intelligence led security - information technology presentations... · intelligence led security...

INTELLIGENCE LED SECURITY Patrick Curry MACCSA - [email protected]


Post on 10-Aug-2019


Page 1: INTELLIGENCE LED SECURITY - Information Technology Presentations... · INTELLIGENCE LED SECURITY Patrick Curry ... suffered at least one breach, each costing up to 50M euros. •

INTELLIGENCE LED SECURITY

Patrick Curry – MACCSA - [email protected]


Multinational Alliance for Collaborative Cyber Situational Awareness

MACCSA proprietary - [email protected]


MACCSA AT A GLANCE

Aim

• To enable the implementation and operation of the Information Sharing Framework for CCSA

• Not-for-profit, self-regulating body, registered in UK

Why

• Multinational Experiment 7 (MNE7 - 16 nations & HQ NATO; 2 years) requirement to implement the Information Sharing Framework for Collaborative Cyber Situational Awareness

• Increasing national and international need for cyber information sharing.

Progress

• Oct 2013 – Formed (in Incheon)

• Dec 2013 – Management Meeting – 60 orgs

• Mar 2014 – Steering Group - 8+ orgs

• Scope increased to include:

• Incident management

• All cybersecurity

• Implementations

• Diverse activities

Who helped to create it

• Neutral & international approach

• International organisations

• UNIDIR, ITU, ITU-IMPACT, NATO ACT, EU (8 orgs)

• FS-ISAC, TM Forum, FIRST, ACDC, ITU-T, CSA, eCSIRT

• Nations (22 govs, 33 nations)

• Industry sectors (65+ organisations)

• Research


WHAT DO YOU NEED TO KNOW?

1. Context

• Bigger picture

• What’s changing

• Why

2. How this is going to affect you (your organisation)

3. The information you need to have

4. The information you need to get and to share

5. How you can share it

6. The essentials for collaboration

7. You should be part of a herd. Outliers tend to be the early prey


CYBERSPACE IS GREAT, BUT…

Today’s internet is a place where you can do…

Truly dumb things

On an epic scale

Very quickly

With little chance of recovery

And you can’t guarantee the outcome…

Laws of Physics

Policy compliance absent instant systemic enforcement doesn’t work


EU CYBER SECURITY STRATEGY - 28 FEB 14

V-P Kroes

• Democracy must talk to technology. We are making a transition to a data driven world

• About simple things, people trusting that their personal data is protected, SMEs understanding cloud protection, citizens understanding eID. Without security there is no privacy.

• Cyber breaches happen for multiple reasons. Over 3/4 of SMEs and 93% of businesses suffered at least one breach, each costing up to 50M euros.

• Merkel call for secure EU network. Central to our competitiveness, single digital market, strengthen security of services, no to data protectionism and yes to data protection. We want to use big data.

• Trust is key. Weak link is the whole network, weak directive will let us down.

• Cyber security strategy is providing the right building blocks. Strong cyber security domain is important to Europe. Without it, democracy would fail to manage technology. Make EU the safest place for digital.


TOP THREAT – ID FRAUD

ID Fraud = a top EU crime enabler

McAfee: $1 trillion/year cybercrime (rising $2 trl)

UK fraud > £73bn

EU fraud > €500bn

If we are not winning, we must be losing


INCREASING ATTACK SURFACE

• More users

• More devices – internet of things…

• More mobile

• More cloud(s?)

• More BYO Disaster

• More sensitivity – my info, health

• More critical systems – smart metering, big data

• Weak cyber borders >> internet governance under strain

• Increasing expectations and temptations unwise decisions

• UK – 50M smart meters by 2020 in 30M buildings (HMG)

• 76% of financially active organisations in UK are not registered in UK or at all (& can’t tell the difference). (HMG)

• 65% of IP theft is by insiders (SANS)


[Figure note: Just Surface Web … add Deep web, Dark Web]


[Figure: Business World and Cyber World. In the Business World, Organisation A and Organisation B each have a stack of Process, Information, Application, Data and Infrastructure, linked by Competition and Collaboration. In the Cyber World, Node A and Node B have the same stacks, also linked by Competition and Collaboration. Caption: Cyber world collaborates to support normal Business use of cyberspace.]


STRATEGIC DRIVERS – INDUSTRIES & GOVERNMENT

1. Business is becoming more collaborative and international

2. Increasing legal, regulatory and commercial requirements for accountability and information protection in regulated industries

3. Information protection requires access control

4. Access control requires identity, authentication and authorisation, which are the basis of trust

5. Trust across multiple organisations requires federation

Organisations have to be considered trustworthy to trust each other

Organisations need a common language of business to understand each other

6. Federation requires collaborative governance and agreed Common Policy

7. US and European federation bodies are pressing ahead and setting federation standards, leveraging national ID activities

8. Nations need industry governance bodies for federated trust across their industries


LEVELS OF ASSURANCE

We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities.

We require different Levels of Assurance.

1. LoA 4. Extra measures. 3 factor authentication (with second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations.

2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2 Factor Authentication E.g. employee authentication, digital signature, ID based encryption, secure email.

3. LoA 2. Some confidence of Identity. Expect some failures. Financial liability model E.g. credit cards, Know Your Customer.

4. LoA 1. Self assertion. E.g. [email protected].


British Business Federation Authority [email protected]

[Figure: identity federation landscape by Level of Assurance. User groups: Citizen, Consumer, Employee - Gov, Employee - Industry. Drivers and standards: 9/11, HSPD 12, FIPS 201 - PIV, PIV - Interoperable, ITU-T/ISO24760/29115, Supply chain collaboration, CertiPath/SAFEBioPharma, Kantara Initiative Identity Assurance Framework. Sectors: Borders, Police, NATO, SESAR, Legal, Energy, Pharma, Aerospace. Other labels: OIX, Google, Facebook, Credit cards, HACC?, NFC??, NSTIC ?, "Hardly used = weak business case?", Good Federation.]


HIGHLIGHTS - BIG PICTURE

“BUILDING THE WALL”

[Figure: building blocks of the wall. Risk Assessment; Risk Treatment; Risk Transfer; Risk Mitigation; Cyber controls frameworks; EU NISD; NIS Platform; International Standards – ISO, EU; Cyber insurance models; Assessment tools; Assurance Schemes; Approved assessors; Managed risk; Collaborative Cyber SA; Incident management; Collaborative Crisis Management; Counter-fraud; Incident Notification; Red team/serious games; Federated ID & Access management.]

MACCSA is enabling in every area plus development of:

• New capabilities

• New data sources and registers


CCSA & INCIDENT MANAGEMENT

[Figure: CCSA and incident management components. Collaborative Cyber SA; Hubs & Nodes; Incident management; Collaborative Crisis Management; Counter-fraud; 1. Identify, 2. Protect, 3. Detect, 4. Respond, 5. Recover; Others; ROLO; OrgID registers; PANCRAS; Defeat fake docs and products; Red team/serious games; Federated ID & access management; Cyber controls frameworks; Triage & Analysis Processes; Taxonomies & Automation; Priority Info Requirements; Intel led; Layered proactive defence; Rumsfeld-based.]


Incident Management Lifecycle

[Figure: Incident Management Lifecycle. Participants: External Organisations, International Allies and Industry Partner Communities; My Community. Stages: Normality, Monitoring, Event, Detection, Triage, Analysis, Prioritise, Mitigation Plan, Act to Restore Normality, Post. Information flows in and out: Status info, Incident info, Intel info, Vulnerabilities, Crisis info, Threat info. Other labels: Specific Mitigations; Non-Specific Mitigations; Known Unknowns; Unknown Unknowns; Push & Pull Info; Need to Know & Share. Key: Process; State or Object.]


COMMERCIAL PERSPECTIVE

1. Aerospace & Defence

1. Federation and collaboration tools re-used across supply chains and international airports

2. Re-used in transportation

2. Pharmaceuticals and health

1. Drug registration

2. Drug trials

3. E-Health

3. Legal

4. Education

5. Finance

6. Transport

7. Communities ……

8. Strategic necessity to share cyber information

Benefits so far

• US DoD PKI federation – 47% reduction in hacking

• Aerospace & defence. Re-use and supply chain agility. $3+ Bn/year improvements

• Second order benefits – compliance, offshoring, new markets


INFORMATION SHARING FRAMEWORK V2.4

Executive Summary

Introduction

Background and Context

• Understanding Cyber

• Using Cyberspace

• Protecting Cyberspace

• Cyber Situational Awareness

• Benefits and Challenges

Scope

Aim

Information Sharing Model

• Architecture View

• Structural View

• Hub and Node Information Processing

• Information Sharing Agreements

• Information Sharing Processes

• Trustworthiness, Federation and AAA

• Taxonomies

• Information Release - Traffic Light Protocol

• Technological Evolution and Change Management

Information Management Model

• Introduction

• Information Sources

• Critical Information Requirements

• Generation and Maintenance of Cyber Situational Awareness

• Incident Management Lifecycle

• Information Preparation

• Types of Shared Information

Next Steps

Annexes


ENABLING TECHNOLOGIES AND STANDARDS

1. Cloud

1. Interoperability and security issues

2. Emerging international standards

3. Trusted cloud. ISO, CSA, FISMA…

2. PKI Federation for persons. Strong authentication, digital signature, ID-linked encryption, secure email, physical access control

3. Trusted Platform Module 2.0 >700M already deployed!!!

1. Device authentication and health = “Known Good Devices”. Key for BYOD

2. Internationally acceptable

3. TPM Mobile specification

4. Essential for telco infrastructure protection and interoperability/re-use

4. Trusted applications – Security Content Automation Protocol (SCAP)

5. Location data interoperability

6. Shift into information management, analytics and metadata layers. Enables Big Data.

7. Network monitoring and detection for Governance Regulation Compliance (GRC) and cyber

8. Security automation


COLLABORATIVE CAPABILITIES & STANDARDS

Main components of the MACCSA ISF

• High Assurance federation – bridges, hubs, registers, IPV ISO 29003, 29115++

• Cyber framework tools – Cyber controls frameworks – US SP800-53, AU Top 35, 270XX, SANS, COBIT5

• Assessment and interoperability - CDCAT

• Taxonomies – IODEF/XMPP/STIX plus CIF, OpenIOC, Veris

• Transport - RID/TAXII/XMPP

• Information management and triage models – least mature

Candidate Data repositories

• Threat intelligence history

• Operational incident history for insurance

• Vulnerability information

• Other


ISO/IEC JTC1 SC27 WG5 – IDENTITY MANAGEMENT & PRIVACY TECHNOLOGIES

ISO 29100 – Privacy framework

ISO 29101 – Privacy reference architecture

ISO 29115 – Entity authentication assurance framework (contains ID definitions)

ISO 29146 – A framework for access management

ISO 29191 – Proposal on requirements on relative anonymity with identity escrow model for authentication and authorization using group signatures

ISO 24760 - A framework for identity management -- Part 1: Terminology and concepts

ISO 24760 - A Framework for Identity Management -- Part 2: Reference architecture and requirements

ISO 24760 - A Framework for Identity Management – Part 3: Practice

ISO 24761 - Authentication context for biometrics

ISO 29003 - Identity Proofing of Persons, Organisations, Devices and Software

Plus TCG Trusted Platform Module 1.2 and 2.0


HOW MUCH DETAIL IS REQUIRED?

• Internet social engineering attacks

• Network sniffers

• Packet spoofing

• Session-hijacking

• Cyber-threats & bullying (not illegal in all jurisdictions)

• Automated probes and scans

• GUI intrusion tools

• Automated widespread attacks

• Widespread, distributed denial-of-service attacks

• Industrial espionage

• Executable code attacks (against browsers)

• Analysis of vulnerabilities in compiled software without source code

• Widespread attacks on DNS infrastructure

• Widespread attacks using NNTP to distribute attack

• "Stealth" and other advanced scanning techniques

• Windows-based remote access trojans (Back Orifice)

• Email propagation of malicious code

• Wide-scale trojan distribution

• Distributed attack tools

• Targeting of specific users

• Anti-forensic techniques

• Wide-scale use of worms

• Sophisticated botnet command and control attacks

• …….


CYBERSECURITY, RISK MANAGEMENT AND INFORMATION SHARING

• EU 42 CERTs (2011) 222 CERTs (2013)

• EU Network Information Security Directive (NISD) and NIS Platform

• Recommendations for Risk Management and for Information Sharing

• Surveys of 32 nations, 60+ trade associations, 200+ companies.

• 23 5 Risk Management Frameworks and one Risk Management Maturity Model

• 32 Information Sharing Schemes. NL has the most

• EU Commission requirement for collaborative industry lead into 2015+

• US Cybersecurity Framework plus NIST SP800-53 R4

Existing sharing initiatives

• EU ACDC – Advanced Cyber Defence Centre

• NATO. CDXi plans

• European Defence Agency – Cybersecurity Project

• NL Taranis

• UK CISP

• Other nations…


SUMMARY

Communities of Trust.

• Be part of the herd. Don’t be an outlier – people know you are not smart enough

• Large organisations that do not share cyber info are 90% ineffective

• 80% of major cyber incidents have real world impacts

Requires Common Policies and Collaborative Governance. High Assurance is more mature.

Privacy is a big issue everywhere, but is Europe going too far and expecting too much? Strong privacy can increase the threat to the citizen.

Internal (enterprise) and external (supply chain) security

The (policy) issues are in the information space:

• Need to know vs Obligation to share

• Partial anonymity

• Information provenance and reliability

• Retraction without liability

It’s about shared risk and collaborative cybersecurity

• Identify, Protect, Detect, Respond, Recover

• Intel-led, layered proactive defence is the only choice

• Share and collaborate = collaborative cyber situational awareness

• Criminals collaborate; so should we – only better
