Security teams need greater cyber defence capabilities to raise their level of awareness of the risk posed by cyberattacks and to improve their capacity to respond to threats. An EU initiative has developed a comprehensive solution to improve an organisation’s ongoing awareness of the risk to its business operations.

Digital Economy

Security

Lack of manpower combined with an overwhelming number of increasingly sophisticated attacks make cyber defence extremely difficult. Computer security incidence response teams (CSIRTs) struggle to keep up. “They need ways to distinguish the critical alerts that pose the greatest risk to their business from the background noise of low-level, low-priority alerts,” says Brian Lee, coordinator of the EU-funded PROTECTIVE project. “They also need to develop a better understanding of their adversary’s behaviour, capability and intent to move from their current reactive approach to cybersecurity to a more proactive security posture.” Lee continues: “CSIRTs are increasingly required to look outwards as well as inwards in acquiring and processing the threat intelligence (TI) needed to develop such a proactive detection capability.” Adopting a proactive security stance increases CSIRTs’ competence in discovering malicious activity in their given domain before damage is inflicted.

Boosting CSIRT threat awareness

The PROTECTIVE team developed a comprehensive solution to raise organisational cyber situational awareness (CSA). It did so by enhancing security alert correlation and prioritisation, linking the relevance/criticality of an organisation’s assets to its business/mission and establishing a TI sharing community. “These three elements are tightly woven to provide an integrated CSA platform that was developed initially for CSIRTs in the national research and educational network internet service provider community and later for SMEs,” explains Lee. To achieve CSA, project partners developed a fully open-source security situational awareness manager. It’s applicable to any enterprise type or sector, and gives CSIRTs real-time capability in capturing, correlating, analysing and visualising security alerts. It comes with software connector interfaces to many device types such as honeypots, firewalls, intrusion detection systems and custom connectors. Any other type of device or sensor can easily be added.

Improved security monitoring and increased TI sharing

PROTECTIVE also allows CSIRTs to capture and model computer assets under their supervision. Using the context awareness subsystems, an organisation can identify its key business goals and define the relationship between these goals, its vital information and computer assets. In this way, the solution assigns a priority to each asset. This information is combined with near-real-time scoring of the vulnerability levels of different assets. These two features help to rank critical alerts based on the potential damage the attack can inflict on the threatened assets and to the organisation’s business. High-impact alerts that target important hosts will have a higher priority than other alerts. PROTECTIVE enhances this alerting capability through real-time sharing of actionable cyber TI security alerts between CSIRTs in different organisations. It enables CSIRTs to have a broader awareness of cyber activities beyond just their own organisation. This in turn will help CSIRTs in attaining proactive detection and prevention of ongoing cybercrime activities. “Thanks to PROTECTIVE’s powerful open-source platform, CSIRTs and organisations are better prepared to handle incoming attacks, malware outbreaks and other security issues, and to guide the development of prevention and remediation procedures,” concludes Lee.

Keywords

PROTECTIVE, CSIRT, assets, security alert, cybersecurity, critical alerts, cyberattack, threat intelligence, cyber situational awareness