ETSI ISG ISI Information Security Indicators

Transcription

1 ETSI ISG ISI Information Security Indicators Updates on ISI standardization results Paolo De Lutiis (Telecom Italia Information Technology) 9th ETSI Security Workshop ETSI All rights reserved

2 Cyber Defense and SIEM standardization ISI focus is Security Assurance, Cyber Defense, SIEM (Security Information Event Detection) Make security measurable, by defining a set of security indicators, to be used not only by security experts, but also by the senior management Overcome real world difficulties on this matter focusing on standard implementation: easy to use standards ISG ISI started in late 2011, by using the Fench club R2GS results as the starting point 2 ETSI All rights reserved

3 Cyber Defense and SIEM standardization ISI defined a complete framework, strongly focused on the DETECTION part of cybersecurity. Find out the half way between security governance and Security Operations: Gain support from IT and security managers and decision makers Experience is the key ISG ISI established many relationships and collaborations, e.g.: ISO SC27 WG4 Security control & Services (Operational Security) ITU-T SG17 Q4 Cyber Security ETSI TC E2NA-NTECH (Security) 3 ETSI All rights reserved

4 ISI: the focus is on detection measures Event reaction measures Fake events (Simulation) Security prevention measures Real events Residual risk (event modelcentric vision) Event detection measures Detected events 4 ETSI All rights reserved

5 A new framework to Address the full scope of main missing security event detection issues ISI Indicators (ISI and Guide ISI-001-2) A powerful way to assess the performance of the security operations and to benchmark security posture of Organizations About 100 indicators oriented to the comprehension of the events How to select your indicators? Use your ISMS (ISO 27000) ISI Event Model (ISI-002) A complete security event classification model covering incidents, vulnerability and non-conformities Full taxonomy to describe completely IT security events Bases for security analysis methodologies (e.g. LS with ETSI NTECH) ISI Maturity (ISI-003) Assessing the maturity level regarding of all event detection mechanisms 8 indicators based on the SANS CAG: Consensus Audit Guideline Select your KPSI on the bases of the selected ISI-001 indicators. 5 ETSI All rights reserved

6 A new framework to Address the full scope of main missing security event detection issues ISI Event Detection (ISI-004) Describes how to produce indicators and how to detect the related events Examples of detection methods: use cases/symptoms to investigate ISI Event Testing (ISI-005) How to produce fake security events Testing of the effectiveness of existing detection means Improvement of detection rates 6 ETSI All rights reserved

7 ISI firsts results and work plan for 2014 ISI Indicators (ISI and ISI-001-2), ISI Event Model (ISI- 002) and ISI Event Detection (ISI-004) have been already published as Group Standards. ISI maturity (ISI-003) has been finalized and it will be published during 1Q2014 ISI Event Testing (ISI-005) has been already started in 2013 and it will developed during 2014 During 2014 maintenance WIs will opened to collect and integrate into the framework the comments received so far 7 ETSI All rights reserved

8 Conclusion ISI deliverables are based on real-field experience: the French club R2GS ISI follows ETSI standardization process: stable and robust deliverables to fulfil the EU needs: Europe is the first target for ISI specs The ISI framework is now stable and almost fully available Many interests and proposals for collaboration collected around Security Indicators topic within the standardization world: ISO, ITU-T, ETSI, etc. The work will continue in 2014 to complete the framework and start its maintenance 8 ETSI All rights reserved

9 Contact Details: Paolo De Lutiis Telecom Italia Information Technology Rapporteur of WI ISI-003 Maturity Thank you! 9 ETSI All rights reserved