Cyber intelligence exchange in business environment : a battle for trust and data

Similar documents
Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Security Evolved

1. Understanding Big Data

Addressing Cyber Risk Building robust cyber governance

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Threat Intelligence & Analytics Cyber Threat Intelligence and how to best understand the adversary s operations

Global Tax and Legal September OECD s BEPS initiative a global survey Multinational survey results

ISO27032 Guidelines for Cyber Security

Into the cybersecurity breach

HR Business Partnering A Custom Approach

The enemies ashore Vulnerabilities & hackers: A relationship that works

Risk Considerations for Internal Audit

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

EMEA TMC client conference Using global tax management systems to improve visibility and enhance control. The Crystal, London 9-10 June 2015

Deloitte Risk Services B.V. Cyber & Privacy Advisory. Deloitte Cyber & Privacy Risk Services Data Breach Management

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September Co-Chair s Summary Report

Brand Ambassadors From pre-foundation to advanced recruitment process through Social Media

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015

The Future of the Advanced SOC

Seamus Reilly Director EY Information Security Cyber Security

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Protecting against cyber threats and security breaches

CSM-ACE 2014 Cyber Threat Intelligence Driven Environments

How To Create An Insight Analysis For Cyber Security

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

2011 Forrester Research, Inc. Reproduction Prohibited

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Gaining the upper hand in today s cyber security battle

Simplification of work: Knowledge management as a solution

Securing tomorrow today Achieving enterprise technology and 'big data' solutions that support the tax lifecycle

Cyber security Building confidence in your digital future

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Internet Reputation Management Guide. Building a Roadmap for Continued Success

Analyzing HTTP/HTTPS Traffic Logs

FIVE PRACTICAL STEPS

Intellectual Property Management Why Luxembourg is a good idea

R&D and Government Incentives Tax & Legal. Financial affairs R&D tax relief opportunities for financial services companies

Zak Khan Director, Advanced Cyber Defence

Cybersecurity The role of Internal Audit

Website Security: It s Not all About the Hacker Anymore

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Credit management services Because a sale is a gift until it is paid

Internet Safety and Security: Strategies for Building an Internet Safety Wall

REPORT. Next steps in cyber security

Unique combination of Business, Academia & Technology

Security and Privacy

Symantec Cyber Security Services: DeepSight Intelligence

Public Private Partnerships and National Input to International Cyber Security

Italy. EY s Global Information Security Survey 2013

THE WORLD IS MOVING FAST, SECURITY FASTER.

Microsoft s cybersecurity commitment

CGI Cyber Risk Advisory and Management Services for Insurers

A NEW APPROACH TO CYBER SECURITY

Deloitte Discovery Caribbean & Bermuda Territory Guide

Internal Audit Landscape 2014

Central Asian Information Security Survey Results (2014) Insight into the information security maturity of organisations, with a

April 10, Ms. Melissa Hathaway Acting Senior Director for Cyberspace National Security and Homeland Security Councils. Dear Ms.

A Funny Thing Happened On The Way To OASIS: From Specifications to Standards

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

Business Breakfast. Information on assets hide impossible to declare. Private client services

Cyber Security Trends Market trends from leading security analysts and consultants at TÜV Rheinland, OpenSky, and OpenSky UK

We believe successful global organisations can confront fraud, corruption and abuse PwC Finland Forensic Services

Solving data residency and privacy compliance challenges Delivering business agility, regulatory compliance and risk reduction

Cyber Security The perspective of information sharing

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Web Protection for Your Business, Customers and Data

Efficiently balance workload variability in your warehouse with Labour Management in SAP EWM.

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

Department of Homeland Security

Under control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint

Integrating MSS, SEP and NGFW to catch targeted APTs

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Cloud Computing. Making legal aspects less cloudy. Erik Luysterborg Partner Cyber Security & Privacy Belgium EMEA Data Protection & Privacy Leader

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

Better Operational Agility. For more flexible, resilient and secure communications. Vodafone Power to you

Hands on, field experiences with BYOD. BYOD Seminar

Insurance captive companies in Malta Making the complex simple

National Cyber Crime Unit

NamCode. The Corporate Governance Code for Namibia

2 Gabi Siboni, 1 Senior Research Fellow and Director,

Five (5) steps to achieve a Successful Software Audit.

The Next Generation Security Operations Center

Bridging the data gap in the insurance industry. Cyber crisis management: Readiness, response, and recovery

FSB: Reinsurance Regulatory Review Summary of Discussion Paper

Overcoming Five Critical Cybersecurity Gaps

Stakeholder Engagement

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Internet Reputation Management Guidelines Building a Roadmap for Continued Success

Australia Tax Alert. Investment manager regime bill introduced into parliament. Overview of proposed requirements for IMR exemption.

CBEST/STAR Threat Intelligence

CYBER SECURITY, A GROWING CIO PRIORITY

Rosemary M. Amato, CISA Deloitte Accountants B.V.

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

Transcription:

Cyber intelligence exchange in business environment : a battle for trust and data Experiences of a cyber threat information exchange research project and the need for public private collaboration Building Belgium s Cyber intelligence knowledge capabilities Brussels, December 2 nd 2014 2014 Deloitte Belgium 1

Luc Beirens in a nutshell Joined Deloitte June 1st 2014 Director cyber security services 32 years in law enforcement 27 years in ICT 23 years in computer forensics and cybercrime combating Former head of Belgian Federal Computer Crime Unit (2001-2014) Former chair of EU Cybercrime task force (2010-2013) 2014 Deloitte Belgium 2

Contents Introduction Problem statement Objective and benefits of the Research Project Project approach Research results Evolution of the Research Project Key lessons learned Conclusions Moving forward Need for more public private cooperation 2014 Deloitte Belgium 3

CTIS Initiative Problem Statement - The Challenge The digital revolution is driving innovation and growth, yet also exposing us to new and emerging threats. New organisational goals and new ways of working are driving innovation and growth, but these expose us to new and emerging threats. 2014 Deloitte Belgium Prevention and detection must be optimized by exchange of information on cyber attacks. This is effective since actors will re-use their criminal infrastructure and mode of operation. 4

Introduction Problem statement Cyber Threat Information is critical to proactively deal with targeted attacks Need for understanding intent, tactics, and the campaigns of threat actors. However 1 2 3 4 5 6 Lack of efficient tools / channels to share this knowledge Commercial vendors not always consider sharing such information as it is not in their business interest Impacted organisations are reluctant to share information on their Indicators of Compromise Information sharing takes place in unstructured format (text) and with incomplete content which doesn't allow for automated response Cyber Threat Information is only valid if used within a very specific time frame Handling and escalation of information on a case-by-case (incident) basis is very time and resources consuming 2014 Deloitte Belgium 5

Stocktaking : what existed? On national level (with international extensions) BELNIS => government only B-Ccentre => no operational exchange CERT community (EU level & world wide) Law enforcement (Europol, Interpol, ) FS ISAC (Information Sharing & Analysis Community) No Cyber coalition (at that moment 2013) Except for financial sector : No real exchange platform for firms No public private exchange platform No intersector exchange platform 2014 Deloitte Belgium 6

Cyber threat intelligence sharing research project CTISRP Started Sept 2013 13 Members from different sectors Limited number of willing organizations One year project : checking feasibility Continues only if members agree Deloitte as facilitator 2014 Deloitte Belgium 7

Participating sectors International public organization CERT organizations Energy Banking Deloitte Insurance Military Retail Manufacturing 2014 Deloitte Belgium 8

Introduction Objective and benefits of the Research Project Objective Increase the level of protection against targeted attacks across public sector and private industry Benefits Better protection against targeted cyber attacks Creation of a trusted Community Exchange of information through a Proof of Concept platform A vision towards operational Cyber Threat Information 2014 Deloitte Belgium 9

Introduction Project streams Infrastructure & Security Establish and maintain a proper sharing infrastructure Ensure that the platform and its data are secure. Define & standardise the platform s operational processes Ensure that most value is extracted in an easily repeatable manner Operational Processes Community & Governance Establish governance structures to ensure trust and participation within the Community Coordinate streams, activities Guarantee delivery of expected outcomes Project Management 2014 Deloitte Belgium 10

Role of Deloitte Facilitator Not cyber threat intelligence provider in this project Participating member of the project Facilitating role most important Scout and motivate willing organizations Facilitate meetings Provide project management & administrative support Run platform for information exchange 2014 Deloitte Belgium 11

Activities Research Results Evolution of the CTI Research Project Ramp up Increased use of the platform Members to organise themselves internally to leverage the platform Understand MISP Technology Trust Get to know each other Time 2014 Deloitte Belgium 12

Research results TRUST is key success factor Reliance on Face to face interaction Experience Sharing Confidentiality Integrity Know who you deal with Know what they stand for Listen & (re)act Share own sensitive info 2014 Deloitte Belgium 13

Research Results - Key lessons learned Trust Physical meetings : key for trust TRUST BUILDING 14 Not NDA but sharing guidelines Regular calls : key for project 2014 Deloitte Belgium 14

Research Results - Key lessons learned Trust : attitude towards others / project No participant in the Project should claim ownership of any of the data, except for the data that have been provided by its own organization. OWNERSHIP USE OF INFO The information is only for your individual use and should under no circumstances be shared with any other party than the Community Members. TRADEMARKS Neither Community Member should use the other Community Members trademarks, service marks, logos, and/or branding in external publicity material. TERMINATION In case the Project will be discontinued or in case the Project will end and it is decided that it will not be incorporated in a permanent structure for certain reasons, participants should agree to destroy all data received. 2014 Deloitte Belgium 15

Research Results - Key lessons learned Understand, use and install MISP Project MISP instance Deloitte hosted an instance to facilitate the secure exchange of CTI within the community Documentation was provided on how to use MISP, leverage data and upload data Quick start guide Operational guidelines Admin guide MISP export/sync guide MISP private instance setup guide Use case template The ability to synchronise the centralized MISP instance to a private instance A tested and packaged image of the platform for internal use by community members, allowing members to enter information in the private node and synchronize with the central MISP node 2014 Deloitte Belgium 16

Research Results - Key lessons learned How to organise internally Raising CTI Maturity levels 4 1 2 3 MANAGED DEFINED OPTIMIZING Ability to verify IOC s on a broader set of systems Development of infrastructure and tools to automate tooling Evolving set of IOC sources & use cases Ability to create and share IOC s Initial set of specific IOC sources & use cases Upload and download of IOC s in an automated fashion Broad coverage that are monitored using IOC s Creating and sharing IOC s is an integral part of the incident response playbook Automation is key INITIAL Manually extracting IOC s from MISP and importing these into internally available tooling Ability to verify IOC s on a limited number of systems Everything happens manually. 2014 Deloitte Belgium 17

Research Results - Key lessons learned How to organise internally 2014 Deloitte Belgium 18

Research Results - Key lessons learned How to organise internally Malware analysts Incident Handling Officers Security monitoring team Network security team 2014 Deloitte Belgium 19

Research Results - Key lessons learned Ramp-up # Events shared onto the MISP platform 600 500 426 470 506 528 400 341 380 300 200 100 20 23 26 39 49 56 0 October November December January February March April May June July August September 2014 Deloitte Belgium 20

Important for success NOT VOLUME OF DATA but QUALITY OF INFORMATION Don t expect high data volume start small 2014 Deloitte Belgium 21

Research Results Conclusions At the end of the first year of CTIRP, the key achievements of the Community are: Central and secure ability to share information Established trust in a unique blend of public and private, cross-sector Community members. Sharing of best practices, concerns, discussion items by members themselves Documented outcomes usable for internal awareness on CTI We are committed to continuing this research project to further grow the community CTI capabilities and further capitalize on the trust built within this Community. 2014 Deloitte Belgium 22

Moving into the second year of the project Extensions on the objectives 2014 Deloitte Belgium 23

Moving Forward: Research project extension Enlarge community and optimize communications 1 2 3 PHYSICAL MEETINGS Bi-monthly physical meeting Bi-monthly physical technical meeting Selected members bring a technical presentation GROUP CALLS Monthly status update call Monthly technical call 1-ON-1 CALLS Continue having 1-to-1 calls throughout the year 2014 Deloitte Belgium 24

Moving Forward: Research project extension Analyse legal aspects 01 01 LEGAL CLARIFICATION 02 SENSITIVE DATA 03 INTELLECTUAL PROPERTY 04 APPLICABLE LAW Ensure the community is not accused of becoming a cartel. Enforce policy of not discussing commercial Investigate the aspects impact of of products EU and/or or services. national law does clarifying what information, in what contexts and under what conditions, can be legally processed and exchanged by actors. Investigate the risks processing CTI Indicators such as IPs, URLs and timestamps could be considered as PII in some jurisdictions contexts. Determine from which IP rights like copyrights, trademarks, patents and database rights the community could be exempt as certain information (log files) may be a breach. Determine an approach to identify applicable law (private international law) and competent law enforcement bodies/courts for cross-border incidents. 05 EU DATA PROTECTION In case full spectrum CTI shall be implemented, determine all legal interpretations of how PII is defined and which types of personal data should receive the highest level of protection. 06 LEGAL UNCERTAINTY 07 CRIMINAL PROCEDURE Implement decision process to determine whether a particular set of information can be shared at all, with whom, on what conditions and after what treatment. Determine which activities to obtain or exchange information may qualify as illegal because of tainting information for further use by investigative bodies, and opening them up to legal liabilities. 2014 Deloitte Belgium 25

Moving Forward: Research project extension CTI scope extension 2014 Deloitte Belgium 26

Moving Forward: Research project extension MISP Integration of MISP in project members infrastructure Improve automated exchange Improve operational use Integrate with other security devices Improve detection 2014 Deloitte Belgium 27

Critical success factors for this project Basis for continuation Management commitment of participating organizations Member s engagement Technical platform to support exchange Project management & support 2014 Deloitte Belgium 28

Leveraging Belgium s cyber intelligence capabilities Need for more information exchange with and within public sector 2014 Deloitte Belgium 29

Need for more public private interaction Broader public and other organizations also need protection Long standing intelligence handling experience of public sector lacks link to private sector Government s responsibility to proactively create circumstances for secure critical infrastructures Serious cyber incident crisis management Role government role of private companies 2014 Deloitte Belgium 30

BE National Cyber security strategy Domains for action Centralized and integrated cyber security approach Creation of necessary legal framework Permanent follow up of cyber threats Improve protection of ICT systems against disruption and abuse Enforce capability to react on cyber incidents Tackle cybercrime effectively Contribute to expertise and knowledge 2014 Deloitte Belgium 31

Cyber security center Belgium sector ISAC Cross sector sector ISAC sector ISAC sector ISAC sector ISAC sector ISAC 2014 Deloitte Belgium 32

How can this project experience help others? Experience building trusted community Community management Technical guidelines for MISP implementation 2014 Deloitte Belgium 33

Contact details Luc Beirens Director lbeirens@deloitte.com Deloitte Enterprise Risk Services Direct: + 32 2 800 22 24 Mobile: + 32 475 36 48 73 2014 Deloitte Belgium 34

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 200,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. 2014. For information, contact Deloitte Belgium 35

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information