A cybersecurity situational awareness and information sharing solution for local public administrations based on advanced big data analysis

CS-AWARE aimed to increase the automation of cybersecurity awareness approaches, by collecting cybersecurity relevant information from sources both inside and outside of monitored local public administrations (LPA) systems, performing advanced big data analysis to set this information in context for detecting and classifying threats and to detect relevant mitigation or prevention strategies.

CS-AWARE aimed to advance the function of a classical decision support system by enabling supervised system self-healing in cases where clear mitigation or prevention strategies for a specific threat could be detected. One of the key aspects of the European cybersecurity strategy is a cooperative and collaborative approach towards cybersecurity. CS-AWARE was built around this concept and relied on cybersecurity information being shared by relevant authorities in order to enhance awareness capabilities. At the same time, CS-AWARE enabled system operators to share incidents with relevant authorities to help protect the larger community from similar incidents. CS-AWARE has shown promising results and received acceptance by both pilot users in Italy and in Greece. An extensive trial period towards the end of the project helped us to assess the validity of the approach in day-to-day LPA operations.

At the technical level, the project aimed to improve cybersecurity by providing an online monitoring and awareness system that is able to detect security incidents by monitoring the complex organizational systems, and set it in context with information collected from external sources like cybersecurity information sharing communities or network and information security (NIS) competent authorities, as specified by the European cybersecurity strategy. This allows to classify suspicious events and incidents to concrete threats and attacks, as well as applicable strategies for prevention or mitigation. Furthermore, CS-AWARE is designed to interact with cybersecurity information sharing communities to share information about newly discovered incidents that could not be classified, in order to allow the community to analyze those events and potentially help others affected by the same incident.

We list below the overall objectives of the project:
1. Provide a cybersecurity situational awareness solution for local public administrations in line with the current and upcoming legal cybersecurity framework in the European Union and its member states.
2. Advance the automation of cyber incident detection, classification and visualisation to provide situational awareness. This includes socio-technical system analysis, data collection, data analysis and decision making as well as the visualisation of the findings.
3. Include a cybersecurity information exchange framework that embraces the collaboration and cooperation initiatives of European cybersecurity strategies. This includes the utilisation of cybersecurity data for threat detection as well as sharing of newly discovered cyber incident data.
4. Illustrate that cyber situational awareness is a key technology in cybersecurity by building advanced features like system self-healing on top of the situational awareness capabilities
5. Evaluate and validate the user needs through end-user involvement and pilot testing.

Work that took place within the project lifetime has successfully concluded to the following main affordances of the CS-Aware technology and the solutions it helps build:
● It provides automatic threat detection and identification, and additional information about the threat from reliable internet sources;
● It provides contextualised information by visualising the threat in the system network components and business processes;
● If available, it provides suggestions for self-healing, that can be applied automatically (when authorisation is granted by the end user);
● It allows automatic sharing of cybersecurity information with cybersecurity authorities, which is a requirement in European legislation like the NIS directive or the GDPR, and is currently lacking technology support.

More specifically, the business challenges we successfully coped with and address as part of the project are:
● Address and make progress on the complexity of cybersecurity management, as part not only of the particular organisation’s perspective but by allowing access to knowledge resources of other similar organisations (in our case: LPAs);
● Provide a superb user experience in terms of usability in the form of a user-friendly dashboard that allows users to configure fine-grained cross-platform customization and configuration settings and preferences;
● Filter information based on user’s preferences by sending back only what the requester has access to after a particular configuration has been set up;
● Extend the multilingual semantics support to include additional languages. This shall provide users clear explanations by means of making use of a multilingual semantics support component, helping eliminate the language barrier, and thus enabling LPA administrators, managers and local users to understand better the outputs of the CS-Aware system (both textual and graphical). This is extremely important when considering that our aim is to offer a single-point of service and support to help us build and grow our European market as a whole;
● Audit who has accessed to which specific information assets and infrastructures and which cybersecurity preferences were applied;
● Validate the CS-Aware technology’s cross-platform support in real-world scenarios with extensive participation of LPAs and their IT solutions and service providers.

Two aspects that definitely bring us ahead of existing competition are:
(a) The intelligent and fully automated part of the CS-AWARE project related to the data collection and storage and the analysis and decision making components. Based on the system and dependency analysis results, the base measurements from internal and external sources are observed and when relevant data points are collected, pre-processed and stored.
(b) In order to deal with the expected language barriers and usability concerns in the context of European local public administrations, multi-lingual semantics support has been included as part of the project’s solution. Where relevant, security related information coming from within the end user organizations, or information from external information sources, is automatically translated to benefit from the information of different cultural contexts.
Last but not least, regarding the technical work, the STIX 2.0 (Structured Threat Information Expression) language has been adopted as core language for all inter-component communication as well as data analysis for CS-AWARE platform. Since certain components or parts of them had already been developed in Java, a suitable library was developed for facilitating the processing of STIX data by them and as a synergetic result. The developed library was made publicly available as an open-source project, so that the cyber threats analysis community can benefit from its use. We consider this as a major outcome of the project that we aim to further improve and try increase its visibility and the potential impact it may have.