The Ardagh Group, a worldwide leader in packaging solutions, utilised an AI-powered network detection and response platform from Vectra to provide crucial visibility into its global network.
The Ardagh Group is a leading global supplier of metal and glass packaging solutions for many of the world’s leading brands.
The company has a turnover of about US$8 billion, with around 120 plants in 40 countries and employs more than 23,000 people.
There are several cyber-risks that have to be managed by the Ardagh Group’s CISO, David Whelan, in order to prevent financial and reputational risk to the company and its customers.
One of the key challenges is the geographical distribution of the company, as it operates from several remote locations, outside of urban areas.
Whelan said: “Even visiting a plant has logistical issues around it. The challenges are really around not trusting the perimeter and how you go about putting in different layers of defence around that.”
Another challenge is the move to the cloud which, Whelan says, has introduced new risks due to reduced visibility.
Email is another target for cybercriminals, with senior executives and those in finance roles targeted on a daily basis.
The Ardagh Group works with many of the world’s leading food and drink companies, so as part of their supply chain the company works hard to maintain good cyber hygiene.
“If, for example, we were used to try to take money out of those companies, if someone got onto our network and used us as a way in, as part of the supply chain, it points back at us then and they would justifiably be very unhappy with the way we’ve done our business,” he said.
The Vectra Cognito AI solution was implemented in July 2018. It uses machine learning to identify suspected attacker behaviours and alert security analysts.
Whelan said: “It learns what looks normal, so it’s constantly monitoring the packets and it will quickly say ‘ok, I get it, this machine talks to these five machines on a daily basis’ but if that machine suddenly starts talking to six other machines, it will flag that up.
“And it’s not intrusive on the user, we’re not looking at user behaviour, we’re looking at machine behaviour.”
It helps, he said, to ‘push the normal stuff out of the way’.
“We have a SIEM which will report in, saying a machine has been trying to log into say 500 machines in the last five minutes and it’ll usually be something on the shop floor that’s lost its controller and is looking for something to connect to,” Whelan added.
“And we can look at that and within 10 seconds say ‘we know exactly what that is’, but it’s not worrying which at the same level is much harder to filter that out and it’s harder to not listen to. So this has given us a more fine-tuned approach to identify that traffic.”
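The two behaviours Whelan describes, a machine that normally talks to five peers suddenly talking to six more, and a shop-floor device trying to log into hundreds of machines in a few minutes, can both be expressed as simple baseline-and-deviation logic. The following is an added illustration, not Vectra’s code or anything from the Ardagh Group; the hostnames, timestamps, flow records and thresholds (three new peers, 100 distinct login targets in five minutes) are constructed assumptions chosen so the example runs offline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, source host, destination host, event kind).
# All hostnames and times are invented for this example.
T0 = datetime(2024, 1, 1, 8, 0, 0)


def flow(seconds, src, dst, kind="flow"):
    return (T0 + timedelta(seconds=seconds), src, dst, kind)


# Baseline window: a finance workstation talks to the same five app servers every
# ten minutes, and a PLC polls its HMI every five minutes.
BASELINE_FLOWS = [flow(m * 60, "fin-ws-01", f"app-{i:02d}")
                  for m in range(0, 60, 10) for i in range(1, 6)]
BASELINE_FLOWS += [flow(m * 60, "plc-07", "hmi-01") for m in range(0, 60, 5)]

# Observed window: the same routine traffic, plus the workstation reaching six
# machines it has never spoken to, and the PLC attempting one login per second
# against 500 different hosts (the "lost its controller" pattern).
OBSERVED_FLOWS = [flow(m * 60, "fin-ws-01", f"app-{i:02d}")
                  for m in range(60, 120, 10) for i in range(1, 6)]
OBSERVED_FLOWS += [flow(70 * 60, "fin-ws-01", f"srv-{i:02d}") for i in range(1, 7)]
OBSERVED_FLOWS += [flow(80 * 60 + i, "plc-07", f"node-{i:03d}", "login")
                   for i in range(500)]


def learn_peer_baseline(flows):
    """Return {host: set of destinations} seen during the baseline window."""
    baseline = defaultdict(set)
    for _, src, dst, _ in flows:
        baseline[src].add(dst)
    return baseline


def new_peer_alerts(baseline, flows, min_new_peers=3):
    """Flag hosts that contact at least min_new_peers destinations absent from
    their baseline. Returns {host: sorted list of new peers}."""
    new_peers = defaultdict(set)
    for _, src, dst, _ in flows:
        if dst not in baseline.get(src, set()):
            new_peers[src].add(dst)
    return {h: sorted(p) for h, p in new_peers.items() if len(p) >= min_new_peers}


def login_fanout_alerts(flows, window=timedelta(minutes=5), threshold=100):
    """Flag a source that attempts logins against >= threshold distinct hosts
    within any sliding window. Returns {host: distinct targets when first hit}."""
    by_src = defaultdict(list)
    for ts, src, dst, kind in flows:
        if kind == "login":
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        counts = Counter()          # distinct targets currently inside the window
        start = 0
        for end, (ts, dst) in enumerate(events):
            counts[dst] += 1
            while ts - events[start][0] > window:   # expire events outside window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                alerts[src] = len(counts)
                break
    return alerts


if __name__ == "__main__":
    baseline = learn_peer_baseline(BASELINE_FLOWS)
    for host, peers in new_peer_alerts(baseline, OBSERVED_FLOWS).items():
        print(f"{host}: {len(peers)} destinations not in baseline, e.g. {peers[:3]}")
    for host, n in login_fanout_alerts(OBSERVED_FLOWS).items():
        print(f"{host}: logins against {n} distinct hosts within 5 minutes")
```

The peer-baseline check is the “this machine talks to these five machines” idea from the quote: routine traffic never appears in the alert, only the departure from it does. The login fan-out check is the SIEM rule Whelan describes; in practice an analyst would tune the thresholds per site and carve out known shop-floor devices so the routine “lost controller” case is triaged once rather than every time.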
Whelan said: “We had been using a different product which had been doing a good job for us for about three years but it hadn’t really been developed. So we went looking in the space of network-based detection, for a product which had to have that level of Machine Learning in it.
“We try to be as innovative as we can so we’re always looking at new products to see what they do differently to what is already on the market.”
After running proofs of concept on two products, the Ardagh Group selected Vectra.
“Their back-end services have been very good and the roll-out has been great. It’s pretty much plug and play so we got it out there pretty quickly,” Whelan said.
“We couldn’t cost justify 120 plants so I think we have it in about 30 locations at this stage all feeding back into the central brain.”
Justifying the business case for the technology to the board
Whelan said: “For us, in a way, it’s easy because the re-routing of a single invoice between us and one of our big customers could be worth millions.
“So we’re saying that we’re putting all these controls in place to make sure that bank account details don’t get changed without proper authorisation and approval.
“And if you’ve got people in finance doing things like that then we really need to manage the risk so that someone doesn’t access that data through a different path and make those changes.
“We’ve analysed what our peers are doing in this space, we analyse what’s trending out there and we’ll say ‘here’s the stats on it, the manufacturing sector is now a target so we have to assume that we are a target’.
“We have evidence to show we have been targeted even if we haven’t been caught. And this spend is a way of identifying if someone has got past stage one.
“You’re basically saying that we can’t just rely on the shell. If someone is determined to get in then they will. But at least now we have a way of detecting it earlier and maybe stopping it before it happens.
“So you’re selling it as a business risk rather than a technical risk – what the technology can bring, what risks it can address and also why we chose the locations we did instead of other locations.
“It was all based on financial risk and where the key transactions take place.
“We have intellectual property to a point but what we do isn’t that unique. Everything we see attack-wise is an attempt to extort money from the business in some way.”
The solution offers a level of visibility that the business would not otherwise be able to envisage.
Whelan said: “It’s a way of ignoring everything normal and saying, ‘that’s strange behaviour’. Probably five or six of the cyberevents we’ve seen already were perfectly harmless but were a very unusual way of things operating.
“It’s a level of visibility and the ability to react. Any organisation has that fear that someone is sitting on the network and taking their time and building up patterns and then will hit, so with that east-west traffic that your firewalls don’t pick up, you suddenly start to detect machines that don’t have a logical reason to connect to each other.
“So it’s having almost a suspicious eye over the traffic rather than the network monitors that are looking at performance issues. This is literally saying ‘that’s strange, you need to look at what’s going on’.”
A vendor’s perspective
Matt Walmsley, EMEA Director at Vectra, said: “We are trying to help our customers with the problem of time and people. It takes too long to find bad actors when they gain a foothold inside an organisation – it can take many months before that surfaces.
“We’ve built a piece of software which is fundamentally architected on Machine Learning technology which, in real time, will identify, score and surface indicators of compromise inside the organisation and give context of evidence.
“That’s a job which, if you had to do it by hand, would be very boring and repetitive and you just couldn’t do it at the scale and speed.”