Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment


Cybersecurity-Related Information Sharing Guidelines
Draft Document, Request For Comment
SWG G 3 2016 v0.2
ISAO Standards Organization, Standards Working Group 3: Information Sharing
Kent Landfield, Chair
Michael Darling, Co-Chair
May 2, 2016

Copyright 2016, ISAO SO (Information Sharing and Analysis Organization Standards Organization). Any part of this publication may be distributed, posted, reproduced, stored in a retrieval system, or transmitted in any form or by any means without the prior written permission of the copyright owner.

TABLE OF CONTENTS

Executive Summary
Note to Reviewers
Objectives
Supporting Cybersecurity Risk and Incident Management
ISAO Information Sharing Value Proposition and Policies
Categories of Information an ISAO May Want to Share
Collection, Dissemination and Analysis Functional Decomposition
Note to Reviewers
Threat Landscape Awareness
Response Measures
Coordination
Trend and Pattern Analysis
Applying Shared Information
Architectural Considerations
Generalized Architectures
Mechanisms
Collaboration Among ISAOs and Advanced Capabilities

Figures
Figure 1. Context for Information Sharing
Figure 2. Levels of Information Related to Activity Framework
Figure 3. Applying Information to Cybersecurity Risks

Tables
Table 1. Functional Components and Information Sharing Capabilities

EXECUTIVE SUMMARY

Standards Working Group (SWG) 3, Information Sharing, produced this draft for discussion purposes at the upcoming workshops and to further encourage private-sector input before the ISAO SO publishes a complete preliminary draft for public comment. SWG3 is currently focusing on cyber threat information sharing. In the future it is our intent to expand this effort to support cyber-physical threat information as well.

In the process of performing our work, we developed a context and conceptual framework to focus the discussion of information sharing capabilities. We have identified some areas where more information is needed.

NOTE TO REVIEWERS

The discussion draft that follows includes a framework overview, a set of information capabilities, and the data aspects that fit together. The three areas are interrelated but distinct. What is not clear is the most effective way to present these: in a NIST CSF format, or by some other means? We appreciate your assistance in helping determine the most useful way to depict the overall relationships for someone getting involved in an ISAO for the first time.

The following are additional questions or issues to consider:
- Additional discussions about the Information Sharing Context and conceptual framework being presented
- Further categories of information an ISAO may want to be shared
- The functional decomposition of an ISAO
- The depth of focus on the analytics aspects of an ISAO.

Suggestions in these areas would be particularly useful and will be incorporated into the document in the coming versions. The material is and will remain a work in progress; SWG3 welcomes and actively encourages comments and other input.

OBJECTIVES

As noted in the Introduction section of the ISAO SO Product Outline (of which this document will be a part), ISAOs need to be able to share information related to cybersecurity risks and incidents, and to collaborate in as close to real time as possible. Further, the efforts of individual ISAOs can be combined into an overarching effort to improve the cybersecurity resiliency of their members and the nation. The ISAO SO recognizes that not all new ISAOs may be capable initially of or desire to fully achieve these objectives.

The information sharing guideline is structured to provide a new or existing ISAO with a context identifying outcomes to be considered when selecting and implementing information sharing and collaboration efforts for the ISAO. In addition to a context framework and information uses, we also present a functional decomposition of possible ISAO information sharing activities. This guideline also offers a path to consider for maturing an ISAO's information sharing capabilities. Note that the framework is conceptual as opposed to prescriptive, and inclusion is meant to illustrate options rather than mandate. Information sharing may also be supported by other future relevant documents (statements of principle, policy documents, processes, procedures, data standards, etc.).

SUPPORTING CYBERSECURITY RISK AND INCIDENT MANAGEMENT

Companies, enterprises, and organizations manage strategic and tactical cyber-related risks, as a result of the technology they employ or their interaction with others. Managing these risks entails understanding the environment in which they are operating (situational awareness), determining directions to pursue (decision-making), and detailing efforts (actions) to undertake. These are activities an organization executes daily.

Taking a risk-based approach, where defensive actions and practices are aligned to changes in the cybersecurity environment, an ISAO can assist members in the decision-making efforts by identifying possible actions to help them establish the appropriate practices to prevent, detect, respond to, and recover from relevant threats, vulnerabilities, and incidents. ISAOs can perform a significant role in assisting their members and others to better understand various cybersecurity-related risks by providing situational awareness of the current and emerging environment in which they and others are operating. An ISAO considering the environment and situation can make decisions and inform its members about threats, vulnerabilities, or incidents that may be of interest or impact. Further, an ISAO may develop and provide recommended measures or actions to address immediate or emerging changes in the cybersecurity environment of interest to its members. In this way, the ISAO itself is executing the same situational awareness, decision-making, and actions framework in its ISAO support role for its members.

With respect to cybersecurity-related information, an organization has a need for various types of information, which we place for discussion purposes into a context for information sharing with two major categories.

The first category of information relates to the purpose for which the information is used. While the overall purpose of information sharing is to enable effective risk management, this can be distilled into three groups of information. These different groups build up to a full spectrum of risk management.
- Situational awareness information provides awareness of the broader threat landscape.
- Decision-making information is customized to a particular organization's needs and enables more effective security management.
- Action information directly supports the implementation of a particular measure that improves security.

The second category of information revolves around time and the application of resources. This type of information seeks to capture the complementary efforts that need to occur for effective cybersecurity. It begins with information most operationally relevant to security and builds upon it.
- Immediate information relates to actions to defend against or respond to new threats, vulnerabilities, or incidents.
- Tactical information relates to decisions on how to best deploy an organization's existing resources against the change in situational awareness.
- Strategic information relates to making plans and decisions on efforts and resources needed to address emerging or future threat environments.

The situational awareness, decision-making, and action framework and the information construct levels are depicted in Figure 1. Conceptually, a mature ISAO will have a close and interactive relationship between the framework an organization is executing and the information sharing construct levels an ISAO is performing.

Figure 1. Context for Information Sharing

ISAO INFORMATION SHARING VALUE PROPOSITION AND POLICIES

Fundamental to the establishment of an ISAO will be the value proposition to be offered its participants, partners, and collaborators and the specific categories of information to be collected, disseminated, and shared. The following guidance can assist ISAOs as they develop their information sharing policy considerations. Using the activities and categories of information discussed previously, an ISAO can consider and respond to the questions below to begin establishing an information sharing policy.
- Which categories of information does the ISAO want to provide members to give them situational awareness relevant to their affinity group?
- Will the ISAO provide raw data, analysis, or both to assist members in their tactical decision-making efforts?
- Will members expect information related to action recommendations, including defensive measures, best practices, and/or procedures for incident coordination?
- Will the ISAO provide analysis of a strategic nature related to trending analysis and threat actor targeting and motivation?

In the context of the framework and information construct levels, Figure 2 presents various interactions to consider as an ISAO develops its information sharing objectives and policies.

Figure 2. Levels of Information Related to Activity Framework

CATEGORIES OF INFORMATION AN ISAO MAY WANT TO SHARE

ISAOs can support the interactions shown above in Figure 2 by providing their members information needing immediate action, information of a tactical nature, and/or information of a strategic nature.

This information can be described in categories, namely:
- Threats
- Vulnerabilities
- Targets
- Impacts
- Analysis
- Indicators of compromise
- Tactics, techniques, and procedures
- Incident information
- Campaigns
- Defensive measures and courses of action
- Best practices
- Trending and strategic analysis
- Threat actor targeting and motivations
- Existing industry practices.

{TBD: These categories will be further defined.}

COLLECTION, DISSEMINATION AND ANALYSIS FUNCTIONAL DECOMPOSITION

NOTE TO REVIEWERS

At this point the information sharing functional components described below are not intended to be a one-to-one mapping to the context depicted above, as the high-level functional categories are generic and support various aspects of the framework. The high-level categories are decomposed into sub-categories to identify the more specific information capabilities needed to support those categories.

This section describes in more detail the functional components of information sharing an ISAO may want to consider. Participation in information sharing efforts is mainly driven by interests, either personal, organizational, or both. Those responsible for managing cybersecurity risks and taking actions to deal with them will participate in an ad hoc, defined, or institutionalized information sharing activity to better understand the environment in which they are operating and/or to contribute to collective interests.

Personal or organizational interests generally value the following:
- New knowledge for a better understanding of the threat and vulnerability environment in which they are operating
- Recommendations for dealing with specific threats and vulnerabilities
- Receipt of situational alerts that may affect their security posture
- Validation of their understanding of a current situation or incident
- Additional information that may improve their current understanding of threats, vulnerabilities, and/or incidents
- Knowledge of the actions being taken by others
- Coordination of collective actions
- Feedback on the effectiveness of actions being taken by others individually or collectively.

These personal or organizational interests can be used to describe four functional component categories that together make up the broad tactical and strategic efforts that an ISAO can perform:
- Threat landscape awareness
- Response measures
- Coordination
- Trend and pattern analysis.

These broad categories, as shown below, can be further decomposed to more specific functional elements and information sharing capabilities to support the personal or organizational interests of those participating in or working with an ISAO.

THREAT LANDSCAPE AWARENESS
- Collect information. General and community of interest focused.
- Make appropriate information available.
- Analyze collected information.
- Develop alerts and notifications.

RESPONSE MEASURES
- Distribute alerts and rapid notification.
- Develop countermeasures.
  - Immediate
  - Long-term
- Identify best and good practice recommendations.
- Determine effectiveness.

COORDINATION
- Establish coordination processes and capabilities.
- Activate coordination.
- Establish coordination efforts.
- Assess coordination efforts.

TREND AND PATTERN ANALYSIS
- Retain historical information.
- Perform strategic analysis.
  - Identify trends, discontinuities, or patterns of activity.
  - Determine threat actors and motivations.
- Publish analysis and recommendations.

Table 1 describes these categories and sub-categories and identifies information sharing capabilities that support them.

Table 1. Functional Categories and Information Sharing Capabilities
(Columns: Functional Category or Subcategory; Description; Information Sharing Capability)

THREAT LANDSCAPE AWARENESS
  Description: Know what's going on related to cybersecurity or other issues of interest to the ISAO.

  Collect information: General.
    Description: Obtain threat, vulnerability, and incident information from ISAO participants and other sources for information of interest.
    Capabilities: Anonymous and attributable submissions; email and listservs; calls; meetings; secure portal submissions; automation feeds; direct cybersecurity partner feeds; Traffic Light Protocol (TLP) labelling implementation.

  Collect information: Focus on community of interest.
    Description: As necessary, encourage community of interest participation to build deeper trust relationships.
    Capabilities: Similar capabilities as above that can be segregated and tailored for community of interest participants.

  Make appropriate information available.
    Description: Distribute or make information available in accordance with TLP procedures and labelling.
    Capabilities: Distribution through appropriate communication channels (portal access, email, automation platforms, etc.).

  Analyze collected information.
    Description: Review, de-conflict, validate, sanitize, and analyze collected information. Conduct research or intelligence to alert the members of evolving or existing threats, incidents, and vulnerabilities.
    Capabilities: Analysts and analysts' tools.

  Develop alerts.
    Description: Identify changes in situational awareness that may be of interest to ISAO participants and others.
    Capabilities: Communication mechanisms for levels of alert criticality; multiple mechanisms for highest level of alerts.

RESPONSE MEASURES
  Description: Establish operational or procedural measures to mitigate the utility or deny the effectiveness of vulnerabilities or exploits to infrastructures, operations, or systems.

  Distribute alerts and rapid notification.
    Description: Provide developed alerts and notifications to appropriate participants or partners.
    Capabilities: Communication mechanisms for levels of alert criticality; multiple and diverse mechanisms for highest level of alerts.

  Develop countermeasures: Immediate; Long-term.
    Description: Develop, in collaboration with participants and partners, countermeasures to mitigate risks of new threats or vulnerabilities. Focus on immediate and then longer-term measures.
    Capabilities: Conferencing and networking collaboration mechanisms for both technical experts and participants; access to capabilities that provide searchable topic analysis for participants.

  Identify best and good practice recommendations.
    Description: Based on interests of participants, make recommendations for best and good practices to mitigate and respond to cybersecurity and other relevant risks and incidents.
    Capabilities: Conferencing, networking, and forums for collaboration among technical experts and participants; surveying capabilities; publishing and providing references and a repository for availability of recommendations to participants; access to capabilities that provide searchable topic analysis for participants.

  Determine effectiveness.
    Description: Develop metrics and perform surveys to continually measure the effectiveness and satisfaction of participants with the services being provided.
    Capabilities: Participant survey capabilities.

COORDINATION
  Description: Synchronize and integrate activities to ensure the pursuit of the shared objectives established by the ISAO.

  Establish coordination processes and capabilities.
    Description: Policy and procedures established for assessing the need for coordination among members with shared interests to discuss and coordinate.
    Capabilities: Communication/network mechanism for a leadership group (identified sub-group) to make a decision to activate coordination.

  Activate coordination.
    Description: Issue notification for an emergency call for coordination.
    Capabilities: Established diverse communication capability to initiate an Emergency Call.

  Establish coordination actions/efforts.
    Description: Establish playbooks for various situations where coordination among participants is required. For ongoing incidents of specified severity, implement conferencing capabilities to determine the status, countermeasures, and response information related to an ongoing situation.
    Capabilities: Conferencing capabilities.

  Assess coordination efforts.
    Description: During and following coordination events, continually assess decisions and actions taken.
    Capabilities: Survey capabilities.

TREND AND PATTERN ANALYSIS
  Description: Collect information and attempt to spot a pattern or trend derived from the information of interest to the ISAO participants.

  Retain historical information.
    Description: Maintain history of submissions, analysis and decisions in a secure database.
    Capabilities: Secure operational database and software with appropriate access controls to segregate and deal with various sensitivities of information.

  Perform strategic analysis: Identify trends, discontinuities, or patterns of activity. Determine threat actors and motivations.
    Description: Analyze the ISAO historical information along with other information to provide value-added insights on trends and new activity of significance to the interest of participants.
    Capabilities: Analysts and analysts' tools; external collaboration mechanisms for analysts to engage other experts.

  Publish analysis and recommendations.
    Description: Regularly communicate with ISAO participants and others based on ISAO policy and procedures.
    Capabilities: Communication channels and networking events for members to receive analysis; access to capabilities that provide searchable topic analysis for participants.
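A small dissemination gate for the "sanitize" and "distribute in accordance with TLP procedures and labelling" capabilities in Table 1, added here as an example and not part of the ISAO SO draft. The channel names, the community of interest tags and the sample submission are assumptions constructed for the example; TLP 1.0 labels (RED, AMBER, GREEN, WHITE) are used because that version was current when the draft was written.

```python
"""Added example (not from the ISAO SO draft): a TLP-aware dissemination gate.

Validates a submission, strips identity from anonymous submissions, and
releases a record only on channels its TLP label permits, keeping
community-of-interest channels segregated. Channel names, community tags
and the sample record are assumptions constructed for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple

# Assumed channel names. RED stays with named participants on a coordination
# call, AMBER may reach members through the portal, GREEN adds community
# lists, WHITE adds the public site.
TLP_CHANNELS: Dict[str, FrozenSet[str]] = {
    "RED": frozenset({"coordination-call"}),
    "AMBER": frozenset({"coordination-call", "member-portal"}),
    "GREEN": frozenset({"coordination-call", "member-portal", "community-list"}),
    "WHITE": frozenset({"coordination-call", "member-portal", "community-list",
                        "public-site"}),
}
# Channels segregated per community of interest, addressed as "<channel>:<tag>".
COMMUNITY_SCOPED: FrozenSet[str] = frozenset({"community-list"})


@dataclass(frozen=True)
class Submission:
    submitter: str               # organization that submitted the report
    tlp: str                     # TLP label chosen by the submitter
    community: str               # community of interest tag, e.g. "energy"
    attributable: bool           # False: submitter asked to remain anonymous
    summary: str
    indicators: Tuple[str, ...]


def validate(sub: Submission) -> List[str]:
    """Return validation problems; an empty list means the record may proceed."""
    problems = []
    if sub.tlp not in TLP_CHANNELS:
        problems.append(f"unknown TLP label {sub.tlp!r}")
    if not sub.indicators and not sub.summary.strip():
        problems.append("submission carries neither indicators nor a summary")
    return problems


def sanitize(sub: Submission) -> Submission:
    """Strip the submitter's identity from an anonymous submission.

    The attributed original stays in the ISAO's access-controlled store; only
    this sanitized copy is released to other participants.
    """
    if sub.attributable:
        return sub
    return replace(sub, submitter="ANONYMOUS",
                   summary=sub.summary.replace(sub.submitter, "[redacted]"))


def plan_release(sub: Submission, requested: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split requested channels into approved ones and denied ones with reasons."""
    allowed = TLP_CHANNELS.get(sub.tlp, frozenset())
    approved: List[str] = []
    denied: Dict[str, str] = {}
    for channel in requested:
        base, _, scope = channel.partition(":")
        if base not in allowed:
            denied[channel] = f"TLP:{sub.tlp} does not permit release on {base}"
        elif base in COMMUNITY_SCOPED and scope != sub.community:
            denied[channel] = f"channel scoped to {scope!r}; submission is {sub.community!r}"
        else:
            approved.append(channel)
    return approved, denied


# Constructed sample: an anonymous TLP:AMBER report from the energy community,
# with indicators drawn from documentation address space and a reserved TLD.
SAMPLE = Submission(
    submitter="Acme Power", tlp="AMBER", community="energy", attributable=False,
    summary="Acme Power observed beaconing to 198.51.100.7 from two HMI hosts.",
    indicators=("198.51.100.7", "update.example.invalid"),
)
```

Running `plan_release(sanitize(SAMPLE), ["member-portal", "community-list:energy", "public-site"])` approves only the member portal: AMBER forbids both the community list and the public site, and the released record no longer names Acme Power.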

APPLYING SHARED INFORMATION

As an example, specific types of information, namely regarding threats, vulnerabilities, and incidents, can support the framework and an organization's efforts to manage and mitigate its cybersecurity-related risks. Figure 3 depicts at a high level where specific types of information can be used. The depiction seeks to show the hierarchy of information and how progressive levels of analysis can turn raw unstructured data into valuable knowledge of the environment. Armed with this knowledge, organizations can then prioritize efforts to defend against the most prevalent threats. The categories of information are:
- Immediate: Information needs that concern actions to defend against or respond to new threats, vulnerabilities, or incidents.
- Tactical: Information needs that concern decisions on how to best deploy an organization's existing resources against the change in situational awareness.
- Strategic: Information needs that concern making plans and decisions on the efforts and resources needed to address emerging or future threat environments.

Figure 3. Applying Information to Cybersecurity Risks

(For future SWG3 development:)

ARCHITECTURAL CONSIDERATIONS

GENERALIZED ARCHITECTURES
- Centralized
- Peer to peer
- Hub and spoke
- Mesh network.

MECHANISMS

(TBD: Level of details and/or references that would be beneficial in this guidance.)
- E-mail/listservs
- Website postings
- Automated (primary indicator and defensive measures, then follow-on information)
- Secure portal
- Direct feeds from threat intelligence firms
- Face-to-face, WebEx meetings, conference calls.

COLLABORATION AMONG ISAOs AND ADVANCED CAPABILITIES

(To be developed:)
- Information sharing capabilities and mechanisms that would help an ISAO achieve the benefits of more active, regular collaboration among ISAOs, partners, and others
- Automated capabilities for information dissemination using a network of standards-based platforms, in addition to advanced capabilities being researched.