Periodic Reporting for period 2 - PROTECTIVE (Proactive Risk Management through Improved Cyber Situational Awareness)
Reporting period: 2017-09-01 to 2019-08-31
The PROTECTIVE project aims to provide CERTs with the tools required to improve their level of cyber situational awareness (CSA). It does this by providing a framework to categorise and rank critical alerts based on the potential damage the attack can inflict on the organisation's business. This framework gathers and integrates relevant information, including computer criticality and vulnerability exposure, to enable automated event prioritisation. High-impact alerts that target or affect important computers have a higher priority than other events. PROTECTIVE improves proactive detection through enhanced security monitoring based on the use of Big-Data analytics for the collection, correlation, prioritisation and visualisation of data from multiple sources. It promotes sharing of threat intelligence between organisations that operate in the same sector and often have similar missions (see Figure 1: PROTECTIVE ecosystem).
Figure 1: PROTECTIVE Ecosystem
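The prioritisation idea described above (detector severity weighted by the targeted asset's criticality and by whether the host is actually exposed to the exploited weakness) can be illustrated with a small scoring routine. The following is an added example, not code from the PROTECTIVE project; the scoring weights, the asset inventory, the alerts and the CVE identifier are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed example data and scoring scheme; not the PROTECTIVE project's own code.


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: int              # 1 (low) .. 5 (mission critical), from the asset inventory
    exposed_cves: FrozenSet[str]  # vulnerabilities known to be present on the host


@dataclass(frozen=True)
class Alert:
    alert_id: str
    target: str                          # hostname the suspicious activity is aimed at
    severity: int                        # 1..5 as assigned by the detector
    exploits_cve: Optional[str] = None   # CVE the activity tries to exploit, if the sensor knows it


# Hosts missing from the inventory default to low criticality rather than being dropped.
UNKNOWN_ASSET = Asset("<unknown>", 1, frozenset())


def exposure_factor(alert: Alert, asset: Asset) -> float:
    """Weight by whether the targeted host is actually exposed to the exploited weakness."""
    if alert.exploits_cve is None:
        return 1.0   # no vulnerability context: neither boost nor discount
    if alert.exploits_cve in asset.exposed_cves:
        return 2.0   # host is vulnerable: the attack can succeed
    return 0.5       # host is not vulnerable: likely an ineffective attempt


def priority_score(alert: Alert, inventory: Dict[str, Asset]) -> float:
    """severity x asset criticality x exposure, so impact on important hosts dominates."""
    asset = inventory.get(alert.target, UNKNOWN_ASSET)
    return alert.severity * asset.criticality * exposure_factor(alert, asset)


def prioritise(alerts: List[Alert], inventory: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Return (alert_id, score) pairs, highest priority first."""
    scored = [(a.alert_id, priority_score(a, inventory)) for a in alerts]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed inventory and alerts; "CVE-EXAMPLE-0001" is a placeholder, not a real identifier.
INVENTORY = {
    "db01": Asset("db01", 5, frozenset({"CVE-EXAMPLE-0001"})),
    "kiosk07": Asset("kiosk07", 1, frozenset()),
}
ALERTS = [
    Alert("A1", "db01", 3, "CVE-EXAMPLE-0001"),      # medium severity, critical and exposed host
    Alert("A2", "kiosk07", 5, "CVE-EXAMPLE-0001"),   # high severity, unimportant host not exposed
    Alert("A3", "db01", 2),                          # low severity, critical host, no CVE context
    Alert("A4", "build-host-99", 4),                 # host absent from inventory
]

if __name__ == "__main__":
    for alert_id, score in prioritise(ALERTS, INVENTORY):
        print(f"{alert_id}: {score}")
```

Running the block ranks A1 first and A2 last: a detector-severity-5 event against a kiosk that does not carry the targeted vulnerability falls below a severity-2 event on the database host, which is the ordering the asset-based approach is meant to produce. The multiplicative scheme and the 2.0/0.5 exposure weights are illustrative choices; a real deployment would calibrate them against the organisation's own asset inventory and vulnerability data.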
PROTECTIVE has applied these enhancements to both public CERTs and Small to Medium Enterprise (SME) communities. The PROTECTIVE system was targeted in the first instance at the National Research and Educational Network (NREN) CERT community during the project for evaluation and validation. Alert correlation, automated prioritisation and visualisation have been identified as essential needs to address for NREN CSIRTs, and all of these are within the scope of PROTECTIVE. PROTECTIVE developed a CSA platform that integrated existing toolsets with bespoke components to provide comprehensive tool support for the needs identified above.
In order to verify the effectiveness of the PROTECTIVE approach and pipeline, the project conducted two experimental evaluation pilots during the course of the project, involving NREN members from within and outside the project as well as the SME community. The evaluation focused primarily on the NREN CERT community. This was motivated in large part by demand from the public domain, including CERT communities such as national and NREN CERTs. Our domain market assessment indicated that threat intelligence sharing is a more feasible project output to explore for the SME community. The SME pilot therefore considered which aspects of threat intelligence were likely to be most useful for that community. Specific evaluation criteria were defined for each pilot, with help from stakeholders, to assess the effectiveness of the deployment.
Platform security was developed using the Keycloak OAuth2 security system. The system is described in Figure 2:
Figure 2: PROTECTIVE Node Architecture
The main features developed included:
• A conceptual model for NREN CSIRT workflows
• A security event flow processing platform
• Alert statistical analysis and visualisation
• An asset-based risk assessment function to determine asset criticality
• Meta alert correlation, prioritisation and visualisation
• Privacy compliance checking for security alert sharing
• Cyber threat intelligence sharing platform
The project conducted two pilots during its lifetime to validate the platform technology as well as the benefits of threat intelligence sharing to the communities. The second pilot involved a number of partners from outside the project, including NRENs, enterprise partners and critical infrastructure operators. The results of the pilot showed that the PROTECTIVE platform provided many useful features and benefits for threat intelligence sharing, while at the same time it is clear that many organisational reservations about sharing threat intelligence remain to be overcome.
The outputs from the project have been open-sourced. A number of partners have reused part of the PROTECTIVE software for further research and product development.
The project team also published 13 academic articles. Team members attended a total of 41 dissemination events and organised two workshops in collaboration with C3ISP and SHIELD.
PROTECTIVE is fully open-sourced and provides a ready-to-go SSAM for use by any organisation seeking to improve its security, and it has the potential to deliver impact well beyond the scope of the project partners. The PROTECTIVE pilots validated the PROTECTIVE platform but also showed that there are still legal and privacy concerns to be overcome when sharing threat intelligence.