Detect, SHARE, Protect

Similar documents
Cyber Security in Europe

Supporting CSIRTs in the EU Marco Thorbruegge Head of Unit Operational Security European Union Agency for Network and Information Security

Achieving Global Cyber Security Through Collaboration

How To Write An Article On The European Cyberspace Policy And Security Strategy

EU Priorities in Cybersecurity. Steve Purser Head of Core Operations Department June 2013

Virtual Appliance Instructions for ENISA CERT Training TLP WHITE APRIL European Union Agency For Network And Information Security

Security and privacy standardization for the SME community

Actionable information for security incident response

Information Sharing Use Cases

Knowledge based energy management for public buildings through holistic information modeling and 3D visualization. Ing. Antonio Sacchetti TERA SRL

Prof. Udo Helmbrecht

Coordinating Attack Response at Internet Scale (CARIS)

Cooperation in Securing National Critical Infrastructure

ENISA and Cloud Security

The demand of Cloud Computing in Europe: drivers, barriers, market estimates

Cyber Europe Key Findings and Recommendations

The New ROI: Results Oriented Intel. David Amsler, Founder

NIS Direktive und Europäische sicherheitsrelevante Projekte Udo Helmbrecht Executive Director, ENISA

Boosting Productivity and Innovation Through. Public Sector Compliant Cloud Services

Memory Forensics & Security Analytics: Detecting Unknown Malware

ICS-SCADA testing and patching: Recommendations for Europe

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

How To Understand And Understand The European Priorities In Information Security

Cloud and Critical Information Infrastructures

ENISA and Cloud Security

The MANTIS Framework Cyber-Threat Intelligence Mgmt. for CERTs Siemens AG All rights reserved

EU Threat Landscape Threat Analysis in Research ENISA Workshop Brussels 24th February 2015

FAQ to ENISA s report on technologies to improve the resilience of communication networks

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

Cloud Computing - Cyber Security Challenges for the Finance Sector

Attachment 16.1 SA Power Networks: Customer Data Quality Plan September 2014

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

WHITE PAPER: THREAT INTELLIGENCE RANKING

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

Threat Intelligence Buyer s Guide

ITIL: Service Operation

Detecting Unknown Malware: Security Analytics & Memory Forensics. Fahad Ehsan. Cyber Security #RSAC

Cyber Security Incident Management

National-level Risk Assessments

Cloud for Europe lessons learned

Cloud Computing. by Civic Consulting (research conducted October 2011 January 2012)

Intelligence Driven Security

Good practice guide for CERTs in the area of Industrial Control Systems

ENISA TRAINING. Tentative agenda for workshop. Supported and co- organised by: TLP WHITE JANUARY 2016

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

Summary Report Report # 1. Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions

Financial Services Core Competences

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Third EU Health Programme

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012

Performing Advanced Incident Response Interactive Exercise

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Into the cybersecurity breach

Service Road Map for ANDS Core Infrastructure and Applications Programs

The MANTIS Framework Cyber-Threat Intelligence Mgmt. for CERTs Siemens AG All rights reserved

CYSPA - EC projects supporting NIS

Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers

Achieving Global Cyber Security Through Collaboration

Towards Threat Wisdom

Evolving e-government benchmarking to better cover citizen participation and recent technology developments

Analysis of Network Beaconing Activity for Incident Response

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Project acronym: Open Source software usage by European Public Administrations

Cyber Security for Railway Signalling

OUTCOME OF PROCEEDINGS

Analyzing Targeted Attacks through Hiryu An IOC Management and Visualization Tool. Hiroshi Soeda Incident Response Group, JPCERT/Coordination Center

Who s Using Cyberthreat Intelligence and How?

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

high level event 2015 Cyber 7 Seven messages to the Edge of Cyber-Space

Cloud for Europe trusted Cloud Services for the European market for public administrations

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

The European Commission's European Innovation Partnership "Smart Cities & Communities" Member State Information meeting, Brussels 27 September 2013

Information on the move

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

EFFECTS+ Clustering of Trust and Security Research Projects, Identifying Results, Impact and Future Research Roadmap Topics

Connected Cities Research Program

Job Description. No of Direct Reports : 0. Titles of Direct Reports: 0. Size of Department: 5. Budget Responsibility (direct) :

IBM QRadar Security Intelligence April 2013

Roadmap for Implementation of the Next Generation Energy Information Management Solution

National Cyber Security Policy -2013

IDG Connect DDoS Survey

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Long-term preservation in Europe. The strategy of the Alliance for Permanent Access

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ProSUM Prospecting Secondary raw materials in the Urban mine and Mining wastes

Government Communication Professional Competency Framework

Massachusetts MA 201 CMR Best Practice Guidance on How to Comply

EU-WISE: Enhancing self-care support for people with long term conditions across Europe

ISA Work Programme SECTION I

All about Threat Central

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Medicines and Healthcare products Regulatory Agency

A Primer on Cyber Threat Intelligence

Master Move in Mastering the Online Multi-Channel. Mark Craig Business Development Manager

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

INTRUSION PREVENTION AND EXPERT SYSTEMS

ENISA s contribution to the development of Network and Information Security within the Community

Cyber Threat Intelligence: Has to Be a Better Way

Transcription:

Detect, SHARE, Protect Solutions for Improving Threat Data Exchange among CERTs European Union Agency for Network and Information Security www.enisa.europa.eu

Agenda Objectives Methodology Overview of Communication Practices Barriers to Information Sharing Requirements for a Common Platform Overview of Existing Solutions Recommendations European Union Agency for Network and Information Security www.enisa.europa.eu 2

Objectives: What we wanted Take stock of existing communication solutions and practices among European CERTs Promote best practices for threat intelligence exchange Identify the functional and technical gaps to threat intelligence exchange between CERTs in Europe Outline recommendations for improved communications interoperable with existing solutions European Union Agency for Network and Information Security www.enisa.europa.eu 3

Objectives: What we didn t want We do not want yet another report on secure communication (a-z). We don t want to come up with new, revolutionary and unrealistic solutions. We don t want to get stuck in unsolvable issues (legal, data protection, trust ) European Union Agency for Network and Information Security www.enisa.europa.eu 4

Previous ENISA Work on Data Sharing 2010 Proactive detection of network security incidents, report http://www.enisa.europa.eu/activities/cert/support/proactivedetection/proactive-detection-report 2011 A flair for sharing - encouraging information exchange between CERTs http://www.enisa.europa.eu/activities/cert/support/fightagainst-cybercrime/legal-information-sharing 2011 Secure Communication with the CERTs & Other Stakeholders http://www.enisa.europa.eu/activities/cert/otherwork/files/secure-communication 2012 Proactive detection of security incidents II Honeypots http://www.enisa.europa.eu/activities/cert/support/proactivedetection/proactive-detection-of-security-incidents-ii-honeypots European Union Agency for Network and Information Security www.enisa.europa.eu 5

Methodology Survey (27 Teams) Interviews (12 Stakeholders) Face-to-face Workshop (14 Participants) European Union Agency for Network and Information Security www.enisa.europa.eu 6

Overview of Communication Practices European Union Agency for Network and Information Security www.enisa.europa.eu 7

Barriers to Information Sharing European Union Agency for Network and Information Security www.enisa.europa.eu 8

Focus: The Many Technical Issues Format changes without prior notice when dealing with automatic reporting Too many formats/format standards Mapping of IP addresses to ASN or country (and history of changes!) Find contact information for IP addresses European Union Agency for Network and Information Security www.enisa.europa.eu 9

Requirements for a Communication Platform If there is a need European Union Agency for Network and Information Security www.enisa.europa.eu 10

How to overcome barriers: Mapping of standardisation and solutions for response, incident and IoC information sharing European Union Agency for Network and Information Security www.enisa.europa.eu 11

We recommend 1 ENISA should facilitate the adoption of essential tools for the CERT community. CERTs interested in working together on RT/RTIR/AH upgrades and improvements should synchronise their efforts. CERTs can seek funding from the EU s research and technology programs for updates and upgrades. ENISA can provide training sessions at ENISA CERT workshops or via other arrangements. European Union Agency for Network and Information Security www.enisa.europa.eu 12

We recommend 2 Security feeds providers should improve the stability of existing incident information feeds, while now the feed formats are often changed by their publishers without prior notice. Wider adoption of some of the best standards of data format for the automated sharing of indicators of compromise (IODEF, STIX, OpenIOC, etc.) Wider adoption of 'good community citizen' behaviour, like establishing a minimal notification period for sharing feed format updates ENISA will further investigate these areas and provide adequate and appropriate support for CERTs and their projects. European Union Agency for Network and Information Security www.enisa.europa.eu 13

We recommend 3 CERTs should enhance functionalities of existing tools for more effective data sharing within their community. First and foremost, interoperability for cross-hub and crossplatform sharing Correlation engines for incident analysis Advanced analytics and visualisation for massive numbers of incidents Automatic prioritisation features This is the subject of an ENISA project this year European Union Agency for Network and Information Security www.enisa.europa.eu 14

We recommend 4 A central body at the cross-border level (enjoying trust in the CERT community) should develop a common incident information repository with the integration of current data exchange efforts. Such a repository would include CERTs' contact information to facilitate incident detection and information correlation (DNS, ASN, and IP ranking) It would also include a repository for past incident information, with options for sorting and filtering the database of archived information. Role for TI? In 2014, ENISA will carry out a project aiming at providing better support to CERTs in the area of exchanging and processing of actionable information. European Union Agency for Network and Information Security www.enisa.europa.eu 15

We recommend 5 Bridge Sharing CERT Communities in Europe The 'perfect' scenario for enhancing sharing practices in the CERTs community would include building a bridging platform that would extend existing communities. Such a cross-hub exchange would require: Local adoption of interoperable standards of data formats (e.g. IODEF, STIX, etc.) The definition of diffusion policy standards (e.g., CDXI Information diffusion policy), thus enabling more complex schemes than Traffic Light Protocol (TLP) Coordination at international level At the EU level, this inter-exchange effort could be entrusted to the CERT community and supported by ENISA. European Union Agency for Network and Information Security www.enisa.europa.eu 16

Thank you for your support to this report! In case of additional comments or suggestions relating to information sharing among CERTs, do not hesitate to contact us! cert-relations@enisa.europa.eu Follow ENISA: European Union Agency for Network and Information Security www.enisa.europa.eu

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information