Intelligence Led Security - Patrick Curry
INTELLIGENCE LED SECURITY<br />
Patrick Curry – MACCSA - patrick.curry@maccsa.net
Multinational Alliance for<br />
Collaborative Cyber Situational Awareness<br />
MACCSA proprietary - info@maccsa.net
MACCSA AT A GLANCE<br />
Why<br />
• Multinational Experiment 7 (MNE7 - 16 nations & HQ<br />
NATO; 2 years) requirement to implement the<br />
Information Sharing Framework for Collaborative Cyber<br />
Situational Awareness<br />
• Increasing national and international need for cyber<br />
information sharing.<br />
Who helped to create it<br />
• Neutral & international approach<br />
• International organisations<br />
• UNIDIR, ITU, ITU-IMPACT, NATO ACT, EU (8 orgs)<br />
• FS-ISAC, TM Forum, FIRST, ACDC, ITU-T, CSA, eCSIRT<br />
• Nations (22 govs, 33 nations)<br />
• Industry sectors (65+ organisations)<br />
• Research<br />
Aim<br />
• To enable the implementation and operation of the<br />
Information Sharing Framework for CCSA<br />
• Not-for-profit, self-regulating body, registered in UK<br />
Progress<br />
• Oct 2013 – Formed (in Incheon)<br />
• Dec 2013 – Management Meeting – 60 orgs<br />
• Mar 2014 – Steering Group - 8+ orgs<br />
• Scope increased to include:<br />
• Incident management<br />
• All cybersecurity<br />
• Implementations<br />
• Diverse activities<br />
WHAT DO YOU NEED TO KNOW<br />
1. Context<br />
• Bigger picture<br />
• What’s changing<br />
• Why<br />
2. How this is going to affect you (your organisation)<br />
3. The information you need to have<br />
4. The information you need to get and to share<br />
5. How you can share it<br />
6. The essentials for collaboration<br />
7. You should be part of a herd. Outliers tend to be the early prey<br />
CYBERSPACE IS GREAT, BUT…<br />
Today’s internet is a place where you can do…<br />
Truly dumb things<br />
On an epic scale<br />
Very quickly<br />
With little chance of recovery<br />
And you can’t guarantee the outcome…<br />
Laws of Physics: policy compliance, absent instant systemic enforcement, doesn’t work<br />
EU CYBER SECURITY STRATEGY - 28 FEB 14<br />
V-P Kroes<br />
• Democracy must talk to technology. We are making a transition to a data driven world<br />
• About simple things, people trusting that their personal data is protected, SMEs<br />
understanding cloud protection, citizen understanding eID. Without security there is no<br />
privacy.<br />
• Cyber breaches happen for multiple reasons. Over 3/4 of SMEs and 93% of businesses<br />
suffered at least one breach, each costing up to 50M euros.<br />
• Merkel call for secure EU network. Central to our competitiveness, single digital<br />
market, strengthen security of services, no to data protectionism and yes to data<br />
protection. We want to use big data.<br />
• Trust is key. Weak link is the whole network, weak directive will let us down.<br />
• Cyber security strategy is providing the right building blocks. Strong cyber security<br />
domain is important to Europe. Without it, democracy would fail to manage<br />
technology. Make EU the safest place for digital.<br />
TOP THREAT – ID FRAUD<br />
ID Fraud = a top EU crime enabler<br />
McAfee: $1 trillion/year<br />
cybercrime (rising $2 trl)<br />
UK fraud > £73bn<br />
EU fraud > €500bn<br />
If we are not winning, we must be<br />
losing<br />
INCREASING ATTACK SURFACE<br />
• More users<br />
• More devices – internet of things…<br />
• More mobile<br />
• More cloud(s)<br />
• More BYO Disaster<br />
• More sensitivity – my info, health<br />
• More critical systems – smart metering, big data<br />
• Weak cyber borders >> internet governance under strain<br />
• Increasing expectations and temptations lead to unwise decisions<br />
Just the surface web … add the deep web and the dark web<br />
• UK – 50M smart meters by 2020 in 30M buildings (HMG)<br />
• 76% of financially active organisations in UK are not registered in UK or at all (& can’t<br />
tell the difference). (HMG)<br />
• 65% of IP theft is by insiders (SANS)<br />
[Figure: Business World (competition and collaboration between Organisation A and Organisation B) mirrored by the Cyber World (competition and collaboration between Node A and Node B). Each organisation and each node is layered as Process, Information, Application, Data, Infrastructure. Caption: Cyber world collaborates to support normal Business use of cyberspace]<br />
STRATEGIC DRIVERS – INDUSTRIES & GOVERNMENT<br />
1. Business is becoming more collaborative and international<br />
2. Increasing legal, regulatory and commercial requirements for accountability and<br />
information protection in regulated industries<br />
3. Information protection requires access control<br />
4. Access control requires identity, authentication and authorisation, which are the basis<br />
of trust<br />
5. Trust across multiple organisations requires federation<br />
Organisations have to be considered trustworthy to trust each other<br />
Organisations need a common language of business to understand each other<br />
6. Federation requires collaborative governance and agreed Common Policy<br />
7. US and European federation bodies are pressing ahead and setting federation<br />
standards, leveraging national ID activities<br />
8. Nations need industry governance bodies for federated trust across their industries<br />
LEVELS OF ASSURANCE<br />
• We need to identify ourselves to others, and vice versa, in a wide<br />
range of situations and particularly for electronic activities.<br />
• We require different Levels of Assurance.<br />
1. LoA 4. Extra measures. 3-factor authentication (with second biometric). Strong<br />
hardware token. Optional federated Physical Access Control. Used in highly<br />
secure situations.<br />
2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2-factor<br />
authentication, e.g. employee authentication, digital signature, ID-based<br />
encryption, secure email.<br />
3. LoA 2. Some confidence of identity. Expect some failures. Financial liability<br />
model, e.g. credit cards, Know Your Customer.<br />
4. LoA 1. Self-assertion, e.g. mickey.mouse@microsoft.com.<br />
[Figure: Levels of Assurance in use by sector. Employee – Gov and Employee – Industry: LoA 3–4 (9/11, HSPD 12, FIPS 201 - PIV, PIV-Interoperable, supply chain collaboration, good federation: CertiPath/SAFEBioPharma, SESAR, NATO; ITU-T/ISO 24760/29115; Kantara Initiative Identity Assurance Framework; sectors: aerospace, pharma, police, energy, borders). Citizen: LoA 2–3 (NSTIC; British Business Federation Authority - office@federatedbusiness.org; hardly used = weak business case). Consumer: LoA 1–2 (credit cards, NFC, OIX, HACC). Legal: LoA 1–3. Google, Facebook: LoA 1]
HIGHLIGHTS - BIG PICTURE<br />
“BUILDING THE WALL”<br />
• Collaborative Crisis Management<br />
• Collaborative Cyber SA<br />
• Incident management<br />
• Counter-fraud<br />
• EU NISD, NIS Platform, Incident Notification<br />
• Risk Transfer – cyber insurance models<br />
• Managed risk – Risk Assessment, Risk Treatment, Risk Mitigation, Assessment tools, Approved assessors<br />
• International Standards – ISO, EU<br />
• Cyber controls frameworks<br />
• Assurance Schemes<br />
• Federated ID & Access management<br />
• Red team / serious games<br />
MACCSA is enabling in every area plus development of:<br />
• New capabilities<br />
• New data sources and registers<br />
CCSA & INCIDENT MANAGEMENT<br />
• Collaborative Crisis Management<br />
• Collaborative Cyber SA – Hubs & Nodes<br />
• Incident management – 1. Identify, 2. Protect, 3. Detect, 4. Respond, 5. Recover<br />
• Counter-fraud<br />
• Intel led, layered proactive defence (Rumsfeld-based: known and unknown unknowns)<br />
• Federated ID & access management<br />
• Cyber controls frameworks<br />
• Taxonomies & Automation<br />
• Red team / serious games<br />
• ROLO, OrgID registers, PANCRAS<br />
• Defeat fake docs and products<br />
• Triage & Analysis Processes<br />
• Priority Info Requirements<br />
• Others<br />
[Figure: Incident Management Lifecycle. Information types exchanged: Status info, Incident info, Intel info, Threat info, Vulnerabilities, Crisis info. Flow within My Community: Normality → Monitoring → Detection (Event, State or Object) → Analysis → Triage → Prioritise → Mitigation Plan (Specific Mitigations for Known Unknowns; Non-Specific Mitigations for Unknown Unknowns) → Act to Restore Normality → Post-Process Analysis. Key Process: Push & Pull Info on a Need to Know & Share basis with External Organisations, International Allies and Industry Partner Communities]
COMMERCIAL PERSPECTIVE<br />
1. Aerospace & Defence<br />
1. Federation and collaboration tools re-used across supply chains and international airports<br />
2. Re-used in transportation<br />
2. Pharmaceuticals and health<br />
1. Drug registration<br />
2. Drug trials<br />
3. E-Health<br />
3. Legal<br />
4. Education<br />
5. Finance<br />
6. Transport<br />
7. Communities ……<br />
8. Strategic necessity to share cyber information<br />
Benefits so far<br />
• US DoD PKI federation – 47% reduction in hacking<br />
• Aerospace & defence. Re-use and supply chain agility. $3+ Bn/year improvements<br />
• Second order benefits – compliance, offshoring, new markets<br />
INFORMATION SHARING FRAMEWORK V2.4<br />
Executive Summary<br />
Introduction<br />
Background and Context<br />
• Understanding Cyber<br />
• Using Cyberspace<br />
• Protecting Cyberspace<br />
• Cyber Situational Awareness<br />
• Benefits and Challenges<br />
Scope<br />
Aim<br />
Information Sharing Model<br />
• Architecture View<br />
• Structural View<br />
• Hub and Node Information Processing<br />
• Information Sharing Agreements<br />
• Information Sharing Processes<br />
• Trustworthiness, Federation and AAA<br />
• Taxonomies<br />
• Information Release - Traffic Light Protocol<br />
• Technological Evolution and Change Management<br />
Information Management Model<br />
• Introduction<br />
• Information Sources<br />
• Critical Information Requirements<br />
• Generation and Maintenance of Cyber Situational<br />
Awareness<br />
• Incident Management Lifecycle<br />
• Information Preparation<br />
• Types of Shared Information<br />
Next Steps<br />
Annexes<br />
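The framework contents above list "Hub and Node Information Processing" and "Information Release - Traffic Light Protocol" but do not show how a hub decides who receives what. The following is an added example, not MACCSA code and not taken from the Information Sharing Framework: a hub-side release check for incident reports tagged with the four TLP colours in use in 2014 (RED, AMBER, GREEN, WHITE). The hub policy it encodes is an assumption for illustration: RED goes only to named recipients, AMBER stays inside the source's own sharing community, GREEN reaches any registered partner node but is never published, WHITE may be published; copies forwarded outside the originating organisation have the victim identity stripped (the "partial anonymity" problem from the summary). Node names, organisations and indicators are constructed sample data.

```python
"""TLP-based release decisions at an information-sharing hub (added example).

Assumptions (not from the MACCSA framework): the hub holds a register of
member nodes, each belonging to an organisation and a sharing community, and
forwards incident reports to nodes according to the report's TLP colour.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# TLP colours as used in 2014, most to least restrictive.
TLP_LEVELS = ("RED", "AMBER", "GREEN", "WHITE")


@dataclass(frozen=True)
class Node:
    name: str        # identifier in the hub's node register
    org: str         # organisation operating the node
    community: str   # sharing community (e.g. a sector ISAC) the node belongs to


@dataclass(frozen=True)
class Report:
    report_id: str
    source: Node
    tlp: str
    indicators: Tuple[str, ...]
    victim_org: Optional[str] = None                # sensitive: who was hit
    named_recipients: FrozenSet[str] = frozenset()  # only consulted for TLP:RED


def may_receive(report: Report, recipient: Node) -> bool:
    """Hub policy (assumed): decide whether a node may receive the report at all."""
    tlp = report.tlp.upper()
    if tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP colour: {report.tlp!r}")
    if tlp == "RED":
        # RED: explicit, named recipients only; even colleagues of the source are excluded.
        return recipient.name in report.named_recipients
    if recipient.org == report.source.org:
        # Below RED, the originating organisation always sees its own report.
        return True
    if tlp == "AMBER":
        # AMBER: limited to the source's own sharing community.
        return recipient.community == report.source.community
    # GREEN and WHITE: any registered partner node, in any community.
    return True


def sanitise(report: Report, recipient: Node) -> Report:
    """Strip the victim identity from copies leaving the originating organisation.

    RED reports are a deliberate, named exchange, so they are passed through intact.
    """
    if recipient.org == report.source.org or report.tlp.upper() == "RED":
        return report
    return replace(report, victim_org=None)


def publishable(report: Report) -> bool:
    """Only TLP:WHITE may go to public feeds; GREEN is partner-only, never public."""
    return report.tlp.upper() == "WHITE"


def distribute(report: Report, nodes: List[Node]) -> Dict[str, Report]:
    """Return {node_name: sanitised copy} for every node entitled to the report."""
    deliveries: Dict[str, Report] = {}
    for node in nodes:
        if node == report.source:
            continue  # the source already has it
        if may_receive(report, node):
            deliveries[node.name] = sanitise(report, node)
    return deliveries


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Constructed sample: a finance-sector CSIRT reports an AMBER indicator."""
    src = Node("bank-a-csirt", "BankA", "finance")
    nodes = [src, Node("bank-a-soc", "BankA", "finance"),
             Node("bank-b-csirt", "BankB", "finance"),
             Node("utility-c", "UtilityC", "energy")]
    amber = Report("r2", src, "AMBER", ("evil.example",), victim_org="BankA")
    return {name: {"victim_org": r.victim_org} for name, r in distribute(amber, nodes).items()}


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

The energy-sector node never sees the AMBER report, and the peer bank receives the indicator without the victim's name; the same indicator tagged GREEN would reach the energy node too, still anonymised, and only a WHITE tag lets the hub publish it.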
ENABLING TECHNOLOGIES AND STANDARDS<br />
1. Cloud<br />
1. Interoperability and security issues<br />
2. Emerging international standards<br />
3. Trusted cloud. ISO, CSA, FISMA…<br />
2. PKI Federation for persons. Strong authentication, digital signature, ID-linked<br />
encryption, secure email, physical access control<br />
3. Trusted Platform Module 2.0 >700M already deployed!!!<br />
1. Device authentication and health = “Known Good Devices”. Key for BYOD<br />
2. Internationally acceptable<br />
3. TPM Mobile specification<br />
4. Essential for telco infrastructure protection and interoperability/re-use<br />
4. Trusted applications – Security Content Automation Protocol (SCAP)<br />
5. Location data interoperability<br />
6. Shift into information management, analytics and metadata layers. Enables Big Data.<br />
7. Network monitoring and detection for Governance Regulation Compliance (GRC) and<br />
cyber<br />
8. Security automation<br />
COLLABORATIVE CAPABILITIES & STANDARDS<br />
Main components of the MACCSA ISF<br />
• High Assurance federation – bridges, hubs, registers, IPV ISO 29003, 29115++<br />
• Cyber framework tools – Cyber controls frameworks – US SP800-53, AU Top 35, 270XX,<br />
SANS, COBIT5<br />
• Assessment and interoperability - CDCAT<br />
• Taxonomies – IODEF/XMPP/STIX plus CIF, OpenIOC, Veris<br />
• Transport - RID/TAXII/XMPP<br />
• Information management and triage models – least mature<br />
Candidate Data repositories<br />
• Threat intelligence history<br />
• Operational incident history for insurance<br />
• Vulnerability information<br />
• Other<br />
ISO/IEC JTC1 SC27 WG5 – IDENTITY MANAGEMENT & PRIVACY<br />
TECHNOLOGIES<br />
• ISO 29100 – Privacy framework<br />
• ISO 29101 – Privacy reference architecture<br />
• ISO 29115 – Entity authentication assurance framework (contains ID definitions)<br />
• ISO 29146 – A framework for access management<br />
• ISO 29191 – Proposal on requirements on relative anonymity with identity escrow<br />
model for authentication and authorization using group signatures<br />
• ISO 24760 - A framework for identity management -- Part 1: Terminology and<br />
concepts<br />
• ISO 24760 - A Framework for Identity Management -- Part 2: Reference<br />
architecture and requirements<br />
• ISO 24760 - A Framework for Identity Management – Part 3: Practice<br />
• ISO 24761 - Authentication context for biometrics<br />
• ISO 29003 - Identity Proofing of Persons, Organisations, Devices and Software<br />
• Plus TCG Trusted Platform Module 1.2 and 2.0<br />
HOW MUCH DETAIL IS REQUIRED<br />
• Internet social engineering attacks<br />
• Widespread attacks using NNTP to distribute attack<br />
• Network sniffers<br />
• Packet spoofing<br />
• "Stealth" and other advanced scanning techniques<br />
• Session-hijacking<br />
• Windows-based remote access trojans (Back Orifice)<br />
• Cyber-threats & bullying (not illegal in all jurisdictions)<br />
• Email propagation of malicious code<br />
• Automated probes and scans<br />
• Wide-scale trojan distribution<br />
• GUI intrusion tools<br />
• Distributed attack tools<br />
• Automated widespread attacks<br />
• Targeting of specific users<br />
• Widespread, distributed denial-of-service attacks<br />
• Anti-forensic techniques<br />
• Industrial espionage<br />
• Wide-scale use of worms<br />
• Executable code attacks (against browsers)<br />
• Sophisticated botnet command and control attacks<br />
• Analysis of vulnerabilities in compiled software without source code<br />
• Widespread attacks on DNS infrastructure<br />
• …….<br />
CYBERSECURITY, RISK MANAGEMENT AND INFORMATION SHARING<br />
• EU 42 CERTs (2011) 222 CERTs (2013)<br />
• EU Network Information Security Directive (NISD) and NIS Platform<br />
• Recommendations for Risk Management and for Information Sharing<br />
• Surveys of 32 nations, 60+ trade associations, 200+ companies.<br />
• 23 5 Risk Management Frameworks and one Risk Management Maturity Model<br />
• 32 Information Sharing Schemes. NL has the most<br />
• EU Commission requirement for collaborative industry lead into 2015+<br />
• US Cybersecurity Framework plus NIST SP800-53 R4<br />
Existing sharing initiatives<br />
• EU ACDC – Advanced Cyber Defence Centre<br />
• NATO. CDXi plans<br />
• European Defence Agency – Cybersecurity Project<br />
• NL Taranis<br />
• UK CISP<br />
• Other nations…<br />
SUMMARY<br />
Communities of Trust.<br />
• Be part of the herd. Don’t be an outlier – people know you are not smart enough<br />
• Large organisations that do not share cyber info are 90% ineffective<br />
• 80% of major cyber incidents have real world impacts<br />
Requires Common Policies and Collaborative Governance. High Assurance is more mature.<br />
Privacy is a big issue everywhere, but is Europe going too far and expecting too much?<br />
Strong privacy can increase the threat to the citizen.<br />
Internal (enterprise) and external (supply chain) security<br />
The (policy) issues are in the information space:<br />
• Need to know vs Obligation to share<br />
• Partial anonymity<br />
• Information provenance and reliability<br />
• Retraction without liability<br />
It’s about shared risk and collaborative cybersecurity<br />
• Identify, Protect, Detect, Respond, Recover<br />
• Intel-led, layered proactive defence is the only choice<br />
• Share and collaborate = collaborative cyber situational awareness<br />
• Criminals collaborate; so should we – only better<br />