Periodic Reporting for period 2 - SHIELD (Securing against intruders and other threats through a NFV-enabled environment)
Reporting period: 2017-09-01 to 2019-02-28
The ambition of SHIELD is to contribute towards addressing these challenges by designing and implementing an integrated framework for next-generation security-as-a-service (SecaaS) offerings.
Towards this aim, the SHIELD approach combines Network Functions Virtualisation (NFV), Big Data Analytics and Trusted Computing (TC), in order to provide an extensible, adaptable, fast, low-cost and trustworthy cybersecurity solution. It aims at delivering cybersecurity as an integrated service of virtual network infrastructures, which can be tailored for Internet Service Providers (ISPs) and enterprise customers, including SMEs, on equal terms. Virtualised Network Security Functions (vNSFs) provide software instantiations of security appliances that can be dynamically deployed into a network infrastructure. In line with the NFV concept, and going beyond traditional cloud-based SecaaS offers, vNSFs can be distributed within the network infrastructure close to the user/customer. This makes it possible to optimise resource allocation, minimise costs and reduce incident response time.
Furthermore, SHIELD envisages that data and logs from vNSFs are aggregated and fed into an information-driven Intrusion Detection and Prevention System (IDPS) platform called the Data Analysis and Remediation Engine (DARE), featuring analytical components capable of predicting specific vulnerabilities and attacks. The DARE leverages state-of-the-art Big Data technologies in order to collect, store and process data from vNSFs and translate them into adversarial options, behaviours and intents. By centralising events and logs from multiple vNSFs, the DARE maintains the "big picture" of the network infrastructure status; thus it can infer events which cannot be detected by the individual vNSFs, and dynamically propose actions so as to automatically mitigate them.
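The following is an added example, not SHIELD project code, illustrating the "big picture" point above: a detector that runs on each vNSF's own view of the traffic never fires, but the same detector over the centralised stream does. The log line format, the vNSF names (fw-a, fw-b, fw-c), the sample traffic, the threshold of five distinct targets per 60 seconds and the remediation structure are all constructed assumptions for the example.

```python
"""Cross-vNSF correlation in the spirit of the DARE (added example, not SHIELD code).

Each vNSF only sees the traffic on its own segment. A source that probes a few
hosts behind every vNSF stays under a per-vNSF threshold, but crosses it once
the events are centralised.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed log line format for the example (constructed, not a real vNSF format):
#   "<vnsf_id> <epoch_seconds> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<vnsf>\S+) (?P<ts>\d+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample data: one external source probing SSH on hosts behind
# three different firewall vNSFs (2-3 hosts each), plus benign traffic.
SAMPLE_LOGS = """\
fw-a 1000 DENY src=203.0.113.7 dst=10.0.1.10 dport=22
fw-a 1003 DENY src=203.0.113.7 dst=10.0.1.11 dport=22
fw-b 1005 DENY src=203.0.113.7 dst=10.0.2.10 dport=22
fw-a 1006 ALLOW src=198.51.100.5 dst=10.0.1.80 dport=443
fw-c 1009 DENY src=203.0.113.7 dst=10.0.3.10 dport=22
fw-a 1012 DENY src=203.0.113.7 dst=10.0.1.12 dport=22
fw-b 1015 DENY src=203.0.113.7 dst=10.0.2.11 dport=22
fw-a 1020 ALLOW src=198.51.100.5 dst=10.0.1.80 dport=443
fw-c 1024 DENY src=203.0.113.7 dst=10.0.3.11 dport=22
fw-c 1030 DENY src=203.0.113.7 dst=10.0.3.12 dport=22
this line is malformed and must be skipped
""".splitlines()


@dataclass(frozen=True)
class Event:
    vnsf: str
    ts: int
    action: str
    src: str
    dst: str
    dport: int


def parse_lines(lines):
    """Parse log lines into Events, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["vnsf"], int(m["ts"]), m["action"],
                            m["src"], m["dst"], int(m["dport"])))
    return events


def scanning_sources(events, threshold=5, window=60):
    """Return {src: distinct_targets} for sources whose DENY events reach
    `threshold` distinct (dst, dport) targets within any `window`-second span."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.action == "DENY":
            by_src[ev.src].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window = Counter()  # (dst, dport) -> occurrences inside the window
        left = 0
        for right, ev in enumerate(evs):
            in_window[(ev.dst, ev.dport)] += 1
            # Slide the left edge so every counted event fits in the window.
            while evs[right].ts - evs[left].ts > window:
                key = (evs[left].dst, evs[left].dport)
                in_window[key] -= 1
                if in_window[key] == 0:
                    del in_window[key]
                left += 1
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def per_vnsf_alerts(events, **kw):
    """What each vNSF would detect on its own, isolated view of the traffic."""
    by_vnsf = defaultdict(list)
    for ev in events:
        by_vnsf[ev.vnsf].append(ev)
    return {v: scanning_sources(evs, **kw) for v, evs in by_vnsf.items()}


def dare_alerts(events, **kw):
    """The same detector over the centralised stream, as a DARE-style engine would run it."""
    return scanning_sources(events, **kw)


def propose_remediation(events, flagged):
    """Hypothetical mitigation proposal (assumed structure): block each flagged
    source on every vNSF that observed it."""
    actions = []
    for src in sorted(flagged):
        vnsfs = sorted({ev.vnsf for ev in events if ev.src == src})
        actions.append({"action": "block", "src": src, "apply_on": vnsfs})
    return actions


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    print("per-vNSF view:", per_vnsf_alerts(evs))  # no vNSF flags anything
    print("DARE view:    ", dare_alerts(evs))      # {'203.0.113.7': 8}
    print("proposed:     ", propose_remediation(evs, dare_alerts(evs)))
```

The per-vNSF view sees at most three distinct targets per source and stays silent; the aggregated view sees eight and proposes a block on all three vNSFs. In a real deployment the threshold, window and the choice of which vNSFs to push the rule to would come from the analytics layer and the MANO stack rather than being hard-coded as here.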
Last but not least, in order to address the security issues associated with software-based infrastructures such as SDN/NFV, SHIELD uses Trusted Computing (TC) mechanisms to attest the software-defined network infrastructure, the virtualised security appliances (vNSFs) and the underlying infrastructure, protecting them against unauthorised modifications.
The SHIELD virtual security infrastructure can either be used by the ISP internally for network monitoring and protection, or be offered as-a-service to ISP customers; for this purpose, SHIELD establishes a "vNSF Store", i.e. a repository of available virtual security functions (firewalls, DPIs, content filters etc.) from which the ISP customers can select the ones which best match their needs and deploy them to protect their infrastructure. This approach promotes openness and interoperability of security functions and offers an affordable, zero-CAPEX security solution for citizens and SMEs.
- The candidate use cases of the SHIELD framework were defined, identifying the involved stakeholders and the value chain, leading to a set of technical requirements.
- The implementation phase followed, focusing on the two main subsystems of the SHIELD framework, i.e. the DARE and the vNSF ecosystem (including the Attestation framework).
- System integration and testing followed several iterative cycles, putting together all components and assembling/verifying the end-to-end SHIELD framework.
- The evaluation and assessment phase was also carried out during the final phase of the project, including realistic lab-based usage scenarios, assessment in pre-operational conditions (under real traffic), as well as targeted demos with external stakeholders.
- Last, with respect to the communication and exploitation part, the communication activities included public online channels, articles in international conferences and journals, participations in exhibitions and targeted speeches. The exploitation activities included an analysis of the market landscape, the positioning of SHIELD, as well as a concrete business plan accompanied by a thorough techno-economic analysis.
Overall, the project has produced three main distinct results, in terms of technical development:
- The Data Analysis and Remediation Engine (DARE).
- The vNSF Ecosystem, consisting of the vNSFs and the vNSF management and orchestration (MANO) stack.
- The attestation framework, consisting of both hardware and software components.
All of the above results are jointly developed foreground, and most of them have been publicly released as open-source software.
The envisaged impact of SHIELD includes:
- Addressing all expected impacts targeted by the EC Work Programme (better management of cybersecurity information sources; more effective vulnerability remediation; enhanced prevention and detection; reducing the impact of incidents; increasing the level of awareness and preparedness)
- Improving the innovation capacity and fostering the integration of new knowledge, by enabling third-party services and algorithms to be easily integrated into the SHIELD system
- Offering competitive advantages for key stakeholders (telecom operators, ISPs, vendors, SMEs, cybersecurity agencies) by promoting the creation of an open ecosystem for cybersecurity infrastructure and services
- Bringing clear benefits to society, by efficiently and effectively combating cybercrime and by improving intelligence operations within the network rather than at the endpoints, whose level of protection mostly depends on the expertise of the end user/individual citizen.