With cyberattacks becoming ever-more sophisticated and aggressive, how can Danish utilities company NRGi improve its ability to protect its business systems against hackers and malware?
NRGi worked with IBM Gold Business Partner SecureDevice to deploy a central monitoring system that detects advanced threats automatically—enabling more proactive network security responses.
- Improves NRGi’s ability to detect potential threats to its network
- Alerts the IT team to suspicious activity automatically, enabling rapid action
- Frees staff from repetitive monitoring tasks, giving them more time to investigate issues
Business challenge story
Racing against cybercriminals
It’s every company’s worst nightmare: being hit by a cyberattack that takes out key systems and leaves the organization reeling. Unfortunately for NRGi, this nightmare came true.
Michael Warrer, CIO at NRGi, recalls: “A couple of years ago, we fell victim to a targeted attack from outside and in, which used ransomware to destroy and encrypt a large number of our back-office systems. We were essentially being held hostage; the cybercriminals behind the attack had aimed to extort money in return for returning control of the affected systems.
“The attack took out 180 servers in our data center. Thankfully, we have robust backup, restore and business continuity processes in place, which meant that we were able to rebuild the servers, and get everything back up and running in 60 hours. However, the attack caused a huge amount of disruption and left 1,200 employees unable to log into our business systems during the recovery period.
“The attack was a major wake-up call—not just for us, but for the entire Danish utilities sector. We realized that we needed to be far more proactive in protecting ourselves against cyberattacks in the future.”
Previously, NRGi used several separate tools to monitor its log files, the time-stamped records of network events produced by its applications and systems. Without a centralized view of these events, it was difficult to detect patterns of suspicious activity, so NRGi wanted a unified overview of its network.
Warrer elaborates: “Of course, there’s no way of stopping cybercriminals from attempting to compromise your IT systems. Instead, you have to try and stay one step ahead of them. We knew that if we had the tools in place to alert us to potential threats, we could react faster to help avoid breaches.”
Becoming more proactive
To strengthen its security posture, NRGi teamed up with IBM Gold Business Partner SecureDevice to deploy IBM® QRadar® SIEM—a centralized monitoring system that consolidates and analyzes log events from across the network.
Working closely with SecureDevice, NRGi configured the IBM solution to detect potentially illicit activity on its network. When IBM QRadar SIEM detects a suspicious pattern—such as multiple failed login attempts and firewall denies—the solution alerts NRGi to investigate further.
“When we first deployed the system, we were getting about 10,000 alerts a week—the vast majority of which were false positives,” says Warrer. “The team from SecureDevice spent nine months updating the rules and training the system to recognize the signs of a potential attack, refining the system so it only warned us about serious issues. SecureDevice also incorporated IBM X-Force® Threat Intelligence into the solution, which provides a list of potentially malicious IP addresses so that we know to look out for them. Now that we have cut out most of the false positives, we receive around five alerts a week, and can give them our full attention.”
NRGi uses IBM QRadar SIEM to monitor all web servers in its DMZ (demilitarized zone), as well as all primary servers inside the network perimeter. Log data is sent from across the network, spanning 30 locations across Denmark. Any suspicious activity is flagged immediately as an automated alert on the centralized dashboard, triggering action from the IT team.
Warrer adds: “SecureDevice didn’t just help us refine our rules during the deployment process—they continue to work with us to update them as the threat landscape evolves, which saves us time and effort. Support from SecureDevice has been excellent throughout the project. We were very impressed with their personal and professional approach, and the level of expertise they brought to the table.”
Prepared for anything
With IBM QRadar SIEM, NRGi gains the near-real-time overview of network events it needs to take a more proactive approach to security. Now, the IT team is automatically alerted to significant incidents, giving them an early warning about potential threats.
Warrer comments: “Using IBM QRadar SIEM is like having eyes in the back of your head. Before, we always felt like we were on the back foot when it came to security, but now we’re much more proactive. If someone tries and fails to log on to one of our user accounts from outside our network, we have all the information we need to predict accurately whether they pose a threat to our systems. For example, we can see whether the attempts are from a user’s work laptop or home PC, or from an untrusted device—which might indicate someone is trying to gain unauthorized access.
“These automated alerts tell us right away when something might be wrong. If someone is accessing hundreds of files within a couple of minutes, for instance, it might be the sign of a ransomware attack. Our early warning system gives us time to call the person associated with the user account to confirm if they’re the one accessing the files. If they’re not, we can rapidly shut out the compromised account and investigate what happened in depth.”
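The two detection patterns described above (repeated failed logins combined with firewall denies from one source, and one account touching an unusually large number of files within a couple of minutes) can be expressed as simple correlation rules over a stream of log events. The following is an added example, not NRGi’s configuration and not QRadar’s rule language or event format: it runs two such rules over a constructed, syslog-style sample log. The log layout, the IP addresses, user names, file paths and the thresholds (5 failed logins plus 2 denies in 5 minutes; 100 files in 2 minutes) are all assumptions chosen for illustration. Each rule returns an alert record rather than printing, so the result can be fed to a dashboard or ticketing step.

```python
"""Toy SIEM-style correlation rules (added example, not NRGi's or QRadar's code).

Events are whitespace-separated: <ISO timestamp> <kind> <source IP> <user> <object>.
Fields that do not apply are written as "-". All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one external source failing logins against several
# accounts while also hitting closed ports, one benign user with a single
# typo'd password, and one benign user reading two files 20 minutes apart.
_LITERAL_LOG = """\
2017-03-01T08:00:01 auth_fail 203.0.113.7 j.hansen -
2017-03-01T08:00:04 auth_fail 203.0.113.7 j.hansen -
2017-03-01T08:00:09 fw_deny 203.0.113.7 - tcp/3389
2017-03-01T08:00:11 auth_fail 203.0.113.7 m.nielsen -
2017-03-01T08:00:15 fw_deny 203.0.113.7 - tcp/22
2017-03-01T08:00:20 auth_fail 203.0.113.7 a.jensen -
2017-03-01T08:00:25 auth_fail 203.0.113.7 a.jensen -
2017-03-01T08:30:00 auth_fail 10.1.2.3 k.larsen -
2017-03-01T08:31:00 auth_success 10.1.2.3 k.larsen -
2017-03-01T10:00:00 file_access 10.1.6.2 r.madsen /share/hr/handbook.pdf
2017-03-01T10:20:00 file_access 10.1.6.2 r.madsen /share/hr/policy.pdf
"""

# Constructed burst: one account (p.olsen) opening 150 files one second apart,
# the kind of pattern the text associates with ransomware encrypting a share.
_BURST_START = datetime(2017, 3, 1, 9, 15, 0)
SAMPLE_LOG = _LITERAL_LOG + "".join(
    f"{(_BURST_START + timedelta(seconds=i)).isoformat()} file_access 10.1.5.9 "
    f"p.olsen /share/finance/doc{i:03d}.docx\n"
    for i in range(150)
)


def parse_line(line):
    """Split one log line into a dict with a real datetime for the timestamp."""
    ts, kind, src, user, obj = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "src": src, "user": user, "obj": obj}


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def max_in_window(times, window):
    """Largest number of timestamps falling inside any half-open window (t - window, t]."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] <= t - window:   # drop events that have aged out of the window
            j += 1
        best = max(best, i - j + 1)
    return best


def brute_force_with_probing(events, fails=5, denies=2, window=timedelta(minutes=5)):
    """Alert on a source that both fails logins repeatedly and is denied by the firewall."""
    by_src = defaultdict(lambda: {"auth_fail": [], "fw_deny": []})
    for e in events:
        if e["kind"] in ("auth_fail", "fw_deny"):
            by_src[e["src"]][e["kind"]].append(e["ts"])
    alerts = []
    for src, kinds in by_src.items():
        f = max_in_window(kinds["auth_fail"], window)
        d = max_in_window(kinds["fw_deny"], window)
        if f >= fails and d >= denies:   # both conditions must hold, cutting single-event noise
            alerts.append({"rule": "auth_fail+fw_deny", "src": src,
                           "auth_fails": f, "fw_denies": d})
    return alerts


def mass_file_access(events, threshold=100, window=timedelta(minutes=2)):
    """Alert on an account touching at least `threshold` files within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "file_access":
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        n = max_in_window(times, window)
        if n >= threshold:
            alerts.append({"rule": "mass_file_access", "user": user, "files": n})
    return alerts


def run_rules(log_text):
    """Parse the log once and return the alerts raised by both rules."""
    events = parse_log(log_text)
    return brute_force_with_probing(events) + mass_file_access(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Two points from the text are visible in the result. Requiring two independent signals from the same source (failed logins and firewall denies) is what keeps the single mistyped password from 10.1.2.3 from raising an alert, which is the kind of tuning that took the false-positive count down in the deployment described above. The file-access rule is rate-based rather than path-based, so it fires on the burst from p.olsen but not on the two spread-out reads by r.madsen; in practice an analyst would then confirm with the account owner, as the quote describes, before disabling the account.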
Working in partnership with SecureDevice, NRGi is continuously optimizing the system, refining the rules and alerts to ensure the IT team gets an early warning should cybercriminals strike. The company is also considering the possibility of enhancing its solution with cognitive capabilities.
“We’re very interested in incorporating IBM Watson® for Cyber Security into our solution,” says Michael Warrer. “We see that IBM Watson solutions could provide valuable decision-support capabilities for our analysts—helping them to screen out false positives faster, and spend more time investigating serious potential threats.”
He concludes: “Our IBM QRadar SIEM solution delivered by SecureDevice has significantly enhanced our network monitoring capabilities. The best defenses against cybercrime are vigilance, adaptation and speed—and automated alerts give us the precious time we need to take targeted action to keep systems secure.”
NRGi is Denmark’s fourth-largest electricity supplier, providing energy to more than 220,000 households across the country. The company is committed to being an active part of the national and international transition to a more sustainable energy system, and manages its own portfolio of renewable assets. Headquartered in Aarhus, NRGi employs around 1,200 people.
- QRadar Security Info and Event Management
Take the next step
SecureDevice is a leading IT security services company based in Gentofte, Denmark. An IBM Gold Business Partner, SecureDevice consultants offer deep technical expertise and have helped companies from all across Scandinavia to improve their IT security. To learn more about products and services from SecureDevice, visit: en.securedevice.dk