The U.S. Cybersecurity Information Sharing Act of 2015: Joel Benge Risk Evangelist Emergent Network Defense

Transcription

1 The U.S. Cybersecurity Information Sharing Act of 2015: Joel Benge Risk Evangelist Emergent Network Defense

2 Points to cover Overview History, Provisions, Challenges Implementation Application to reality Momentum Where do we go from here?

3 Joel Benge Who is this guy? Entertainment, Communications, & Education Network Operations & Incident Response Homeland Security Emergent Network Defense 2015-Today Storytelling and Communications Digital and Impact Perspective Cybersecurity Awareness and Reporting Executive Communications & Risk Quantification About Emergent: Digital Risk Management CEO, Founder Dr. Earl Crane, National Security Staff, DHS, CMU

4 HISTORY Overview Major Features and Provisions Incentives Personal Data Protection Cyber Threat Indicators and Defensive Measures Monitor and Defend U.S. Cybersecurity Information Sharing Act of 2015 Voluntary sharing by procedures provides companies with: Antitrust Exemption, Non-Waiver of Privilege, Proprietary Information protections, FOIA Exemption, No Regulation or Enforcement Actions due to information shared. Remove information not directly related to a cybersecurity threat that the company knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual. information necessary to describe or identify a cybersecurity threat or vulnerability. & detects, prevents, or mitigates a known or suspected cyber security threat or vulnerability. A company is authorized to monitor and operate defensive measures on its own information system or, with written authorization, another party s system for cybersecurity purposes.

5 HISTORY With whom is data shared? Department of Defense Office of the Director of National Intelligence Department of Treasury Department of Commerce Homeland Security Department of Justice Department of Energy Appropriate Federal Agencies

6 IMPLEMENT DHS AIS Personal Information Scrub Companies Submit CTI or DM data to DHS via AIS Specific fields tagged and held for human review by DHS Only CTI or DM relevant data passed to partners Companies are required to remove any information not directly related to a cybersecurity threat that they know at the time of sharing to be personal information of a specific individual or information that identifies a specific individual. Certain fields are scanned for pattern matching and held for human review while the rest of the indicator is sent to appropriate federal agencies. If the fields in question are found to not hold personal information or are pertinent to the indicator, they are released to the agencies after redaction. If the field is not relevant to the threat, the field is deleted. IP Address: Account: Jason Bourne Threat: APT28 IOC: ABCDEFG Content: Hi, Jason. Your package has been delivered! IP Address: Account: XXXXXXXXXXX Threat: APT28 IOC: ABCDEFG Content: Hi, Jason. Your package has been delivered! IP Address: Account: XXXXXXXXXXX Threat: APT28 IOC: ABCDEFG Content: Hi, XXXXXX. Your package has been delivered!

7 DHS Implementation IMPLEMENT Companies may share CTI and DM with the US-CERT via and web form. Or use the DHS Automated Information Sharing (AIS) Network

8 Adoption and Momentum MOMENTUM As of March 2017 DHS reports 201 non-federal entities on AIS As of September 2016 DHS reports 40 Private & 10 Federal Agencies on AIS (1 contributing) April 2017 Adoption expected to grow as more industries mature February/March 2016 DHS releases guidance and launches AIS

9 MOMENTUM Reaction so far These indicators of compromise are like breadcrumbs. It is only when you aggregate them in the context that you see what the meal is. - Intel not as effective as it could be, but based on where we were five years ago, they certainly have made a lot more progress in a short amount of time - HITRUST Alliance the private and public sectors [are] empowered to safely share more information about cyber threats and work together to jointly defend against attacks. - Rapid7 Too much data to be useful: Data management, scale, and algorithmic strengths may give Facebook an advantage in threat intelligence sharing. - (Opinion) Network World

10 So, is it working? MOMENTUM Difficult to say The level of detail is too discrete/tactical without context. CTIs have short shelf lives. Risk of personal data leakage Data is Local Risk is Global.

11 So, what would work? An open, abstracted, and modular way to talk about, measure, and share risk.

12 Share Changes in Risk Posture, Not the Data Example Scenario: A malicious actor takes advantage of a vulnerability in phishing defense capability that results in data leak of operational data that has a HIGH Service Delivery Impact. Actors Vulnerabilities Targets Consequences Impacts Untrusted External Phishing Operational Data Leak Reputation & Legal UE Ph OpD Conf Rep Metrics Twitter Chatter Risky Day calendar Blacklisted Traffic spam filters calendar clickiness Metrics Increased DLP alerts Asset exposure alerts no data self-reporting Project Impact Compare to historical incidents of this type or calibrated estimation. Legal Assign to Risk categories based on business unit and type of consequence. Multiple impacts possible. (normalized metrics)

13 Indicator Sharing Decontextualized facts and numbers

14 A System for Shared Risk Using Common Scenario Ontology Example Scenario: A malicious actor takes advantage of a vulnerability in phishing defense capability that results in data leak of operational data that has a HIGH Service Delivery Impact. UE Ph OpD Conf UE Ph OpD Conf? UE Ph OpD Conf

15 Sharing Nervousness in the Risk Space Actors Vulnerabilities Targets Consequences Impacts

16 Emergence and Swarm Big impact from small changes. Finding context in uncertainty. Finding Context in Uncertainty! Actor Vuln Target Nervous Data

17 SEE AROUND THE CORNER Thank You! Joel Benge Risk Evangelist Emergent Network Defense

18 Finding Risk in the Data Emergent Algorithms: to measure small changes for big impacts Swarming Artificial Intelligence: using biomimicry to find high-risk scenarios