Periodic Reporting for period 2 - SMESEC (Protecting Small and Medium-sized Enterprises digital technology through an innovative cyber-SECurity framework)
Periodo di rendicontazione: 2018-06-01 al 2020-05-31
SMEs are an attractive target for malicious hackers. They have more digital assets and information than an individual, but less security than a large enterprise. If we add that SMEs have usually no expertise or resources for cybersecurity, it is a recipe for disaster. Examples can be found just by having a quick look at internet and checking news (and struggles) of SMEs against cyberattacks. Additionally, cybersecurity solutions are usually expensive for them or do not provide a good solution for their needs. This problem is also usually a major inhibitor for start-up innovation in the EU. In this situation, SMESEC aims to provide a solution that supports SMEs in these issues. The key pillars can be divided in three areas: i) to provide a cybersecurity framework with state-of-the-art; ii) make the solution cost-effective and adaptive to SME needs; iii) offer cybersecurity awareness and training courses available for SMEs.
As we developed the SMESEC solution we always bear in mind the need to provide high degree of usability and automation, adequate degree of cyber situational awareness and control for end-users, incorporating the “human factor” in the design process, and following existing relevant best practices and adoption of standards, tailored to SMEs and individuals.
Due to the constantly increasing number of SMEs willing to address cyber-security issues and establish certain safeguards and defensive countermeasures, the SMESEC project needs to follow a specific set of actions towards providing a holistic security framework. The first set of action points is no other than a thorough ecosystem analysis, paired with the design and development of activities aiming to assemble the various components partners contribute into a unified solution.
Therefore, our main objectives are: (i) creation of an automated cyber-security assessment engine, capable of high level personalization and intelligent vulnerability categorization and analysis, (ii) the aforementioned automated cyber-security assessment, including user behaviour monitoring and reputation analysis, will offer feedback to SMEs and users for any type of vulnerability or improper behaviour of users, (iii) the alignment of the SMESEC innovations with international links and standardization bodies will eliminate decoupling between security solution development and the state-of-the-art, resulting in inexpensive and effective security recommendations.
As we developed the SMESEC solution we always bear in mind the need to provide high degree of usability and automation, adequate degree of cyber situational awareness and control for end-users, incorporating the “human factor” in the design process, and following existing relevant best practices and adoption of standards, tailored to SMEs and individuals.
Due to the constantly increasing number of SMEs willing to address cyber-security issues and establish certain safeguards and defensive countermeasures, the SMESEC project needs to follow a specific set of actions towards providing a holistic security framework. The first set of action points is no other than a thorough ecosystem analysis, paired with the design and development of activities aiming to assemble the various components partners contribute into a unified solution.
Therefore, our main objectives are: (i) creation of an automated cyber-security assessment engine, capable of high level personalization and intelligent vulnerability categorization and analysis, (ii) the aforementioned automated cyber-security assessment, including user behaviour monitoring and reputation analysis, will offer feedback to SMEs and users for any type of vulnerability or improper behaviour of users, (iii) the alignment of the SMESEC innovations with international links and standardization bodies will eliminate decoupling between security solution development and the state-of-the-art, resulting in inexpensive and effective security recommendations.
The work performed in this period covers from M13 to M36. That is, from June 1st 2018 to May 31st 2020. In this second period, which covers the second and third year of the project we have focused in technical development of the SMESEC Framework, tools, integration, testing, etc. together with dissemination and exploitation activities.
WP3: the objective of this WP was to work in the architectural and technical elements of the project.
WP4: this task was mostly done in the second year of the project and was very useful for working in the integration of the SMESEC Framework in the pilots. We defined a common methodology to follow by all the use case partners and synchronized it with the planned development of the SMESEC Framework.
WP5: The main objective of this WP was to perform the testing and evaluation of the SMESEC Framework by the use case partners.
WP6: the work in this WP focused in three different areas: dissemination, exploitation and standardization.
WP3: the objective of this WP was to work in the architectural and technical elements of the project.
WP4: this task was mostly done in the second year of the project and was very useful for working in the integration of the SMESEC Framework in the pilots. We defined a common methodology to follow by all the use case partners and synchronized it with the planned development of the SMESEC Framework.
WP5: The main objective of this WP was to perform the testing and evaluation of the SMESEC Framework by the use case partners.
WP6: the work in this WP focused in three different areas: dissemination, exploitation and standardization.
The innovation done in SMESEC focuses in two different areas: on the one hand the innovations done in the tools provided by the partners and on the other hand the SMESEC Framework.
Regarding the tools, in the first year of the project we have performed an analysis of the current status of the market according to each technology of the tools. The areas we have identified are: encryption, business continuity/disaster recovery, data loss prevention, governance, risk management and compliance, security information and event management, intrusion detection and prevention systems, distributed DDoS, web application firewall, application security testing, secure web gateway, unified service gateway, endpoint detection and response, endpoint protection platforms, deception technology, cloud access security brokers, user entity behaviour analytics, software-defined security, and identity and access management. We are aware other areas exist also in the market but, due to the large list of areas of cybersecurity and their application, we preferred to focus in the ones we can support/improve in the project. Once we identified these areas we performed an analysis of the state of the art of different solutions that exist in the market in these areas. The analysis allowed us to identify gaps in the market both from the cybersecurity and functional point of view. This was the basis for studying how better we can fulfil the needs of SMEs in these areas. Once this was finished, all partners started studying how they will improve/extend/refine their tools in order to allow better functionalities and performance for SMEs. We compiled the information and updated the graph of solutions with our planned solutions. This have been very helpful to understand how SMESEC will contribute and improve the cybersecurity areas identified at the initial phase of the project. The study, process and results are described in D2.1.
The other pillar of innovation SMESEC brings is in the SMESEC Framework. The framework aims to provide a platform that provides many different cybersecurity tools for protecting, enhancing and creating businesses for SMEs. It was very important to know how we could achieve this for any type of SME, bearing in mind their constraints. They are very critical and need to be taken into account for the architecture and development, as they have an impact on it (e.g. as-a-service or on-premises tools, integration between the tools, deployment in devices, alarms and recommendations for cybersecurity, etc.). In order to identify how to have a better impact and innovation in the project we started analysing the pilots of the project in terms of functionality, user experience, etc. This was extended with the information of innovation and impact of the tools we are doing in the project, so both elements were aligned. Therefore, the areas we plan to focus for the SMESEC Framework are: simplicity (decrease usual complexity of cybersecurity tools), protection (offer protection similar or better than existing solutions in the market), cost-effectiveness (cost of the tools, functionalities and framework must be keep as low as possible, probably studying different strategies for its use), training and awareness (apart from technical aspects, SMESEC must offer also training and awareness strategies, material and courses to complement the cybersecurity solutions of the project), and interconnection (provide a good communication and interconnection of tools, both for existing ones and also have the possibility for adding new ones not included in the project). More information about innovation of the SMESEC Framework can be found in D3.1
Regarding the tools, in the first year of the project we have performed an analysis of the current status of the market according to each technology of the tools. The areas we have identified are: encryption, business continuity/disaster recovery, data loss prevention, governance, risk management and compliance, security information and event management, intrusion detection and prevention systems, distributed DDoS, web application firewall, application security testing, secure web gateway, unified service gateway, endpoint detection and response, endpoint protection platforms, deception technology, cloud access security brokers, user entity behaviour analytics, software-defined security, and identity and access management. We are aware other areas exist also in the market but, due to the large list of areas of cybersecurity and their application, we preferred to focus in the ones we can support/improve in the project. Once we identified these areas we performed an analysis of the state of the art of different solutions that exist in the market in these areas. The analysis allowed us to identify gaps in the market both from the cybersecurity and functional point of view. This was the basis for studying how better we can fulfil the needs of SMEs in these areas. Once this was finished, all partners started studying how they will improve/extend/refine their tools in order to allow better functionalities and performance for SMEs. We compiled the information and updated the graph of solutions with our planned solutions. This have been very helpful to understand how SMESEC will contribute and improve the cybersecurity areas identified at the initial phase of the project. The study, process and results are described in D2.1.
The other pillar of innovation SMESEC brings is in the SMESEC Framework. The framework aims to provide a platform that provides many different cybersecurity tools for protecting, enhancing and creating businesses for SMEs. It was very important to know how we could achieve this for any type of SME, bearing in mind their constraints. They are very critical and need to be taken into account for the architecture and development, as they have an impact on it (e.g. as-a-service or on-premises tools, integration between the tools, deployment in devices, alarms and recommendations for cybersecurity, etc.). In order to identify how to have a better impact and innovation in the project we started analysing the pilots of the project in terms of functionality, user experience, etc. This was extended with the information of innovation and impact of the tools we are doing in the project, so both elements were aligned. Therefore, the areas we plan to focus for the SMESEC Framework are: simplicity (decrease usual complexity of cybersecurity tools), protection (offer protection similar or better than existing solutions in the market), cost-effectiveness (cost of the tools, functionalities and framework must be keep as low as possible, probably studying different strategies for its use), training and awareness (apart from technical aspects, SMESEC must offer also training and awareness strategies, material and courses to complement the cybersecurity solutions of the project), and interconnection (provide a good communication and interconnection of tools, both for existing ones and also have the possibility for adding new ones not included in the project). More information about innovation of the SMESEC Framework can be found in D3.1