ISG ISI (Information Security Indicators) ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva) Gerard Gaudin (G²C)

Slide 1: ISG ISI (Information Security Indicators)
ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva)
Gerard Gaudin (G²C), Chairman of ETSI ISG ISI
Geneva – 30 August 2013

Slide 2: ISG ISI positioning against Risk Management and ISMS fields (diagram)

Slide 3: 5 closely linked Work Items
- ISI Indicators (ISI and Guide ISI-001-2) = a powerful way to assess the level of enforcement and effectiveness of security controls (+ benchmarking)
- ISI Event Model (ISI-002) = a comprehensive security event classification model (taxonomy + representation)
- ISI Maturity (ISI-003) = necessary to assess the maturity level of overall SIEM capabilities (technology/people/process) and to weigh event detection results. Methodology complemented by ISI-005 (which is a more detailed, case-by-case approach)
- ISI Event Detection (ISI-004) = demonstrates through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms)
- ISI Event Testing (ISI-005) = proposes a way to produce security events and to test the effectiveness of existing detection means (for major types of events)
Together these address the main missing standardization issues in security event detection.

Slide 4: ISI Work Items Positioning (diagram)
Elements shown in the figure: security prevention measures, event detection measures and event reaction measures; real events, fake events (simulation) and detected events; residual risk (event model-centric vision). ISI Work Items placed in the figure: ISI Indicators, ISI-002 Event Model, ISI-003 Maturity, ISI-004 Event Detection, ISI-005 Event Testing.

Slide 5: ISI Work Items positioned against other standards (diagram)
Layers shown in the figure: global frameworks, implementation frameworks, base (or technical) frameworks, specific reference frameworks, whole specifications, glossary, security table, continuous assurance specifications. Security process elements named in the figure: security policy, risk analysis, action plans, reaction plans, forensics, contracts, projects, physical security, BCP, protection profiles, event model, indicators. Standards named in the figure: ISO or NIST, NIST (SCAP), MITRE CAPEC, MITRE CEE, US CAG, ITU-T X.152X, ITU-T X.1205, ITU-T E.409, IETF RFC 2350, IETF RFC 4765/5070/6045/5424. ISI Work Items placed in the figure: ISI Indicators, ISI-002 Event Model, ISI-003 Maturity, ISI-004 Event Detection, ISI-005 Event Testing.

Slide 6: ISI-001 specifications (1)
Switch from a qualitative to a quantitative culture in IT Security
- Scope of measurements: external and internal threats (attempt and success), users' deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework)
- Closely tied to the event classification model (ISI-002)
- Rests on a comprehensive reference framework to define precisely the various security events making up the indicators
- Link with IT CIA risk
- Business-oriented security observatory (based on risk profiles)
- Statistical approach to be complemented by a major and rare risks approach (to be evaluated in a different way)
- Objective: reconcile top-down (security governance) and bottom-up (IT ground operations) approaches, and reduce the distance between these 2 populations

Slide 7: ISI-001 specifications (2)
State-of-the-art associated figures = feasibility of the approach demonstrated by G²C based on an international sample of companies in 4 countries

| Indicator | State-of-the-art (by month) | Country deviation | Level of scattering | Level of detection imprecision | Reference industry base | Perimeter applicable to indicator | Source(s) | Periodicity |
|---|---|---|---|---|---|---|---|---|
| IEX_PHI.1 | 33 campaigns | Yes (only Fr & Ger) | 100 % against state-of-the-art (between -70 % and +50 %) | 1 | Standard | | RSA + complementary figures on typology | Quarterly |
| IEX_DOS.1 | 0,008 DDoS attack | No | 80 % against state-of-the-art (between -50 % and +50 %) | 1 | Standard | By Web site | CSI and sample of 15 | Annual + quarterly tuning |
| IEX_MLW.4 | 1,5 malware successfully installed on servers | No | 80 % against state-of-the-art (between -35 % and +65 %) | 3 | Standard | By set of 10,000 servers | CSI and sample of 15 | Annual + quarterly tuning |
| VCF_UAC.3 | 6 not compliant accounts | No | 50 % against state-of-the-art (between -60 % and +40 %) | 3 | Standard | By database or application | Sample of 15 | Quarterly |

Slide 8: ISI-001 specifications (Companion Guide)
Position the proposed operational indicators against ISO controls and ISO technical controls = provide more assurance to governance and auditors

| ISO control areas / ISO technical control areas | Incident type indicators | Vulnerability (behavioural, software, configuration, general security) type indicators | Comments |
|---|---|---|---|
| A5 | | | Non-continuous checking |
| A6 | | | Purely organisational issues |
| A7 | IWH_UNA.1 | VTC_NRG.1, VOR_PRT.1 | Information classification + asset management |
| A8x | IMF_LOM.1, IDB_UID.1, IDB_RGH.1 to 7, IDB_IDB.1, IDB_MIS.1, IDB_IAC.1, IDB_LOG.1 | VBH_PRC.1 to 6, VBH_IAC.1 to 2, VBH_FTR.1 to 3, VBH_WTI.1 to 6, VBH_PSW.1 to 3, VBH_RGH.1, VBH_HUW.1 to 2 | Focus on deviant internal behaviours |
| A9x | IEX_PHY.1 | VTC_PHY.1 | Marginal topic for a SIEM approach... |
| A15XX | IMF_TRF.2 to 3 | VBH_IAC.2, VBH_WTI.2, VBH_WTI.6, VBH_RGH.1, VCF_DIS.1, VCF_TRF.1, VCF_FWR.1, VCF_ARN.1, VCF_UAC.1 to 3, VTC_IDS.1 | Focus on configuration vulnerabilities or non-conformities |

Slide 9: ISI-002 specifications (1)
An event model reconciling ease of understanding and comprehensiveness with rigor
- Includes both a taxonomy (and a full dictionary) and a related representation model, ensuring easy use by all stakeholders and enabling the link with indicators
- Deals with incidents, vulnerabilities and non-conformities
- Deals with complex security incidents described as a combination of smaller elementary ones
- Is positioned at the appropriate level of abstraction (what and how) between 2 positions:
  - Causes, reasons or motivations behind security events (who)
  - IT CIA risks and associated impacts (what kind of consequences)

Slide 10: ISI-002 specifications (2)
Event taxonomy and related representation
- Use of the taxonomy for incidents belonging to the Intrusions and external attacks category (example among the 7 categories)
- Representation model to classify and summarize (major factors for being well received and successful):
  - Be simple (elevator test: less than one minute to explain...)
  - Be structured according to incidents' causes and/or motivations
  - Be immediately understandable by both field IT security experts and top executives
  - Be detailed and accurate enough regarding malicious incidents
  - And last (but not least), clearly separate internal incidents from external incidents

| Who and/or Why | What | How | Status | Which vulnerability(ies) is (are) being exploited | On what kind of asset | With what CIA consequences | With what kind of impact |
|---|---|---|---|---|---|---|---|
| Malicious act / External agent | X (many choices) | Only sometimes | X (incident attempt underway or incident success) | Only sometimes and when required for clarification | X (various choices) | Only sometimes and when able to be determined | - |

Slide 11: ISI-002 specifications (3)
The diversified uses of the event model (diagram)

Slide 12: ISI-002 specifications (4)
ISI-001 and ISI-002 against the ISO standard measurement model (diagram)

Slide 13: ISI-003 specifications
The mandatory taking into account of the organization's SIEM maturity level
- A good security event detection level (still often very low today) requires many conditions (tools appropriately configured, advanced processes especially for use case creation, seasoned experts)
- This overall maturity level can be assessed accurately through 10 KPIs (with a clear correspondence with the 20 US CAG Critical Controls)
- Provision (with these KPIs) of a reckoning formula for an organization to assess its detection levels for major kinds of security events (and to weigh the results of its own measurements)
- This methodology may be complemented by a more dedicated, case-by-case one based on the production of security events and testing of the effectiveness of existing detection means (for major types of events)

Slide 14: ISI-004 specifications
Guidelines to implement effective security incident detection means are missing and required
- Security incident detection levels are still too low (cf. Website intrusions, stealthy malware, APTs, ...) when monitoring installed systems
- Among various reasons, detection is focused too exclusively on purely technical issues and top-down approaches are lacking (reference to challenging statistical figures)
- Need for a comprehensive classification of effective symptoms/hints/artifacts/use cases (or indicators of compromise) to be sought in IT system traces = the only means to spot often stealthy incidents
- Give some examples of frequent poorly detected security events in order to illustrate some powerful means and methods of detection
- More conceptual than technical specifications

Slide 15: ISI-005 specifications
Guidelines to stimulate security events are missing and are required (same motivations as ISI-003)
- Objective: testing of detection means and tools during development and deployment phases (lab and in-operation situations), and measurement of their effectiveness
- Stimulate existing detection means by relevant events (see ISI-002):
  - Try/perform fake incidents (to be identified/counted)
  - Introduce vulnerabilities (to be identified/counted)
- Will rest on existing test patterns (cf. DIAMONDS project), with provision of catalogs (methods, configurations, scenarios)
- Could also be used for penetration testing
- More technical than conceptual specifications

Slide 16: ISG ISI schedule
Several standards already available
- ISG ISI started in Autumn 2011 = members of the Unit and of the 5 Work Items are European and US experts
- ISI Indicators (ISI and ISI Companion Guide) and ISI Event Model (ISI-002) were published last April
- ISI Maturity (ISI-003) will be available by the end of 2013
- ISI Event Detection (ISI-004) will be available by the end of 2013
- ISI Event Testing (ISI-005) started at the beginning of 2013

Slide 17: Dissemination of ISG ISI specifications
Specifications already proven (sometimes in use for more than 4 years)
- Release notably through the network of Club R2GS associations in Europe (France, UK, Germany, ...), which is structured around ISG ISI specifications = ISI-001-1/-2 and ISI-002 already in use in more than 50 very large organizations in Europe (including government agencies and Ministries), within the banking industry in France, ...
- Release through ETSI members
- Liaison with ISO JTC1 SC 27 WG4
- Basis for the constitution of large databases in Europe = independent IT security observatories providing dependable state-of-the-art figures for indicators
- This will constitute a genuine step forward for the profession (within 2 to 3 years)...
