FINNISH CYBER DEFENSE MODEL GUIDED TOUR

Similar documents
CYBERSECURITY WEEK FROM THE CENTER OF THE WORLD

ENISA Cooperation in the EU / NIS Directive

ENISA EU Threat Landscape

Stakeholders Analysis

Cyber Crime Update. Mark Brett Programme Director February 2016

Centre for cybersecurity Belgium : Role, Missions et future capacities

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Croatian National CERT ACDC project Darko Perhoc, Head of National CERT CISSP, CEH, CCNP Security R&S,CCDP

Netherlands Cyber Security Strategy. Michel van Leeuwen Head of Cyber Security Policy Ministry of Security and Justice

CYBER THREAT INTELLIGENCE TOWARDS A MATURE CTI PRACTICE

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Bradford J. Willke. 19 September 2007

Implementing Executive Order and Presidential Policy Directive 21

Critical Information Infrastructure Protection Law

RISING CYBER SECURITY CAPABILITY WITH A UNIQUE NETWORK OF TRUSTED PARTNERS. Jan De Blauwe Chairman Cyber Security Coalition Belgium

The Network and Information Security Directive - ENISA's contribution

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

Cyber Security in Europe

An overview of the CERT/CC and CSIRT Community

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

Co-operation against cybercrime CSIRTs LE private sector

European Union Agency for Network and Information Security

Itu regional workshop

Cyber Security Strategy

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

Angela McKay Director, Government Security Policy and Strategy Microsoft

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Network and Information Security Directive

CERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria

Cisco Connected Factory Accelerator Bundles

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Building a Resilient Security Posture for Effective Breach Prevention

Discussion on MS contribution to the WP2018

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Security Awareness Training Courses

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

RFC 2350 YOROI-CSDC. Expectations for Computer Security Incident Response. Date 2018/03/26. Version 1.0

Directive on Security of Network and Information Systems

Avoiding Information Overload: Automated Data Processing with n6

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

Cyber Security is a Team Sport

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Statement for the Record

Building an Effective Threat Intelligence Capability. Haider Pasha, CISSP, C EH Director, Security Strategy Emerging Markets Office of the CTO

New Zealand National Cyber Security Centre Incident Summary

The Case for National CSIRTs

GlobalPlatform Addressing Unique Security Challenges through Standardization

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Security in India: Enabling a New Connected Era

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Securing Europe's Information Society

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

NEXT GENERATION SECURITY OPERATIONS CENTER

PULLING OUR SOCS UP VODAFONE GROUP AT RSAC Emma Smith. Andy Talbot. Group Technology Security Director Vodafone Group Plc

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

Security and resilience in Information Society: the European approach

Regional Workshop on Frameworks for Cybersecurity and CIIP Feb 2008 Doha, Qatar

ENISA Operational security CERT relations. Update January Contact:

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Israel and ICS Cyber Security

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

2017 retail crime survey. summary

ENISA s Position on the NIS Directive

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

The Windstream Enterprise Advantage for Banking

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

The U.S. Cybersecurity Information Sharing Act of 2015: Joel Benge Risk Evangelist Emergent Network Defense

Business Context: Key for Successful Risk Management

CHALLENGES GOVERNANCE INTEGRATION SECURITY

Chapter X Security Performance Metrics

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

ENISA CE2014 After Action Report

CONTEMPORARY CYBER ATTACK TRENDS AND CHALLENGES DR SHASHWAT RAIZADA

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

ISAO SO Product Outline

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

Crisis Management Plan

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Transport and ICT Global Practice Smart Connections for All Sandra Sargent, Senior Operations Officer, Transport & ICT GP, The World Bank

Commonwealth Cyber Declaration

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

The commission communication "towards a general policy on the fight against cyber crime"

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

ENISA & Cybersecurity. Steve Purser Head of Technical Competence Department December 2012

INTELLIGENT CYBER THREAT DEFENSE. Fight tomorrow s cyber threats in real time with cutting edge machine learning

GDPR Update and ENISA guidelines

Introducing Cyber Observer

Transcription:

FINNISH CYBER DEFENSE MODEL GUIDED TOUR SPAM Botnets Identity theft Phishing Denial of Service Defacements @codenomicon

BACKGROUND Sindri Bjarnason - sindri@codenomicon.com Senior Solution Engineer at Codenomicon 3+ years founding the national CSIRT in Iceland (2011-2014) Currently working with various CSIRTs on topics related to abuse handling

OVERVIEW Finland s National Cyber Security Strategy Meanwhile in Finland NCSC-FI as the common denominator of success Examining the key components of NCSC-FI / NCSS Applicability of the Finnish model

NATIONAL CYBER SECURITY STRATEGIES Extensive NCSS documentation available on the ENISA website: https://www.enisa.europa.eu/activities/resilience-and-ciip/national- The Finnish NCSS published in 2013 is located there: cyber-security-strategies-ncsss/national-cyber-security-strategies-in- the-world https://www.enisa.europa.eu/activities/resilience-and-ciip/nationalcyber-security-strategies-ncsss/finlandscybersecuritystrategy.pdf

THE FINNISH NCSS The principles of Cyber Security Management on a national level Provides current state and future vision for the evolution of cyber security within Finland 10 Strategic Guidelines that encapsulate the primary components of the NCSS Is the Finnish NCSS <=> Finnish Defense Model?

NCSS <=> FINNISH DEFENSE MODEL? The NCSS can be seen as a focal document of the national cyber security framework However! The Finnish NCSS reflects heavily on the maturity of the IT ecosystem within Finland It does not provide an insight into the past/present evolution of its individual component These individual components are what makes the NCSS viable

MEANWHILE IN FINLAND

AREAS OF NOTEWORTHY SUCCESS Finland is ranked as the cleanest nation in terms of network abuse Mature IT / IT-SEC ecosystem International level: Threat intelligence sharing across national borders Multi-national network abuse response Active engagement with actors on the cyber security scene National and international collaboration Active dialog with the research / academic community Established as a trusted source for information exchange

CERT-UK IN ACTION - INCIDENTS & VULNERABILITIES

#

THE COMMON DENOMINATOR?

NCSC-FI, THE FINNISH NATIONAL CSIRT Established in 2001, officially operational in 2002 Mostly ISP focused throughout 2005 Early adopter of automated abuse handling (2006) Constituency expansion to CII (2006) Active CII protection role (~2013) Extensive service portfolio for its constituency and outside actors High maturity level

NCSC-FI: OPERATIONAL STATS

SUITABLE ROLE MODEL? By observing the evolution of NCSC-FI we can identify the components that play a key role in its current success Even with its civil scope, it is the entity in Finland with the highest rate of exposure to the challenges related to network abuse It stands to reason that these components will (with high probability) be contributing factors to the initial success of NCSS implementation making sure these components are evaluated in the context of todays technical environment

KEY COMPONENTS COLLABORATION AUTOMATION SITUATIONAL AWARENESS

COLLABORATION

CHALLENGE: CREATE AND MAINTAIN AN ENVIRONMENT THAT SUPPORTS AND ENCOURAGES ACTIVE COLLABORATION BETWEEN NATIONAL ACTORS (AND LATER INTERNATIONAL ACTORS) APPROACH: IDENTIFY ACTIVE COLLABORATION SCENARIOS WITHIN THE IT- ECOSYSTEM AND INTEGRATE WITH IT. ESTABLISH SECTOR/ THREAT SPECIFIC WORKGROUPS. ACTIVE NETWORKING

GOAL: A TRUSTED COMMUNICATION NETWORK BETWEEN DIFFERENT ACTORS THAT ENABLES INTERNAL COMMUNICATION AS WELL AS COLLECTIVE RESPONSE OBSERVATION: A NEW ACTOR/AUTHORITY WILL START WITH LIMITED TRUST, BEING ABLE TO CONTRIBUTE INTERESTING DATA/INSIGHTS HELPS INITIALLY (NATIONAL SITUATIONAL AWARENESS)

NATIONAL SITUATIONAL AWARENESS #

AUTOMATION

CHALLENGE: OVER TIME THE AMOUNT OF REPORTED / OBSERVED NETWORK ABUSE WILL INCREASE DRASTICALLY AND RAPIDLY DECREASE THE UTILIZATION OF RESOURCES APPROACH: NCSC-FI WAS AN EARLY ADOPTER OF AUTOMATION BACK IN 2006. AT THE PRESENT VAST MAJORITY OF NETWORK ABUSE IS DEALT WITH THROUGH AUTOMATED PROCESSES

GOAL: DEPLOY A FLEXIBLE FRAMEWORK THAT AUTOMATES FULLY THE FETCH-PROCESS-REPORT CYCLE OF ABUSE HANDLING OBSERVATION: THE EFFECTIVENESS OF AUTOMATION WILL ULTIMATELY BE IN RELATION TO THE ACTIVE COLLABORATION BETWEEN ACTORS

AUTOMATION Following the initial automation in 2006, NCSC-FI went from processing 1.000 incidents to 100.000 incidents that year On average NCSC-FI automatically handles ~200.000 incidents per year This allows them to focus their resources on more serious incidents requiring a managed approach The situational awareness will also benefit through automation, extending normal operations to campaigns Abuse automation has come a long way since 2006

CAMPAIGNS THROUGH AUTOMATION

SITUATIONAL AWARENESS

NATIONAL SITUATIONAL AWARENESS #

NATIONAL SITUATIONAL AWARENESS #

THOSE THREE COMPONENTS AND THEIR DERIVATIVES ARE THE FOUNDATION FOR 4 OF THE 10 NCSS STRATEGIC GUIDELINES

APPLICABILITY

THE STAIRWAY TO AWARENESS

REFERENCES AbuseHelper - automation framework for abuse handling: http://en.wikipedia.org/wiki/abusehelper http://www.codenomicon.com/products/abusesa/ Establishing national CSIRT (CERT-CC): https://www.cert.org/incident-management/national-csirts/ ENISA: https://www.enisa.europa.eu/activities/cert/support

ADDITIONAL SLIDES

START ON LEVEL 1

Level 1: Assets being identified, useful feeds known Proxy Cleaners Cleaners Cleaners

Level 1: Assets being identified, useful feeds known Level 2: Automated 24/7 abuse handling with common tools Proxy Cleaners Cleaners Cleaners

Level 1: Assets being identified, useful feeds known Level 2: Automated 24/7 abuse handling with common tools Level 3: Situation Awareness State of the Nation Insight over actual incidents Phenomena in the world and in the nation For example vulnerable services, DDoS potential Proxy KPIs Cleaner benchmarks Proxy Cleaners Cleaners Cleaners Other Nations

Level 1: Assets being identified, useful feeds known Level 2: Automated 24/7 abuse handling with common tools Level 3: Situation Awareness Level 4: Abuse Handling Expanded with sensors State of the Nation Expanding coverage with IoC monitoring IOC SHARING Proxy IoC Notifications IoCs Cleaners Cleaners Unorganised Cleaners Unorganised = organisations who do not have own sectorspecific proxy Other Nations

Level 1: Assets being identified, useful feeds known Level 2: Automated 24/7 abuse handling with common tools Level 3: Situation Awareness Level 4: Abuse Handling Expanded with sensors State of the Nation IoCs IOC SHARING Proxy IoC Notifications Cleaners Cleaners Unorganised Cleaners IoCs Other Nations Working with Sector Specific Proxies CI Sector Proxy IoC Notifications Cleaners Cleaners Organised Cleaners

NATURAL GROWTH OF OPERATION

NATION-TO-NATION REALTIME IOC SHARING CISP/ CISP/ CERT UK CERT CISP/ UK CERT UK Cleaners Cleaners Cleaners UK Victim feed NCSC-FI IoC Feed NCSC-FI Cleaners Cleaners Cleaners

NATIONAL PUBLIC-PRIVATE PARTNERSHIPS CISP/ CISP/ CERT CISP/ UK CERT UK CERT UK Cleaners Cleaners Cleaners JANET (EDU) Clea Clea Clea Cleaners 1000x UK Victim feed NCSC-FI IoC Feed NCSC-FI

NATIONAL PUBLIC-PRIVATE PARTNERSHIPS NCSC-FI IoC Alerts IoC Feed Reports 2013: Handled 15 million events, discovered 622 Critical Incidents Continuous Critical Incidents Trough Java Security Investment Based on Actual Situation Simple network configuration change made a big difference CIP A After seeing actual incidents we decided to fix our incident response capability CIP B Week

PUBLIC-PRIVATE PARTNERSHIPS Bank Employees IPS AV Confirmed IoCs

BEHIND THE CORNER

SHARED SITUATIONAL AWARENESS ACROSS NATIONAL BORDERS ENABLING LOCALIZED IOC S TO COMPLEMENT A MULTI- NATIONAL SITUATIONAL AWARENESS

#

COMMON UNDERSTANDING OF CRIMINAL INFRASTRUCTURE EVOLUTION COMPLEMENTED BY A FIXED-POINT STATE

#

ENABLING REALTIME MITIGATION BETWEEN NATION STATES ENABLING SHARED MITIGATION THROUGH COMPATIBLE WORKFLOWS

#

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback