The U.S. Cybersecurity Information Sharing Act of 2015
Joel Benge – “Risk Evangelist”, Emergent Network Defense, joel@ENDsecurity.com
Points to cover
• Overview: History, Provisions, Challenges
• Implementation
• Application to reality
• Momentum
• Where do we go from here?
Joel Benge – “Who is this guy?”
• Entertainment, Communications & Education
• Network Operations & Incident Response (2009-2015)
• Emergent Network Defense (2015-Today)
• Focus areas: Homeland Security, Digital Storytelling, Cybersecurity Executive Communications, Awareness and Communications, Impact Perspective Reporting, Risk Quantification
About Emergent:
• Digital Risk Management
• CEO, Founder – Dr. Earl Crane, National Security Staff, DHS, CMU
Overview (HISTORY) – Major Features and Provisions of the U.S. Cybersecurity Information Sharing Act of 2015
• Incentives: Voluntary sharing by the Act’s procedures provides companies with an antitrust exemption, non-waiver of privilege, proprietary information protections, a FOIA exemption, and no regulation or enforcement actions due to information shared.
• Personal Data Protection: Remove information “not directly related to a cybersecurity threat” that the company “knows” at the time of sharing to be “personal information of a specific individual or information that identifies a specific individual.”
• Cyber Threat Indicators and Defensive Measures: “information necessary… to describe or identify a cybersecurity threat or vulnerability” and anything that “detects, prevents, or mitigates a known or suspected cybersecurity threat or vulnerability.”
• Monitor and Defend: A company is authorized to “monitor” and “operate defensive measures” on its own information system (or, with written authorization, another party’s system) for cybersecurity purposes.
With whom is data shared? (HISTORY)
The “Appropriate Federal Agencies”:
• Department of Defense
• Office of the Director of National Intelligence
• Department of the Treasury
• Department of Commerce
• Department of Homeland Security
• Department of Justice
• Department of Energy
DHS AIS Personal Information Scrub (IMPLEMENT)
1. Companies submit CTI or DM data to DHS via AIS. Companies are required to remove any information “not directly related to a cybersecurity threat” that they know at the time of sharing to be “personal information of a specific individual or information that identifies a specific individual.”
2. Specific fields are tagged and held for human review by DHS. Certain fields are scanned for pattern matching and held for human review while the rest of the indicator is sent to the appropriate federal agencies.
3. Only CTI- or DM-relevant data is passed to partners. If the fields in question are found to not hold personal information, or are pertinent to the indicator, they are released to the agencies after redaction. If the field is not relevant to the threat, the field is deleted.

Example record at each stage:

| Field         | 1. As submitted                              | 2. After DHS pattern scan                    | 3. Released to partners                       |
|---------------|----------------------------------------------|----------------------------------------------|-----------------------------------------------|
| IP Address    | 192.168.1.1                                  | 192.168.1.1                                  | 192.168.1.1                                   |
| Account       | Jason Bourne                                 | XXXXXXXXXXX                                  | XXXXXXXXXXX                                   |
| Threat        | APT28                                        | APT28                                        | APT28                                         |
| IOC           | ABCDEFG                                      | ABCDEFG                                      | ABCDEFG                                       |
| Email Content | Hi, Jason. Your package has been delivered!  | Hi, Jason. Your package has been delivered!  | Hi, XXXXXX. Your package has been delivered!  |
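The three-stage scrub above, as an added example that is not from the slides and not DHS’s actual AIS code: the submitter masks fields it already knows are personal, the receiving side pattern-scans only the free-text fields and holds any with hits while the rest of the indicator goes straight through, and a human decision per held field either releases it with the matched spans redacted, clears it as a false positive, or deletes it as irrelevant to the threat. The field names, the fixed-width mask, the reviewable-field list and the patterns (e-mail addresses, a greeting followed by a name, a bare full name) are all assumptions chosen for illustration; the sample record is constructed from the slide’s example.

```python
import re
from dataclasses import dataclass, field

# Fixed-width mask (assumption): a length-preserving mask would leak how long the
# personal value was, which is itself a weak identifier.
MASK = "XXXXXX"

# Free-text fields the receiving side scans (assumption). Everything else is treated
# as pure CTI (addresses, hashes, actor names) and is never held.
REVIEWABLE_FIELDS = ("account", "email_content")

# Patterns that trigger a hold. Where a pattern has a capture group, only that group
# is redacted on release; otherwise the whole match is.
PII_PATTERNS = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # "Hi, Jason." / "Dear Dr. Bourne," -> the name token following a greeting
    "greeting_name": re.compile(
        r"\b(?:Hi|Hello|Dear)\b,?\s+(?:(?:Mr|Ms|Mrs|Dr)\.?\s+)?([A-Z][a-z]+)"),
    # A field whose entire value is capitalised words, e.g. an account field "Jason Bourne"
    "full_name": re.compile(r"^\s*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+\s*$"),
}


@dataclass
class Finding:
    field: str
    pattern: str
    span: tuple  # (start, end) offsets of the personal data inside the field value


@dataclass
class ScanResult:
    released: dict = field(default_factory=dict)  # forwarded to partner agencies at once
    held: dict = field(default_factory=dict)      # field name -> [Finding], awaiting review


def submitter_scrub(record, known_pii_fields):
    """Stage 1 (company side): mask the fields the submitter already knows hold personal
    information that is not directly related to the threat."""
    return {k: (MASK if k in known_pii_fields else v) for k, v in record.items()}


def scan(record):
    """Stage 2 (receiving side): pattern-match the reviewable fields. Fields with hits are
    held; the rest of the indicator is released without waiting for review."""
    result = ScanResult()
    for name, value in record.items():
        findings = []
        if name in REVIEWABLE_FIELDS and isinstance(value, str):
            for pname, rx in PII_PATTERNS.items():
                for m in rx.finditer(value):
                    span = m.span(1) if m.groups() else m.span()
                    findings.append(Finding(name, pname, span))
        if findings:
            result.held[name] = findings
        else:
            result.released[name] = value
    return result


def redact_spans(value, spans):
    """Replace each (start, end) span with MASK, right to left so earlier offsets stay valid."""
    for start, end in sorted(spans, reverse=True):
        value = value[:start] + MASK + value[end:]
    return value


def review(record, scan_result, decisions):
    """Stage 3 (human review), one decision per held field:
    'release' -> keep the field, personal spans redacted (pertinent to the indicator)
    'clear'   -> false positive, release the field unchanged
    'delete'  -> field is not relevant to the threat, drop it entirely
    A held field with no decision must not leak through, so that is an error."""
    out = dict(scan_result.released)
    for name, findings in scan_result.held.items():
        decision = decisions.get(name)
        if decision == "release":
            out[name] = redact_spans(record[name], [f.span for f in findings])
        elif decision == "clear":
            out[name] = record[name]
        elif decision == "delete":
            continue
        else:
            raise ValueError(f"field {name!r} is still awaiting review")
    return out


def process(record, known_pii_fields, decisions):
    """Run all three stages and return what reaches the partner agencies."""
    scrubbed = submitter_scrub(record, known_pii_fields)
    return review(scrubbed, scan(scrubbed), decisions)


# Constructed sample indicator, modelled on the slide's example record.
SAMPLE = {
    "ip": "192.168.1.1",
    "account": "Jason Bourne",
    "threat": "APT28",
    "ioc": "ABCDEFG",
    "email_content": "Hi, Jason. Your package has been delivered!",
}

if __name__ == "__main__":
    print(process(SAMPLE, {"account"}, {"email_content": "release"}))
```

Running `scan(SAMPLE)` without the submitter stage holds both `account` and `email_content`, which is the point of the second stage: it catches what the company’s own scrub missed. Note that the scan only sees fields on the reviewable list; personal data placed in a field the policy treats as pure CTI passes through untouched, so that list is the control that matters.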
DHS Implementation (IMPLEMENT)
Companies may share CTI and DM with US-CERT via email and web form, or use the DHS Automated Indicator Sharing (AIS) network.
Adoption and Momentum (MOMENTUM)
• February/March 2016: DHS releases guidance and launches AIS
• September 2016: DHS reports 40 private entities and 10 federal agencies on AIS (1 contributing)
• March 2017: DHS reports 201 non-Federal entities on AIS
• April 2017: adoption expected to grow as more industries mature
Reaction so far (MOMENTUM)
“These indicators of compromise are like breadcrumbs. It is only when you aggregate them in the context that you see what the meal is.” - Intel
“… not as effective as it could be, but based on where we were five years ago, they certainly have made a lot more progress in a short amount of time” - HITRUST Alliance
“… the private and public sectors [are] empowered to safely share more information about cyber threats and work together to jointly defend against attacks.” - Rapid7
Too much data to be useful: “Data management, scale, and algorithmic strengths may give Facebook an advantage in threat intelligence sharing.” - Network World (Opinion)
So, is it working? (MOMENTUM)
Difficult to say…
• The level of detail is too discrete/tactical without context.
• CTIs have short shelf lives.
• Risk of personal data leakage.
• Data is Local. Risk is Global.
So, what would work?
An open, abstracted, and modular way to talk about, measure, and share risk.
Share Changes in Risk Posture, Not the Data
Example Scenario: A malicious actor takes advantage of a vulnerability in phishing defense capability that results in a data leak of operational data that has a HIGH Service Delivery Impact.

| Actors                  | Vulnerabilities | Targets                 | Consequences | Impacts                  |
|-------------------------|-----------------|-------------------------|--------------|--------------------------|
| Untrusted External (UE) | Phishing (Ph)   | Operational Data (OpD)  | Leak (Conf)  | Reputation & Legal (Rep) |

Metrics per column (normalized metrics):
• Actors: Twitter chatter; “Risky Day” calendar; blacklisted traffic; self-reporting
• Vulnerabilities: increased DLP alerts; asset exposure alerts; “clickiness” (spam filters)
• Targets: assign to risk categories based on business unit and type of data
• Consequences: compare to historical incidents of this type, or calibrated estimation; no consequence is possible
• Impacts: project impact; legal; multiple impacts possible
Indicator Sharing: decontextualized facts and numbers
204.100.5.31
64.53.232.100
A System for Shared Risk Using Common Scenario Ontology
Example Scenario: A malicious actor takes advantage of a vulnerability in phishing defense capability that results in a data leak of operational data that has a HIGH Service Delivery Impact.
[Figure: the same scenario tuple UE / Ph / OpD / Conf held by several parties, one of them with the consequence still unknown (Conf ?)]
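An illustrative sketch of “share changes in risk posture, not the data” built on the scenario ontology of the two slides above. This is an added example, not Emergent’s algorithm or product code: each organization keeps its raw metrics (DLP alert counts, spam-filter click rates) local, normalizes today’s value against its own history as a z-score, and shares only the agreed scenario code plus one “nervousness” figure; the receiving partner counts how many reporters are nervous about each scenario. The scenario codes are taken from the slide; the metric names, the two-standard-deviation threshold, the z-score cap and the three organizations’ numbers are constructed assumptions.

```python
import math
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Scenario:
    """One cell of the shared ontology: actor, vulnerability, target, consequence, impact,
    each as a short code agreed between the sharing parties."""
    actor: str          # e.g. "UE"   - untrusted external actor
    vulnerability: str  # e.g. "Ph"   - phishing defence capability
    target: str         # e.g. "OpD"  - operational data
    consequence: str    # e.g. "Conf" - confidentiality loss (leak)
    impact: str         # e.g. "Rep"  - reputation & legal

    def code(self) -> str:
        return "/".join((self.actor, self.vulnerability, self.target,
                         self.consequence, self.impact))


Z_CAP = 10.0               # assumption: bound extreme values so one metric cannot dominate
NERVOUS_THRESHOLD = 2.0    # assumption: two standard deviations above the org's own baseline


def z_score(history, current):
    """How unusual today's value is against this organisation's own history. Normalising
    per organisation is what makes a five-person shop and a bank comparable without
    either one disclosing its actual counts."""
    if len(history) < 2:
        raise ValueError("need at least two baseline observations")
    mu, sd = mean(history), pstdev(history)
    if sd == 0.0:  # flat baseline: any change at all is maximally unusual
        return 0.0 if current == mu else math.copysign(Z_CAP, current - mu)
    return max(-Z_CAP, min(Z_CAP, (current - mu) / sd))


def posture_report(scenario, metrics):
    """metrics: {metric_name: (history, current)} stays inside the organisation.
    Only the scenario code and a single normalised figure leave it."""
    z = max(z_score(hist, cur) for hist, cur in metrics.values())
    return {
        "scenario": scenario.code(),
        "nervousness": round(z, 2),
        "window": max(len(hist) for hist, _ in metrics.values()),
    }


def aggregate(reports, threshold=NERVOUS_THRESHOLD):
    """Partner side: per scenario, how many organisations reported and how many are nervous.
    This is the 'global' view assembled from purely local data."""
    out = {}
    for r in reports:
        entry = out.setdefault(r["scenario"], {"reporting": 0, "nervous": 0})
        entry["reporting"] += 1
        if r["nervousness"] >= threshold:
            entry["nervous"] += 1
    return out


# The slide's scenario: untrusted external actor, phishing, operational data, leak, reputation/legal.
PHISH_LEAK = Scenario("UE", "Ph", "OpD", "Conf", "Rep")

# Constructed sample data: three organisations of very different scale, seven-day baselines
# plus today's value. None of these numbers ever appears in a shared report.
ORG_METRICS = {
    "org_a": {"dlp_alerts": ([3, 4, 5, 4, 3, 5, 4], 12),
              "spam_click_rate": ([0.02, 0.03, 0.02, 0.02, 0.03, 0.02, 0.02], 0.03)},
    "org_b": {"dlp_alerts": ([40, 45, 50, 45, 40, 50, 45], 48),
              "spam_click_rate": ([0.01, 0.01, 0.02, 0.01, 0.01, 0.02, 0.01], 0.01)},
    "org_c": {"dlp_alerts": ([1, 0, 2, 1, 0, 1, 2], 6),
              "spam_click_rate": ([0.05, 0.04, 0.05, 0.05, 0.04, 0.05, 0.04], 0.11)},
}


def demo():
    """Each organisation builds its report locally; the partner aggregates the reports."""
    reports = [posture_report(PHISH_LEAK, m) for m in ORG_METRICS.values()]
    return reports, aggregate(reports)


if __name__ == "__main__":
    reports, summary = demo()
    for r in reports:
        print(r)
    print(summary)
```

Org B sees 48 DLP alerts against a baseline of 45, which is business as usual for it, while Org C’s 6 against a baseline of about 1 is alarming; absolute counts would rank them the other way round. The shared records carry neither count, only that two of three reporters are nervous about UE/Ph/OpD/Conf/Rep, which is the kind of context-bearing signal the slides argue raw indicators lack.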
Sharing Nervousness in the Risk Space
Dimensions: Actors, Vulnerabilities, Targets, Consequences, Impacts
Emergence and Swarm
Big impact from small changes. Finding context in uncertainty!
[Figure: Actor, Vuln and Target cells feeding “Nervous Data”]
SEE AROUND THE CORNER
Thank You!
Joel Benge – “Risk Evangelist”, Emergent Network Defense, joel@ENDsecurity.com
Finding Risk in the Data
• Emergent Algorithms: to measure small changes for big impacts
• Swarming Artificial Intelligence: using biomimicry to find high-risk scenarios