Presentation is loading. Please wait.

Presentation is loading. Please wait.

ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva) Gerard Gaudin (G²C) Chairman of ETSI ISG ISI Geneva – 30 August.

Similar presentations

Presentation on theme: "ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva) Gerard Gaudin (G²C) Chairman of ETSI ISG ISI Geneva – 30 August."— Presentation transcript:

1 ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva)
Gerard Gaudin (G²C) Chairman of ETSI ISG ISI Geneva – 30 August 2013

2 ISG ISI positioning against Risk Management and ISMS fields

3 5 closely linked Work Items
Address the scope of main missing security event detection standardization issues 5 closely linked Work Items ISI Indicators (ISI and Guide ISI-001-2) = A powerful way to assess security controls level of enforcement and effectiveness (+ benchmarking) ISI Event Model (ISI-002) = A comprehensive security event classification model (taxonomy + representation) ISI Maturity (ISI-003) = Necessary to assess the maturity level regarding overall SIEM capabilities (technology/people/process) and to weigh event detection results. Methodology complemented by ISI-005 (which is a more detailed and case by case approach) ISI Event Detection (ISI-004) = Demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms) ISI Event Testing (ISI-005) = Propose a way to produce security events and to test the effectiveness of existing detection means (for major types of events)

4 ISI Work Items Positioning
Event reaction measures ISI-005 Event Testing Fake events (Simulation) ISI-003 Maturity Security prevention measures Real events Event detection measures Detectedevents Residual risk (event model-centric vision) ISI -004 Event Detection ISI-002 Event Model ISI Indicators ISI Indicators

5 ISI Work Items positioned against other standards
Whole specifications Continuous assurance specifications 4 Global frameworks ISO or NIST ISO or NIST 3 ISO or NIST ITU-T E.409 ISO or NIST Implementation frameworks ITU-T X.1205 IETF RFC 2350 US CAG NIST NIST 2 ISI-003 Maturity Security Table Security policy Act Action Plans Indicators ISI Indicators Specific reference frameworks ISI Indicators Protect. Prof. ISI -002 Event Model Risk Analysis BCP Reaction Plans Event Model MITRE CAPEC NIST MITRE CEE Projects Contracts Phys. Sec. Forensics Glossary ISI-005 Event Testing ISI-004 Event Detection 1 Base (or technical) frameworks IETF RFC 4765/ 5070/6045/5424 NIST (SCAP) ITU-T X.152X

6 ISI-001 specifications (1)
Switch from a qualitative to a quantitative culture in IT Security Scope of measurements (External and internal threats – attempt and success –, user’s deviant behaviours, nonconformities and/or vulnerabilities – software, configuration, behavioural, general security framework) Closely tied event classification model (ISI-002) Rest on a comprehensive reference framework to define precisely the various security events making up the indicators Link with IT CIA risk Business-oriented security observatory (based on risk profiles) Statistical approach to be complemented by major and rare risks approach (to be evaluated in a different way) Objective to reconcile top-down (security governance) and bottom-up (IT ground operations) approaches, and bring closer the distance between those 2 populations

7 ISI-001 specifications (2)
State-of-the-art associated figures = feasibility of the approach demonstrated by G²C based on an international sample of companies in 4 countries State-of-the-art (by month) Country devia-tion Level of scattering Level of detection imprecision Refe-rence industry base Perimeter applicable to indicator Source (s) Perio-dicity IEX_ PHI.1 33 cam-paigns Yes (only Fr & Ger) 100 % against state-of-the-art (between -70 % and +50 %) 1 Standard RSA + comple mentary figures on typology Quarterly IEX_ DOS.1 0,008 DDoS attack No 80 % against state-of-the-art (between -50 % and +50 %) By Web site CSI and sample of 15 Annual + quartterly tuning IEX_ MLW.4 1,5 malware successfully installed on servers 80 % against state-of-the-art (between -35 % and +65 %) 3 By set of 10,000 servers VCF_ UAC.3 6 not compliant accounts 50 % against state-of-the-art (between -60 % et +40 %) By database or application Sample of 15

8 ISI-001 specifications (Companion Guide)
Position the proposed operational indicators against ISO controls and ISO technical controls = provide more assurance to governance and auditors ISO control areas ISO technical control areas Incident type indicators Vulnerability (behavioural, software, configuration, general security) type indicators Comments A5 Non-continuous checking A6 Purely organisational issues A7 IWH_UNA.1 VTC_NRG VOR_PRT.1 Information classification + asset management A8 x IMF_LOM IDB_UID IDB_RGH.1 to IDB_IDB IDB_MIS IDB_IAC IDB_LOG.1 VBH_PRC.1 to VBH_IAC.1 to VBH_FTR.1 to VBH_WTI. 1 to VBH_PSW.1 to VBH_RGH VBH_HUW.1 to 2 Focus on deviant internal behaviours A9 IEX_PHY.1 VTC_PHY.1 Marginal topic for a SIEM approach ... A15 XX IMF_TRF.2 to 3 VBH_IAC VBH_WTI VBH_WTI VBH_RGH VCF_DIS VCF_TRF VCF_FWR VCF_ARN VCF_UAC.1 to VTC_IDS.1 Focus on configuration vulnerabilities or non- conformities

9 ISI-002 specifications (1)
An event model reconciling ease of understanding and comprehensiveness with rigor Includes both a taxonomy (and a full dictionary) and a related representation model – ensuring easy use by all stakeholders and enabling the link with indicators Deals with incidents, vulnerabilities and non-conformities Deals with complex security incidents described as a combination of smaller elementary ones Is positioned at the appropriate level of abstraction (what and how) between 2 positions = Causes, reasons or motivations behind security events (who) IT CIA risks and associated impacts (what kind of consequences)

10 ISI-002 specifications (2)
Event taxonomy and related representation Use of the taxonomy for incidents belonging to “Intrusions and external attacks” category (example among the 7 ones) Representation model to classify and summarize (Major factors for being well received and successful) = Be simple (“elevator test” with less than one minute to explain ...) Be structured according to incidents causes and/or motivations Be immediately understandable by both field IT security experts and top executives Be detailed and accurate enough regarding malicious incidents And last (but not the least), clearly separate internal incidents from external incidents Who and/or Why What How Status Which vulnera-bility(ies) is (are) been exploited On what kind of asset With what CIA consequences With what kind of impact Malicious act / External agent X (many choices) Only sometimes X (incident attempt underway or incident success) Only sometimes and when required for clarification X (various choices) Only someti-mes and when able to be determined -

11 ISI-002 specifications (3) The diversified uses of the event model

12 ISI-002 specifications (4)
ISI-001 and ISI-002 against the ISO standard measurement model

13 ISI-003 specifications The mandatory taking into account of the organization’s SIEM maturity level A good security event detection level (still often very low today) requires many conditions (tools appropriately configured, advan-ced processes especially for use case creation, seasoned experts) This overall maturity level can be assessed accurately through 10 KPIs (with a clear correspondence with the 20 US CAG Critical Controls) Provision (with these KPIs) of a reckoning formula to assess its detection levels with major kinds of security events (and to weigh the results of its own measurements) This methodology may be complemented by a more dedicated and case by case one based on the production of security events and testing of the effectiveness of existing detection means (for major types of events)

14 ISI-004 specifications Guidelines to implement effective security incident detection means are missing and required Security incident detection levels are still too low (Cf. Website intru-sions, stealthy malware, APTs, ...) when monitoring installed systems Among various reasons, detection is focused too exclusively on pure technical issues and top-down approaches are lacking (reference to challenging statistical figures) Need for a comprehensive classification of effective symptoms/ hints/artifacts/use cases (or indicators of compromise) to be sought after in IT system traces = the only mean to spot often stealthy incidents Give some examples of frequent poorly detected security events in order to illustrate some powerful means and methods of detection More conceptual than technical specifications

15 ISI-005 specifications Guidelines to stimulate security events are missing and are required (same motivations as ISI-003) Objective of testing of detection means and tools during development and deployment phases (lab and in-operation situations), and of measurement of their effectiveness Stimulate existing detection means by relevant events (see ISI-002) Try/perform fake incidents (to be identified/count) Introduce vulnerabilities (to be identified/count) Will rest on existing test patterns (Cf. DIAMONDS project), with provision of catalogs (methods, configurations, scenarios) Could also be used for penetration testing More technical than conceptual specifications

16 Several standards already available
ISG ISI schedule Several standards already available ISG ISI started in Autumn 2011 = Members of the Unit and of the 5 Work Items are European and US experts ISI Indicators (ISI and ISI Companion Guide) and ISI Event Model (ISI-002) have been published last April ISI Maturity (ISI-003) will be available by the end of 2013 ISI Event Detection (ISI-004) will be available by the end of 2013 ISI Event Testing (ISI-005) started at the beginning of 2013

17 Specifications already proven (sometimes in use for more than 4 years)
Dissemination of ISG ISI specifications Specifications already proven (sometimes in use for more than 4 years) Release notably through the network of Club R2GS associations in Europe (France, UK, Germany, ...), which is structured around ISG ISI specifications = ISI-001-1/-2 and ISI-002 already in use in more than 50 very large organizations in Europe (including government agencies and Ministries), within the banking industry in France, ... Release through ETSI members Liaison with ISO JTC1 SC 27 WG4 Basis for the constitution of large data bases in Europe = Independent IT security observatories providing dependable state-of-the-art figures for indicators This will constitute a genuine step forward for the profession (within 2 to 3 years) ...

Download ppt "ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva) Gerard Gaudin (G²C) Chairman of ETSI ISG ISI Geneva – 30 August."

Similar presentations

Ads by Google