Security Insight

AhnLab-NAONWORKS Launched ‘CEREBRO-XTD’, with Enhanced OT Environment Visibility and Threat Response

  • Date09-08-2023

AhnLab and NAONWORKS launched ‘CEREBRO-XTD,’ an OT security solution. CEREBRO-XTD is a solution based on the previous OT visibility and threat detection monitoring solution ‘CEREBRO-IDS’ with the addition of various features such as linking with AhnLab security solutions as well as improvements on existing features. Following the launch of CEREBRO-XTD, it is expected that the ‘integrated OT security framework’ built by the two companies will be enhanced significantly.


The following is news on the launch of CEREBRO-XTD and an overview of its major features. 



AhnLab and NAONWORKS, AhnLab's operational technology (OT) security subsidiary, have released CEREBRO-XTD, with upgraded OT environment visibility and threat response capabilities. CEREBRO-XTD is a new improved solution based on ‘CEREBRO-IDS’, an OT visibility and threat monitoring product launched by AhnLab and NAONWORKS last year, with the major features strengthened.

CEREBRO-XTD is differentiated by how it links with AhnLab's OT endpoint security products, providing visibility in endpoint areas as well as malware scanning and remediation. Equipped with the deep packet inspection (DPI) analysis technology for multiple OT protocols, it also has advanced capabilities of identifying abnormal control logic and a variety of facility types. Note: DPI is a technology that allows an in-depth analysis of packets, which are units of data traversing the networks.


NAONWORKS’s CEO June-kyoung Lee said, “Amid the transition to a digital environment, CEREBRO-XTD will play a central role in protecting customers concerned about security incidents like ransomware by providing OT network visibility and threat detection.”


Chang-hee Kim, Director of AhnLab's Product Service Planning Department, noted that “Network distances from ‘attack surfaces’ to endpoints continue to widen even in OT environments and CEREBRO-XTD puts the focus on broadening the visibility of a wide variety of assets and devices within OT, as well as enhancing its analysis and detection capacity”.

User environment-based requirements for OT security fulfilled

Recently, there has been an increase in security threats targeting industrial and social foundation facilities, and the level of harm according from them is also exacerbating. In particular, as the outward-facing contact surfaces of IT and OT are increasing, vulnerable OT systems are becoming targets of various cyber-attacks. To effectively respond to security threats coming into OT networks or propagating between internal systems, a security solution tailored for OT environments and an integrated security system across IT and OT environments is needed.


AhnLab and NAONWORKS built an ‘integrated OT security framework’ that combines security threat detection and response specialties with OT technology, providing comprehensive security including ▲visibility ▲threat detection and ▲response across all levels of the OT network Purdue model. Various solutions of the two companies are provided flexibly according to customer needs and are differentiated in that there is synergy from linking with each other.


Figure 1. AhnLab-NAONWORKS ‘integrated OT security framework’

As the key solution for the ‘integrated OT security framework,’ CEREBRO-XTD provides comprehensive OT network visibility and detects security threats and anomalous behaviors in real-time. Considering the characteristics of OT environments where priority is given to availability, it runs in a ‘passive monitoring’ method which does not affect the operation of facilities, adding to operational stability.


Information on visibility and threat detection is available through an intuitive dashboard, allowing users to check the status in real-time. Also, through custom dashboard settings, information that requires additional revision by administrators can be created into separate dashboard and widget configurations.


Figure 2. CEREBRO-XTD’s dashboard


Regarding the structure, CEREBRO-XTD consists of a central server and sensors for each process. Sensors installed for each process analyze the mirrored traffic and send the detection results to the central server. The central server then analyzes the collected information and provides visibility as well as threat-related information. Also, an ‘all-in-one’ configuration is available depending on the environment, where the sensors and servers are combined.


Figure 3. CEREBRO-XTD configuration

Ordinarily, the ‘sensor/server configuration’ where sensors are configured for each process and are linked to the central server, is used in environments with multiple processes. On the other hand, an ‘all-in-one configuration’ where traffic for multiple processes is integrated into an all-in-one server is suitable for environments with a small number of processes.


Even more powerful features including endpoint security integration and reverse tracking of threats

CEREBRO-IDS provided features such as ▲integrated visibility including the network session status for major IT/OT assets and topology maps ▲detection of various security threats such as malware intrusion, harmful traffic, and vulnerabilities ▲in-depth analysis of OT protocol analysis and machine learning-based anomalous control detection and ▲linking with third-party control platforms.


The newly released CEREBRO-XTD adds to the above features by linking with AhnLab's OT endpoint security solutions. Some of the new features include ▲providing detailed asset information from the network level to the endpoint area in OT environments by linking with AhnLab EPS and ▲remote malware detection by linking with AhnLab Xcanner. The launch of CEREBRO-XTD can be seen as the establishment of a true ‘integrated endpoint-network security.’


Figure 4. CEREBRO-XTD linked with OT endpoint security solutions

By linking with AhnLab EPS, a specialized fixed-function systems security solution, visibility can be extended to OT network-connected endpoints. While most competing solutions provide in-network asset status, CEREBRO-XTD—in conjunction with AhnLab EPS—provides not only network sector data but also detailed information on endpoints such as operating system patch versions present on OT network-connected servers and workstations.


And by linking with AhnLab Xcanner, a fixed-function system-specialized diagnostics and remediation solution, it also allows the expansion of the range of malware inspection. Following an initial malware scan in the network area, malware scans can be run again on suspicious endpoint systems. Moreover, unlike similar solutions that are limited to detection, CEREBRO-XTD can actively respond to threats through remediation after scanning.


There was also the addition of an ‘issue tracking’ feature that provides threat information by reverse-tracking the distribution routes of detected threats. This feature can be used to check previous distribution sites from which attacks stemmed, allowing the identification of attack propagation and movement paths. Through this security personnel can respond to threats systematically by verifying the interconnections between threats, such as threat event distribution routes and the earliest arising assets.


Figure 5. CEREBRO-XTD’s issue tracking feature

Details on CEREBRO-XTD can be viewed on the official NAONWORKS website.

Go to the official NAONWORKS website