Our story begins with the French Government Defence procurement and technology agency, more specifically its cybersecurity branch, who, in 2013, took the decision to fund PhD research carried out by Christopher Humphries within Cidre, a research team involving CentraleSupélec and Inria, on the theme of the visualisation of suspicious incidents. This led to the development of a prototype giving analysts a much clearer view of attempts at intrusion into systems. In order to enable this technology to be transferred to the industrial sphere, the decision was taken to create a start-up with support from Inria. This company is called Malizen. Based in Rennes, at the Cyber Excellence Hub, it has been operational since January 2020.
The software itself, meanwhile, is called ZeroKit. This is an allusion to so-called ‘zero day’ attacks, which involve the use of intrusion methods that have never been seen before and which automatic anti-virus programs are unfamiliar with. When faced with this type of malware, expert security analysts are often the last line of defence. They are the ones responsible for identifying the slightest anomaly, noticing a machine operating unusually slowly, picking up on odd network connections, etc. Sometimes, however, they have to respond to security incidents. Their first task is to understand the situation. They then have to seek out the origin of the intrusion, before assessing the scale of the problem. In many ways, it’s a lot like a police investigation.
“Analysts are basically Sherlock Holmes - what we do is to provide them with the magnifying glass!” (in charge of the user experience, Malizen)
So, how does this tool work? By retrieving logs, i.e. the files in which the activity of a machine is recorded: displaying a web page, opening a door using an entry code, a voltage dip on an industrial site, etc. “The main display gives an overview of all events likely to be of use when it comes to quickly understanding a situation”, explains Christopher Humphries, CEO of the company. “This dashboard displays everything an expert needs, enabling them to view the overall quantity of events and how they are distributed over time. In a standard analysis system, a significant amount of configuration is needed in order for relevant information to be produced. Our tool allows analysts to work more intuitively: much more information is available to view in one place, making it easier to understand. What it is, essentially, is an accelerator. Users don’t need to dissect manuals, to seek help from colleagues or to enter command lines using a specific language.”
Using this interface, analysts will be able to see patterns emerge. This might be a lot of unusual activity on a bank’s server in the middle of the night, for example. The expert will be able to display the IP addresses, ports and so on, to identify any strange connections and to then correlate these with other incidents. A map is also displayed, showing the structure of the machines in question. On an industrial site, it is possible to analyse the production area, administrative buildings, etc.
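The workflow described above (collect logs, look at how events are distributed over time, then drill into the addresses and ports behind an unusual cluster) can be illustrated with a few lines of Python. The example below is added here for illustration and is not code from Malizen or ZeroKit; the log format, the sample lines and the definition of "business hours" are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (assumption: one connection event per line,
# ISO timestamp first, then key=value fields). Not real traffic.
SAMPLE_LOG = """\
2020-03-14T09:12:01 src=10.1.4.20 dst=10.1.0.5 dport=443 action=allow
2020-03-14T09:15:44 src=10.1.4.21 dst=10.1.0.5 dport=443 action=allow
2020-03-14T10:03:19 src=10.1.4.22 dst=10.1.0.5 dport=443 action=allow
2020-03-14T14:30:02 src=10.1.4.20 dst=10.1.0.7 dport=3306 action=allow
2020-03-14T15:47:55 src=10.1.4.23 dst=10.1.0.5 dport=443 action=allow
2020-03-14T02:13:05 src=10.1.9.99 dst=10.1.0.7 dport=3306 action=allow
2020-03-14T02:13:07 src=10.1.9.99 dst=10.1.0.7 dport=3306 action=allow
2020-03-14T02:13:09 src=10.1.9.99 dst=10.1.0.7 dport=3306 action=allow
2020-03-14T02:13:11 src=10.1.9.99 dst=10.1.0.8 dport=22 action=deny
2020-03-14T02:14:30 src=10.1.9.99 dst=10.1.0.8 dport=22 action=deny
malformed line without a timestamp
"""

# Assumption: 08:00-18:59 is the period in which activity is expected.
BUSINESS_HOURS = range(8, 19)


def parse_logs(text):
    """Turn raw log text into a list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # malformed or non-timestamped line: ignore, do not crash
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        fields["ts"] = ts
        events.append(fields)
    return events


def hourly_histogram(events):
    """Count events per hour of day: the 'distribution over time' view."""
    return Counter(e["ts"].hour for e in events)


def off_hours_bursts(hist, min_events=3):
    """Hours outside business hours with at least min_events events."""
    return sorted(h for h, n in hist.items()
                  if h not in BUSINESS_HOURS and n >= min_events)


def events_in_hours(events, hours):
    """Drill down: keep only the events that fall into the given hours."""
    return [e for e in events if e["ts"].hour in hours]


def top_connections(events, n=3):
    """Most frequent (src, dst, dport) triples, for correlation with other data."""
    c = Counter((e.get("src"), e.get("dst"), e.get("dport")) for e in events)
    return c.most_common(n)


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOG)
    hist = hourly_histogram(evts)
    suspicious = off_hours_bursts(hist)
    print("events per hour:", dict(sorted(hist.items())))
    print("off-hours bursts:", suspicious)
    print("top connections in those hours:",
          top_connections(events_in_hours(evts, suspicious)))
```

The two thresholds (business hours and the burst size) are where a real deployment needs site-specific tuning; a refinery and a hospital have very different notions of a quiet hour, which is the kind of per-client adaptation the article mentions later.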
What is Malizen’s target market? “We will primarily be looking at organisations that are up to speed with the challenges of cybersecurity,” answers Christopher Humphries, “who already have tools for solving these sorts of problems. Most notably, this will include operators of vital importance, against which any attack could have national security implications.” (military sites, nuclear power plants, etc.) “It will also include operators of essential services, which, by law, have an obligation to be able to respond to attacks.” This category features hospitals and some sites where sensitive data is hosted.
SOCs and CERTs
Beyond this initial scope, “many companies and organisations are now deploying specialist resources”, explains Simon Boche, head of IT security. “These entities have SOCs (security operations centres), which are call centres set up to handle alerts, to provide surveillance and to react. Some groups also have CERTs (Computer Emergency Response Teams). These are no longer simply help desks, but are instead mobile teams, which travel to sites to respond to alerts. Some operators, meanwhile, choose to outsource these tasks to specialist companies, such as Orange Cyberdefense or Amossys.”
A toolkit for an on-site response
In order to respond to these roving requirements, ZeroKit can be embedded into a computer server delivered in a toolkit. “In order to respond to security incidents, CERTs are often called out to production sites at the other end of France or on the other side of the world”, explains Christopher Humphries. “The issue here is that the resources needed for analysis purposes are housed at the group’s head office. This leads to multiple return journeys in order to collect the data, to bring it back and to then process it. These journeys waste a lot of time. Our response solution is designed to enable experts to work directly on-site, collecting data, beginning calculations and carrying out their analysis of the situation. It’s a lot more practical.”
Available through a license, ZeroKit is comprised of a modular base to which companies can add building blocks, inserting features or connecting other data sources. “There is a phase for adapting to the client’s information system. The situation will be different for a refinery compared to a railway network, for example. We are developing a specific block for each individual situation.”
Keeping one foot in the world of research
The software itself, meanwhile, will continue to develop. The company has taken in a Master’s student from CentraleSupélec, who is working on exploration recommendation. “This involves supplying advice to the analyst carrying out the safety inspection”, explains Romain Brisse. “ZeroKit will allow them to view the data in a certain way or to explore areas they may have missed using knowledge provided by us.” In late summer/early autumn of 2020, this student will begin a PhD funded by the company as part of the Cifre initiative.
“We are looking to keep one foot in the world of research”, concludes Christopher Humphries. “In public laboratories, there is a lot of technology that could be of interest to users, but which is often not transferred over to industry. We feel that’s a bit of a shame. Our aim is to retain ties with CentraleSupélec and Inria, which is where we started out, in order to remain on the cutting edge and to help pass these innovations on to industry.”