
Slide 1: ETSI ISG ISI (Information Security Indicators) Standardization
ITU-T SG17 Q4 and Q3 / ETSI ISG ISI joint meeting, Geneva, 30 August 2013
Gerard Gaudin (GC), Chairman of ETSI ISG ISI

Slide 2: ISG ISI positioning against the Risk Management and ISMS fields
(Diagram: three overlapping fields, with the event-model-centric vision of ISG ISI at their intersection; Club R2GS is the associated user community.)
- Risk Management (ISO 27005)
- Controls and ISMS (ISO 27002/27001 and Cobit)
- Cyber Defence and SIEM (ISO 27035, and new ISO, ITU-T and ETSI standards to come)
Activities placed at the overlaps, tagged with their PDCA phase:
- Implement key measures (Do): security event detection and processing (workflow)
- Dispatch the 133 ISMS control points into a hierarchy depending on IS components (Plan and Do)
- Deepen some ISMS controls (Do)
- Remedy security gaps (Act): security event detection and processing (workflow); legal validity of evidence (forensics)
- Check continuously the risk evaluation results (Check): checking of the field situation regarding residual risks; security event criticality evaluation
- Check continuously the ISMS relevancy (Check): relevancy of controls assessed through operational indicators (process, human, technical)

Slide 3: Address the scope of the main missing security event detection standardization issues
Five closely linked Work Items:
- ISI Indicators (ISI-001-1 and Guide ISI-001-2): a powerful way to assess the level of enforcement and effectiveness of security controls (plus benchmarking)
- ISI Event Model (ISI-002): a comprehensive security event classification model (taxonomy and representation)
- ISI Maturity (ISI-003): necessary to assess the maturity level of overall SIEM capabilities (technology, people, process) and to weight event detection results. The methodology is complemented by ISI-005, which is a more detailed, case-by-case approach
- ISI Event Detection (ISI-004): demonstrates through examples how to produce indicators and how to detect the related events with various means and methods (with a classification of use cases/symptoms)
- ISI Event Testing (ISI-005): proposes a way to produce security events and to test the effectiveness of existing detection means (for the major types of events)

Slide 4: ISI Work Items positioning
(Diagram; recoverable content:) Security prevention measures -> real events -> residual risk (event-model-centric vision) -> event detection measures -> detected events -> event reaction measures. ISI-005 Event Testing injects fake events (simulation) ahead of detection; ISI-003 Maturity sits alongside the event detection measures; ISI-004 Event Detection covers the detection step; ISI-002 Event Model and ISI-001-1/-2 Indicators describe and count the detected events.

Slide 5: ISI Work Items positioned against other standards
(Diagram of four layers; the standards named on the slide are listed with the layer they are drawn in.)
- 4. Global frameworks. Whole specifications: ISO 27002 or NIST 800-53; ISO 27004 or NIST 800-55; ISO 27035 or NIST 800-61; ITU-T E.409; ITU-T X.1205; IETF RFC 2350. Continuous assurance specifications: US CAG; NIST 800-92; NIST 800-137
- 3. Implementation frameworks: ISO 27003 or NIST 800-37; ISI-003 Maturity
- 2. Specific reference frameworks: Security Table; Protection Profiles; Projects; ISI-001-1 Indicators; ISI-001-2 Indicators (Guide); ISI-002 Event Model
- 1. Base (or technical) frameworks: Security policy; Risk Analysis; Contracts; BCP; Physical security; Reaction Plans; Action Plans; MITRE CAPEC; NIST 800-86 (Forensics); MITRE CEE; Glossary; ISI-004 Event Detection; IETF RFC 4765 / 5070 / 6045 / 5424; NIST 800-126 (SCAP); ISI-005 Event Testing; ITU-T X.152x

Slide 6: ISI-001 specifications (1)
- Switch from a qualitative to a quantitative culture in IT security
- Scope of measurements: external and internal threats (attempts and successes), users' deviant behaviours, non-conformities and/or vulnerabilities (software, configuration, behavioural, general security framework)
- Closely tied to the event classification model (ISI-002)
- Rests on a comprehensive reference framework to define precisely the various security events making up the indicators
- Link with IT CIA risk
- Business-oriented security observatory (based on risk profiles)
- Statistical approach, to be complemented by a major-and-rare-risks approach (to be evaluated in a different way)
- Objective: reconcile the top-down (security governance) and bottom-up (IT ground operations) approaches, and bring these two populations closer together

Slide 7: ISI-001 specifications (2)
State-of-the-art associated figures: the feasibility of the approach was demonstrated by GC on an international sample of companies in four countries.

Indicator | State of the art (per month) | Country deviation | Level of scattering (against state of the art) | Level of detection imprecision | Reference industry base | Perimeter applicable to indicator | Source(s) | Periodicity
IEX_PHI.1 | 33 campaigns (phishing) | Yes (only Fr & Ger) | 100 % (between -70 % and +50 %) | 1 | Standard | By Web site | RSA + complementary figures on typology | Quarterly
IEX_DOS.1 | 0.008 DDoS attack | No | 80 % (between -50 % and +50 %) | 1 | Standard | By Web site | CSI and sample of 15 | Annual + quarterly tuning
IEX_MLW.4 | 1.5 malware successfully installed on servers | No | 80 % (between -35 % and +65 %) | 3 | Standard | By set of 10,000 servers | CSI and sample of 15 | Annual + quarterly tuning
VCF_UAC.3 | 6 non-compliant accounts | No | 50 % (between -60 % and +40 %) | 3 | Standard | By database or application | Sample of 15 | Quarterly

Slide 8: ISI-001 specifications (Companion Guide)
- Positions the proposed operational indicators against the ISO 27002 control areas (A5, A6, A7, A8, A9 ... A15) and the ISO 27006 technical control areas: more assurance for governance and auditors
- Rows of the matrix (extract; the control-area columns of the original grid are not recoverable here):
  - Incident-type indicators IWH_UNA.1, IMF_LOM.1, IDB_UID.1, IDB_RGH.1 to 7, IDB_IDB.1, IDB_MIS.1, IDB_IAC.1, IDB_LOG.1; vulnerability-type indicators VTC_NRG.1, VOR_PRT.1, VBH_PRC.1 to 6, VBH_IAC.1 to 2, VBH_FTR.1 to 3, VBH_WTI.1 to 6, VBH_PSW.1 to 3, VBH_RGH.1, VBH_HUW.1 to 2. Comments: information classification + asset management; focus on deviant internal behaviours
  - Incident-type indicator IEX_PHY.1; vulnerability-type indicator VTC_PHY.1. Comment: marginal topic for a SIEM approach
  - Incident-type indicators IMF_TRF.2 to 3; vulnerability-type indicators VBH_IAC.2, VBH_WTI.2, VBH_WTI.6, VBH_RGH.1, VCF_DIS.1, VCF_TRF.1, VCF_FWR.1, VCF_ARN.1, VCF_UAC.1 to 3, VTC_IDS.1. Comment: focus on configuration vulnerabilities or non-conformities
  - Some control areas carry only the comments "non-continuous checking" or "purely organisational issues"

Slide 9: ISI-002 specifications (1)
- An event model reconciling ease of understanding and comprehensiveness with rigour
- Includes both a taxonomy (with a full dictionary) and a related representation model, ensuring easy use by all stakeholders and enabling the link with indicators
- Deals with incidents, vulnerabilities and non-conformities
- Deals with complex security incidents, described as a combination of smaller elementary ones
- Positioned at the appropriate level of abstraction (what and how) between two other positions: the causes, reasons or motivations behind security events (who), and the IT CIA risks and associated impacts (what kind of consequences)

Slide 10: ISI-002 specifications (2)
Event taxonomy and related representation: use of the taxonomy for incidents in the "Intrusions and external attacks" category (one example among the seven categories).

Dimension | Content | Filled in
Who and/or why | Malicious act / external (many agent choices) | Yes
What | On what kind of asset (various choices); with what CIA consequences | Yes
What | With what kind of impact | Only sometimes, and when it can be determined
How | Which vulnerability(ies) is (are) being exploited | Only sometimes, and when required for clarification
Status | Incident attempt underway or incident success | Only sometimes

Representation model to classify and summarize (major factors for being well received and successful):
- Be simple (elevator test: less than one minute to explain)
- Be structured according to the incidents' causes and/or motivations
- Be immediately understandable by both field IT security experts and top executives
- Be detailed and accurate enough regarding malicious incidents
- And last but not least, clearly separate internal incidents from external incidents

Slide 11: ISI-002 specifications (3)
The diversified uses of the event model: nine uses around the SIEM, kept consistent with each other thanks to the event model's pivotal role.
- Security event testing (detection effectiveness)
- Global and complete framework of reaction plans (ITIL compatible)
- Possible design of a risk database on top of a security event database
- More readable reports (based on a common framework of indicators)
- Easier link between SIEM and risk assessment methods (EBIOS, OCTAVE, CRAMM, ...)
- Support for insurance offerings in cyber-risks
- Comparison with public reference statistical figures (by industry sector)
- Easier link between SIEM and security policy and rules (ISO 27002), plus a link with Continuous Auditing (US CAG)
- Easier analysis of malicious activity and deviant behaviours (link with Counter Competitive Intelligence)

Slide 12: ISI-002 specifications (4)
ISI-001 and ISI-002 against the ISO 27004 standard measurement model: the counting of some events (ISI-001-1) rests on the event classification model (ISI-002).

Slide 13: ISI-003 specifications
- The organisation's SIEM maturity level must be taken into account
- A good security event detection level (still often very low today) requires many conditions: appropriately configured tools, advanced processes (especially for use case creation), seasoned experts
- This overall maturity level can be assessed accurately through 10 KPIs, with a clear correspondence with the 20 US CAG Critical Controls
- With these KPIs, a computation formula lets an organisation assess its detection level for the major kinds of security events (and weight the results of its own measurements)
- This methodology may be complemented by a more dedicated, case-by-case one based on the production of security events and the testing of the effectiveness of existing detection means (for the major types of events)

Slide 14: ISI-004 specifications
- Guidelines to implement effective security incident detection means are missing and required
- Security incident detection levels are still too low when monitoring installed systems (cf. website intrusions, stealthy malware, APTs, ...)
- Among various reasons: detection is focused too exclusively on purely technical issues, and top-down approaches are lacking (reference to challenging statistical figures)
- Need for a comprehensive classification of effective symptoms / hints / artifacts / use cases (or indicators of compromise) to be sought in IT system traces: the only means to spot often stealthy incidents
- Give examples of frequent, poorly detected security events to illustrate some powerful means and methods of detection
- More conceptual than technical specifications

Slide 15: ISI-005 specifications
- Guidelines to stimulate security events are missing and required (same motivations as ISI-003)
- Objective: test detection means and tools during the development and deployment phases (lab and in-operation situations), and measure their effectiveness
- Stimulate the existing detection means with relevant events (see ISI-002): try/perform fake incidents (to be identified/counted); introduce vulnerabilities (to be identified/counted)
- Will rest on existing test patterns (cf. the DIAMONDS project), with provision of catalogs (methods, configurations, scenarios)
- Could also be used for penetration testing
- More technical than conceptual specifications

Slide 16: ISG ISI schedule
- Several standards already available
- ISG ISI started in Autumn 2011; the members of the Unit and of the five Work Items are European and US experts
- ISI Indicators (ISI-001-1 and ISI-001-2 Companion Guide) and ISI Event Model (ISI-002) were published last April
- ISI Maturity (ISI-003) will be available by the end of 2013
- ISI Event Detection (ISI-004) will be available by the end of 2013
- ISI Event Testing (ISI-005) started at the beginning of 2013

Slide 17: Dissemination of ISG ISI specifications
- Specifications already proven (sometimes in use for more than four years)
- Release notably through the network of Club R2GS associations in Europe (France, UK, Germany, ...), which is structured around the ISG ISI specifications: ISI-001-1/-2 and ISI-002 are already in use in more than 50 very large organisations in Europe (including government agencies and Ministries), within the banking industry in France, ...
- Release through ETSI members
- Liaison with ISO JTC1 SC 27 WG4
- Basis for the constitution of large databases in Europe: independent IT security observatories providing dependable state-of-the-art figures for indicators
- This will constitute a genuine step forward for the profession (within two to three years)
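The ISI-001 state-of-the-art slide and the ISI-002 taxonomy slide together describe one measurement loop: classify each detected event along the taxonomy dimensions (who/why, what, how, status), count the events an indicator covers per perimeter unit and per period, and compare the result with a reference figure and its tolerance band. The Python below is an added example of that loop, not ETSI ISG ISI code: the event field names, the rules tying events to indicator codes, the helper names and the sample events are this example's own assumptions; only the reference values and bands (IEX_MLW.4: 1.5 malware successfully installed per 10,000 servers per month, -35 %/+65 %; VCF_UAC.3: 6 non-compliant accounts per database or application, -60 %/+40 %) are taken from the slide.

```python
"""ISI-001-style indicators computed from ISI-002-style classified events.

Added example for this page, not ETSI ISG ISI code. Field names, matching
rules and sample events are assumptions of this example; the reference
values and deviation bands are the ones quoted on the state-of-the-art slide.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    """One event laid out along the ISI-002 dimensions (who/why, what, how, status)."""
    kind: str               # what happened: "malware", "phishing", "ddos", "account-nonconformity"
    agent: Optional[str]    # who and/or why: "external-malicious", "internal-deviant"; None for a non-conformity
    status: str             # "attempt" or "success" for incidents, "present" for vulnerabilities/non-conformities
    asset: str              # on what kind of asset: "server", "workstation", "web-site", "database"
    vuln: Optional[str]     # how: exploited vulnerability, filled only when known
    cia: frozenset          # CIA consequences, subset of {"C", "I", "A"}
    impact: Optional[str]   # filled only when it can be determined
    month: str              # reporting period, "YYYY-MM"


@dataclass(frozen=True)
class Indicator:
    """An ISI-001-style indicator: what to count, per which perimeter unit, and the reference figure."""
    code: str
    matches: Callable[[SecurityEvent], bool]
    state_of_the_art: float        # reference value per perimeter unit per month
    band: Tuple[float, float]      # accepted relative deviation around the reference
    unit_size: float               # size of one perimeter unit (10,000 servers, 1 database, ...)


INDICATORS: Dict[str, Indicator] = {
    # Slide: 1.5 malware successfully installed on servers, per set of 10,000 servers, -35 % / +65 %
    "IEX_MLW.4": Indicator(
        "IEX_MLW.4",
        lambda e: e.kind == "malware" and e.status == "success" and e.asset == "server",
        1.5, (-0.35, 0.65), 10_000),
    # Slide: 6 non-compliant accounts, per database or application, -60 % / +40 %
    "VCF_UAC.3": Indicator(
        "VCF_UAC.3",
        lambda e: e.kind == "account-nonconformity" and e.status == "present",
        6.0, (-0.60, 0.40), 1),
}


def indicator_value(events: Iterable[SecurityEvent], ind: Indicator,
                    perimeter_size: float, month: str) -> float:
    """Count the events the indicator covers for one month, normalised to its perimeter unit."""
    count = sum(1 for e in events if e.month == month and ind.matches(e))
    return count * ind.unit_size / perimeter_size


def assess(value: float, ind: Indicator) -> Tuple[float, str]:
    """Relative deviation from the state of the art, and whether it lies inside the slide's band."""
    deviation = value / ind.state_of_the_art - 1.0
    low, high = ind.band
    if deviation < low:
        return deviation, "below band"
    if deviation > high:
        return deviation, "above band"
    return deviation, "within band"


def report(events: Iterable[SecurityEvent], perimeters: Dict[str, float],
           month: str) -> Dict[str, Tuple[float, float, str]]:
    """Value, deviation and verdict for every indicator whose perimeter size is known."""
    events = list(events)
    out = {}
    for code, size in perimeters.items():
        ind = INDICATORS[code]
        value = indicator_value(events, ind, size, month)
        deviation, verdict = assess(value, ind)
        out[code] = (value, deviation, verdict)
    return out


# Constructed sample (assumption): 20,000 monitored servers and 2 databases.
def _ev(kind, agent, status, asset, month, vuln=None, cia=frozenset(), impact=None):
    return SecurityEvent(kind, agent, status, asset, vuln, cia, impact, month)

SAMPLE_EVENTS = [
    # July: three successful installs on servers count; the attempt and the workstation do not
    _ev("malware", "external-malicious", "success", "server", "2013-07", cia=frozenset("CI")),
    _ev("malware", "external-malicious", "success", "server", "2013-07", vuln="unpatched CMS"),
    _ev("malware", "external-malicious", "success", "server", "2013-07"),
    _ev("malware", "external-malicious", "attempt", "server", "2013-07"),
    _ev("malware", "external-malicious", "success", "workstation", "2013-07"),
    _ev("phishing", "external-malicious", "attempt", "web-site", "2013-07"),
    # August: five successful installs, which pushes the indicator past the +65 % edge of the band
    *[_ev("malware", "external-malicious", "success", "server", "2013-08") for _ in range(5)],
    # Ten non-compliant accounts across the two databases, present in both months
    *[_ev("account-nonconformity", None, "present", "database", m)
      for m in ("2013-07", "2013-08") for _ in range(10)],
]
PERIMETERS = {"IEX_MLW.4": 20_000, "VCF_UAC.3": 2}

if __name__ == "__main__":
    for month in ("2013-07", "2013-08"):
        for code, (value, dev, verdict) in report(SAMPLE_EVENTS, PERIMETERS, month).items():
            print(f"{month} {code}: {value:.2f} per unit ({dev:+.0%} vs state of the art) -> {verdict}")
```

Two points the slide's columns make and the code keeps: a raw count means nothing until it is normalised to the perimeter the indicator is defined over (the same three installs are 1.5 per 10,000 servers on a 20,000-server estate and 3.0 on a 10,000-server one), and an attempt, a success and a non-conformity are different status values that must not be folded into one count. What the block deliberately leaves out is the ISI-003 weighting of a measured value by the organisation's detection maturity: the deck says such a formula exists but does not state it, so nothing here guesses at it.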
