Belgian-headquartered private rail freight operator, Lineas, wanted to better identify threats and improve its ability to monitor its entire network and analyse attacks. Christophe Rome, Chief Information Security Officer at Lineas, tells us why having a robust cybersecurity culture is important for the company, and how SentinelOne’s solution allows it to future-proof operations.
Lineas is Europe’s largest private rail freight operator. With its innovative logistics solutions, it convinces companies to shift the transport of their goods from road to rail, thereby improving their supply chain and reducing their negative impact on the climate and mobility. Rail services provide a crucial link in the supply chain for all kinds of companies, across all sectors. It is therefore imperative that Lineas is able to ensure the availability of its operations at all times. In order to achieve that goal, it implemented SentinelOne’s endpoint security platform.
Christophe Rome, Chief Information Security Officer at Lineas, said: “We no longer believed in the effectiveness of signature-based antivirus. Attackers are not deterred by traditional antivirus tools. They easily find a way to get around that.”
Now that malicious code is much better hidden and often runs only in memory, threats are increasingly difficult to identify. Newer technologies and methodologies such as behavioural analysis, AI and Machine Learning must fill that gap. In addition, Lineas wanted more options to monitor the entire network, including endpoints, and to analyse attacks.
“We wanted to focus on added-value tasks such as threat hunting, rather than having to check every single alert,” said Rome. “The whole approach had to be arranged in a smarter way.”
Security based on behavioural analysis
Lineas therefore went in search of a security platform that works on the basis of behavioural analysis in order to protect against known and unknown threats. During the proof of concept, SentinelOne stood out, characterised by a high degree of automation for the protection of endpoints thanks to the use of AI and Machine Learning.
“We particularly liked the remote shell capability, which allows us to investigate incidents without granting elevated privileges to the engineer conducting the investigation,” said Rome, commenting on the additional features of the SentinelOne platform. “In addition, the vulnerability management feature was a very big help because it allowed us to take a huge step forward in keeping our endpoints and servers up-to-date without having to purchase additional products.
“The properties of the platform ensure that our qualified people can actually do qualified work. SentinelOne has taken care of the tedious, time-consuming manual work. This makes it a great partner, a partner in crime-fighting.”
Christophe Rome, Chief Information Security Officer at Lineas, tells us how the solution has offered improved visibility to better monitor the entire network, among its other benefits.
Can you give us an overview of the company and why having a robust cybersecurity culture is important?
Our staff, the Freight Force, is about 2,100 people strong. It consists of two large groups. On the one hand, there are the employees working in an office environment. They are used to working with computers on a daily basis. On the other hand, we have a lot of ground personnel and drivers who spend their day outside in the field and only use mobile devices. We see a different level of cybersecurity awareness between and within these groups. Where maturity is lagging, we take action to catch up. The difference in cybersecurity maturity between both groups is a fact. That’s not to say office staff are cybersecurity experts. The train business as a whole is lagging behind from that perspective and a catch-up is certainly necessary. That low cybersecurity maturity of our human capital is indeed dangerous. No security programme can succeed without the support of all staff. Technology alone will not save us. That’s why we are heavily focusing on creating cybersecurity awareness across all levels of the company.
As Europe’s largest private rail freight operator, how vital is it for Lineas to ensure the availability and security of operations at all times?
We often play a crucial role in the supply chain of our customers. If our IT systems stop working, that immediately has a knock-on effect on the ground, impacting our trains and our customers. We simply cannot afford any downtime.
What are some of the common cyberattacks you witness within the transport industry and how do you ensure you can protect against these?
We have not experienced any specific attacks besides the types of attacks we are all suffering from. We did experience a successful attack at the beginning of the year. You may remember the widespread panic around the Citrix Netscaler vulnerabilities around the year end. We had successfully and swiftly patched the vulnerabilities when they had been announced. Or at least we thought. Apparently, we had missed one instance which got compromised. Luckily, this was detected rather quickly, followed by an isolation and eventually removal of the affected host. Further analysis showed no fallout. This again is evidence that technology alone will not save us. A proper compliance check after patching was omitted. The proper process needs to support the technology we are using.
How has the solution offered improved visibility to better monitor the entire network?
SentinelOne sits at the core of our security operations. The agent is running on all endpoints and servers. The visibility we get in relation to malicious activity across the network is invaluable. With new features where hosts without an agent or even IoT are being detected and reported, this takes the visibility aspect to the next level.
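Two of the answers above describe the same class of gap: the compromised appliance was the one instance the patch job never reached, and unmanaged hosts are the ones no agent reports on. The check a practitioner would want after both is a reconciliation of an independently discovered host list against the patch job's report and the agent inventory. The script below is an added example and is not Lineas' or SentinelOne's code; every host name, product name and version number in it is constructed for illustration, and the "minimum fixed version" is an assumed value, not a reference to any real advisory.

```python
"""Post-patch compliance and agent-coverage reconciliation (added example).

Three sources that should agree but, as in the incident described above, do not:
  - DISCOVERED: what a network scan / CMDB actually sees (the ground truth)
  - PATCH_REPORT: hosts the patch job claims to have updated
  - AGENT_HOSTS: hosts on which the endpoint agent is checking in
All data below is constructed for the example; none of it is real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so that comparison is numeric, not lexical
    ('2.10.0' must sort after '2.9.9')."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str, minimum: str) -> bool:
    """True when the observed version is at or above the assumed fixed version."""
    return parse_version(version) >= parse_version(minimum)


def reconcile(discovered, patch_report, agent_hosts, minimum_versions):
    """Return the three findings a post-patch compliance check should produce.

    not_in_patch_job: affected product seen on the network, but the patch job
                      never had the host on its list (the 'missed instance').
    below_minimum:    observed version still below the fixed version, whether or
                      not the patch job claims success (failed or partial patch).
    no_agent:         discovered hosts with no endpoint agent reporting.
    """
    patched_names = set(patch_report)
    affected = [h for h in discovered if h.product in minimum_versions]

    not_in_patch_job = [h.name for h in affected if h.name not in patched_names]
    below_minimum = [
        h.name for h in affected
        if not is_patched(h.version, minimum_versions[h.product])
    ]
    no_agent = sorted({h.name for h in discovered} - set(agent_hosts))

    return {
        "not_in_patch_job": not_in_patch_job,
        "below_minimum": below_minimum,
        "no_agent": no_agent,
    }


# Constructed sample data: hypothetical product and host names, not real ones.
DISCOVERED = [
    Host("gw-01", "gateway-appliance", "2.5.0"),     # patched correctly
    Host("gw-02", "gateway-appliance", "2.4.3"),     # patch job claims it, but patch did not apply
    Host("gw-dr-01", "gateway-appliance", "2.4.3"),  # DR instance the patch job never knew about
    Host("srv-01", "file-server", "1.0"),            # no endpoint agent installed
    Host("ws-17", "workstation", "1.0"),
]
PATCH_REPORT = ["gw-01", "gw-02"]
AGENT_HOSTS = ["gw-01", "gw-02", "gw-dr-01", "ws-17"]
MINIMUM_VERSIONS = {"gateway-appliance": "2.5.0"}  # assumed fixed version for the example


if __name__ == "__main__":
    for finding, hosts in reconcile(DISCOVERED, PATCH_REPORT, AGENT_HOSTS, MINIMUM_VERSIONS).items():
        print(f"{finding}: {hosts}")
```

The important design choice is that the discovery list, not the patch job's own inventory, is the baseline: a patch job cannot report on a host it never knew existed, which is exactly how the one instance described above was missed. Keeping `below_minimum` separate from `not_in_patch_job` also distinguishes a host that was skipped from one where the patch ran but did not take effect, since the two need different follow-up.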
What are some of the overall business benefits you’ve seen since implementation?
In our case, the number one cybersecurity priority is to keep the trains running. The focus is on cyber-resilience. We adopted the ‘assume breach’ mentality a while ago. That doesn’t mean we no longer invest in the protection of our environment, but we rather focus on the detect and respond side of things. Whatever we do, a breach or compromise will happen. We just don’t know when. But we’d rather be prepared by making sure we have the visibility combined with proper detection capabilities so we can contain as fast as we can when it happens.
How does the solution allow you to future-proof your operations, especially as the future is so uncertain?
That’s exactly why we need to focus on being cyber-resilient. We don’t know what the future will bring. What we do know is that with enough resources and time, any kind of attack will succeed. If you are being targeted, you will be compromised. Just make sure you are ready to detect, contain and rebound in the shortest amount of time possible.