A Collaborative Analysis System for Cross-organization Cyber Incident Handling

Giuseppe Settanni, Florian Skopik, Yegor Shovgenya, Roman Fiedler

2016

Abstract

Information and Communication Technology (ICT) systems are predominant in today’s energy, finance, transportation and telecommunications infrastructures. Protecting such Critical Infrastructures (CIs) against modern cyber threats and respond to sophisticated attacks is becoming as complex as essential. A synergistic and coordinated effort between multiple organizations is required in order to tackle this kind of threats. Incidents occurring in interconnected critical infrastructures can be effectively handled only if a cooperation plan between different stakeholders is in place. Organizations need to cooperatively exchange security-relevant information in order to obtain a broader knowledge on the current cyber situation of their infrastructures and timely react if necessary. National cyber Security Operations Centers (SOCs), as proposed by the European NIS directive, are being established worldwide to achieve this goal. Critical infrastructure providers are asked to report to the national SOCs about security issues revealed in their networks. National SOCs correlate all the gathered data, analyze it and eventually provide support and mitigation strategies to the affiliated organizations. Although most of these tasks can be automated, human involvement is still necessary to enable SOCs to adequately take decisions on occurring incidents and quickly implement counteractions. In this paper we therefore introduce and evaluate a semi-automated analysis engine for cyber incident handling. The proposed approach, named CAESAIR (Collaborative Analysis Engine for Situational Awareness and Incident Response), aims at supporting SOC operators in collecting significant security-relevant data from various sources, investigating on reported incidents, correlating them and providing a possible interpretation of the security issues affecting concerned infrastructures.

References

  1. AIRBUS (2014). CYMERIUS - Security Management Tool. http://www.defenceandsecurityairbusds.com/web/guest/1299.
  2. ENISA (2013a). Cybersecurity cooperation: Defending the digital frontline.
  3. ENISA (2013b). Detect, share, protect. Technical report, EU Agency for Network and Information Security.
  4. ENISA (2013c). Technical Guideline on Incident Reporting.
  5. German Federal Office for Information Security (2014). German it crisis management webpage. https://www.bsi.bund.de/EN/Topics/IT-CrisisManagement/itcrisismanagement node.html.
  6. Government of Canada - Cyber Security (2014). Canadian cyber incidents response center homepage. http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbrscrt/ccirc-ccric-eng.aspx.
  7. IBM (2013). Combat the latest security attacks with global threat intelligence.
  8. Kaufmann, H., Hutter, R., Skopik, F., and Mantere, M. (2014). A structural design for a pan-european early warning system for critical infrastructures”. In Elektrotechnik und Informationstechnik. Springer.
  9. National Cyber Security Center - Ministry of Security and Justice - Netherlands (2014). Dutch cyber security center homepage. https://www.ncsc.nl/english/.
  10. NETFLIX (2015). Introducing FIDO: Automated Security Incident Response.
  11. Reichl, J., Schmidthaler, M., and Schneider, F. (2013). The value of supply security: The costs of power outages... Energy Economics, 36:256-261.
  12. Sackman, H. (1974). Delphi assessment: Expert opinion, forecasting and group process. An Experiment in Probabilistic Forecasting.
  13. Settanni, G., Skopik, F., Fiedler, R., and Shovgenya, Y. (2015). A blueprint for a pan-european cyber incident analysis system”. In Proceedings of 3rd International Symposium for ICS and SCADA Cyber Security Research, pages 84-88.
  14. Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8):16-19.
Download


Paper Citation


in Harvard Style

Settanni G., Skopik F., Shovgenya Y. and Fiedler R. (2016). A Collaborative Analysis System for Cross-organization Cyber Incident Handling . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 105-116. DOI: 10.5220/0005688301050116


in Bibtex Style

@conference{icissp16,
author={Giuseppe Settanni and Florian Skopik and Yegor Shovgenya and Roman Fiedler},
title={A Collaborative Analysis System for Cross-organization Cyber Incident Handling},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={105-116},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005688301050116},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - A Collaborative Analysis System for Cross-organization Cyber Incident Handling
SN - 978-989-758-167-0
AU - Settanni G.
AU - Skopik F.
AU - Shovgenya Y.
AU - Fiedler R.
PY - 2016
SP - 105
EP - 116
DO - 10.5220/0005688301050116