that security measures align with daily operations. While traditional audits are conducted, for example, twice a year, Mendel enables you to carry out continuous verification of policies and compliance on a daily basis.

Security of communication networks

Network segmentation is a cornerstone of effective cybersecurity. With GREYCORTEX Mendel, you can easily verify the correct implementation of your network segmentation. Mendel provides clear insights into whether devices from one subnet are improperly communicating with devices in another subnet or are accessible from the Internet when they shouldn’t be.

Consider critical production devices: these are typically restricted to an internal network for security reasons but may occasionally require temporary Internet access for upgrades or remote servicing. If this access is not revoked after use, Mendel will detect and alert you to any unauthorized communication, ensuring your network remains secure.

Mendel’s capabilities go further, processing protocols like MODBUS and other OT-specific protocols to visualize communication flows for production devices. This helps verify not only where these devices are communicating but also whether the communication complies with security policies.

Additionally, Mendel simplifies the detection of illegitimate connections. For example, you can filter and monitor Remote Desktop Protocol (RDP) communications that might be restricted by company policy or identify unauthorized TeamViewer connections.


Detection of cybersecurity events

Detection, together with the recording and analysis of events, is one of the key capabilities of GREYCORTEX Mendel, and all three are essential for effective incident prevention.

Mendel excels at identifying threats by analyzing network traffic and detecting both signature-based and anomalous behavior. This capability allows organizations to address issues at different stages of a cyberattack.

For example, Mendel detects command-and-control communication, a hallmark of advanced persistent threats, and brute force attacks, which are a common tactic in ransomware campaigns. Also, it detects other dangerous behaviour, such as scans or tunnels.

Event logging

One of NIS2’s key requirements is retaining cybersecurity event records for at least 18 months. GREYCORTEX Mendel lets you simplify compliance by securely recording all mandatory data and making it easily traceable over months or even years—limited only by your available storage capacity.

Mendel also supports seamless integration with other tools through its ability to upload and export PCAP files. This feature enables you to analyze records externally or import PCAPs back into Mendel for detailed investigations, ensuring your organization stays agile in handling cybersecurity events.

Analysis of cybersecurity events

Continuous and centralized evaluation of detected cybersecurity events is essential for maintaining a robust security posture. This process involves identifying correlations, assessing the relevance of sources, and generating alerts—whether automatically in real-time or through manual configuration.

With GREYCORTEX Mendel, you gain the ability to drill down into the specifics of every detected event. Mendel categorizes events using the MITRE ATT&CK Framework, providing a structured and industry-recognized approach to understanding threats. Additionally, it offers various intuitive views and filters, enabling you to analyze your data from multiple perspectives and focus on what matters most to your organization.

Cryptographic algorithms

GREYCORTEX Mendel helps you verify that your systems are using up-to-date encryption standards and eliminates the risks associated with unencrypted communications or plaintext password transmissions.

For example, Mendel flagged several plaintext password transmissions in a client’s system, enabling them to enforce encryption policies and prevent credential theft.

Additionally, Mendel checks the validity of communication certificates, ensuring that your encrypted connections are both secure and compliant with best practices.

Security of industrial assets

The NIS2 Directive places significant emphasis on securing industrial networks, an area where many organizations still face challenges. GREYCORTEX Mendel addresses these gaps by supporting industrial protocols like MODBUS, OMRON, BACnet, and others, enabling comprehensive monitoring of operational technology (OT) environments.

Beyond analyzing IT network traffic, Mendel visualizes communication between devices up to level 2 of the Purdue model, including sensors, motors, and other industrial components. With proper configuration, it can extract detailed insights about OT devices, such as furnace temperatures, centrifuge speeds, pipeline pressures, and water levels in storage vessels.

Mendel delivers critical data to ensure the reliability and security of production infrastructure, including:

  • Identification of Common Vulnerabilities and Exposures (CVEs) affecting OT devices
  • Configuration settings of industrial systems
  • Firmware information for better version control and security assessments

Prepare in Time

Applicability, enforcement, and fines will vary from one EU Member State to another. Yet in cybersecurity, more than anywhere else, the saying “yesterday was too late” applies.

There is no need to panic, but don’t underestimate the security of your business or institution. Your organization doesn’t need to face NIS2 alone. Whether you’re just starting your compliance journey or refining existing processes, GREYCORTEX Mendel provides the visibility and control you need to succeed.

Bridging IT and OT Security: NDR’s Role in the Protection of Industrial Assets

The convergence of Information Technology (IT) and Operational Technology (OT) is transforming industries. While this integration drives operational efficiency and faster decision-making, it also creates new cybersecurity challenges. GREYCORTEX Mendel offers a unified way to monitor and protect both your IT and OT environments.

As digital transformation continues, IT systems, like corporate networks and databases, are increasingly linked with OT systems, such as industrial control systems and sensors. This connection improves data sharing and process control but demands a unified approach to securing both technologies.

New cybersecurity threats are constantly emerging as the Internet of Things (IoT) and automation continue to grow. One of the biggest challenges is ensuring seamless communication between IT and OT teams, which often have distinct goals and methods. Addressing these challenges requires identifying critical assets and implementing tailored security measures.

The Core Security Requirement

A fundamental security requirement in any company is identifying and classifying assets. Understanding the value and strategic importance of each asset allows for the appropriate level of protection. Tools that enable effective monitoring and protection of both industrial and digital assets are essential in this context.

Key Differences Between IT and OT Environments

IT and OT environments differ in focus, asset life cycles, and the personnel managing them. While IT prioritizes data processing, business operations, and frequent updates, OT centers on controlling physical processes and maintaining long-term operational stability. OT systems often remain in place for decades without major updates, creating potential security gaps.

IT and OT teams also have different expertise. IT teams focus on data confidentiality and cybersecurity, while OT teams prioritize the safe operation of industrial assets, often resisting upgrades to avoid disruptions. 

Another key difference lies in the communication protocols used in each environment.

So how do you protect both environments with one monitoring solution?

NDR’s Role in Protecting IT and OT

NDR solutions are pivotal in safeguarding industrial environments, providing visibility into both your IT and OT networks. A prime example is GREYCORTEX Mendel, which passively monitors traffic across both networks to detect anomalies without interfering with system operations—a critical requirement for industrial settings.

Mendel correlates data from various sources to identify threats early, allowing analysts to investigate security events and uncover connections between them. While defining processes and security policies is critical, verifying compliance is equally important. Mendel continuously monitors these processes and notifies you about any non-compliance. Any incidents detected can also be easily exported into clear reports.

Bridging the IT-OT Divide

Better infrastructure visibility, deeper threat understanding, stronger protection of both digital and industrial assets—these are some of the key benefits that NDR solutions bring.

Mendel facilitates cooperation between your IT and OT teams. By integrating with the MITRE ATT&CK® Framework, Mendel creates a common language for analyzing threats, helping both teams collaborate more effectively.

Additionally, Mendel allows you to customize event categorization based on team needs, ensuring IT and OT professionals see the information that matters most to them—within the same solution, but with their own tailored interface.

The Future of Industrial Cybersecurity

As cyber threats evolve, the convergence of IT and OT systems requires tools that can adapt and offer comprehensive protection. GREYCORTEX Mendel meets these needs by learning and responding to new attack types, ensuring the security of both your digital and industrial assets. The continued integration of IT and OT networks necessitates a unified monitoring and response approach, where NDR solutions are central. By leveraging tools like Mendel, organizations can strengthen their cybersecurity posture, ensuring resilience and continuity in an increasingly interconnected digital landscape.

Maximizing IT/OT Network Protection with Garland and GREYCORTEX

While the convergence of IT and OT has been around for several years, there still exists a disparity between the technology, tools, and resources deployed in each network type. IT teams often turn to traditional security vendors for NGFW, XDR, and NDR tools, which don’t always work effectively in OT environments due to the different needs of SCADA and ICS systems. 

GREYCORTEX has made it its mission to provide customers who have both IT AND OT networks with technologically advanced and reliable security tools. By fostering collaboration between IT and OT teams, they enable you to strengthen your security strategies and better protect yourself against cyber threats.

In addition to its robust detection and response capabilities, GREYCORTEX Mendel offers powerful real-time network analytics. This technology provides you with visibility into your network activities, whether you’re managing a small network of 100 devices or a vast, geographically dispersed network with hundreds of thousands of devices.

How It Works

GREYCORTEX Mendel sees and visualizes traffic in the context of time and events, including L2 and L3 OT protocols and application data. To identify all devices in a network and gain a comprehensive understanding of their interactions, the protocols they use, and where data flows, Mendel requires complete packet visibility. This is where Garland Technology comes in. Network TAPs are a tested and proven industry best practice for ensuring complete network visibility for security and monitoring tools.

Scenario #1: Security Monitoring for IT and OT Infrastructure
  1. Within both IT and OT environments, traffic from the network segments is fed through Garland Technology Network TAPs. These TAPs mirror the network traffic to provide 100% visibility across the environments.
  2. In OT scenarios, Garland commonly uses its specialized Industrial Network TAPs that are purpose-built for industrial, manufacturing, utility, and military environments.
  3. Data from multiple Network TAPs is delivered to Garland’s PacketMAX™ Advanced Features to aggregate, filter, and load balance the mirrored traffic.
  4. The aggregated traffic from each location is then delivered to GREYCORTEX Mendel. Mendel serves as both a Network Detection and Response solution for the IT infrastructure and as an advanced industrial Intrusion Detection System (IDS) for industrial environments, utilizing deep packet inspection for ICS and SCADA traffic.
  5. Mendel offers a complete view of your network and business applications through active and passive asset discovery. It provides detailed asset information, including vendor details, hardware and software versions, and network configurations.
Scenario #2: Security Monitoring of Medical IoT Devices and Critical Healthcare Systems
  1. Garland Technology’s compact, high-performance network TAPs provide a 100% full duplex copy of the wire data.
  2. Network traffic is sent to the PacketMAX™ Advanced Features packet broker for aggregation, filtering, load balancing, and deduplication to remove duplicate packets. The refined traffic is then sent to GREYCORTEX Mendel for detailed analysis and detection of malicious activities and advanced threats.
  3. Mendel enables system analysts to investigate security and operational events effectively. It helps them find root causes and respond to threats quickly. This is possible because Mendel provides a comprehensive view of network activities, whether it’s for specialized medical devices like CT scanners, X‑Ray machines, and DICOM workstations, or for Medical Information Systems and Building Automation Systems.

Key Benefits of the Garland-GREYCORTEX Solution

  • Easy to manage and cost-effective, providing comprehensive monitoring of IT, OT, and IoT environments.
  • Gain 100% network visibility into your active IT and OT assets without added latency.
  • Ensure security with TAPs that lack IP or MAC addresses, making them immune to hacking.
  • Improve collaboration and break down silos across teams with deep visibility across all network and application layers.
  • Leverage real-time network analytics and advanced detection of threats and operational issues, with the capability to respond swiftly.
  • Quick to implement within strict maintenance windows.

About Garland Technology
Garland Technology is an industry leader in IT and OT network solutions for enterprises, critical infrastructure, and government agencies worldwide. Since 2011, Garland Technology has been engineering and manufacturing simple, reliable, and affordable Network TAPs and Network Packet Brokers in Richardson, TX. For help identifying the right IT/OT network visibility solutions for projects large and small, or to learn more about the inventor of the first bypass technology, visit garlandtechnology.com.

Secure and Reliable Networks: Your Frontline Against Cyber Threats

In today’s digital landscape, a stable and secure network is crucial for businesses of all sizes. It forms the foundation of effective cyber threat protection; without that foundation, even the most sophisticated cybersecurity tools and systems fall short. How, then, can you ensure both security and stability?

An efficient network must be resilient, highly available, robust, scalable, and secure. While there’s no one-size-fits-all solution, implementing best practices tailored to your network environment and your business needs can set you on the right path. 

Let’s explore the key aspects of network security: data network architecture, network segmentation, and network access control.

Data Network Architecture: Building a Strong Foundation

When defining your network architecture, it is important to consider topology, technology choices, and communication protocols, and to ensure they are all tailored to your organization’s structure and needs. Whether you’re a small manufacturer, a global enterprise, a university, an ISP, or a data center, understanding the layers of the OSI model is crucial for building a secure network.

At the physical layer (L1), the quality of your infrastructure is paramount. Poor-quality fiber optics, inadequate cabling, or faulty network sockets can undermine network performance. We’ve all seen instances where a network faltered due to damaged cables or dirty connectors. These local problems can escalate to higher levels, potentially disrupting part or all of your network.

Moving up to the data link layer (L2), we encounter the Spanning Tree Protocol (STP). This crucial protocol prevents loops in the network by ensuring only one active path between any two devices. However, an STP recalculation can affect the entire L2 topology, leading to widespread network outages. To mitigate this risk, it’s essential that all devices within the STP domain run the same STP variant and, ideally, can build separate STP trees per VLAN. Additionally, deliberately configuring the Root Bridge, or implementing Root Guard on the ports where a root should never appear, is highly recommended.

At the network layer (L3), issues from L2 can lead to disruptions. For instance, if routers exchange a dynamic routing protocol over VLANs that span an unstable L2 domain, an L2 fault surfaces as routing instability. To minimize the impact of L2 issues, consider logical or geographical segmentation of your network at L3.

Maintaining a stable network requires continuous monitoring of all individual elements and performance metrics like Round Trip Time (RTT), Average Response Time (ART), and User Experience Time (UET). Tools like GREYCORTEX Mendel can assist you by tracking these metrics, identifying configuration issues, and reporting anomalies to ensure smooth operations.

Network Segmentation: Protecting LAN Integrity

Network segmentation plays a crucial role in both the security and performance of your data networks.

From a performance standpoint, it’s advisable to separate individual broadcast domains into network segments using VLANs. This minimizes unnecessary broadcast traffic and ARP queries, leading to a more stable network. Moreover, selecting the optimal STP variant further reduces the impact on these domains.

From a security perspective, segmenting the network into smaller subnetworks simplifies access control management and eases the inspection of communication between segments. It’s important to monitor whether your current network traffic complies with your security policies.

GREYCORTEX Mendel excels in network security monitoring, providing you with clear insights into your network activities. It also verifies whether current traffic aligns with your security policies and offers a straightforward visualization of the results.

Network Access Control: Knowing Who’s on Your Network

Effective network access control should be enforced at both the network-device and the end-user level. At the device level, several measures can prevent unauthorized devices from compromising your network:

  • BPDU Guard: This security function watches for BPDU (Bridge Protocol Data Unit) frames, which switches exchange to build and maintain the STP topology. If a BPDU arrives on a port where none is expected, such as an access port, the switch blocks (error-disables) that port, preventing an unauthorized “smart” switch from joining the spanning tree.
  • Port Security: Properly configuring port security involves defining the number of MAC addresses allowed on a single port, thereby limiting the potential use of a connected “rogue” switch. Alternatively, you can allow only a specific MAC address, preventing the connection of any device other than those approved in the configuration.
  • 802.1X with EAP (Extensible Authentication Protocol): In dynamic environments where users frequently move and connect from different locations, 802.1X with EAP is recommended. This protocol authenticates users and devices before granting network access and can dynamically assign devices to specific VLANs based on organizational departments.
  • Advanced Access Control: For a more detailed approach, additional attributes such as the device’s “health status”, software configuration, or specific settings can be included. This often requires an endpoint agent, which may be standalone or part of an endpoint protection client suite. The agent collects data on the device, such as the OS version, endpoint protection status, installed applications, and registry settings, and feeds this information into the access control policy.
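The device-level controls listed above, together with the Root Bridge and Root Guard recommendations from the L2 discussion, as an added configuration example that is not part of the original article and is not GREYCORTEX’s or Garland’s own material. Cisco IOS-style syntax is assumed; the interface names, VLAN numbers, the RADIUS server address 192.0.2.10, the shared-secret placeholder and the recovery interval are all constructed values for illustration.

```text
! Added example (constructed), Cisco IOS-style syntax assumed; not from the article.
!
! --- Spanning tree: one STP variant for the whole domain, a tree per VLAN,
!     and a deliberately chosen root bridge instead of the default election
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary
!
! Ports disabled by a guard come back on their own after the timer, so a
! single stray device does not need a manual visit (300 s is a constructed value)
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- 802.1X / EAP: authenticate users and devices against a RADIUS server
!     (the address and the secret are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server NAC-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! --- Trunk toward a downstream access switch: this switch must stay root,
!     so a superior BPDU arriving here (misconfigured or unauthorized switch)
!     puts the port into root-inconsistent state instead of reshaping the tree
interface GigabitEthernet1/0/48
 description trunk-to-access-switch
 switchport mode trunk
 spanning-tree guard root
!
! --- Access port for a fixed device (printer, OT controller):
!     weak default = no portfast, no bpduguard, no port-security; hardened below
interface GigabitEthernet1/0/1
 description fixed-device
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Access port for a user desk: 802.1X decides admission and the VLAN is
!     assigned dynamically from the RADIUS reply rather than fixed on the port
interface GigabitEthernet1/0/2
 description user-desk
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 authentication port-control auto
 dot1x pae authenticator
```

Dynamic VLAN assignment relies on the RADIUS server returning the standard Tunnel-Type (VLAN), Tunnel-Medium-Type (802) and Tunnel-Private-Group-ID attributes in its Access-Accept; without them the port stays in its configured access VLAN. To validate the result, `show spanning-tree inconsistentports` lists ports held by Root Guard, `show port-security interface GigabitEthernet1/0/1` shows the learned address and violation count, and `show authentication sessions` shows which user or device is behind each 802.1X port.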

GREYCORTEX Mendel offers a clear view of network assets and their interconnections, providing insights beyond what is recorded in asset management systems.

Remote Access Management

Remote access management is increasingly important as users often work beyond the secure boundaries of their organization. While traditional VPN access remains popular, it has limitations and often falls short of providing adequate security. To address this, it’s important to monitor several aspects of VPN usage: who is accessing the VPN, which devices or systems they are communicating with, the protocols in use, the services accessed, and the volume of data transferred. GREYCORTEX Mendel can help carry out this comprehensive monitoring.

For stronger protection, consider Zero Trust Network Access (ZTNA) solutions, which grant access only to specific applications or services rather than to the network as a whole, improving transparency and control over remote access.

Building a Secure Network Foundation

A high-performing network is the cornerstone of organizational cybersecurity. By leveraging NDR tools like GREYCORTEX Mendel and following best practices, you can ensure superior management and protection of your network infrastructure, strengthening your overall security posture.

Remember, a secure network is not just about having a perimeter defense—it’s about creating a resilient, monitored, and well-managed internal infrastructure that can withstand and respond to various cyber threats. By focusing on these key aspects—architecture, segmentation, and access control—you’ll be well on your way to building a network that’s both secure and reliable.