
Sharing and collecting threat and
impact information in practice.
ENISA Workshop, February, Brussels
NCSC-NL [email protected]
Topics to discuss
1. The big picture
2. The need for speed
3. What to improve
4. Lessons learned
5. Outlook
1 The Big Picture
• NCSC-NL focuses on Dutch government and critical infrastructure
• Information processing with Taranis and a team of analysts, experts and specialists
• Sharing information objects like trends and vulnerabilities in numerous products
• New project focusing on more rapidly sharing and collecting information on threats and impacts using collaborative power
2 The need for speed
• Dorifel case 2012
• Sharing information about an upcoming threat using email, website and phone.
• Organizations process information manually, if at all
• Reporting to the NCSC is done sparsely, if at all, using different channels and formats.
• Resulting in limited situational awareness
3 What to improve
• Share information (and updates) at much higher speed
• Facilitate feedback in a standardized way
• Improve shared situational awareness
• Strengthen involvement of critical infrastructure partners
• Be transparent and guarantee privacy requirements
4 Lessons learned
A. Legal
B. Policy
C. Communication
D. Collaboration
E. Privacy control
F. Infrastructure
A. Legal
• You are likely to process data such as IP addresses
• Before you continue, check your legal base
• Sharing information and self-built appliances may interfere with fair competition in the marketplace
B. Policy
• Can you relate your activities to a National Cyber Security Strategy?
• New policies will be developed: stay on top
• Use a steering group when working with multiple partners and/or in the political arena
C. Communication
• Involve special interest groups
• Keep it simple, stupid
• Threat and impact information is sensitive, seldom secret
D. Collaboration
Because:
• We don't own the IT infrastructure
• No mandatory cooperation required
• Innovation power
Approach:
• Find common ground and know all interests
• Use the expertise available in the group
• Stick to your designated role in the play
• Sit down, keep calm, it takes time to build trust
Partners:
• Receiving: critical infrastructure and government organisations
• Sharing: NCSC-NL, ISS, R&D centers, DFI, SOCs, CERTs
E. Privacy controls
Sensor:
• Raw data only locally
• No IoCs on personally identifiable information
• IP addresses hashed and salted
• Retention time <30 days
• Hits after 30 minute delay
• White box solution
• No remote management
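As an added illustration of the sensor controls listed above (example code, not the sensor software of NCSC-NL or the National Detection Network), a small Python model of what such a sensor lets leave the box: raw hits stay local, IP addresses are replaced by a salted hash, records older than 30 days are purged, and a hit becomes exportable only after a 30 minute delay. The choice of HMAC-SHA256 with a secret per-sensor salt, the record fields and the sample hits are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)     # slide: retention time < 30 days
HIT_DELAY = timedelta(minutes=30)  # slide: hits released only after a 30 minute delay
SALT = b"constructed-per-sensor-secret"  # constructed value; generate randomly per sensor
NOW = datetime(2016, 2, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the worked example

@dataclass(frozen=True)
class Hit:
    observed_at: datetime
    src_ip: str   # raw value: stays on the sensor, never exported
    ioc_id: str   # reference to the matched indicator, not the payload

def pseudonymise_ip(ip: str, salt: bytes) -> str:
    # Keyed hash (HMAC-SHA256, an assumption of this example) with a secret per-sensor
    # salt: partners can correlate repeated hits without learning the address.
    return hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()

def purge_expired(hits, now):
    # Drop raw hits older than the retention window.
    return [h for h in hits if now - h.observed_at < RETENTION]

def releasable(hits, now):
    # A hit may leave the sensor only once the delay has elapsed.
    return [h for h in hits if now - h.observed_at >= HIT_DELAY]

def export_for_sharing(hits, now, salt):
    # What actually leaves the sensor: pseudonymised source, IoC id, minute-granular time.
    return [
        {"src": pseudonymise_ip(h.src_ip, salt),
         "ioc": h.ioc_id,
         "seen": h.observed_at.replace(second=0, microsecond=0).isoformat()}
        for h in releasable(purge_expired(hits, now), now)
    ]

# Constructed sample hits (RFC 5737 documentation addresses), not real observations.
SAMPLE_HITS = [
    Hit(NOW - timedelta(minutes=5), "192.0.2.10", "ioc-0001"),  # too fresh: held back
    Hit(NOW - timedelta(hours=2), "192.0.2.10", "ioc-0001"),    # released, pseudonymised
    Hit(NOW - timedelta(days=31), "198.51.100.7", "ioc-0002"),  # past retention: purged
]

def demo():
    # Returns the single record that passes both the retention and the delay control.
    return export_for_sharing(SAMPLE_HITS, NOW, SALT)
```

Because the IPv4 address space is small, the salt has to stay secret on the sensor: with a known salt the pseudonyms could be reversed by enumerating addresses, so salting alone does not protect the data.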
Process and organization:
• Describe the working process
• Perform a privacy impact assessment
• Have your processes externally audited
• Keep checking compliance with legislation and policies
• Only screened personnel handle data
F. Infrastructure
• Low volume: not-so-public IoCs, relevant to our constituency, high/high
• Distributed client/server framework for government (network detection system)
• MISP as distribution platform for critical infrastructure partners
To conclude
• Privacy controls are an enabler for government collaboration
• Private organizations need a solid business case
• Make your own sensor only when privacy controls cannot be guaranteed
• Context data is badly needed besides solid threat observables
• Major maturity differences between organizations
• Key is your personal relationship with stakeholders
5 Outlook
• Improving technical infrastructure
• Strengthen collaboration with MSPs
• Increase the number of partners and participants
More information
More Information about the NCSC
https://www.ncsc.nl/english
Taranis open source workflow application
www.ncsc.nl/english/services/incident-response/monitoring/taranis.html
The project
http://link.springer.com/article/10.1007%2Fs00502-015-0289-2
www.rijksoverheid.nl/documenten-en-publicaties/publicaties/2014/03/17/nationaal-detectie-netwerk.html (Dutch)
Malware information sharing platform
https://github.com/misp/
http://www.circl.lu/services/misp-malware-information-sharing-platform/
IDMEF
http://www.ietf.org/rfc/rfc4765.txt
STIX
https://stix.mitre.org/
Learn more about the Dutch way of collaborative collecting and sharing? Contact me: [email protected]