The U.S. Cybersecurity Information Sharing Act of 2015:
Joel Benge – “Risk Evangelist”, Emergent Network Defense, joel@ENDsecurity.com

Points to cover
Overview
History, Provisions, Challenges
Implementation
Application to reality
Momentum
Where do we go from here?
Joel Benge
“Who is this guy?”
Storytelling and Communications
Digital and Impact Perspective
Cybersecurity Awareness and Reporting
Executive Communications & Risk Quantification
Entertainment, Communications, & Education
Network Operations & Incident Response
Homeland Security, 2009-2015
Emergent Network Defense, 2015-Today
About Emergent:
Overview
Major Features and Provisions
Incentives: voluntary sharing under the Act's procedures provides companies with an antitrust exemption, non-waiver of privilege, proprietary information protections, a FOIA exemption, and no regulation or enforcement actions due to information shared.
Personal Data Protection: remove information “not directly related to a cybersecurity threat” that the company “knows” at the time of sharing to be “personal information of a specific individual or information that identifies a specific individual.”
Cyber Threat Indicators and Defensive Measures: “information necessary… to describe or identify a cybersecurity threat or vulnerability” and that “detects, prevents, or mitigates a known or suspected cyber security threat or vulnerability.”
Monitor and Defend: a company is authorized to “monitor” and “operate defensive measures” on its own information system—or, with written authorization, another party’s system—for cybersecurity purposes.
HISTORY
U.S. Cybersecurity Information Sharing Act of 2015
With whom is data shared?
“Appropriate Federal Agencies”:
Department of Defense
Office of the Director of National Intelligence
Department of Commerce
Department of Energy
Department of Justice
Department of Treasury
Homeland Security
DHS AIS Personal Information Scrub
Companies must remove any information “not directly related to a cybersecurity threat” that they know at the time of sharing to be “personal information of a specific individual or information that identifies a specific individual.”
On the DHS side, specific fields are tagged by pattern matching and held for human review while the rest of the indicator is sent to the appropriate federal agencies.
If held fields are found not to hold personal information, or are pertinent to the indicator, they are released to the agencies after redaction. If a field is not relevant to the threat, the field is deleted.
In short: companies submit CTI or DM data to DHS via AIS; specific fields are tagged and held for human review by DHS; only CTI- or DM-relevant data is passed to partners.

Worked example from the slide, in three stages:
As submitted:
IP Address: 192.168.1.1
Account: Jason Bourne
Threat: APT28
IOC: ABCDEFG
Email Content: Hi, Jason. Your package has been delivered!
Tagged field masked and held for review:
IP Address: 192.168.1.1
Account: XXXXXXXXXXX
Threat: APT28
IOC: ABCDEFG
Email Content: Hi, Jason. Your package has been delivered!
After review and redaction:
IP Address: 192.168.1.1
Account: XXXXXXXXXXX
Threat: APT28
IOC: ABCDEFG
Email Content: Hi, XXXXXX. Your package has been delivered!
IMPLEMENT
DHS Implementation
Companies may share CTI and DM with US-CERT via email and web form, or use the DHS Automated Information Sharing (AIS) network.
February/March 2016: DHS releases guidance and launches AIS.
As of September 2016: DHS reports 40 private and 10 federal agencies on AIS (1 contributing).
As of March 2017: DHS reports 201 non-federal entities on AIS.
April 2017: adoption expected to grow as more industries mature.
MOMENTUM
Adoption and Momentum
Reaction so far
“These indicators of compromise are like
them in the context that you see what the meal is.”
“…not as effective as it could be, but based on where we were five years ago, they certainly have made a lot more progress in a short amount of time”
“… the private and public sectors [are] empowered to safely share more information about cyber threats and work together to jointly defend against attacks.”
Too much data to be useful: “Data management, scale, and algorithmic strengths may give Facebook an advantage in threat intelligence sharing.”
So, is it working?
Difficult to say…
The level of detail is too discrete/tactical without context.
CTIs have short shelf lives.
Risk of personal data leakage.
Data is local; risk is global.
So, what would work?
An open, abstracted, and modular way to talk about, measure, and share risk.
Common scenario ontology (slide diagram, with the slide's codes):
Actors: Untrusted External (UE)
Vulnerabilities: Phishing (Ph)
Targets: Operational Data (OpD)
Consequences: Leak (Conf)
Impacts: Reputation & Legal (Rep)
Metrics
Untrusted External
Project Impact: compare to historical incidents of this type or calibrated estimation.
Assign to Risk categories based on business unit and type of consequence. Multiple impacts possible.
Legal
Metric sources: calendar, “clickiness”, no data, self-reporting, spam filters.
Share Changes in Risk Posture, Not the Data (normalized metrics)
Example Scenario: A malicious actor takes advantage of a vulnerability in phishing defense capability that results in data leak of operational data that has a HIGH Service Delivery Impact.
Indicator Sharing
Decontextualized facts and numbers
64.53.232.100 204.100.5.31
A System for Shared Risk
Using Common Scenario Ontology
Encoded with the ontology, the example scenario above becomes: UE / Ph / OpD / Conf
UE Ph OpD Conf | UE Ph OpD Conf | UE Ph OpD Conf | ?
Impacts Consequences Targets Vulnerabilities Actors
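As an added example (not from the deck or from Emergent Network Defense), the Python below encodes a scenario with the slide's ontology codes, folds local metric sources into one normalized vulnerability score, and emits what the slides say should be shared: the scenario code and the change in posture, not the underlying data. It also shows a "?" wildcard for querying scenarios by ontology slot. The code expansions, the "SvcD" impact code, the metric scales and weights, and the monthly figures are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Ontology vocabulary. UE, Ph, OpD, Conf and Rep are the slide's codes; their expansions,
# the "SvcD" code and everything else in this example are assumptions.
VOCAB = {
    "actor": {"UE": "Untrusted External"},
    "vulnerability": {"Ph": "Phishing"},
    "target": {"OpD": "Operational Data"},
    "consequence": {"Conf": "Leak"},
    "impact": {"Rep": "Reputation & Legal", "SvcD": "Service Delivery"},
}


@dataclass(frozen=True)
class Scenario:
    actor: str
    vulnerability: str
    target: str
    consequence: str
    impacts: Tuple[str, ...]  # multiple impacts are possible, per the slides

    def __post_init__(self):
        # Every code must be in the shared vocabulary, otherwise partners cannot decode it.
        for slot in ("actor", "vulnerability", "target", "consequence"):
            if getattr(self, slot) not in VOCAB[slot]:
                raise ValueError(f"unknown {slot} code {getattr(self, slot)!r}")
        for imp in self.impacts:
            if imp not in VOCAB["impact"]:
                raise ValueError(f"unknown impact code {imp!r}")

    def code(self) -> str:
        return "/".join([self.actor, self.vulnerability, self.target,
                         self.consequence, "+".join(self.impacts)])


def matches(code: str, pattern: str) -> bool:
    """'?' in a pattern slot matches anything, so 'UE/Ph/?/?/?' selects every
    phishing-by-outsider scenario regardless of target, consequence or impact."""
    return all(p == "?" or p == c for c, p in zip(code.split("/"), pattern.split("/")))


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def phishing_vulnerability_score(m: Dict[str, float]) -> float:
    """Fold local metric sources (simulated-phish click rate, user self-reporting rate,
    spam-filter catch rate) into one 0..1 score; higher means more exposed.
    The scale bounds and weights are assumptions for this example."""
    click = clamp01(m["click_rate"] / 0.30)                                # 30% clicks saturates at 1
    report = 1.0 - clamp01(m["self_report_rate"])                          # more reporting, less exposure
    filt = 1.0 - clamp01((m["spam_filter_catch_rate"] - 0.90) / 0.10)      # 90%..100% catch -> 1..0
    return 0.5 * click + 0.25 * report + 0.25 * filt


def posture_change(scenario: Scenario, previous: float, current: float) -> Dict[str, object]:
    """The message that leaves the organisation: scenario code plus normalized delta.
    No click rates, no addresses, no message content."""
    delta = current - previous
    return {
        "scenario": scenario.code(),
        "dimension": "vulnerability",
        "delta": round(delta, 3),
        "direction": "worse" if delta > 1e-9 else "better" if delta < -1e-9 else "unchanged",
    }


# Constructed monthly metrics for one organisation (not real data).
JAN = {"click_rate": 0.12, "self_report_rate": 0.40, "spam_filter_catch_rate": 0.97}
FEB = {"click_rate": 0.21, "self_report_rate": 0.30, "spam_filter_catch_rate": 0.95}

# The slide's example scenario: outsider, phishing, operational data, leak, service delivery impact.
SLIDE_SCENARIO = Scenario("UE", "Ph", "OpD", "Conf", ("SvcD",))

if __name__ == "__main__":
    before = phishing_vulnerability_score(JAN)
    after = phishing_vulnerability_score(FEB)
    print(posture_change(SLIDE_SCENARIO, before, after))
```

A receiving partner only needs the vocabulary to act on the message: it can aggregate "worse" deltas across partners for every scenario matching "?/Ph/?/?/?" without ever seeing anyone's local data, which is the contrast with the decontextualized indicators shown earlier.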
Sharing Nervousness in the Risk Space
Big impact from small changes. Finding context in uncertainty!
Nervous Data
Actor Vuln Target
Finding Risk in the Data
Small changes for big impacts
Biomimicry to find high-risk scenarios