Intelligence Led Security - Patrick Curry

INTELLIGENCE LED 

SECURITY 

Patrick Curry – MACCSA - 

patrick.curry@maccsa.net

Multinational Alliance for 

Collaborative Cyber Situational Awareness 

MACCSA proprietary - info@maccsa.net

MACCSA AT A GLANCE 

Why 

• Multinational Experiment 7 (MNE7 - 16 nations & HQ 

NATO; 2 years) requirement to implement the 

Information Sharing Framework for Collaborative Cyber 

Situational Awareness 

• Increasing national and international need for cyber 

information sharing. 

Who helped to create it 

• Neutral & international approach 

• International organisations 

• UNIDIR, ITU, ITU-IMPACT, NATO ACT, EU (8 orgs) 

• FS-ISAC, TM Forum, FIRST, ACDC, ITU-T, CSA, eCSIRT 

• Nations (22 govs, 33 nations) 

• Industry sectors (65+ organisations) 

• Research 

Aim 

• To enable the implementation and operation of the 

Information Sharing Framework for CCSA 

• Not-for-profit, self-regulating body, registered in UK 

Progress 

• Oct 2013 – Formed (in Incheon) 

• Dec 2013 – Management Meeting – 60 orgs 

• Mar 2014 – Steering Group - 8+ orgs 

• Scope increased to include: 

• Incident management 

• All cybersecurity 

• Implementations 

• Diverse activities 

MACCSA proprietary - info@maccsa.net 

3

WHAT DO YOU NEED TO KNOW 

1. Context 

• Bigger picture 

• What’s changing 

• Why 

2. How this is going to affect you (your organisation) 

3. The information do you need to have 

4. The information you need to get and to share 

5. How you can share it 

6. The essentials for collaboration 

7. You should be part of a herd. Outliers tend to be the early prey 

MACCSA proprietary - 

4

CYBERSPACE IS GREAT, BUT… 

Today’s internet is a place where you can do… 

Truly dumb things 

On an epic scale 

Very quickly 

With little chance of recovery 

And you can’t guarantee the outcome… 

Laws of Physics Policy compliance absent instant systemic 

enforcement doesn’t work 


EU CYBER SECURITY STRATEGY - 28 FEB 14 

V-P Kroes 

• Democracy must talk to technology. We are making a transition to a data driven world 

• About simple things, people trusting that their personal data is protected, SMEs 

understanding cloud protection, citizen understanding eID. Without security there is no 

privacy. 

• Cyber breaches happen for multiple reasons. Over 3/4 of SMEs and 93% businesses 

suffered at least one breach, each costing up to 50M euros. 

• Merkel call for secure EU network. Central to our competitiveness, single digital 

market, strengthen security of services, no to data protectionism and yes to data 

protection. We want to use big data. 

• Trust is key. Weak link is the whole network, weak directive will let us down. 

• Cyber security strategy is providing the right building blocks. Strong cyber security 

domain is important to Europe. Without it, democracy would fail to manage 

technology. Make EU the safest place for digital. 


TOP THREAT – ID FRAUD 

ID Fraud = a top EU crime enabler 

McAfee: $1 trillion/year 

cybercrime (rising $2 trl) 

UK fraud > £73bn 

EU fraud > €500bn 

If we are not winning, we must be 

losing 


7

INCREASING ATTACK SURFACE 

• More users 

• More devices – internet of things… 

• More mobile 

• More cloud(s) 

• More BYO Disaster 

• More sensitivity – my info, health 

• More critical systems – smart metering, big data 

• Weak cyber borders >> internet governance under strain 

• Increasing expectations and temptations unwise decisions 

Just Surface Web 

….add 

Deep web 

Dark Web 

• UK – 50M smart meters by 2020 in 30M buildings (HMG) 

• 76% of financially active organisations in UK are not registered in UK or at all (& can’t 

tell the difference). (HMG) 

• 65% of IP theft is by insiders (SANS) 


Business World 

Competition 

Collaboration 

Organisation A 

Process 

Information 

Application 

Data 

Infrastructure 

Organisation B 

Process 

Information 

Application 

Data 


Cyber world collaborates to support normal Business use of cyberspace 

Cyber World 

Competition 

Collaboration 

Node A 

Process 

Information 

Application 

Data 


Node B 

Process 

Information 

Application 

Data 



STRATEGIC DRIVERS – INDUSTRIES & GOVERNMENT 

1. Business is becoming more collaborative and international 

2. Increasing legal, regulatory and commercial requirements for accountability and 

information protection in regulated industries 

3. Information protection requires access control 

4. Access control requires identity, authentication and authorisation, which are the basis 

of trust 

5. Trust across multiple organisations requires federation 

Organisations have to be considered trustworthy to trust each other 

Organisations need a common language of business to understand each other 

6. Federation requires collaborative governance and agreed Common Policy 

7. US and European federation bodies are pressing ahead and setting federation 

standards, leveraging national ID activities 

8. Nations need industry governance bodies for federated trust across their industries 


LEVELS OF ASSURANCE 

• We need to identify ourselves to others, and vice versa, in a wide 

range of situations and particularly for electronic activities. 

• We require different Levels of Assurance. 

1. LoA 4. Extra measures. 3 factor authentication (with second biometric). Strong 

hardware token. Optional federated Physical Access Control. Used in highly 

secure situations. 

2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2 Factor 

Authentication E.g. employee authentication, digital signature, ID based 

encryption, secure email. 

3. LoA 2. Some confidence of Identity. Expect some failures. Financial liability 

model E.g. credit cards, Know Your Customer. 

4. LoA 1. Self assertion. E.g. mickey.mouse@microsoft.com. 


Employee - Gov 

3 

4 

Employee - Industry 

3 

4 

9/11 

Supply chain collaboration 

HSPD 12 

FIPS 201 - PIV 

Good Federation 

CertiPath/SAFEBioPharma 

SESAR 

NATO 

PIV - Interoperable 

ITU-T/ISO 

24760/29115 

Kantara Initiative 

Identity Assurance Framework 

Aero 

space 

Pharma 

Police 

Energy 

Borders 

Citizen 

Hardly used = weak business 

case 

2 

3 

NSTIC 

 

British Business Federation Authority - 

office@federatedbusiness.org 

Consumer 

2 

Credit cards 

NFC 

1 

2 

OIX 

HACC 

Legal 

3 

1 

Google 

Facebook 1

HIGHLIGHTS - BIG PICTURE 

“BUILDING THE WALL” 

Collaborative Crisis 

Management 

Collaborative Cyber 

SA 

Incident 

management 

Counter-fraud 

EU NISD 

NIS Platform 

Incident 

Notification 

Risk Transfer 

Cyber insurance 

models 

Managed risk 

Risk Assessment 

Risk Treatment 

Risk Mitigation 

Assessment tools 

Approved 

assessors 

International 

Standards – ISO, 

EU 

Cyber controls 

frameworks 

Assurance 

Schemes 

MACCSA is enabling in every area plus development of: 

• New capabilities 

• New data sources and registers 

Federated 

ID & Access 

management 


Red team/ serious 

games

CCSA & INCIDENT MANAGEMENT 

Collaborative Crisis 

Management 

Collaborative Cyber 

SA 

Hubs & Nodes 

Incident 

management 

Counter-fraud 

1. Identify 

2. Protect 

3. Detect 

4. Respond 

5. Recover 

Intel led 

Layered proactive defence 

Rumsfeld-based 

Federated ID & access 

management 

Cyber controls 

frameworks 

Taxonomies & 

Automation 

Red team/ serious 

games 

ROLO 

OrgID registers 

PANCRAS 

Defeat fake docs and 

products 

Others 

Triage & Analysis 

Processes 

Priority Info 

Requirements 


Status info 

Status Info 

Incident info 

Incident Info 

Intel info 

Intel Info 

Threat info 

Threat Info 

Vulnerabilitie 

s 

Vulnerabilitie 

s 

Crisis info 

Crisis info 

My Community 

Normality 

Act to Restore 

Normality 

Monitoring 

Specific 

Mitigations 

Known 

Unknowns 

Key 

Process 

Mitigation Plan 

Non-Specific 

Mitigations 

Incident Management Lifecycle 

Unknown 

Unknowns 

Detection 

Event 

State or 

Object 

Analysis 

Post 

Process 

Analysis 

Triage 

Prioritise 

Push & Pull 

Info 

Need to Know 

& Share 

External Organisations, International Allies and Industry Partner Communities

COMMERCIAL PERSPECTIVE 

1. Aerospace & Defence 

1. Federation and collaboration tools re-used across supply chains and international airports 

2. Re-used in transportation 

2. Pharmaceuticals and health 

1. Drug registration 

2. Drug trials 

3. E-Health 

3. Legal 

4. Education 

5. Finance 

6. Transport 

7. Communities …… 

Benefits so far 

• US DoD PKI federation – 47% reduction in 

hacking 

• Aerospace & defence. Re-use and supply 

chain agility. $3+ Bn/year improvements 

• Second order benefits – compliance, 

offshoring, new markets 

8. Strategic necessity to share cyber information 




INFORMATION SHARING FRAMEWORK V2.4 

Executive Summary 

Introduction 

Background and Context 

• Understanding Cyber 

• Using Cyberspace 

• Protecting Cyberspace 

• Cyber Situational Awareness 

• Benefits and Challenges 

Scope 

Aim 

Information Sharing Model 

• Architecture View 

• Structural View 

• Hub and Node Information Processing 

• Information Sharing Agreements 

• Information Sharing Processes 

• Trustworthiness, Federation and AAA 

• Taxonomies 

• Information Release - Traffic Light Protocol 

• Technological Evolution and Change Management 

Information Management Model 

• Introduction 

• Information Sources 

• Critical Information Requirements 

• Generation and Maintenance of Cyber Situational 

Awareness 

• Incident Management Lifecycle 

• Information Preparation 

• Types of Shared Information 

Next Steps 

Annexes 


ENABLING TECHNOLOGIES AND STANDARDS 

1. Cloud 

1. Interoperability and security issues 

2. Emerging international standards 

3. Trusted cloud. ISO, CSA, FISMA… 

2. PKI Federation for persons. Strong authentication, digital signature, ID-linked 

encryption, secure email, physical access control 

3. Trusted Platform Module 2.0 >700M already deployed!!! 

1. Device authentication and health = “Known Good Devices”. Key for BYOD 

2. Internationally acceptable 

3. TPM Mobile specification 

4. Essential for telco infrastructure protection and interoperability/re-use 

4. Trusted applications – Security Content Automation Protocol (SCAP) 

5. Location data interoperability 

6. Shift into information management, analytics and metadata layers. Enables Big Data. 

7. Network monitoring and detection for Governance Regulation Compliance (GRC) and 

cyber 

8. Security automation 


COLLABORATIVE CAPABILITIES & STANDARDS 

Main components of the MACCSA ISF 

• High Assurance federation – bridges, hubs, registers, IPV ISO 29003, 29115++ 

• Cyber framework tools – Cyber controls frameworks – US SP800-53, AU Top 35, 270XX, 

SANS, COBIT5 

• Assessment and interoperability - CDCAT 

• Taxonomies – IODEF/XMPP/STIX plus CIF, OpenIOC, Veris 

• Transport - RID/TAXII/XMPP 

• Information management and triage models – least mature 

Candidate Data repositories 

• Threat intelligence history 

• Operational incident history for insurance 

• Vulnerability information 

• Other 


ISO/IEC JTC1 SC27 WG5 – IDENTITY MANAGEMENT & PRIVACY 

TECHNOLOGIES 

• ISO 29100 – Privacy framework 

• ISO 29101 – Privacy reference architecture 

• ISO 29115 – Entity authentication assurance framework (contains ID definitions) 

• ISO 29146 – A framework for access management 

• ISO 29191 – Proposal on requirements on relative anonymity with identity escrow 

model for authentication and authorization using group signatures 

• ISO 24760 - A framework for identity management -- Part 1: Terminology and 

concepts 

• ISO 24760 - A Framework for Identity Management -- Part 2: Reference 

architecture and requirements 

• ISO 24760 - A Framework for Identity Management – Part 3: Practice 

• ISO 24761 - Authentication context for biometrics 

• ISO 29003 - Identity Proofing of Persons, Organisations, Devices and Software 

• Plus TCG Trusted Platform Module 1.2 and 2.0 


HOW MUCH DETAIL IS REQUIRED 

• Internet social engineering attacks 

• Widespread attacks using NNTP to distribute 

• Network sniffers 

attack 

• Packet spoofing 

• "Stealth" and other advanced scanning 

techniques 

• Session-hijacking 

• Windows-based remote access trojans (Back 

• Cyber-threats & bullying (not illegal in all 

Orifice) 

jurisdictions) 

• Email propagation of malicious code 

• Automated probes and scans 

• Wide-scale trojan distribution 

• GUI intrusion tools 

• Distributed attack tools 

• Automated widespread attacks 

• Targeting of specific users 

• Widespread, distributed denial-of-service 

attacks 

• Anti-forensic techniques 

• Industrial espionage 

• Wide-scale use of worms 

• Executable code attacks (against browsers) • Sophisticated botnet command and control 

attacks 

• Analysis of vulnerabilities in compiled software 

without source code 

• ……. 

• Widespread attacks on DNS infrastructure 


CYBERSECURITY, RISK MANAGEMENT AND INFORMATION SHARING 

• EU 42 CERTs (2011) 222 CERTs (2013) 

• EU Network Information Security Directive (NISD) and NIS Platform 

• Recommendations for Risk Management and for Information Sharing 

• Surveys of 32 nations, 60+ trade associations, 200+ companies. 

• 23 5 Risk Management Frameworks and one Risk Management Maturity Model 

• 32 Information Sharing Schemes. NL has the most 

• EU Commission requirement for collaborative industry lead into 2015+ 

• US Cybersecurity Framework plus NIST SP800-53 R4 

Existing sharing initiatives 

• EU ACDC – Advanced Cyber Defence Centre 

• NATO. CDXi plans 

• European Defence Agency – Cybersecurity Project 

• NL Taranis 

• UK CISP 

• Other nations… 


SUMMARY 

Communities of Trust. 

• Be part of the herd. Don’t be an outlier – people know you are not smart enough 

• Large organisations that do not share cyber info are 90% ineffective 

• 80% of major cyber incidents have real world impacts 

Requires Common Policies and Collaborative Governance. High Assurance is more mature. 

Privacy is a big issue everywhere, but is Europe going too far and expecting too much 

Strong privacy can increase the threat to the citizen. 

Internal (enterprise) and external (supply chain) security 

The (policy) issues are in the information space: 

• Need to know vs Obligation to share 

• Partial anonymity 

• Information provenance and reliability 

• Retraction without liability 

It’s about shared risk and collaborative cybersecurity 

• Identify, Protect, Detect, Respond, Recover 

• Intel-led, layered proactive defence is the only choice 

• Share and collaborate = collaborative cyber situational awareness 

• Criminals collaborate; so should we – only better

Intelligence Led Security - Patrick Curry

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?