D9.2 Risk Assessment Plan
Source: disiem-project.eu/wp-content/uploads/2017/10/D9.2.pdf

Project Deliverable D9.2 Risk Assessment Plan

Project Number: 700692
Project Title: DiSIEM – Diversity-enhancements for SIEMs
Programme: H2020-DS-04-2015
Deliverable type: Report
Dissemination level: PU
Submission date: 30th September 2017
Responsible partner: FCiências.ID (FCID)
Editor: Ana Respício
Revision: 1.0

The DiSIEM project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700692.


Editor
Ana Respício, FCID

Contributors
Ana Respício, FCID
Alysson Bessani, FCID
Gustavo Gonzalez Granadillo, Atos
Susana Gonzalez Zazosa, Atos


Executive Summary

This report presents the risk assessment and management plan for the DiSIEM project. Following the methodology defined in the standard ISO 31000:2009, we start by establishing the project context, defining the adoption of a qualitative risk assessment approach, the criteria for risk assessment and the corresponding risk evaluation matrix, and the risk tolerance levels. To support the process of risk identification, an analysis of the project work packages and of the critical path of DiSIEM activities is performed, as well as identification of the partners’ roles and responsibilities for each identified risk. In total, 50 major risks are identified and analysed, resulting in a qualitative estimation of their individual likelihood and impact. From these risks, 14 are considered of high impact. Risk controls are envisaged within the project implementation. All this information is kept in a risk register, of which the first version is presented. A plan for regularly monitoring risks (during the monthly teleconferences), updating the risk register (every six months, on the internal management reports), and establishing mitigation actions is defined, considering possible environmental changes and the milestones of the project.

In summary, the deliverable provides the following contributions for the DiSIEM project:

• Definition of the DiSIEM risk management plan;
• Identification and analysis of risks;
• Identification of mitigation actions and responsibilities for each risk.


Table of Contents

1 Introduction
  1.1 Organization of the Document
2 Methodology
  2.1 General Concepts
  2.2 Methodology
3 Establishing the context
  3.1 Objectives
  3.2 Scope and boundaries
  3.3 Context for risk management establishment
    3.3.1 Goals and objectives
    3.3.2 Responsibilities
    3.3.3 Assessment approach
    3.3.4 Organization of the risk management process
  3.4 Risk criteria
    3.4.1 Impact criteria
    3.4.1 Likelihood criteria
    3.4.1 Risk evaluation criteria
4 Risk assessment and treatment
  4.1 Critical Path of the Project
  4.2 Risk assessment
  4.3 Risk treatment
5 Summary and Conclusions
List of Acronyms
References


List of Figures

Figure 1 – The risk management process extracted from [ISO09]
Figure 2 – The DiSIEM management structure
Figure 3 – Interdependencies between project WPs
Figure 4 - GANTT chart for the DiSIEM project, with deliverables, project reports and milestones
Figure 5 - DiSIEM activities critical path


List of Tables

Table 1 – List of terms and definitions extracted from [ISO09]
Table 2 – Matrix for classification of risks
Table 3 – Risk register


1 Introduction

The DiSIEM project aims to address limitations of SIEM systems already deployed in production, by extending them, leveraging their built-in capacity for customisation, and enhancing SIEMs with diversity-aware mechanisms.

Innovation in DiSIEM refers to the development, integration, and demonstration of several novel diversity-related components to existing SIEM systems. These innovative components must improve the security management and threat awareness of existing SIEMs. The management of an innovation project such as DiSIEM, involving multiple partners from industry and academia, requires a risk management process that is both sound and agile.

Risk management is a process that should be integrated within the project management at all stages of its lifecycle. Therefore, a well-established risk management plan is required to address inherent risks in a timely and effective manner. According to the PMBOK Guide [PMI13], risk management should be addressed proactively and consistently, as the lack of such proactivity in project risk management is likely to increase problems that arise from unmanaged threats. Effective monitoring and control of the project tasks and activities, as well as regular reviews and communication of project risks among the project partners, improve the capacity for timely risk identification and rapid risk handling actions. These activities are in line with the recommendations of the de facto standard for risk management ISO 31000:2009 [ISO09]: “All activities of an organisation involve risk, and organisations manage risk by anticipating, understanding and deciding whether to modify it. Throughout this process they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk.”

The DiSIEM project proposal and description of action already identified a list of risks and proposed measures to control and mitigate them. Risk monitoring and control has been performed during the first year of the project execution. This deliverable presents a first iteration of risk assessment. More specifically, the document reviews all the previously identified risks, identifies new ones and analyses them exhaustively. All identified risks are detailed and analysed; their likelihoods and impacts are estimated, thus providing a first assessment of risks. Some risks are particular to a specific WP, others are transversal to two or three WPs, or even to the whole project. A special focus is given to external risks which were not considered in the proposal writing. A plan for risk management is designed, including plans for reporting and communication.

The risk assessment includes a Critical Path Analysis (CPA) of the main project activities, thus allowing identifying risks of non-compliance with the project work plan, and foreseeing measures to minimise the impact or likelihood of those risks.

1.1 Organization of the Document

Chapter 2 presents general principles and concepts helpful to establish a common understanding of the project risk management task, and briefly describes the methodology adopted for risk management in DiSIEM. Chapter 3 is devoted to establishing the project context for risk management. Chapter 4 analyses the critical activities of DiSIEM, makes an analysis and assessment of DiSIEM current risks, and proposes control and mitigation measures to address them. Finally, Chapter 5 presents a summary of how DiSIEM will manage the project risks.


2 Methodology

2.1 General Concepts

The ISO 31000:2009 risk management standard provides the following risk definition: “risk is the effect of uncertainty on objectives” [ISO09]. This definition encloses several notes to support the understanding of the involved terms. An effect is a deviation from the expected, which can be positive or negative. It is worth noting that considering a positive effect of uncertainty on objectives was a novelty of this standard, as in the past only negative effects had been considered. By uncertainty we should understand the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. The standard points out that objectives “can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)”. Therefore, objectives are not defined by the standard but can be assumed as an expected or desired result, when considering the definition of effect.

Moreover, the standard states that risk is often characterized by reference to potential events and consequences, or a combination of them. Here, an event is the “occurrence or change of a particular set of circumstances”, presuming that an event can lead to one or more occurrences, can have several causes, or can correspond to something not happening. A consequence is the “outcome of an event affecting objectives” and can be certain or uncertain and have positive or negative effects on objectives.

In addition, the standard identifies that risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Table 1 summarises the concepts previously presented in this chapter as well as other terms and definitions, extracted from [ISO09].


Table 1 – List of terms and definitions extracted from [ISO09].

| Term/expression | Definition |
|---|---|
| risk | effect of uncertainty on objectives |
| level of risk | magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood |
| consequence | outcome of an event affecting objectives |
| likelihood | chance of something happening |
| event | occurrence or change of a particular set of circumstances |
| risk criteria | terms of reference against which the significance of a risk is evaluated |
| risk management | coordinated activities to direct and control an organization with regard to risk |
| risk management policy | statement of the overall intentions and direction of an organization related to risk management |
| risk management framework | set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization |
| risk management plan | scheme within the risk management framework specifying the approach, the management components (procedures, practices, assignment of responsibilities, sequence and timing of activities) and resources to be applied to the management of risk |
| risk owner | person or entity with the accountability and authority to manage a risk |
| risk management process | systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk |
| risk analysis | process to comprehend the nature of risk and to determine the level of risk |
| risk evaluation | process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable |
| risk treatment | process to modify risk |
| control | measure that is modifying risk |

2.2 Methodology

DiSIEM risk management is performed within the framework and process described in the ISO 31000:2009 [ISO09], which is a standard produced by one of the most trusted regulatory and standardization bodies, the ISO (International Organization for Standardization), and which is widely applied for risk management purposes. The adoption of a standard facilitates following well-structured rules and processes defined by globally-established experts in order to effectively implement organisational activities regardless of any specific features.

A risk management framework provides the policies, procedures and arrangements that will implement risk management throughout the project consortium at all levels [IEC09]. As part of this framework, the project should have a policy or strategy for deciding when and how risks should be assessed.

Figure 1 presents the process of risk management according to the standard.

Figure 1 – The risk management process extracted from [ISO09].
[Figure 1 elements: Establishing the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; Communication and consultation; Monitoring and review.]

By establishing the context, the project enunciates its objectives and defines the external and internal project context, such as the approach for risk assessment, the criteria for risk evaluation, the criteria for risk acceptance and others.

The target of risk identification is being aware of possible risk sources in addition to the events and circumstances that could affect the achievement of objectives. Further, it includes the identification of possible causes and consequences.

Risk management is integrated into the project plan at various levels through monitoring and reviewing processes. The continuous risk monitoring and review process allows for the early identification and control of events that can compromise the outcomes of the project.

The party responsible for each WP is the owner of that WP’s risks and, therefore, is accountable for monitoring and treating those risks, and for identifying new ones. Once a new risk is identified, its owner communicates it to the other partners and to the project coordinator by email, as soon as the identification occurs, to be discussed in the mailing list or in a following meeting. The regular meetings and telcos involving all partners are the main forum for risk consultation and communication. Consequently, these meetings facilitate risk identification. The identified risks are then analysed and evaluated, based on an estimation of their impact and likelihood of occurrence.

Moreover, the elaboration of the DiSIEM risk management plan is totally aligned with the risk management processes proposed by the PMBOK Guide [PMI13]. The PMBOK Guide (Guide to the Project Management Body of Knowledge) is a recognized reference of project management knowledge, focusing on processes, knowledge, and practices applicable to project management. In fact, the risk management PMBOK Guide section can be seen as complementary to the ISO 31000:2009.


3 Establishing the context

3.1 Objectives

The objectives of the DiSIEM project are to address limitations of current SIEM systems already deployed in production, by extending them, leveraging their built-in capacity for extension and customisation, and enhancing SIEMs with diversity mechanisms. These mechanisms are sustained by the following research & innovation topics defined for the project [D22]:

1. The integration of diverse OSINT (Open Source Intelligence);
2. The development of novel probabilistic security models and risk-based metrics to support decision-making on the infrastructure configurations and to increase the evaluation capacity of the organization security status.
3. The design of novel visualisation methods to present the diverse live and archival data sets. The devised methods should better support the decision-making process by enabling the extraction of high-level security insight from the data that will be used by the security analysts working with SOCs.
4. The integration of diverse, redundant and enhanced monitoring capabilities to the SIEM ecosystem using diverse enhanced sensors and protection tools.
5. The addition of support for long term archival of events in public cloud storage services, satisfying the security requirements of such data (which contains a lot of sensitive information) by employing techniques such as secret sharing and information dispersal.

Besides these objectives, exploitation is recognized as an important dimension of DiSIEM, and partners are fully aware and committed to the exploitation of project results. The key objective of exploitation is to use the applied research and technological development results to create value within all participating organizations, and thus improve their competitive advantages. This can be done through the improvement of their secure operation centres (EDP and AMADEUS), creating new products or business opportunities (ATOS and DigitalMR), high-impact research targeting hot topics in security or even the creation of start-ups for commercializing technologies (FCID, CITY and FHG).

3.2 Scope and boundaries

The external and internal context can be defined based on the analysis performed in the DiSIEM deliverable D2.1 (In-depth analysis of SIEMs extensibility) [D21].


On the one hand, in this deliverable, a study was done to identify the factors (technological, social or political) that could affect (as barriers or enablers) the evolution and future of SIEMs. On the other hand, a detailed analysis was also done of the most relevant SIEM solutions available in the market (such as IBM QRadar or Intel McAfee) with their strengths and weaknesses, including the SIEM systems selected in the project for validating the devised components in EDP, Amadeus and ATOS environments: HPE ArcSight, Elastic Stack and Splunk, and XL-SIEM, respectively.

3.3 Context for risk management establishment

All the risk management in the DiSIEM project will be conducted in accordance with the project management structure, depicted in Figure 2.

Figure 2 – The DiSIEM management structure.

EUROPEAN COMMISSION

COORDINATION COMMITTEE: Coordinator (FFCUL, Prof. Alysson Bessani)
• Overall responsibility for the project
• One representative and one deputy per partner
• The executive organ of the project
• Regular teleconferences supplemented with biyearly meetings
• Monitors and guides technical and scientific work
• Establishes processes and frameworks
• Evaluates performance and results

ADVISORY BOARD: Technical and business advisors
• Advice on strategic directions
• Suggest exploitation activities
• Review technical and scientific progress

ETHICS ADVISOR: Independent data protection ethics advisor
• Advice on ethical issues wrt data protection
• Review ethical implications of project results

PROJECT MANAGEMENT: Coordinator and Project Manager (FFCUL)
• Operationally responsible for the project
• Interface to the Commission
• Provide and maintain infrastructure and processes
• Knowledge and risk management
• Quality assurance

WORK PACKAGE (five boxes in the figure): Work package leader, Work package members
• Responsible for the work within the WP
• Report to the coordination committee
• Meetings and teleconferences synchronized with coordination committee

3.3.1 Goals and objectives

The objectives of risk management activities within the management of the DiSIEM project are to ensure that the objectives of the project are attained or exceeded.

3.3.2 Responsibilities

At a first level of action, each work-package leader is the owner of the risks existing in his/her WP and, therefore, is responsible for their identification and treatment, with the help of other relevant partners (e.g., a partner responsible for a deliverable directly affected by a risk). Any new risks identified should be communicated to the coordinator and to the consortium, either by email or during the monthly teleconferences of the project.

The coordinator and project manager, together with the executive board of the project, are responsible for risks that are transversal to the different WPs and for taking second-level action on the risks materializing at WP level. Their responsibilities are to identify and react to any possible risk on any of the deliverables, milestones, and, ultimately, on the objectives of the project.

3.3.3 Assessment approach

The project adopted a qualitative approach to risk assessment. The monitoring and review of the risks will be done continuously and separately for each WP by the partner responsible for that WP. The assessment of the risks will be done based on the inputs received during the monthly teleconferences, the quarterly face-to-face meetings, and intermediate reports delivered by partners every six months. Each identified risk will be given a priority score (low, medium, or high) based on its assessment regarding the likelihood and impact it might have on the project outcome. An initial list of the main risks to the project was identified during the project proposal preparation and is described in the DiSIEM Description of Action. A first update on this list is presented in the risk register, presented in Chapter 4.

3.3.4 Organization of the risk management process

The DiSIEM project quality plan [D91] defined means for monitoring and controlling the execution and management of the project, which include the Interim Management Report and the holding of meetings and teleconferences. These (virtual and physical) meetings, together with a well-documented project execution management plan, allow for anticipating the materialization of risks previously identified, and therefore deciding on implementing control measures (risk treatment). Additionally, they also allow foreseeing emerging risks (risk identification) and, whenever a new risk is identified, a new risk assessment process should be accomplished and new risk control measures will be implemented or anticipated. As the meetings and teleconferences have a regularity of at least one per month, we can set a time span of one month to revise the risk assessment. Consequently, the revision and update of the risk register document [PMI13] is set to one month.

Communication and consultation is continuously made, in parallel to the other risk management stages (establishing the context, risk assessment and risk treatment), through the meetings and the project Internal Communication Infrastructure: mailing lists, instant messaging, tele-conferences and the project internal files repository [D81]. Through communication and consultation one can ensure that the expertise from different partners is taken into account for risk analysis and different perspectives are considered for risk evaluation and risk modification. Consultation of the advisory board allows for identifying new risks, especially with respect to the technical objectives of the project. Finally, communication and consultation support decision making concerning specific risk modification actions that should be taken by partners accountable for risks.

Monitoring and review activities are performed by risk owners and by the project coordinator and allow ensuring that control measures are effectively implemented, as well as detecting changes that can compromise the project objectives and consequently require revising risks, their evaluation and treatments.

3.4 Risk criteria

To maximise the likelihood of achieving the objectives of the DiSIEM project it is essential to identify and understand, in advance, the significant project risks. Risk management was an integral component in the preparation and organisation of this project proposal, and has been proactively executed during the first year of the project execution. In an innovation action project such as DiSIEM, we differentiate several risk types:

– Technical – technical risks are those that may affect the achievement of the project technical objectives. Key milestones and dependencies have been analysed for identifying the possible risks and considered when preparing the time plan and resources assignment for risk mitigation.

– Schedule compliance – these risks are those that may cause delays or affect the overall schedule: A thorough planning of dependencies and time spans needed was done throughout the proposal planning process. Our planning covers small- to medium-sized delays. Any major delay with impact to our project schedule will be fully tackled by our project procedures.

– Cost – risks adding cost to the project or envisioned products: Resources needed to perform the tasks were created and verified by each partner independently. Our project organisation is fully capable of taking on any financial risks arising during the project duration. All partners are fully aware of their common project responsibility according to EC regulations.

– Exploitation – risks that may affect the achievement of the project exploitation results. These risks include both the exploitation of DiSIEM individual components and the exploitation of a complete product that integrates several components developed in DiSIEM. It considers transferring the successful results of the project to appropriate decision-makers in regulated local, regional, national and/or European systems, as well as convincing individual end-users to adopt and/or apply the DiSIEM results to their SIEM infrastructure.

3.4.1 Impact criteria

The risk impact is classified according to the following qualitative scale:

– Low – Risk has relatively little impact on the project objectives regarding technological and financial performance as well as on the work plan. If the risk materializes, insignificant or no changes in the project objectives will occur (e.g., conflict between partners).

– Medium – Risk has moderate impact on the project technological and financial performance as well as on the work plan. If the risk materializes, moderate changes in the project objectives will occur (e.g., components from a WP cannot be integrated in the SIEM).

– High – Risk has high impact on the project technological and financial performance as well as on the work plan. If the risk materializes, significant changes in the project objectives will occur (e.g., components from a WP that do not translate to effective benefits for SIEM users).

3.4.1 Likelihood criteria

The risk likelihood is classified according to the following qualitative scale:

– Low – Risk is unlikely to materialize.

– Medium – Risk may possibly materialize.

– High – Risk is likely or almost certain to materialize.

3.4.1 Risk evaluation criteria

The criteria for the risk evaluation are based on a product matrix of the impact and likelihood classification and the respective values are given by the matrix in Table 2. For instance, a risk with a likelihood classified as low and an impact classified as medium will be classified as low, while a risk with a low likelihood and a high impact will be classified as medium.

Table 2 – Matrix for classification of risks.

| Project impact \ Likelihood | L (Low) | M (Medium) | H (High) |
|---|---|---|---|
| L (Low) | Low | Low | Medium |
| M (Medium) | Low | Medium | High |
| H (High) | Medium | High | High |


4 Risk assessment and treatment

To maximise the likelihood of achieving the objectives of the DiSIEM project it is essential to identify and understand, in advance, the significant project risks. This chapter is devoted to the assessment of DiSIEM risks.

4.1 Critical Path of the Project

The critical path determines the targeted time to complete the project and the critical activities that might be able to threaten the project objectives.

Figure 3 presents the interdependencies between project WPs, while Figure 4 presents the project’s GANTT chart. Both these elements supported the determination of the critical path of DiSIEM activities, which is displayed in Figure 5.

Figure 3 – Interdependencies between project WPs.

Work packages shown in Figure 3:
• WP1 – Ethics Requirements
• WP2 – Requirements and Architecture for SIEM Integration
• WP3 – Security and Risk Modeling
• WP4 – OSINT Data Fusion and Analysis
• WP5 – Visual Analysis Platform
• WP6 – Infrastructure Enhancements
• WP7 – Technology Validation and Pilot Deployment
• WP8 – Dissemination, Communication and Exploitation
• WP9 – Project, Risk and Innovation Management

Figure 4 - GANTT chart for the DiSIEM project, with deliverables, project reports and milestones.
[Chart: work plan (tasks vs. months), columns M1 to M34 in three-month steps, rows grouped by WP1 to WP9, with project milestones ML1 to ML5. Rows, with deliverables or reports and leading partner:]
T1.1 - OSINT data protection requirements (D1.1; leading: FFCUL)
T1.2 - Ethics monitoring (PR1, FPR; leading: FFCUL)
T2.1 - In-depth analysis of SIEM technology (D2.1; leading: FFCUL)
T2.2 - Reference Architecture (leading: ATOS)
T2.3 - Integration work plan (D2.2; leading: CITY)
T3.1 - Multi-level risk and security metrics (D3.1; leading: FFCUL)
T3.2 - Probabilistic modelling of diversity for security (D3.2; leading: CITY)
T3.3 - Evaluation and validation of prediction capabilities (D3.3; leading: CITY)
T4.1 - OSINT data sources identification and information extraction (D4.1; leading: FFCUL)
T4.2 - Scalable machine learning models for OSINT analysis (D4.2; leading: FFCUL)
T4.3 - Implementation of a threat predictor (D4.3; leading: DigitalMR)
T4.4 - SIEM integration (leading: FFCUL)
T4.5 - Support and refinement (D4.4; leading: DigitalMR)
T5.1 - Visualisation architecture design and requirements gathering (D5.1; leading: CITY)
T5.2 - Visual analytics for model building (leading: Fraunhofer)
T5.3 - Diversity visualisation and analysis of streaming data (leading: CITY)
T5.4 - SIEM integration (leading: Atos)
T5.5 - Support and refinement (D5.3; leading: Fraunhofer)
T6.1 - Enhanced monitoring of applications (leading: Amadeus)
T6.2 - Diverse monitoring of critical assets (leading: CITY)
T6.3 - Cloud storage management and event data layout (leading: FFCUL)
T6.4 - SIEM integration (leading: CITY)
T6.5 - Support and refinement (D6.3; leading: Amadeus)
T7.1 - Validation work plan (D7.1; leading: EDP)
T7.2 - EDP validation and pilot deployment (leading: EDP)
T7.3 - Amadeus validation and pilot deployment (leading: Amadeus)
T7.4 - ATOS validation and pilot deployment (leading: ATOS)
T8.1 - Dissemination and communication (D8.1, D8.2; leading: FFCUL)
T8.2 - Exploitation and intellectual property rights (D8.3, D8.4; leading: ATOS)
T8.3 - Security-related threat prediction competition (D8.5; leading: FFCUL)
T9.1 - Organization lead and risk and innovation management (D9.1, D9.2; leading: FFCUL)
T9.2 - Technical and financial reporting (PR1, FPR; leading: FFCUL)
Deliverables D5.2, D6.1, D6.2, D7.2 and D7.3 also appear on the chart.

Figure 5 - DiSIEM activities critical path.
[Timeline M1 to M36 with milestones MS1 to MS5 (M: month, MS: milestone, WP: work package). Activities: Kick off and organization; Reference architecture, Integration work plan (WP2); Development and implementation of individual enhancements (WP3, WP4, WP5, WP6); SIEM integration (WP4, WP5, WP6); Deployment in test environment (WP4, WP5, WP6, WP7); Deploy in production (WP7); Communication and dissemination activities, preparation of exploitation activities (WP8). Other labels on the chart: Successful project start; Reference architecture and integration plan; Prototype of individual components; Validation in relevant test environment; Pilot deployment in operational environment.]

In the figure, critical activities are those that, if delayed, will compromise the achievement of project objectives on time, and are, therefore, the key activities of the project regarding the satisfaction of the project work plan. Critical activities are mostly reflected by project milestones. The timeline indicates the project milestones. The analysis of critical activities helps the consortium to predict, as the project progresses, whether it can be completed on time, and to keep track of the execution of tasks that ensure the accomplishment of critical activities, thus guaranteeing that deliverables are produced and completed according to the GANTT chart of Figure 4.

After a successful project kick-off in September 2016, DiSIEM partners mainly focused on the reference architecture specifications of WP2. In fact, the activities of this work package, concerning the definition of the reference architecture and the integration plan, are already completed and documented in Deliverable 2.2 [D22].

The development and implementation of individual enhancements (components) is the critical activity that is currently under way. This activity includes developments in WP3, WP4, WP5 and WP6, and is well on track, as planned. Deliverables 4.1, 5.1, and 6.1 document such progress after the first year of the project [D41, D51, D61].

The next critical activity, the integration of components with SIEM environments, will start in M22, with the integration tasks in WP4, WP5, and WP6, to ensure the devised components work well with the selected SIEMs. The activities of deployment of the components in the test environment will also start between M22-M24, and strongly depend on the completion of the components and a successful integration with the target SIEM(s). Finally, the deployment in production totally depends on the successful validation of the components in industrial environments. This activity (WP7) will reveal the effective achievement of the project objectives.

The project consortium has been preparing and publishing some scientific articles and has presented the project to external stakeholders. To conclude, it can be said that the analysis of the critical path helps to identify critical activities and consequently discriminate associated risks. The identification of the critical activities allows us to envisage mitigation actions whenever required and put necessary measures into place regarding the successful achievement of the work plan.

Risk identification is a continuous process of maintaining awareness of potential risks. To address this awareness best, the consortium defined the WP leaders as risk managers for their WPs. The WP leader is an expert in the field his or her WP is concentrating on and, therefore, the most capable person to identify WP risks. At project level, the coordinator (FCID) pays close attention to the identification of potential risks and is responsible for monitoring risks transversal to several WPs. This structure and distribution of responsibilities allows the continuous identification of new risks and encourages the discussion of potential risks within teleconferences, face-to-face meetings and the WPs themselves.

4.2 Risk assessment

To maintain an updated record of risk assessment, DiSIEM adopted the use of a risk register, a document in which the results of risk analysis, risk evaluation, and envisaged risk responses are recorded [PMI13]. The risk register allows all partners to add new risks at any time. Additionally, the coordinator asks them to give special consideration to risks on a regular basis within the Interim Management Reports (IMR). The risk register should contain all the relevant information regarding each risk.

Risks were analysed and evaluated by estimating their impact and likelihood on the objectives of the project. Knowing how a risk impacts the project is important, as several risks of the same type can be an indication of a larger problem. Few major technical risks connected to the individual WP and phases of work were identified in the course of this proposal preparation. As the risks are easier to understand in the context of a WP, they are described at WP level in the risk assessment in Table 3. To avoid possible negative impact on the project, the corresponding WP leader has proposed risk-mitigation measures for all risks in his/her WP together with the consortium.

The risk assessment should be revised periodically, on each monthly telco for critical risks affecting next milestones, and every six months for other risks (together with the Internal Management Report), and updated accordingly in the DiSIEM project repository.

A first version of the risks list was produced during the proposal elaboration, and a first revision was elaborated for the grant agreement document. The current risk register presented in Table 3, produced in September 2017, was built upon this list, identifies new risks, disaggregates others, evaluates all the risks and enriches the proposal of mitigation actions. A comprehensive description of each risk is given, the concerned WP identified, together with the corresponding risk owners. Risks are evaluated using the risk evaluation criteria for likelihood, impact and risk score presented in Section 3.4. The register also includes the date of the last revision, any comments the consortium finds relevant for further assessments, whether the risk materialized or not, and information regarding the application of mitigation measures and whether they were revised since the last assessment.

In total, 50 major risks are identified and analysed, of which 14 are considered of high impact, 26 are of medium priority, and none of high priority. These results reveal that at least 50% of the major risks identified require strict monitoring and control to avoid risk materialization. Mitigation measures have been taken whenever needed to reduce or, at least, maintain risk likelihood or impact.

Regarding risks of positive effect, none was identified in the current assessment.

4.3 Risk treatment

Four strategies are commonly used to handle negative risks: avoidance, mitigation, transference, and acceptance [PMI13]. Avoidance corresponds to eliminating the threat that originates the risk or its impact. Usually, this strategy involves changing the project plan or scope. The transference strategy comprises shifting the risk ownership and impact to a third party. Finally, mitigation consists of modifying, by reducing, the risk likelihood or impact. Considering redundancy is a way of implementing modification, and taking early action to modify risks is a common strategy to avoid later repairing of damages triggered by risk materialization, typically by using contingency measures. Acceptance corresponds to taking no action unless the risk materializes. Nevertheless, even if a risk is accepted, a contingency can be set to handle the risk in case of its materialization. In addition, a contingent response strategy can be applied only if certain events happen, such as the materialization of a high impact risk that can effectively compromise the project objectives.

In DiSIEM, continuous monitoring and control is performed over all risks to avoid increasing risk impact and risk likelihood.

The project adopted a mixed strategy for risk treatment. For all major risks identified, mitigation measures were identified and applied wherever necessary. Risks classified as medium require stronger monitoring and control and further evaluation closer to milestones to decide if a contingency measure is justifiable on economic grounds. In these cases, contingency plans could be set to eliminate further critical impact on the project objectives.

Whenever a risk is classified as high, it requires immediate avoidance or contingency response actions. Examples of such responses may include, for instance, changing the work plan to avoid the materialization of the risk, changing the resource allocation to be able to meet expected milestones, or even replacing leadership. According to the assessment shown in Table 3, there are no high risks at this point in the DiSIEM project.

As designed, the current plan considers a contingency reserve of slack time allocated to tasks to handle small delays in completion of activities.


Table 3 – Risk register.

Columns: Risk ID; Description of risk; WP(s) involved; Risk Owner; Proposed risk-mitigation measures; Date of last evaluation; Likelihood (L, M, H); Impact (L, M, H); Risk score; Did risk materialize?; Comment; Were measures applied?; Update of measures.

R1: Underperforming partners
WP(s) involved: WP1-WP9
Risk Owner: FCID
Proposed risk-mitigation measures: Close contact is established between the WP leaders and Project Coordinator. Short feedback loops and personal contacts (at regular Coordination Committee telcos, physical meetings, etc.) help to put underperforming partners back on track to guarantee overall project performance.
Date of last evaluation: M13; Likelihood: H; Impact: L; Risk score: M; Did risk materialize?: No
Comment: Coordination meetings have been held. Close contact between partners. All partners participate in conf. call. Start to generate contributions. WP2 is concluded.
Were measures applied?: Yes; Update of measures: No

R2: Conflicts between partners
WP(s) involved: WP1-WP9
Risk Owner: FCID
Proposed risk-mitigation measures: Many partners in the consortium have already worked together smoothly and successfully in past collaborative projects. Moreover, most of the security experts involved know each other personally, collaborating extensively through joint publications, program committees, organisation of international conferences, etc. Should any difficulties arise, a strong multi-level project management governance structure has been set up to tackle issues immediately (at WP levels, involving the Project Coordinator, the Coordination Committee, or the Advisory Board, for "force majeure" cases) to avoid the issues spreading and putting the overall project at risk. To avoid such situations, conflict management is put in place all along the project life-cycle through close and good contacts, frequent telco and physical meetings.
Date of last evaluation: M13; Likelihood: L; Impact: L; Risk score: L; Did risk materialize?: No
Comment: WP2 is concluded. No issues have been identified. The face-to-face meetings help to get acquainted with partner teams.
Were measures applied?: Yes; Update of measures: No


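R3: RTD efforts are not reaching technical targets
WP(s) involved: WP2-WP7
Risk Owner: FCID
Proposed risk-mitigation measures: Continuous internal quality and progress control is performed (e.g., through Internal Management Reports every six months). The Project Coordinator is present in all technical meetings. He relies on the knowledge and skills of key experts in the project, some of them being also WP leaders, to steer the work towards the technical targets. WP meetings should help to find workarounds in case of significant deviations. Greater deviations may be solved according to the governance structure defined in the project. For instance, additional experts may be called upon, or the advisory board may be consulted to select an adequate course of action.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize?: No
Comment: Continuous internal quality and progress control has been performed. WP2 is concluded.
Were measures applied?: Yes; Update of measures: No

R4.4.A: Components from WP4 cannot be integrated in ArcSight.
WP(s) involved: WP4
Risk Owner: DigitalMR, EDP
Proposed risk-mitigation measures: According to the study done in WP2 (see D2.1 and D2.2), ArcSight supports extensibility via connector interfaces. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Confirmed a common exchange format of STIX 2.0 to avoid this
Were measures applied?: Yes; Update of measures: No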


R4.4.X: Components from WP4 cannot be integrated in XL-SIEM.
WP(s) involved: WP4
Risk Owner: DigitalMR, ATOS
Proposed risk-mitigation measures: There is an agreement between partners developing WP4 components and ATOS on using a common exchange data format, STIX 2.0 (JSON), and sending them using the syslog protocol. XL-SIEM is prepared to receive events using this protocol and to process events in JSON format. A specific plugin/parser will be prepared to deal with the information provided in the STIX objects to integrate it in the XL-SIEM processing. ATOS also participates in the development of WP4 components, so through periodical meetings any integration issue encountered can be discussed.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Confirmed a common exchange format of STIX 2.0 to avoid this
Were measures applied?: Yes; Update of measures: No

R4.4.S: Components from WP4 cannot be integrated in Splunk and/or Elastic stack.
WP(s) involved: WP4
Risk Owner: DigitalMR, Amadeus
Proposed risk-mitigation measures: According to the study done in WP2 (see D2.1 and D2.2), both Splunk and Elastic stack can receive inputs from external components in arbitrary formats. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: 1) Splunk has native support for threat intelligence feed integration; the AM SOC team has already integrated Threat Intel Sources to Splunk. 2) Different approaches have been used to integrate Threat Intel data to Elastic Stack (Logstash translate filter, Index data and Threat Intel feeds in the same indices, ...). Strong control M20 - May 2018
Were measures applied?: No; Update of measures: No


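R4.4: Components from WP4 cannot be integrated in any of the SIEMs.
WP(s) involved: WP4
Risk Owner: DigitalMR
Proposed risk-mitigation measures: All SIEM systems that we are using in this project support extensibility via connector interfaces. We therefore believe that the likelihood of this risk materialising is very low due to the mitigation steps taken in the choice of SIEMs we will work with.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize?: No
Comment: Confirmed a common exchange format of STIX 2.0 to avoid this
Were measures applied?: Yes; Update of measures: No

R4.5.A: Components from WP5 cannot be integrated in ArcSight.
WP(s) involved: WP5
Risk Owner: Fraunhofer, EDP
Proposed risk-mitigation measures: ArcSight does not support highly customizable dashboards, therefore it is probable that the visualisation components would be used as a separate service on top of the SIEM data in EDP. This is not a huge problem as EDP already does that with other systems in their SOC.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M
Comment: EDP already has a complementary dashboard application, maybe the components can be integrated there (using, for instance, HTML5).
Were measures applied?: Yes; Update of measures: No

R4.5.X: Components from WP5 cannot be integrated in XL-SIEM.
WP(s) involved: WP5
Risk Owner: Fraunhofer, ATOS
Proposed risk-mitigation measures: The dashboard in XL-SIEM is implemented using web-based technologies like the components developed in WP5. Therefore, it should be possible to integrate the visualization components. Moreover, since ATOS has access to the XL-SIEM dashboard code, changes can be done in the dashboard if required to integrate some of these components. ATOS also participates in the development of WP5 components, so through periodical meetings any integration issue encountered can be discussed.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No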


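R4.5.S: Components from WP5 cannot be integrated in Splunk and/or Elastic stack.
WP(s) involved: WP5
Risk Owner: Fraunhofer, Amadeus
Proposed risk-mitigation measures: WP5 components are being designed based on the D3JS library, which is supported by the extensible dashboard of these systems.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Both Splunk and Elastic Stack's Kibana support D3JS custom visualisations and offer a flexible API to consume event data. Therefore, the likelihood of this risk is very low. Strong control M20 - May 2018
Were measures applied?: Yes; Update of measures: No

R4.5: Components from WP5 cannot be integrated in any of the SIEM.
WP(s) involved: WP5
Risk Owner: Fraunhofer
Proposed risk-mitigation measures: Most of the SIEMs used in the project support extensible dashboards that support the same technology WP5 is using in its components. The exception is ArcSight, but then the components can be used independently by the EDP SOC or be integrated in the dashboards they use (which is compatible with WP5 web-based technology). We therefore believe that the likelihood of this risk materialising is very low due to the mitigation steps taken in the choice of SIEMs we will work with. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No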


R4.6.A: Components from WP6 cannot be integrated in ArcSight.
WP(s) involved: WP6
Risk Owner: Amadeus, EDP
Proposed risk-mitigation measures: During WP2 we studied how the different components devised in WP6 can be integrated in all SIEM systems that we are using in this project. For ArcSight the key mechanism is the support of connectors. We therefore believe that the likelihood of this risk materialising is very low, as the mechanisms and data formats were already tested at this point. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: WP6 extensions will leverage the SIEM APIs to read data from and write results to the SIEM in question. All partners' SIEMs have a flexible API for read/write operations. Strong control M20 - May 2018
Were measures applied?: Yes; Update of measures: No

R4.6.X: Components from WP6 cannot be integrated in XL-SIEM.
WP(s) involved: WP6
Risk Owner: Amadeus, ATOS
Proposed risk-mitigation measures: WP6 components will provide events using the syslog protocol. XL-SIEM is prepared to receive events using this protocol. A specific plugin will be prepared to deal with the information provided in the WP6 components' events to integrate it in the XL-SIEM processing. ATOS also participates in the development of WP6 components, so through periodical meetings any integration issue encountered can be discussed.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: WP6 extensions will leverage the SIEM APIs to read data from and write results to the SIEM in question. All partners' SIEMs have a flexible API for read/write operations. Strong control M20 - May 2018
Were measures applied?: Yes; Update of measures: No


R4.6.S: Components from WP6 cannot be integrated in Splunk and/or Elastic stack.
WP(s) involved: WP6
Risk Owner: Amadeus
Proposed risk-mitigation measures: During WP2 we studied how the different components devised in WP6 can be integrated in all SIEM systems that we are using in this project. Both Splunk and Elastic stack support the integration with such components. We therefore believe that the likelihood of this risk materialising is very low, as the mechanisms and data formats were already tested at this point. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: WP6 extensions will leverage the SIEM APIs to read data from and write results to the SIEM in question. All partners' SIEMs have a flexible API for read/write operations. A preliminary version of Enhanced Application Monitoring has already been integrated by AM to the Elastic Stack. Strong control M20 - May 2018
Were measures applied?: Yes; Update of measures: No

R4.6: Components from WP6 cannot be integrated in any of the SIEM.
WP(s) involved: WP6
Risk Owner: Amadeus
Proposed risk-mitigation measures: All SIEM systems that we are using in this project support extensibility. We therefore believe that the likelihood of this risk materialising is very low due to the mitigation steps taken in the choice of SIEMs we will work with. Should difficulties arise in integrating directly with the SIEMs, we will experiment with building additional layers of middleware to allow our components to interact with the SIEMs.
Date of last evaluation: M13; Likelihood: L; Impact: H; Risk score: M; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No


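R5.4: Components from WP4 are not easily integratable in other SIEMs (beyond the ones used in the validation).
WP(s) involved: WP4, WP8
Risk Owner: DigitalMR
Proposed risk-mitigation measures: In WP2 an analysis of most relevant SIEMs in the market was made and the reference architecture considers integration patterns that are, in principle, supported by most of them.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No

R5.5: Components from WP5 are not easily integratable in other SIEMs (beyond the ones used in the validation).
WP(s) involved: WP5, WP8
Risk Owner: Fraunhofer
Proposed risk-mitigation measures: In WP2 an analysis of most relevant SIEMs in the market was made and the reference architecture considers integration patterns that are, in principle, supported by most of them.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No

R5.6: Components from WP6 are not easily integratable in other SIEMs (beyond the ones used in the validation).
WP(s) involved: WP6, WP8
Risk Owner: Amadeus
Proposed risk-mitigation measures: In WP2 an analysis of most relevant SIEMs in the market was made and the reference architecture considers integration patterns that are, in principle, supported by most of them.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No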


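R6.4.E: The WP4 components cannot be deployed in EDP test environment on M24.
WP(s) involved: WP4, WP7
Risk Owner: DigitalMR, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (EDP), to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Current architecture makes it more flexible to be integrated within any system. Some components are being developed taking into consideration the early feedback from EDP to ensure a smooth integration.
Were measures applied?: Yes; Update of measures: No

R6.5.E: The WP5 components cannot be deployed in EDP test environment on M24.
WP(s) involved: WP5, WP7
Risk Owner: Fraunhofer, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (EDP), to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Same as R6.4E
Were measures applied?: Yes; Update of measures: No

R6.6.E: The WP6 components cannot be deployed in EDP test environment on M24.
WP(s) involved: WP6, WP7
Risk Owner: Amadeus, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (EDP), to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Same as R6.4E. Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: Yes; Update of measures: No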


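R6.4.AT: The WP4 components cannot be deployed in ATOS test environment on M24.
WP(s) involved: WP4, WP7
Risk Owner: DigitalMR, ATOS
Proposed risk-mitigation measures: ATOS participates in the development of WP4 components, so potential issues or delays for the deployment of these components in its test environment can be identified through the periodical meetings and acted upon accordingly.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: Yes; Update of measures: No

R6.5.AT: The WP5 components cannot be deployed in ATOS test environment on M24.
WP(s) involved: WP5, WP7
Risk Owner: Fraunhofer, ATOS
Proposed risk-mitigation measures: ATOS participates in the development of WP5 components, so potential issues or delays for the deployment of these components in its test environment can be identified through the periodical meetings and acted upon accordingly.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: Yes; Update of measures: No

R6.6.AT: The WP6 components cannot be deployed in ATOS test environment on M24.
WP(s) involved: WP6, WP7
Risk Owner: Amadeus, ATOS
Proposed risk-mitigation measures: ATOS participates in the development of WP6 components, so potential issues or delays for the deployment of these components in its test environment can be identified through the periodical meetings and acted upon accordingly.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: No; Update of measures: No

R6.4.AM: The WP4 components cannot be deployed in Amadeus test environment on M24.
WP(s) involved: WP4, WP7
Risk Owner: DigitalMR, Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional meetings may be scheduled to discuss any deployment issues encountered. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus), to mitigate this risk.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize?: No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: No; Update of measures: No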


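R6.5.AM: The WP5 components cannot be deployed in Amadeus test environment on M24.
WP(s) involved: WP5, WP7
Risk Owner: Fraunhofer, Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus), to mitigate this risk.
Date of last evaluation: M13; Likelihood: M; Impact: M; Risk score: M; Did risk materialize?: No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: No; Update of measures: No

R6.6.AM: The WP6 components cannot be deployed in Amadeus test environment on M24.
WP(s) involved: WP6, WP7
Risk Owner: Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus), to mitigate this risk.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: M; Did risk materialize?: No
Comment: Early and continuous testing of partially developed extension may be helpful to ensure a better progress for the validation WP.
Were measures applied?: No; Update of measures: No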


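R7.4.E: The WP4 components cannot be deployed in EDP production environment on M32.
WP(s) involved: WP4, WP7
Risk Owner: DigitalMR, EDP
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation, integration with ArcSight, and validation in the test environment. Additional programming and testing effort may be committed, with the help from environment owner (EDP), to mitigate this risk. The slack between test environment and production environment implementations offers additional comfort when considering this objective.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Same as R6.4E. Although the production environment has its unique challenges compared to the test environment, the latter will serve as a starting point and will largely facilitate the deployment in production. By having a test environment that accurately resembles the production environment, we aim to enable an easier production deployment.
Were measures applied?: Yes; Update of measures: No

R7.5.E: The WP5 components cannot be deployed in EDP production environment on M32.
WP(s) involved: WP5, WP7
Risk Owner: Fraunhofer, EDP
Proposed risk-mitigation measures: Same as in R7.4E.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Same as in R7.4E.
Were measures applied?: Yes; Update of measures: No

R7.6.E: The WP6 components cannot be deployed in EDP production environment on M32.
WP(s) involved: WP6, WP7
Risk Owner: Amadeus, EDP
Proposed risk-mitigation measures: Same as in R7.4E.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Comment: Same as in R7.4E.
Were measures applied?: Yes; Update of measures: No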


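R7.4.AT: The WP4 components cannot be deployed in ATOS production environment on M32.
WP(s) involved: WP4, WP7
Risk Owner: DigitalMR, ATOS
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation, integration with XL-SIEM and validation in the test environment. Additional programming and testing effort may be committed, with the help from environment owner (ATOS), to mitigate this risk. The slack between test environment and production environment implementations offers additional comfort when considering this objective.
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No

R7.5.AT: The WP5 components cannot be deployed in ATOS production environment on M32.
WP(s) involved: WP5, WP7
Risk Owner: Fraunhofer, ATOS
Proposed risk-mitigation measures: Same as in R7.4.AT
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No

R7.6.AT: The WP6 components cannot be deployed in ATOS production environment on M32.
WP(s) involved: WP6, WP7
Risk Owner: Amadeus, ATOS
Proposed risk-mitigation measures: Same as in R7.4.AT
Date of last evaluation: M13; Likelihood: L; Impact: M; Risk score: L; Did risk materialize?: No
Were measures applied?: Yes; Update of measures: No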


Risk ID: R7.4.AM
Description of risk: The WP4 components cannot be deployed in Amadeus production environment on M32.
WP(s) involved: WP4, WP7
Risk owner: DigitalMR, Amadeus
Proposed risk-mitigation measures: Continuous progress control is performed (e.g., through Internal Management Reports) to identify any delays in completing the component implementation, integration with Splunk/Elasticsearch, and validation in the test environment. Additional programming and testing effort may be committed, with the help from environment owner (Amadeus) to mitigate this risk. The slack between test environment and production environment implementations offers additional comfort when considering this objective.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): M
Risk score: L
Did risk materialize? No
Comment: Same as R6.4E. Although the production environment has its unique challenges compared to the test environment, the latter will serve as a starting point and will largely facilitate the deployment in production. By having a test environment that accurately resembles the production environment, we aim to enable an easier production deployment.
Were measures applied? No
Update of measures: No

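Risk ID: R7.5.AM
Description of risk: The WP5 components cannot be deployed in Amadeus production environment on M32.
WP(s) involved: WP5, WP7
Risk owner: Fraunhofer, Amadeus
Proposed risk-mitigation measures: Same as in R7.4.AM
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): M
Risk score: L
Did risk materialize? No
Comment: Same as in R7.4.AM
Were measures applied? No
Update of measures: No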

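Risk ID: R7.6.AM
Description of risk: The WP6 components cannot be deployed in Amadeus production environment on M32.
WP(s) involved: WP6, WP7
Risk owner: Amadeus
Proposed risk-mitigation measures: Same as in R7.4.AM
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): M
Risk score: L
Did risk materialize? No
Comment: Same as in R7.4.AM
Were measures applied? No
Update of measures: No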


Risk ID: R8.4.E
Description of risk: The WP4 components do not translate to effective benefits for EDP.
WP(s) involved: WP4, WP7, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: As a SIEM operator, EDP is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP4 with the specific aim of refining the components based on the feedback received during deployments of the components in the industrial partners' settings in WP7.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: Although verifications have been made (during synchronisations, telcos, meetings, etc.) to prevent weak benefits for the partner, ongoing telco and physical meetings will take place to continuously monitor this, and frequent reports will be delivered at all stages of the project: from the requirement definition to the final implementation and testing. Feedback will be implemented at each stage.
Were measures applied? Yes
Update of measures: No

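Risk ID: R8.5.E
Description of risk: The WP5 components do not translate to effective benefits for EDP.
WP(s) involved: WP5, WP7, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: Same as in R8.4.E
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: Same as in R8.4.E
Were measures applied? Yes
Update of measures: No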

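Risk ID: R8.6.E
Description of risk: The WP6 components do not translate to effective benefits for EDP.
WP(s) involved: WP6, WP7, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: Same as in R8.4.E
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: Same as in R8.4.E
Were measures applied? No
Update of measures: No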


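Risk ID: R8.4.AT
Description of risk: The WP4 components do not translate to effective benefits for ATOS.
WP(s) involved: WP4, WP7, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: The current requirements definition for WP4 components and functionality to be provided is in line with ATOS' interest in improving its XL-SIEM tool capabilities through the integration of threat intelligence data. Through the first stage in M24 with the deployment of the components prototypes in the test environment, the requirements and functionality can be refined in case it is observed it does not fit as expected (there is a task for that in WP4).
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: (none)
Were measures applied? Yes
Update of measures: No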

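Risk ID: R8.5.AT
Description of risk: The WP5 components do not translate to effective benefits for ATOS.
WP(s) involved: WP5, WP7, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: The current definition for WP5 components is in line with ATOS' interest in improving the visualization capabilities of its XL-SIEM tool. Through the first stage in M24 with the deployment of the components prototypes in the test environment, the requirements and functionality can be refined in case it is observed it does not fit as expected (there is a task for that in WP5).
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: (none)
Were measures applied? Yes
Update of measures: No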


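Risk ID: R8.6.AT
Description of risk: The WP6 components do not translate to effective benefits for ATOS.
WP(s) involved: WP6, WP7, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: The current definition for WP6 components is in line with ATOS' interest in enhancing the monitoring of an infrastructure by extending its current XL-SIEM capabilities with new sensors to detect anomalies in user behaviours, the deployment of diverse security tools, and improvements in the long-term storage of events. Through the first stage in M24 with the deployment of the components prototypes in the test environment, the requirements and functionality can be refined in case it is observed it does not fit as expected (there is a task for that in WP6).
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: (none)
Were measures applied? Yes
Update of measures: No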


Risk ID: R8.4.AM
Description of risk: The WP4 components do not translate to effective benefits for Amadeus.
WP(s) involved: WP4, WP7, WP8
Risk owner: DigitalMR
Proposed risk-mitigation measures: As a SIEM user, Amadeus is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP4 with the specific aim of refining the components based on the feedback received during deployments of the components in the industrial partners' settings in WP7.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): M
Risk score: M
Did risk materialize? No
Comment: Although verifications have been made (through synchronisations, telcos, meetings, etc.) to prevent weak benefits for the partner, ongoing telco and physical meetings will take place to continuously monitor this, and frequent reports will be delivered at all stages of the project: from the requirement definition to the final implementation and testing. Feedback will be implemented at each stage.
Were measures applied? No
Update of measures: No


Risk ID: R8.5.AM
Description of risk: The WP5 components do not translate to effective benefits for Amadeus.
WP(s) involved: WP5, WP7, WP8
Risk owner: Fraunhofer
Proposed risk-mitigation measures: As a SIEM user and WP5 component developer, Amadeus is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP5 with the specific aim of refining the components based on the feedback received during deployments of the components in the industrial partners' settings in WP7.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): M
Risk score: M
Did risk materialize? No
Comment: Although verifications have been made (through synchronisations, telcos, meetings, etc.) to prevent weak benefits for the partner, ongoing telco and physical meetings will take place to continuously monitor this, and frequent reports will be delivered at all stages of the project: from the requirement definition to the final implementation and testing. Feedback will be implemented at each stage.
Were measures applied? No
Update of measures: No

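Risk ID: R8.6.AM
Description of risk: The WP6 components do not translate to effective benefits for Amadeus.
WP(s) involved: WP6, WP7, WP8
Risk owner: Amadeus
Proposed risk-mitigation measures: As a SIEM user and WP6 component developer, Amadeus is closely involved in all the stages of the project, from requirements definitions and design to final implementation of components and testing prior to deployment. Hence most possible deficiencies in meeting the expectations of the operators will be identified and mitigated early in the project life-cycle. Even after deployment, we will have a task opened in WP6 with the specific aim of refining the components based on the feedback received during deployments of the components in WP7.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): M
Risk score: M
Did risk materialize? No
Comment: Same as in R8.6.AM
Were measures applied? No
Update of measures: No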


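Risk ID: R9
Description of risk: Uncoordinated dissemination activities emerge during DiSIEM operation
WP(s) involved: WP8
Risk owner: ATOS
Proposed risk-mitigation measures: The partners will be urged to coordinate their activities upon detection of any uncoordinated or mutually contradictory activities. Clear leadership is needed and experience gained from former projects will be applied to foster common dissemination activities and to funnel any dispersed actions together again.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: (none)
Were measures applied? Yes
Update of measures: No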

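Risk ID: R10
Description of risk: Dissemination/Exploitation deviates from the plan
WP(s) involved: WP8
Risk owner: ATOS
Proposed risk-mitigation measures: The Task Leader monitors the dissemination/exploitation activities and will intervene immediately. The WP meetings should find workarounds. Typical actions could be: to propose some of the major conferences/symposiums where DiSIEM dissemination is expected for higher project impact; to encourage joint project publications; to publish project factsheets and press releases on the project Website to increase visibility; to foster dissemination of project results in open source; or to encourage transfer of DiSIEM technology.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: (none)
Were measures applied? Yes
Update of measures: No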


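Risk ID: R11
Description of risk: IPR conflicts between partners or between groups of partners
WP(s) involved: WP1-WP9
Risk owner: FCID
Proposed risk-mitigation measures: Early detection of the issue through close and good contacts, frequent meetings and a clear and unambiguous legal framework (Consortium Agreement).
Date of last evaluation: M13
Likelihood (L, M, H): M
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: (none)
Were measures applied? Yes
Update of measures: No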

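Risk ID: R12
Description of risk: SIEMs evolve in a way that makes the project components almost obsolete (External)
WP(s) involved: WP4-WP6
Risk owner: FCID
Proposed risk-mitigation measures: At the beginning of the project an extensive in-depth study of the state of the art in SIEMs was conducted (see D2.1). Furthermore, the project partners follow the state of the art related to their components to allow for early detection of the possibility of DiSIEM components becoming obsolete.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: It is unlikely that in just two years (M13-M36) the SIEM landscape changes completely, turning our components obsolete.
Were measures applied? Yes
Update of measures: No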

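Risk ID: R13
Description of risk: The market is not interested in the DiSIEM components (External)
WP(s) involved: WP4-WP6
Risk owner: FCID
Proposed risk-mitigation measures: At the beginning of the project an extensive in-depth study of the state of the art in SIEMs was conducted (see D2.1). The components are being developed considering practical technological aspects, costs, and the limitations perceived in existing SIEMs. The advisory board supports the consortium to reduce this risk likelihood.
Date of last evaluation: M13
Likelihood (L, M, H): L
Impact (L, M, H): H
Risk score: M
Did risk materialize? No
Comment: It is unlikely that in just two years (M13-M36) the SIEM landscape changes completely, turning our components obsolete.
Were measures applied? Yes
Update of measures: No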


5 Summary and Conclusions

This deliverable presented the risk management plan for the DiSIEM project. Our plan is devised around five types of processes: 1) analysis, 2) assessment, 3) treatment, 4) monitoring and control, and 5) communication and consultation. The quality plan presented in Deliverable 9.1 [D91] of the DiSIEM project defines means for monitoring and controlling the execution of the project, which include the Interim Management Report and the policies for holding meetings and teleconferences. These physical and virtual meetings, as well as a well-documented project execution plan, allow for anticipating the concretization of risks previously identified and therefore implementing control measures (risk treatment). In addition, they also allow foreseeing new risks (risk analysis-identification), and whenever a new risk is identified, a new risk assessment process should be carried out and new risk control measures implemented or anticipated (risk treatment).

For the risk assessment process, we followed a qualitative methodology supported by the ISO 31000:2009 standard, in which risks are classified as low, medium and high based on their impact on the project's objectives and likelihood is classified as low, medium and high, based on the probability at which risk can occur. A risk evaluation matrix that confronts impact and likelihood is used to evaluate and classify risks. As a result, risks that are assessed as low require risk mitigation measures more oriented to assure that the impact or likelihood do not increase; risks assessed as medium require stronger control and their mitigation measures aim at decreasing their impact or likelihood, being re-evaluated periodically to decide if more strict treatment is financially justifiable; finally, risks classified as high are treated with high priority employing the defined mitigation procedures (at the time this document is being written, there are no high risks in the project).

The centrepiece of this document is the current risk register where all risks are correspondingly registered and revised periodically. The register exhibits the description of the risks, their owners (i.e., responsible partners), an assessment of impact and likelihood, and proposal of actions to handle the risks.


List of Acronyms

Acronym | Description
CPA | Critical Path Analysis
CSF | Critical Success Factor
EC | European Commission
IEC | International Electrotechnical Commission
ISO | International Organization for Standardization
PMBOK | Project Management Body Of Knowledge
PMI | Project Management Institute
SOC | Security Operation Centre
TC | Technical Committee


References

[D21] DiSIEM Consortium. In-depth Analysis of SIEMs Extensibility. DiSIEM Project Deliverable 2.1. February 2017.
[D22] DiSIEM Consortium. Reference Architecture and Integration Plan. DiSIEM Project Deliverable 2.2. August 2017.
[D41] DiSIEM Consortium. Techniques and Tools for OSINT-based Threat Analysis. DiSIEM Project Deliverable 4.1. August 2017.
[D51] DiSIEM Consortium. Visualisation System Infrastructure and Requirement Analysis. DiSIEM Project Deliverable 5.1. August 2017.
[D61] DiSIEM Consortium. Preliminary Architecture and Service Model of Infrastructure Enhancements. DiSIEM Project Deliverable 6.1. August 2017.
[D81] DiSIEM Consortium. Internal and External IT Communication Infrastructure. DiSIEM Project Deliverable 8.1. November 2016.
[D91] DiSIEM Consortium. Project Quality Plan. DiSIEM Project Deliverable 9.1. November 2016.
[ISO09] ISO (2009). ISO 31000:2009, Risk management – Principles and guidelines, International Organization for Standardization.
[IEC09] IEC (2009). IEC 31010:2009, Risk management – Risk assessment techniques, International Organization for Standardization.
[PMI13] PMI. (2013). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (Fifth Edition). Project Management Institute.