Community Research and Development Information Service - CORDIS


PROTECTIVE Report Summary

Project ID: 700071
Funded under: H2020-EU.3.7.

Periodic Reporting for period 1 - PROTECTIVE (Proactive Risk Management through Improved Cyber Situational Awareness)

Reporting period: 2016-09-01 to 2017-08-31

Summary of the context and overall objectives of the project

It seems nowadays that every time we read the paper or scan a news site that some new computer security incident (“cybercrime”) has taken place. No one is safe: individuals, small and large businesses and even governments are targeted.

Computer emergency response teams (CERTs) monitor computer networks to attempt to detect these attacks due to the huge volume of alerts. They need ways to distinguish critical security alerts that pose the greatest risk to their business. This obliges them increasingly to look outwards to other organisations as well as inwards – i.e. to their own organisation - to acquire and process the threat intelligence (TI) needed to develop such a proactive detection capability
The PROTECTIVE project aims to provide CERTs with the tools required to improve their level of cyber situational awareness (CSA) . It will do this by developing a framework to categorise and rank critical alerts based on the potential damage the attack can inflict on the organisations business. This framework will gather and integrate relevant information including computers criticality and vulnerability exposure to enable automated event prioritisation. High impact alerts that target or affect important computers will have a higher priority than other events.

PROTECTIVE will improve proactive detection through enhanced security monitoring based on the use of Big-Data analytics for the collection, correlation, prioritisation and visualisation of data from multiple sources. It will promote sharing of threat intelligence between organisations that operate in the same sector and who often have similar missions

PROTECTIVE will apply these enhancements to both public CERTs and Small to Medium Enterprise (SME) communities. As such the PROTECTIVE system will be targeted in the first instance at the National Research and Educational Network (NREN) CERT community during the project for evaluation and validation.. Alert correlation, automated prioritisation and visualisation have been identified as essential needs to address -- all of these are within the scope of PROTECTIVE. PROTECTIVE will develop a CSA platform that will integrate existing toolsets with bespoke developed components to provide comprehensive tool support for the above identified needs. A successfully developed PROTECTIVE system will thus have an immediate and clear impact in the public CERT community.
In order to verify the effectiveness of the PROTECTIVE approach and pipeline the project will conduct two experimental evaluation pilots during the course of the project involving both NREN members and the SME community. The evaluation will focus primarily on the NREN CERT community. This is motivated in large part by demand from the public domain including CERT communities such as national and NREN CERTSs. Our initial market assessment indicates that threat intelligence sharing is a more feasible project output to explore for the SME community. The SME pilot will therefore consider which aspects of threat intelligence are likely to be most useful for that community. Specific evaluation criteria will be defined for each pilot, with help from stakeholders, to assess the effectiveness of the deployment
The operation of the PROTECTIVE system in the NREN ecosystem is shown in the diagram below. It shows the TI sharing between NREN's and the details of a PROTECTIVE monitoring node in each NREN constituency.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The project has developed an initial version of the PROTECTIVE system. This is based on the use of the already existing open source security management platform Mentat ( and Warden ( from consortium partner CESNET. These two systems are extended with additional software components for system and sensor statistical analysis and for assessing the importance of computer assets to the mission of the organisation. These systems are currently being integrated into a seamless security management platform for risk monitoring and threat intelligence sharing. During this period also the project has developed an overall architecture for the long term development of the PROTECTIVE monitoring and threat intelligence sharing and subsystem design and development has started.
The main results include

1. Definition of a conceptual model for NREN CERT workflows as well as requirements and scenario for overall system.
2. Research and design of analytics components and subsystems including meta-alert correlation and prioritisation
3. Defined an asset based risk assessment process to determine asset criticality
4. Investigated the state of the art of threat intelligence sharing mechanisms. Released first version of TI sharing based on Warden
5. Investigated and selection of Mentat and Warden as base technology components for PROTECTIVE.
6. Published 5 scientific articles

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

Although still in its early phase the project has made several contributions to extending the state of the art including
1. The definition of a methodology to enable CERTS to conduct an asset based risk assessment to determine asset criticality
2. Design of a generic security operations workflow for NREN CERTs
3. Development of a family of threat sharing architectures for the NREN community
4. Publications of a number of papers on varied aspects of the project work including the use of blockchains for trusted collaboration between threat management actors, the use of security situational awareness as a factor in risk based access control etc.

Expected result until the end of the project
1. A completed (Meta) Alert Prioritisation Analytics system integrated with the PROTECTIVE framework. Additionally A range of alert processing analytics functions including
o System and sensor Data Statistics
o Time Series and Trend Monitoring

2. A completed Assets Criticality and Vulnerability management system that interwork with NREN inventory management systems and the Analytics functions in PROTECTIVE
3. A completed Threat Intelligence sharing platform based on Warden and Mentat that works for both peer-to-peer and centralised hub architectures. This system will contain some specific subsystems
o A compliance module that check outgoing data for compliance with certain GDPR criteria.
o A Trust management module that estimates trust metrics for incoming alerts.
4. A Threat Intelligence poral that supports effective security management for SME’s
5. A complete and integrated PROTECTIVE framework with the above applications attached and designed to be extendable
6. A successfully completed NREN pilot that verifies and validates the operation of the PROTECTIVE system.

PROTECTIVE will provide solutions for public domain CERTs and SME’s who both have needs outside the mainstream of security solution provision. This has created a shortfall, clearly articulated by ENISA, of tools with the required analytical and visualisation capabilities to enable public CERT provide optimised services to their constituency. SME’s also are vulnerable to cybercrime as they have limited resources to protect themselves and often a limited understanding of what needs to be done. PROTECTIVE will provide the NREN solution as a n open-source platform to achieve greater impact by facilitating increased security monitoring and threat intelligence sharing. uptake. PROTECTIVE will also create a commercial version for to address security solutions in the commercial market.

Related information

Follow us on: RSS Facebook Twitter YouTube Managed by the EU Publications Office Top