Proactive Risk Management through Improved Cyber Situational Awareness

It seems nowadays that every time we read the paper or scan a news site that some new computer security incident (“cybercrime”) has taken place. No one is safe: individuals, small and large businesses and even governments are targeted. Computer emergency response teams (CERTs) monitor computer networks to attempt to detect these attacks due to the huge volume of alerts. They need ways to distinguish critical security alerts that pose the greatest risk to their business. This obliges them increasingly to look outwards to other organisations as well as inwards – i.e. to their own organisation - to acquire and process the threat intelligence (TI) needed to develop such a proactive detection capability

The PROTECTIVE project aims to provide CERTs with the tools required to improve their level of cyber situational awareness (CSA) . It does this by providing a framework to categorise and rank critical alerts based on the potential damage the attack can inflict on the organisations business. This framework gathers and integrates relevant information including computers criticality and vulnerability exposure to enable automated event prioritisation. High impact alerts that target or affect important computers have a higher priority than other events. PROTECTIVE improves proactive detection through enhanced security monitoring based on the use of Big-Data analytics for the collection, correlation, prioritisation and visualisation of data from multiple sources. It promotes sharing of threat intelligence between organisations that operate in the same sector and who often have similar missions - see Figure 1- PROTECTIVE ecosystem

Figure 1: PROTECTIVE Ecosystem

PROTECTIVE has applied these enhancements to both public CERTs and Small to Medium Enterprise (SME) communities. The PROTECTIVE system was targeted in the first instance at the National Research and Educational Network (NREN) CERT community during the project for evaluation and validation.. Alert correlation, automated prioritisation and visualisation have been identified as essential needs to address for NREN CSIRTS -- all of these are within the scope of PROTECTIVE. PROTECTIVE developed a CSA platform that integrated existing toolsets with bespoke developed components to provide comprehensive tool support for the above identified needs.

In order to verify the effectiveness of the PROTECTIVE approach and pipeline the project conducted two experimental evaluation pilots during the course of the project involving both NREN members form within the project and outside the project as well as the SME community. The evaluation focused primarily on the NREN CERT community. This was motivated in large part by demand from the public domain including CERT communities such as national and NREN CERTSs. Our domain market assessment indicated that threat intelligence sharing is a more feasible project output to explore for the SME community. The SME pilot therefore considered which aspects of threat intelligence were likely to be most useful for that community. Specific evaluation criteria were defined for each pilot, with help from stakeholders, to assess the effectiveness of the deployment

The project developed Security Situational Awareness Manager (SSAM). This is based on the use of the already existing open source security management platform Mentat (https://mentat.cesnet.cz//en/index(s’ouvre dans une nouvelle fenêtre)) and Warden (https://warden.cesnet.cz/en/index(s’ouvre dans une nouvelle fenêtre)) from consortium partner CESNET. These two systems are extended with additional software components for system and sensor statistical analysis and for assessing the importance of computer assets to the mission of the organisation. These systems were integrated into the open Mentat/Warden toolset to provide a seamless security management platform for risk monitoring and threat intelligence sharing.
Platform security was developed using the Keycloak OAUTH2 security system. The systems is described in Figure 2:

Figure 2:PROTECTIVE Node Architecture

The main features developed included:

• A conceptual model for NREN CSIRT workflows
• A security event flow processing platform
• Alert statistical analysis and visualisation
• An asset-based risk assessment function to determine asset criticality
• Meta alert correlation, prioritisation and visualisation
• Privacy compliance checking for security alert sharing
• Cyber threat intelligence sharing platform

The project conducted two pilots during the lifetime of the project to validate the platform technology as well as the benefits of threat intelligence sharing to the communities. The second pilot involved a number of partners from outside the project including NRENs, enterprise partners and critical infrastructure operators. The results of the pilot showed that the PROTECTIVE platform provided many useful features and benefits for threat intelligence sharing while at the same time it is clear that there are still many organisational reservations about sharing threat intelligence that remain to be over come.

The outputs form the project have been open-sourced. A number of partners have reused part of the PROTECTIVE software for further research and product development.
The project team also published 13 academic articles. Team members attended a total of 41 dissemination events and and organised two workshops in collaboration with C3ISP and SHIELD.

PROTECTIVE has developed and open-sourced a Security Situational Awareness Manager (SSAM). This SSAM significantly extends the functionality of a traditional SIEM (Security Incident and Event Manager) through the inclusion of the PROTECTIVE Context Awareness function that gives operators a very clear view of the relative priorities of security alerts and in this way enables fast and efficient alert handling. PROTECTIVE also integrates functions for privacy compliance checking to ensure that confidential information is to accidentally leaked via shared alerts. This continuously checks the outgoing alert stream to ensure shared alerts are compliant with sharing policy.

PROTECTIVE us fully open-sourced and provides a ready to go SSAM for use by any organisation seeking to improve its security and has potential to project impact well beyond the project partners scope. The PROTECTIVE pilots validated the PROTECTIVE but also showed there are still legal and privacy concerns to be overcome when sharing threat intelligence.