INTELLIGENCE LED SECURITY
Patrick Curry – MACCSA - [email protected]
Multinational Alliance for Collaborative Cyber Situational Awareness
MACCSA proprietary - [email protected]
MACCSA AT A GLANCE
Aim
• To enable the implementation and operation of the Information Sharing Framework for CCSA
• Not-for-profit, self-regulating body, registered in UK
Why
• Multinational Experiment 7 (MNE7 - 16 nations & HQ NATO; 2 years) requirement to implement the Information Sharing Framework for Collaborative Cyber Situational Awareness
• Increasing national and international need for cyber information sharing.
Progress
• Oct 2013 – Formed (in Incheon)
• Dec 2013 – Management Meeting – 60 orgs
• Mar 2014 – Steering Group - 8+ orgs
• Scope increased to include:
  • Incident management
  • All cybersecurity
  • Implementations
  • Diverse activities
Who helped to create it
• Neutral & international approach
• International organisations
  • UNIDIR, ITU, ITU-IMPACT, NATO ACT, EU (8 orgs)
  • FS-ISAC, TM Forum, FIRST, ACDC, ITU-T, CSA, eCSIRT
• Nations (22 govs, 33 nations)
• Industry sectors (65+ organisations)
• Research
WHAT DO YOU NEED TO KNOW?
1. Context
• Bigger picture
• What’s changing
• Why
2. How this is going to affect you (your organisation)
3. The information you need to have
4. The information you need to get and to share
5. How you can share it
6. The essentials for collaboration
7. You should be part of a herd. Outliers tend to be the early prey
CYBERSPACE IS GREAT, BUT…
Today’s internet is a place where you can do…
Truly dumb things
On an epic scale
Very quickly
With little chance of recovery
And you can’t guarantee the outcome…
Laws of Physics: Policy compliance absent instant systemic enforcement doesn’t work
EU CYBER SECURITY STRATEGY - 28 FEB 14
V-P Kroes
• Democracy must talk to technology. We are making a transition to a data driven world
• About simple things, people trusting that their personal data is protected, SMEs understanding cloud protection, citizen understanding eID. Without security there is no privacy.
• Cyber breaches happen for multiple reasons. Over 3/4 of SMEs and 93% of businesses suffered at least one breach, each costing up to 50M euros.
• Merkel’s call for a secure EU network. Central to our competitiveness, single digital market, strengthen security of services, no to data protectionism and yes to data protection. We want to use big data.
• Trust is key. Weak link is the whole network, weak directive will let us down.
• Cyber security strategy is providing the right building blocks. Strong cyber security domain is important to Europe. Without it, democracy would fail to manage technology. Make EU the safest place for digital.
TOP THREAT – ID FRAUD
• ID Fraud = a top EU crime enabler
• McAfee: $1 trillion/year cybercrime (rising to $2 trl)
• UK fraud > £73bn
• EU fraud > €500bn
If we are not winning, we must be losing
INCREASING ATTACK SURFACE
• More users
• More devices – internet of things…
• More mobile
• More cloud(s?)
• More BYO Disaster
• More sensitivity – my info, health
• More critical systems – smart metering, big data
• Weak cyber borders >> internet governance under strain
• Increasing expectations and temptations >> unwise decisions
• UK – 50M smart meters by 2020 in 30M buildings (HMG)
• 76% of financially active organisations in UK are not registered in UK or at all (& can’t tell the difference). (HMG)
• 65% of IP theft is by insiders (SANS)
[Diagram: the attack surface is not just the surface web; add the deep web and the dark web. Two parallel stacks are shown, the Business World (Organisation A and Organisation B) and the Cyber World (Node A and Node B), each layered as Process, Information, Application, Data and Infrastructure, and linked by both competition and collaboration. Caption: the cyber world collaborates to support normal business use of cyberspace.]
STRATEGIC DRIVERS – INDUSTRIES & GOVERNMENT
1. Business is becoming more collaborative and international
2. Increasing legal, regulatory and commercial requirements for accountability and information protection in regulated industries
3. Information protection requires access control
4. Access control requires identity, authentication and authorisation, which are the basis of trust
5. Trust across multiple organisations requires federation
   • Organisations have to be considered trustworthy to trust each other
   • Organisations need a common language of business to understand each other
6. Federation requires collaborative governance and agreed Common Policy
7. US and European federation bodies are pressing ahead and setting federation standards, leveraging national ID activities
8. Nations need industry governance bodies for federated trust across their industries
LEVELS OF ASSURANCE
We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities.
We require different Levels of Assurance.
• LoA 4. Extra measures. 3 factor authentication (with second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations.
• LoA 3. High confidence in identity. Legally robust non-repudiation. 2 Factor Authentication. E.g. employee authentication, digital signature, ID based encryption, secure email.
• LoA 2. Some confidence of identity. Expect some failures. Financial liability model. E.g. credit cards, Know Your Customer.
• LoA 1. Self assertion. E.g. [email protected].
[Diagram, British Business Federation Authority ([email protected]): identity contexts (Citizen, Consumer, Employee - Gov, Employee - Industry) plotted against Level of Assurance. Government and industry employee credentials sit at LoA 3/4, tracing from 9/11 and HSPD 12 through FIPS 201 - PIV, PIV-Interoperable, ITU-T/ISO 24760/29115, supply chain collaboration, CertiPath/SAFE-BioPharma and the Kantara Initiative Identity Assurance Framework, in use for Borders, Police, NATO, SESAR, Legal, Energy, Pharma and Aerospace. Citizen and consumer credentials cluster at LoA 1/2: OIX, Google, Facebook, credit cards, NFC, with NSTIC marked as open. Annotations: “Hardly used = weak business case?” against the high-assurance citizen space, and “Good Federation” against the employee space.]
HIGHLIGHTS - BIG PICTURE: “BUILDING THE WALL”
[Diagram: Risk Assessment leads to Risk Treatment (Risk Transfer, Risk Mitigation) and on to Managed risk. Building blocks shown: cyber controls frameworks; EU NISD; NIS Platform; international standards (ISO, EU); cyber insurance models; assessment tools; assurance schemes; approved assessors; Collaborative Cyber SA; incident management; collaborative crisis management; counter-fraud; incident notification; red team / serious games; federated ID & access management.]
MACCSA is enabling in every area plus development of:
• New capabilities
• New data sources and registers
CCSA & INCIDENT MANAGEMENT
[Diagram: Collaborative Cyber SA (Hubs & Nodes), incident management, collaborative crisis management and counter-fraud, organised around the functions 1. Identify, 2. Protect, 3. Detect, 4. Respond, 5. Recover. Supporting elements: ROLO; OrgID registers; PANCRAS; defeat fake docs and products; red team / serious games; federated ID & access management; cyber controls frameworks; triage & analysis processes; taxonomies & automation; others.]
[Diagram: Intel-led, layered proactive defence; “Rumsfeld-based” Incident Management Lifecycle. Priority Information Requirements drive the cycle Normality > Monitoring > Detection > Event > Triage > Analysis > Prioritise > Mitigation Plan > Act to Restore Normality. Information is pushed to and pulled from external organisations, international allies and industry partner communities on a need to know & share basis: status info, incident info, intel info, vulnerabilities, crisis info and threat info flow in both directions. Mitigations are either specific (known unknowns) or non-specific (unknown unknowns). Key: Process; Post; My Community; State or Object.]
COMMERCIAL PERSPECTIVE
1. Aerospace & Defence
   1. Federation and collaboration tools re-used across supply chains and international airports
   2. Re-used in transportation
2. Pharmaceuticals and health
   1. Drug registration
   2. Drug trials
   3. E-Health
3. Legal
4. Education
5. Finance
6. Transport
7. Communities ……
8. Strategic necessity to share cyber information
Benefits so far
• US DoD PKI federation – 47% reduction in hacking
• Aerospace & defence. Re-use and supply chain agility. $3+ Bn/year improvements
• Second order benefits – compliance, offshoring, new markets
INFORMATION SHARING FRAMEWORK V2.4
Executive Summary
Introduction
Background and Context
• Understanding Cyber
• Using Cyberspace
• Protecting Cyberspace
• Cyber Situational Awareness
• Benefits and Challenges
Scope
Aim
Information Sharing Model
• Architecture View
• Structural View
• Hub and Node Information Processing
• Information Sharing Agreements
• Information Sharing Processes
• Trustworthiness, Federation and AAA
• Taxonomies
• Information Release - Traffic Light Protocol
• Technological Evolution and Change Management
Information Management Model
• Introduction
• Information Sources
• Critical Information Requirements
• Generation and Maintenance of Cyber Situational Awareness
• Incident Management Lifecycle
• Information Preparation
• Types of Shared Information
Next Steps
Annexes
ENABLING TECHNOLOGIES AND STANDARDS
1. Cloud
   1. Interoperability and security issues
   2. Emerging international standards
   3. Trusted cloud. ISO, CSA, FISMA…
2. PKI Federation for persons. Strong authentication, digital signature, ID-linked encryption, secure email, physical access control
3. Trusted Platform Module 2.0 >700M already deployed!!!
   1. Device authentication and health = “Known Good Devices”. Key for BYOD
   2. Internationally acceptable
   3. TPM Mobile specification
   4. Essential for telco infrastructure protection and interoperability/re-use
4. Trusted applications – Security Content Automation Protocol (SCAP)
5. Location data interoperability
6. Shift into information management, analytics and metadata layers. Enables Big Data.
7. Network monitoring and detection for Governance Regulation Compliance (GRC) and cyber
8. Security automation
COLLABORATIVE CAPABILITIES & STANDARDS
Main components of the MACCSA ISF
• High Assurance federation – bridges, hubs, registers, IPV ISO 29003, 29115++
• Cyber framework tools – Cyber controls frameworks – US SP800-53, AU Top 35, 270XX, SANS, COBIT5
• Assessment and interoperability - CDCAT
• Taxonomies – IODEF/XMPP/STIX plus CIF, OpenIOC, Veris
• Transport - RID/TAXII/XMPP
• Information management and triage models – least mature
Candidate Data repositories
• Threat intelligence history
• Operational incident history for insurance
• Vulnerability information
• Other
ISO/IEC JTC1 SC27 WG5 – IDENTITY MANAGEMENT & PRIVACY TECHNOLOGIES
ISO 29100 – Privacy framework
ISO 29101 – Privacy reference architecture
ISO 29115 – Entity authentication assurance framework (contains ID definitions)
ISO 29146 – A framework for access management
ISO 29191 – Proposal on requirements on relative anonymity with identity escrow model for authentication and authorization using group signatures
ISO 24760 - A framework for identity management -- Part 1: Terminology and concepts
ISO 24760 - A Framework for Identity Management -- Part 2: Reference architecture and requirements
ISO 24760 - A Framework for Identity Management – Part 3: Practice
ISO 24761 - Authentication context for biometrics
ISO 29003 - Identity Proofing of Persons, Organisations, Devices and Software
Plus TCG Trusted Platform Module 1.2 and 2.0
HOW MUCH DETAIL IS REQUIRED?
• Internet social engineering attacks
• Network sniffers
• Packet spoofing
• Session-hijacking
• Cyber-threats & bullying (not illegal in all jurisdictions)
• Automated probes and scans
• GUI intrusion tools
• Automated widespread attacks
• Widespread, distributed denial-of-service attacks
• Industrial espionage
• Executable code attacks (against browsers)
• Analysis of vulnerabilities in compiled software without source code
• Widespread attacks on DNS infrastructure
• Widespread attacks using NNTP to distribute attack
• "Stealth" and other advanced scanning techniques
• Windows-based remote access trojans (Back Orifice)
• Email propagation of malicious code
• Wide-scale trojan distribution
• Distributed attack tools
• Targeting of specific users
• Anti-forensic techniques
• Wide-scale use of worms
• Sophisticated botnet command and control attacks
• …….
CYBERSECURITY, RISK MANAGEMENT AND INFORMATION SHARING
• EU 42 CERTs (2011) 222 CERTs (2013)
• EU Network Information Security Directive (NISD) and NIS Platform
• Recommendations for Risk Management and for Information Sharing
• Surveys of 32 nations, 60+ trade associations, 200+ companies.
• 23 5 Risk Management Frameworks and one Risk Management Maturity Model
• 32 Information Sharing Schemes. NL has the most
• EU Commission requirement for collaborative industry lead into 2015+
• US Cybersecurity Framework plus NIST SP800-53 R4
Existing sharing initiatives
• EU ACDC – Advanced Cyber Defence Centre
• NATO. CDXi plans
• European Defence Agency – Cybersecurity Project
• NL Taranis
• UK CISP
• Other nations…
SUMMARY
Communities of Trust.
• Be part of the herd. Don’t be an outlier – people know you are not smart enough
• Large organisations that do not share cyber info are 90% ineffective
• 80% of major cyber incidents have real world impacts
Requires Common Policies and Collaborative Governance. High Assurance is more mature.
Privacy is a big issue everywhere, but is Europe going too far and expecting too much? Strong privacy can increase the threat to the citizen.
Internal (enterprise) and external (supply chain) security
The (policy) issues are in the information space:
• Need to know vs Obligation to share
• Partial anonymity
• Information provenance and reliability
• Retraction without liability
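The four policy issues listed above are the ones a sharing hub has to mechanise when it redistributes incident information between nodes. The Python sketch below is added here as an illustration; it is not MACCSA's or the ISF's own code. It models a hub that releases reports under Traffic Light Protocol markings (need to know vs obligation to share), withholds the originating organisation on request (partial anonymity), attaches hub-attested provenance with a reliability grade, and on retraction notifies exactly the nodes that received the report. The organisations, communities, reliability scale and the rule mapping each TLP colour to hub recipients are constructed for the example; they stand in for a sharing agreement, not for TLP's own definitions.

```python
"""Added example (not MACCSA/ISF code): a toy hub-and-node information sharing
service applying TLP release rules, source anonymisation, provenance and
retraction. All organisations, communities and report contents are constructed."""
from dataclasses import dataclass

# TLP colours as used in 2014, from most to least shareable.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]


@dataclass
class Node:
    org: str
    community: str  # constructed: the sharing community (e.g. a sector ISAC) the node belongs to


@dataclass
class Report:
    report_id: str
    source: Node
    tlp: str
    summary: str
    reliability: str          # constructed scale: "A" confirmed ... "E" unreliable
    anonymise_source: bool = False
    retracted: bool = False


class Hub:
    def __init__(self, nodes):
        self.nodes = {n.org: n for n in nodes}
        self.reports = {}
        self.deliveries = []  # (report_id, recipient org): the audit trail used for retraction

    def submit(self, report):
        """Register a report and release it according to its TLP marking."""
        if report.tlp not in TLP_ORDER:
            raise ValueError(f"unknown TLP marking: {report.tlp}")
        self.reports[report.report_id] = report
        return self.release(report)

    def recipients(self, report):
        """Constructed sharing-agreement rule for this hub (not TLP's own text):
        RED   - the hub makes no onward release at all
        AMBER - only nodes in the originator's own community (need to know)
        GREEN/WHITE - every node on the hub except the originator"""
        if report.tlp == "RED":
            return []
        others = [n for n in self.nodes.values() if n.org != report.source.org]
        if report.tlp == "AMBER":
            return [n for n in others if n.community == report.source.community]
        return others

    def view_for(self, report):
        """The copy a recipient sees: provenance is kept (the hub vouches that the
        source is a member) but the org name is withheld if anonymity was requested."""
        return {
            "report_id": report.report_id,
            "tlp": report.tlp,
            "summary": report.summary,
            "source": "withheld (hub-attested member)" if report.anonymise_source else report.source.org,
            "provenance": {"via": "hub", "reliability": report.reliability},
            "retracted": report.retracted,
        }

    def release(self, report):
        out = []
        for node in self.recipients(report):
            self.deliveries.append((report.report_id, node.org))
            out.append((node.org, self.view_for(report)))
        return out

    def retract(self, report_id):
        """Mark a report retracted and return exactly the orgs that received it."""
        self.reports[report_id].retracted = True
        return sorted({org for rid, org in self.deliveries if rid == report_id})


def demo():
    """Run the hub over constructed nodes and reports; returns who received what."""
    aero, jet, pharma, bank = (Node("AeroCo", "aerospace"), Node("JetParts", "aerospace"),
                               Node("PharmaCo", "pharma"), Node("BankCo", "finance"))
    hub = Hub([aero, jet, pharma, bank])
    amber = Report("R-1", aero, "AMBER", "phishing against supplier portal", "B", anonymise_source=True)
    green = Report("R-2", pharma, "GREEN", "malware hash seen in trials data system", "C")
    red = Report("R-3", bank, "RED", "ongoing intrusion, no onward release", "A")
    results = {rep.report_id: sorted(org for org, _ in hub.submit(rep)) for rep in (amber, green, red)}
    results["R-1 source as seen by recipients"] = hub.view_for(amber)["source"]
    results["R-2 retraction notified"] = hub.retract("R-2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit trail is what makes "retraction without liability" workable in practice: the hub can tell the originator exactly which members saw the report, and nobody else, while the hub-attested provenance lets recipients weigh a report whose source they cannot see.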
It’s about shared risk and collaborative cybersecurity
• Identify, Protect, Detect, Respond, Recover
• Intel-led, layered proactive defence is the only choice
• Share and collaborate = collaborative cyber situational awareness
• Criminals collaborate; so should we – only better