GREYCORTEX has released the latest version of its Mendel Network Detection and Response solution. Version 3.7.0 brings important features and improvements. The main features in Mendel 3.7.0 include CISCO ISE user identity integration and response, CISCO Firepower incident response, SNMP appliance monitoring & SNMP trap, or AWS, MS Azure and Google cloud deployability.

ENHANCED INTEGRATION WITH YOUR INFRASTRUCTURE

Better visibility on user identity

For use cases when Mendel has no direct access to AD/LDAP server or with limited permissions then user identity could be provided via integration with CISCO Identity Service Engine (ISE).

Active response to threats

For situations where it is necessary to respond to emerging threats, we will ensure appropriate steps through integration with CISCO network elements. If this is unavoidable, you can block endpoint communication, isolate part of the network, etc.

SNMP Appliance Monitoring

With incorporation of SNMP agent and trap functionality you are able to oversee MENDEL appliances with your current infrastructure monitoring solution.

MORE EFFICIENT OPERATIONS 

New upgrade management to all your appliances

Upgrade the whole Mendel deployment through a single point  = collector’s UI. Choose either “One click” multi upgrade or upgrade each sensor individually. Upgrade is performed by two step method, to keep sensor running for maximum time and shorten the maintenance time.

Mendel installation on common cloud services 

Amazon Web Services, Microsoft Azure and Google Cloud are now supported for deployment of Collector or Central Event Management (CEM).

Utilization of high-speed disks within MultiTier storage and optimized database queries

Use your fast disks not only for the operation of the system itself, but also for a much faster response of the user interface when displaying the „hot“ data and views of them. If your deployment does not have multi-tier storage with fast disks, we still bring you a faster response in the GUI by optimizing the database queries.

False Positives for limited time period

Hide events only for the time that is relevant and related to the maintenance of your infrastructure, tests, etc. Apply false positives with specific time frame and/or recurrence.

Conditional PCAP recording

Data captures can be triggered on-demand or by specified conditions (user-defined & event-based).

OT/ICS/SCADA

Asset discovery 

Ability to discover devices in network using various OT protocols to get asset details such as firmware versions, and many others.

Policy monitoring

We introduce a new script approach in IDS rules which allows you to define custom policy rules to monitor allowed values and perform whitelists/blacklists operations inside OT protocols like IEC104, MMS and many others.

ALL FEATURES – IT

CISCO ISE user identity integration and response
CISCO Firepower incident response
SNMP appliance monitoring & SNMP trap
Upgrade management over appliances
AWS, MS Azure and Google cloud deployability
High-speed disk utilization within multi-tier storage
False positives for limited time period
Trigger based PCAP recording
Processing netflow data with NAT information
Switch flow errors  from flags to real calculation
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector
User Documentation available via GUI
Time validity of false positives
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector 

FEATURES – OT / ICS

Asset Discovery
Parsing MQTT, COAP and Profinet protocols
Detection of LoRaWAN protocol

ENHANCEMENTS

Process VMware ESXi NSX-T IPFIX format
Add support for storing Suricata Variables in DB
Enhance update server update data sources
Semi-automated restoration of SMB backup
IDS signatures using the detected application
Display the logged-in user name on all pages
False positive change Priority field Default text
False positive not applicable into past by default
Import new JA3 hash codes from ja3er.com
Add description field into data exports
Hide user from managerial/security reports and email
Added assignee, reporter and date of last updated to Incident exports (PDF)
Reworked Firewall settings with new location in UI
Better explanation over data transfer between hosts in peers graph
Evaluate and add IPv6 multicast address into monitored subnets
System logs in mshell
CAT tool for ME localization 

OFFICIAL MENDEL PRODUCT SUPPORT

With release of version 3.7.0 full-service support will be provided for the versions 3.7.x and 3.6.x. Limited service support is provided for previous version 3.5.x. Versions 3.4.x and older are no longer supported, end-users with valid support and maintenance or active SW subscription can upgrade to the supported version(s).

What a person encrypts, a person can also decrypt. This was true a couple of years ago. Nowadays, cyber-criminals use advanced technologies and their attacks are much more sophisticated and targeted, and consequences are much worse. “Not only the good guys (i.e. cyber protection companies) but also the bad guys are evolving. Attacks are aimed at weak points and human errors,“ says Petr Chaloupka, CEO of GREYCORTEX, a company that focuses on IT and industrial network security. The story of this company that succeeded among the fastest growing tech companies began long before its foundation. It is a story about passion, vision, skills and a ton of humour. And, in a way, it is connected to the beginning of computerisation in Czechoslovakia.

Maybe you too still have a vivid memory of this history chapter and maybe you remember 8-bit computers – or maybe you don’t. Luckily, there is Petr Chaloupka, the founder and CEO of GREYCORTEX, and his memories of a contest from the ’90s, a text game passed around on cassettes and floppy disks that were created very long ago for 8-bit computers. Cassettes and floppy disks were… well, just google it, kids! “This game was protected by a password that was announced on a certain day in the newspaper, on the radio and on TV to give everyone the same fair start. However, my friend and I didn´t feel like waiting and so, after several hours of reverse engineering, we identified the password and came to the conclusion that what a person encrypts, a person can also decrypt. And that is maybe where my lifelong passion for cybersecurity started and this seemingly innocent story signalled my future professional career“.

A STORY OF A COMPANY STANDING ON THE FRONT LINE IN THE BATTLE AGAINST HACKER ATTACKS

The first chapter of the GREYCORTEX story began around 2005. “I was working on an antivirus for Linux, which was a completely insignificant platform for cybercriminals back then and for which there was no malware. There were only a few lab experiments for proving that there could be one. My colleague Michal Drozd used to hack banking systems using social engineering and customised malware“, reminisces Petr Chaloupka about the beginnings with a smile. The group includes another Petr – Petr Chmelař. “Back then, he was working on machine learning principles that would be capable of finding video signal anomalies. A strong technology for which there may have been another use. What about transferring it from the video world into a computer network“? asks Petr Chaloupka rhetorically with a good portion of irony.

However, you are probably more curious about the ending of the first plotline, about Michal Drozd and his bank story. There was no shocker – Michal Drozd stood on the right side and banks paid him to do what he did. We would say today that he was an ethical hacker. “However, if he had decided to become a cybercriminal, he would be very rich by now,“ adds Petr Chaloupka.

But let’s be more serious now. Fast forward fifteen years later. Petr Chaloupka sums up that Linux is a common and widespread platform, interesting enough for cybercriminals to attack. GREYCORTEX is now a well-established company focusing on the development of security products for network protection, machine learning and AI research, and the second fastest growing tech company in the Rising Stars category of the Deloitte Technology Fast 50 competition.

“Were we visionaries back then? I don’t know. Maybe we were just the three right people at the right place, and if we had never met, nothing would have happened. Literally. But we did meet, a couple of good questions were asked and we started to look for answers together.“

THOROUGH AND COMPLETE SECURITY

The second chapter of the GREYCORTEX story was about visionary questions in the end; for example, how can someone manage to break into a bank or any other company without having to leave their home? And how come they don’t get caught? Then the right answers came and with them the first specific solution.

“Somewhere around 2014, things blended really well and when five more friends and colleagues joined us at the end of 2015, everything was ready to establish a company and start our business. It needs to be said that all founders are still with us in different roles in the company, helping it grow.“

Four years later, the company became five times as big. “Our product ‘Mendel’, which can uncover hidden threats in the network, from unknown devices to advanced attacks, has matured. After overcoming some childhood diseases and puberty, it is becoming a model for others – we helped introduce another branch of cyber security into the world! It used to be called NTA (Network Traffic Analysis) in the past; now it is called NDR (Network Detection and Response),“ says Petr Chaloupka.

Don’t worry if you are getting a little lost in all the information, you have a right to that and you deserve an explanation: NDR combines deep visibility into infrastructure with the capability to detect known and unknown attack and malware types and to react to them in real time. So, it is clearer now, isn’t it? Same as the fact that “the world is changing, technologies are changing and we are changing with them. It is important that we have done our bit and continue to give cybercriminals a hard time and ruin their filthy and immoral business,“ remarks Petr Chaloupka.

What was the worst in the beginning? “Even in our case, it holds true that all theory is grey, but the golden tree of life springs ever green, so we do everything in a completely different manner than we used to. However, the most important thing is that we learned to understand what it means not only to have a good product but also to sell it and persuade clients that they need it. You could say that we are selling insurance or that we are like Eastern medicine – we ensure that the client does not become infected and he pays us for not getting ill.“

To sum it up, Petr Chaloupka views success and failure as communicating vessels. “A functioning and growing company is a success, even though it arose from humble financial background and was basically only a dream of a few founders some 6 years ago. From the beginning, we had a vision of building a global company and so our plans now are clear – to strengthen our position in the territories in which we already operate and gradually add other locations to reach our goal. It is definitely important to find balance between this dream goal and the need to have both feet on the ground (or at least one foot).“

This article was originally published here. 

Brno, November 19, 2020

GREYCORTEX has won second place in the Rising Stars category in the prestigious ratings organized by Deloitte, where many Czech tech companies strove to be nominated as the fastest-growing tech company in the Deloitte Technology Fast 50 CE. The Tech Stars, Rising Stars, and Impact Stars categories present both the maturest and newest fast-growing companies in the Central European region as well as those companies that have had a revolutionary social or environmental impact on the market.

Petr Chaloupka, CEO at GREYCORTEX, said: “I am very pleased to have achieved international success in the 21st year of the Deloitte Technology Fast 50 CE competition and to have won second place in the Rising Stars category. In this category, seven out of 10 places were occupied by Czech companies, showing that the Czech Republic is still a cradle of technological innovation and that we have a good standing in this international competition. I wish to congratulate all the other companies and wish them success in further building their internationally competitive status”.

In the header of your blog there’s written “In the head of a Network Administrator: Thoughts, ideas, insights” – that brings up a question: what have you been dealing with in terms of security at your clients in the past few months?

That’s a pretty good question. I’ve been thinking about changing the header recently into something in the sense of “IT security lies in thorough and honest work”, which corresponds the most with what we come across during audits in companies.
IT departments often try to do “rocket science”. They consider advanced and expensive technologies, such as sandboxing and SIEM, skipping basic and simple concepts. For instance, they update servers twice a year, they use just a few passwords (as they haven’t adopted a password manager), they administer everything under the domain admin account and they haven’t performed a test disaster recovery from backup yet.
Don’t get me wrong. Sandboxing and SIEM are really useful technologies. It’s just that they belong to “add-on” technologies, and it’s necessary to get the network tidy first – get to know it inside out, be aware of all devices, setup the firewall and antivirus correctly. Basically, it’s important to focus first on activities that will contribute to security the most with the least effort.

You mention sophisticated attacks and chaotic arrangement of the infrastructure – what kind of impact might they have on organizations and companies? And what risks do you as an expert link with them?

When investigating attacks, I’m often taken aback by how fast the attackers manage to perform a “lateral movement”. It’s the stage of attacks in which attackers have a device under control, and they attempt to extend it to as much of the network as possible. In many cases they manage within a few hours. For example, in one case they managed to get a backdoor to a Director’s PA’s computer using spear-phishing. On Friday night they connected to it and within three hours they took over the domain administrator account and took control of the whole network. That’s a very short time and it’s really difficult for a company without 24/7 network security monitoring to react in time.
It’s critical to invest more time in securing the internal network to make “lateral movement” harder for the attackers and get time to detect and stop them.
Most administrators I meet put all their effort into protecting the “perimeter”. They see the security black and white – the Internet’s full of the bad, while the internal network seems safe to them. That’s a pity as the perimeter’s usually very well secured and the extra time invested has little effect. On the other hand, the internal network tends to be neglected security-wise, so every single day spent securing it is noticeable.

I understand there’s not a single correct approach that would protect all users. In your opinion, though, is there a “must” for the companies to protect their data nowadays? Something that’s changed in this respect in the past 10 years, e.g. new technologies or tools?

The thing is that security will probably never be 100 %. There will always be some zero-day vulnerabilities, human errors, and it won’t be possible to apply all security technologies (e.g. they won’t be compatible with business requirements). That’s why every company should have an efficient back-up system, resistant to hacker attacks. Thanks to that they’ll be able to get their data back without having to pay a ransom.
The development of the cloud and fast Internet has helped a lot in this area. It’s possible to make off-site backups in the cloud for a reasonable price, where the backups are protected against deleting (thanks to snapshotting, i.e. preserving a state of the storage where backups are located to a particular point in time) and natural disasters.
That doesn’t mean, though, that it isn’t necessary to deal with security anymore. A successful attack still means a downtime for days or weeks for companies as well as the risk of making their private data public.

So, it’s not just about eliminating the causes, but prevention – it’s clear that as an expert on IT security you often face misunderstanding from budget holders. What arguments or real-life cases do you use at such moments?

Exactly, the prevention is paramount. It’s cheaper to prevent problems than to deal with their consequences. Thanks to the media attention paid to the recent cyber attacks (on hospitals) the budget holders now realize the need to deal with security. The money is there. The issue is its effective allocation. Almost every IT company now “does” security. There’re also a lot of vendors of security SW / HW solutions. Security’s not a commodity, though, and the quality of individual solutions differs diametrically. The price isn’t a reliable indicator, either. Our strategy is to educate the public in the area of security. And we want Czech companies and institutions to have good security.

So far, the year 2020 seems to be a year full of changes and the need to be prepared even for the most unbelievable moments, which applies to cyberattacks, too. After all, some may be considered more likely a target than others. For example, in the USA there’ll be the presidential election, the Olympics in Tokyo (postponed to 2021), the world economics has shaken due to the coronavirus, and a lot of companies “go online”, which poses enormous risk in itself. Are there any other events or circumstances this year that, in your opinion, may carry a higher risk of attack?

Talking about the Olympics, I’ve read an article about a cyberattack on the 2018 Winter Olympics in PyeongChang, South Korea. It was a very interesting and sophisticated attack which didn’t turn into a fiasco only thanks to a coincidence and a bit of luck. I definitely recommend reading “The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History”.
It’s hard to say whether companies “going online” will have any influence on cybercrime. Most companies were already ready for home office and remote work. On the other hand, there are still a lot of companies on the market that are only about to modernize and digitize their processes. Due to the lack of IT people on the market, it’s possible that some implementations of changes won’t be done very thoroughly.

Given the direction hacker attacks have taken recently – where do you see the future of security tools?

Good question. Apart from imposing restrictions, it’s also crucial to have an overview of your network. That’s the only way how to recognize that the “restrictions” have been overcome and there’s an intruder in the network. Systems such as IDS / IPS will help you with that, as well as honeypots, network traffic analyzers, or SIEM systems. The choice of the system depends on the needs and possibilities of each company, though.


Apart from an early warning about a network issue, the systems are also necessary for backward incident investigation. With their help, it’s possible to find out how far the attackers got, which accounts and devices were compromised, which techniques and programs they used during the attack, which data they took out, how long the network was compromised, or the intrusion vector (the route of the attack). Without such systems the investigation of attacks is strenuous and inaccurate. Especially nowadays, when ransomware groups not only encrypt the data, but also steal parts of it and subsequently publish it (unless paid), such systems are needed more than ever before. Without them it’s almost impossible to find out whether any of your data got stolen during the attack, or not. 


Due to the decreasing price of network analyzers, their constant debugging, and the increasing importance of IT, I expect their adoption to grow. These technologies have a very good price / performance ratio. 

Martin Haller is a co-owner of PATRON-IT and a technician with all his heart. He specializes in cyber security and has experience as an ethical hacker. He believes it’s necessary to be able to break the network first in order to secure it well. On his blog martinhaller.cz he shares updates from the field of IT security as well as his own real-life insights. He also runs his own YouTube channel – you’ll find there e.g. what a webcam attack looks like.