© Cloud Security Alliance, 2015 Cloud Cyber Incident Sharing Center (CISC) Jim Reavis CEO, Cloud Security Alliance


Cloud Cyber Incident Sharing Center (CISC)

Jim Reavis

CEO, Cloud Security Alliance

Agenda

• CSA History – CloudCERT

• White House Legislative Announcements

• How is CSA addressing the issue of information sharing?

• Cloud CISC Pilot Demo

• Next Steps

• Questions?

CSA History - CloudCERT

• CloudCERT was conceived of at the same time as the Cloud Security Alliance (CSA)

  • Broad goal is to improve defenses of the cloud ecosystem against attackers

  • Emphasis was placed on developing CSA due to broader scope and potential impact in industry

• CloudCERT initiative was formally announced in 2010

  • Working Group has been meeting once a month since January 2011

White House Announcements

• The President signed an Executive Order “encouraging and promoting” information sharing.

  • Promotes private sector and government information sharing as well as private to private via Information Sharing and Analysis Organizations (ISAOs)

  • Requires DHS, DoJ, and Privacy and Civil Liberties Board to develop disclosure guidelines

Congressional Action—the House

• The U.S. House is expected to vote on two bills this week which will focus on enabling information sharing between companies and with the Department of Homeland Security.

  • The bills originate from the Homeland Security Committee (HR 1731) and Intelligence Committee (HR 1560). The House Judiciary Committee has provided language regarding liability protections for sharing data.

  • The Rules Committee meets tonight to examine dozens of amendments.

  • Both bills are thought to be complementary and compatible but will require reconciliation, which will probably not occur until the Senate passes its bill

  • The bills define cyber threat indicators as well as cyber defense indicators.

  • The bills require companies to “take reasonable efforts” to redact or encrypt sensitive information that is unrelated to a cyber attack.

  • Both encourage private-to-private sharing as well as sharing with the DHS’s National Cybersecurity and Communications Integration Center.

Congressional Action–the Senate

• The Senate Intelligence Committee passed a measure (S 754) similar to the House’s proposed bills.

  • It offers liability protection for sharing between companies and with the Department of Homeland Security.

• The Senate’s vote on this measure may be delayed by agreement of extension of the Patriot Act which expires on June 1.

  • A deal on the Patriot Act is reportedly in the works, but privacy advocates remain concerned.

• The bottom line: the prospects are good that we will have a law signed before Memorial Day. House and Senate leadership agree that an information sharing law is necessary. However….it is Washington….

How is CSA addressing the issue of information sharing?

The Problem

• Attacks are becoming incredibly sophisticated. Knowing what happened is one thing. Knowing what to look for to see if it is happening to you – is key.

• ISACs have had limited success

  • ISAC model is segmented by vertical (Financial Services, Energy, etc.).

  • View across the sectors is critical to protecting companies today.

  • ISACs do not allow for a Cloud Segment

The Problem

• ISAC Model requires sending sensitive data to a trusted third party.

  • Company identity is known.

  • Snowden incident has made sharing with trusted third parties undesirable today.

• Need is clear – a trusted method of sharing is required.

  • Company identity is not known – so not subject to subpoenas, etc.

  • Incident data submission is quick and simple.

  • Rapid analysis of data including correlation with other reports and open source data

  • Alerts sent in minutes, not days/weeks

  • Ability to anonymously discuss attacks with others and share solutions.

The Solution – Cloud CISC


CSA Cloud Cyber Incident Sharing Center

Cloud adoption is progressing at an accelerating pace. We are concerned that the lack of a robust, automated incident sharing function will inhibit the timely resolution of security incidents, hamper our ability to minimize the damage caused by incidents, and could ultimately have a serious negative impact on the industry. The CSA Cloud CISC will:

• Provide a truly anonymous, global cyber security incident sharing platform for enterprises;

• Educate the public and private community on Cloud Security

• Develop vendor neutral best practices and technical standards

• Develop policies aligning Cloud CISC to industry and governmental standards on an international basis.

How to get Involved

• Work Group Co-chair

  • Currently seeking leadership for this initiative

  • 2-3 Co-chairs (1 appointed by CSA)

  • Co-chair Requirements

    • Appointed Co-chair must be an employee of a CSA Member Company

    • Additional Co-chairs are decided by vote

    • Time commitment required

• Contact [email protected] for additional details and questions

How to get Involved

• Work Group Participant

  • Currently seeking Volunteers for the following areas:

    • Sub Group to focus on Researching, Developing & Promoting Vendor Neutral Best Practices

    • Sub Group to define technical standards for information sharing

    • Sub Group focused on Information Sharing Policy development and outreach

    • Sub Group that will liaise with the standard development communities (SDOs)

• Contact [email protected] if you are interested in getting involved

How to get Involved

• We need support from our CSA Provider Community to participate in Cloud CISC Pilot

  • CALL TO ACTION: Submit Incident Report Data

  • Data Types

    • Title

    • Date

    • Region

    • Type of Attack

    • Known Remediation

• Contact [email protected] if you are interested in getting involved with the pilot

How to get Involved

• CISC Pilot Participant

  • We need support from our CSA Provider Community to participate in Cloud CISC Pilot

  • CALL TO ACTION: Submit Incident Report Data

  • Examples:

    • Subject

    • Date of incident

    • Region

    • Type of Attack

    • Known Remediation

How the Cloud CISC Pilot Works

• Anonymous Authentication

  • When users transmit sanitized reports, we execute a public anonymous authentication protocol that:

    • Confirms the user is a member of the community, without disclosing the identity of the user, and

    • Delivers a mathematical proof that the user has connected with TruSTAR and that TruSTAR does not know the identity of the user.

A patent-pending technology that allows for easy sharing while preserving complete anonymity.

1. Scrub Incident Reports of Identifying Information: Protects customer PII and corporate IP – mitigating discovery concerns.

2. Share Unattributable Reports: Protects company identity

3. Correlate & Analyze: Immediately correlates report with open source and other submitted reports

4. Alerts & Review: Alerts members to new report for review along with correlated, actionable information

5. Rate & Collaborate: Reports are rated to increase relevance and members collaborate with Cloud CISC Coordinator.

CISC Pilot Demo


Cloud CISC Next Steps

• Kick-Off Call & Develop a 4 month Information Sharing Pilot Starting in May/June 2015

• Develop and deliver educational programs on Cloud Security and the need for information sharing for both the public and private sector – ongoing based on results

• Identify areas of potential CSA research based on Pilot results Q1 2016

• Identify best practices and need for technical standards Nov 2015 - May 2016

• Identify need for policies and alignment across industries and governments. Nov 2015 – May 2016
