Interview with Lëtzebuerger Gemengen, translated by itrust consulting.
While the NIS2 Directive requires European organisations to achieve a significantly higher level of maturity in terms of security monitoring, SMEs face a disproportionate challenge: meeting detection, remediation and documentation requirements while operating with limited resources. In this context, itrust Abstractions Lab and itrust consulting are introducing an open technology stack based on two complementary systems developed as part of the CyFORT project: IDPS-ESCAPE (Intrusion Detection and Prevention System - Enhanced Security through a Cooperative Anomaly Prediction Engine), dedicated to intrusion detection and prevention, and SATRAP-DL (Semi-Automated Threat Reconnaissance and Analysis Powered by Description Logics), focused on cyber threat intelligence (CTI), contextualisation, correlation and incident management.
The three key subsystems, SONAR and RADAR for IDPS-ESCAPE and DECIPHER for SATRAP-DL, form a continuous chain from collection to analysis, from CTI enrichment to remediation, through to the creation of structured cases in the open source flowintel platform, which offers tight and robust integration with, among others, the MISP ecosystem developed by CIRCL in Luxembourg. This philosophy extends the one that guided the creation of IDPS-ESCAPE and SATRAP-DL: to provide free, transparent and auditable solutions that help organisations comply more easily with NIS2 obligations at low implementation cost while promoting internal control.
A dual architecture to meet all NIS2 requirements
IDPS-ESCAPE was initially designed as a platform combining sensors, an AI engine and automation to reduce false positives and help critical and important entities fulfil their continuous monitoring obligations. SATRAP-DL now complements this suite by adding an essential dimension: structured analysis of cybersecurity threats, comprehensive incident handling, and the ability to automatically link detection to an institutionalised, documented response that complies with regulatory expectations.
In practice, IDPS-ESCAPE provides technical monitoring and active response, i.e. the ability to identify, classify and prioritise anomalies using rules, statistical models and multivariate algorithms, as well as activate defensive actions. SATRAP-DL, with DECIPHER, provides the management layer, i.e. enrichment, advanced CTI analysis, case creation, correlation, escalation and documentation. This separation provides organisations with greater clarity: IDPS-ESCAPE deals with ‘what is happening’, while SATRAP-DL deals with ‘what is being done about it’. Together, they meet both the detection and incident management requirements of NIS2.
RADAR: SOAR execution within IDPS-ESCAPE
RADAR is the executive component of IDPS-ESCAPE, transforming alerts into real action. It is based on SOAR principles: orchestrate, automate and respond. Orchestration is based on Ansible, enabling automated and consistent deployment of Wazuh, its agents and all detectors across distributed infrastructures. Automation comes from Wazuh's active response mechanism, which executes scripts without human intervention, whether to send a notification, block an IP address, restart a service or deactivate a user. Detection is based on a hybrid mechanism combining a signature-based approach with an anomaly detection solution based on the RRCF (Robust Random Cut Forest) machine learning algorithm.
This operation is part of a risk management approach. Each detection is first qualified by a dynamic score that distinguishes between low, medium and high risk. An anomaly deemed low gives rise to a simple notification sent to the analyst. A medium risk triggers a notification accompanied by the automatic creation of a case in flowintel. A high risk can lead to more direct actions, such as taking a component out of service or applying stricter temporary countermeasures. The ability to modulate the response limits unnecessary interruptions while ensuring active defence.
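The tiered scheme above, notify on low, notify and open a case on medium, and add a containment action on high, can be expressed as a small response planner. The following is an added illustration written for this article and is not RADAR's or Wazuh's own code: the alert shape only loosely imitates a Wazuh alert (rule.level, data.srcip), the anomaly_score field, the weights, the thresholds, the action names and the protected-network list are all assumptions, and the sample alerts are constructed. The one caveat a practitioner would want is built in: an automatic block is never issued against a protected network, so a high-risk alert whose source is the management plane is escalated for manual review rather than locking the team out.

```python
"""Risk-tiered response planner in the spirit of RADAR's low/medium/high scheme.

Added example, not code from IDPS-ESCAPE. The alert dictionaries imitate a
Wazuh alert only loosely; field names, weights, thresholds, action names and
the protected networks are assumptions chosen for this illustration.
"""
from dataclasses import dataclass, field
import ipaddress

LOW, MEDIUM, HIGH = "low", "medium", "high"

# Assumed scoring: Wazuh rule levels run 0-15; the anomaly score in [0, 1] is
# assumed to come from the RRCF detector. Both are scaled to 0-100 and combined.
RULE_WEIGHT = 0.6
ANOMALY_WEIGHT = 0.4
MEDIUM_THRESHOLD = 40
HIGH_THRESHOLD = 70

# Assumed: networks that must never be auto-blocked (management plane, monitoring).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/24")]


def risk_score(rule_level, anomaly_score):
    """Combine a rule level and an anomaly score into a 0-100 risk score."""
    level_part = max(0, min(rule_level, 15)) / 15 * 100
    anomaly_part = max(0.0, min(anomaly_score, 1.0)) * 100
    return round(RULE_WEIGHT * level_part + ANOMALY_WEIGHT * anomaly_part)


def tier(score):
    """Map a risk score onto the three tiers described in the article."""
    if score >= HIGH_THRESHOLD:
        return HIGH
    if score >= MEDIUM_THRESHOLD:
        return MEDIUM
    return LOW


def _protected(ip):
    """True when the address lies in a network we refuse to block automatically."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


@dataclass
class Plan:
    tier: str
    score: int
    actions: list = field(default_factory=list)  # (action, argument) pairs


def plan_response(alert):
    """Decide which actions the responder should execute for one alert."""
    score = risk_score(alert["rule"]["level"], alert.get("anomaly_score", 0.0))
    plan = Plan(tier(score), score)
    plan.actions.append(("notify", alert["id"]))          # every tier notifies the analyst
    if plan.tier in (MEDIUM, HIGH):
        plan.actions.append(("open_case", alert["id"]))   # medium and high get a case
    if plan.tier == HIGH:
        src = alert.get("data", {}).get("srcip")
        if src and not _protected(src):
            plan.actions.append(("block_ip", src))        # containment only for high
        elif src:
            plan.actions.append(("escalate", f"{src} is protected, manual review"))
    return plan


# Constructed sample alerts (not real Wazuh output).
SAMPLE_ALERTS = [
    {"id": "a1", "rule": {"level": 5}, "anomaly_score": 0.1, "data": {"srcip": "203.0.113.7"}},
    {"id": "a2", "rule": {"level": 10}, "anomaly_score": 0.5, "data": {"srcip": "203.0.113.7"}},
    {"id": "a3", "rule": {"level": 12}, "anomaly_score": 0.9, "data": {"srcip": "203.0.113.7"}},
    {"id": "a4", "rule": {"level": 12}, "anomaly_score": 0.9, "data": {"srcip": "10.0.0.5"}},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        plan = plan_response(alert)
        print(alert["id"], plan.tier, plan.score, plan.actions)
```

Running the block prints one line per sample alert; the last two carry the same score but differ in their containment action because only the first source is outside the protected network.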
SONAR: multivariate analysis that enhances IDPS-ESCAPE
The detection intelligence comes from SONAR, another subsystem of IDPS-ESCAPE. Where Wazuh rules detect known threats and the RRCF algorithm, developed at Amazon and used in OpenSearch anomaly detection, flags isolated atypical values, SONAR adds a deeper dimension: multivariate detection over time series, powered by a deep learning model. Microsoft's MTAD-GAT algorithm is at the heart of SONAR, enabling it to correlate a set of signals derived from Wazuh alerts simultaneously and so identify subtle patterns of compromise across them.
SONAR is lightweight and integrates seamlessly into the existing monitoring environment. It analyses alerts that have already been collected to identify those that are truly out of the ordinary. This approach significantly reduces the number of unnecessary signals and highlights situations that deserve immediate attention, helping teams focus on what matters most.
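What "multivariate" buys over per-signal thresholds is easiest to see on a small example. The block below is an added illustration for this article, not SONAR's code: SONAR uses MTAD-GAT, whereas this stand-in bins alert records into per-window counts and scores each window with a Mahalanobis distance against a baseline in pure Python. The channel names, the baseline counts, the alert stream and the threshold are all constructed. The point it demonstrates is that a window whose counts sit comfortably inside every single channel's normal range can still be far from normal once the usual relationship between the channels is taken into account.

```python
"""Multivariate versus per-channel anomaly scoring on alert-count windows.

Added example, not SONAR's code (SONAR uses MTAD-GAT). A Mahalanobis distance
over per-window counts stands in for the deep learning model so that the
effect can be shown without any dependencies. All data here are constructed.
"""
import math

CHANNELS = ("auth_failed", "auth_success")

# Constructed baseline: alert counts per window, one row per window, in
# CHANNELS order. Failures and successes normally rise and fall together.
BASELINE = [(10, 8), (12, 9), (14, 11), (11, 9), (13, 10), (9, 7), (15, 12), (12, 10)]


def bin_alerts(alerts, window_s=300):
    """Turn (timestamp, channel) records into per-window count rows."""
    buckets = {}
    for ts, channel in alerts:
        row = buckets.setdefault(ts // window_s, [0] * len(CHANNELS))
        row[CHANNELS.index(channel)] += 1
    return [tuple(buckets[k]) for k in sorted(buckets)]


def mean(rows):
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]


def covariance(rows, mu):
    """Sample covariance matrix (divides by n - 1)."""
    n, k = len(rows), len(mu)
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
             for j in range(k)] for i in range(k)]


def invert(m):
    """Gauss-Jordan inverse of a small square matrix; raises if singular."""
    k = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(k)] for i, row in enumerate(m)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: add windows or drop a channel")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(k):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[k:] for row in a]


class WindowModel:
    """Baseline statistics plus the two scoring rules being compared."""

    def __init__(self, rows):
        self.mu = mean(rows)
        self.cov = covariance(rows, self.mu)
        self.inv = invert(self.cov)

    def univariate_flags(self, x, z=3.0):
        """Channels whose value alone exceeds z standard deviations."""
        return [CHANNELS[i] for i in range(len(x))
                if abs(x[i] - self.mu[i]) / math.sqrt(self.cov[i][i]) > z]

    def mahalanobis(self, x):
        """Distance that accounts for how the channels normally co-vary."""
        d = [x[i] - self.mu[i] for i in range(len(x))]
        return math.sqrt(sum(d[i] * self.inv[i][j] * d[j]
                             for i in range(len(d)) for j in range(len(d))))

    def is_anomalous(self, x, threshold=3.0):  # threshold is an assumption
        return self.mahalanobis(x) > threshold


if __name__ == "__main__":
    model = WindowModel(BASELINE)
    # Constructed alert stream: many failures but few successes in one window.
    stream = [(0, "auth_failed")] * 15 + [(1, "auth_success")] * 7
    for window in bin_alerts(stream):
        print(window, "per-channel:", model.univariate_flags(window),
              "multivariate:", round(model.mahalanobis(window), 2),
              "anomalous" if model.is_anomalous(window) else "normal")
```

The window (15, 7) produced by the constructed stream lies within the per-channel ranges of the baseline, so no single-channel threshold fires, yet its Mahalanobis distance is large because fifteen failures normally come with about twelve successes, not seven. That is the kind of joint deviation the text attributes to SONAR, here reduced to the simplest model that exhibits it.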
DECIPHER: CTI intelligence and incident management in SATRAP-DL
DECIPHER, within SATRAP-DL, intervenes after this initial detection to provide context. When RADAR flags suspicious activity, DECIPHER searches for additional information, such as whether the address or behaviour has already been associated with known attacks. This allows for a more accurate assessment of the severity of an alert and a tailored response.
A key element is direct integration with the open-source tool flowintel, which is used to document and track incidents. DECIPHER can automatically create a complete incident file, gathering useful information for the analyst. Thanks to this automation, every significant incident is recorded and can be handled in a structured manner. This capability is essential under NIS2, which requires traceability and systematic documentation of important events.
SATRAP-DL thus acts as a link between the technical signals detected by IDPS-ESCAPE and the operational management of incidents based on advanced analysis. It provides organisations, including SMEs, with a comprehensive and consistent process without the need to set up a costly dedicated team.
Seamless integration between IDPS-ESCAPE, SATRAP-DL and flowintel
The integration between IDPS-ESCAPE, SATRAP-DL and flowintel is seamless. IDPS-ESCAPE first identifies suspicious activity. SATRAP-DL, via DECIPHER, analyses it and extracts the elements necessary for risk assessment. If necessary, an incident is automatically opened in flowintel. The organisation can then monitor, escalate or resolve the case. This continuity makes it possible to quickly understand what happened, how it was handled and why certain measures were taken, which greatly facilitates NIS2 compliance.
A sustainable adoption model for SMEs
The approach taken by itrust Abstractions Lab and itrust consulting goes beyond simple open-source publication. In exchange for three to four days of monitoring per month, ideally carried out by an internal IT specialist of the adopting organisation, the design team provides approximately two weeks of support, training and technical advice. For a limited period, this service is co-financed by the Ministry of the Economy as part of its objective to promote the deployment of open cybersecurity solutions. This model allows small organisations to strengthen their maturity gradually while retaining the autonomy needed to operate the stack day to day. It is important to emphasise that an intrusion detection project does not replace the IT function but complements it with an independent check, reassuring management that the IT environment is functioning properly, that no major vulnerabilities are present and, in the event of an attack, that an immediate response will be initiated to limit its impact.
Publication and perspective
The SONAR, RADAR and DECIPHER subsystems, integrated into IDPS-ESCAPE (SONAR and RADAR) and SATRAP-DL (DECIPHER), are available on GitHub. They provide advanced detection capabilities, automated response and rigorous incident management within a fully open, transparent framework that complies with NIS2 requirements. In addition, the technology stack integrates natively with flowintel and MISP, streamlining workflows for entities already using these widely adopted platforms.
For more information, contact info@abstractionslab.lu or visit: https://abstractionslab.com/index.php/products/