ISG ISI (Information Security Indicators): ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva)
Gerard Gaudin (G²C), Chairman of ETSI ISG ISI, Geneva, 30 August 2013 (17 pages)

Mar 28, 2015

Transcript
Page 1: ISG ISI (Information Security Indicators)

ETSI ISG ISI Standardization (ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting in Geneva)

Gerard Gaudin (G²C), Chairman of ETSI ISG ISI, Geneva, 30 August 2013

Page 2: ISG ISI positioning against Risk Management and ISMS fields

Gerard Gaudin (ISG ISI chairman) – ITU-T SG17 Q4 and Q3/ETSI ISG ISI joint meeting – 30 August 2013

Figure (diagram, © Club R2GS): ISG ISI is placed at the intersection of three fields, with the PDCA steps shown against each. Labels as they appear in the diagram, grouped as far as the layout can be recovered:

Risk Management (ISO 27005)
- Check continuously risk evaluation results (Check)
- Checking of field situation regarding residual risks
- Security event criticality evaluation
- Through operational indicators (process, human, technical): controls relevancy

Controls and ISMS (ISO 27002/1 and Cobit)
- Dispatch and put into hierarchy the 133 ISMS control points depending on IS components (Plan and Do)
- Check continuously ISMS relevancy (Check)
- Remedy security gaps (Act)
- Implement key measures (Do)
- Deepen some ISMS controls (Do)

Cyber Defence and SIEM (ISO 27035 and new ISO, ITU-T and ETSI standards to come)
- « Event-model centric » vision
- Legal validity of evidence (forensics)
- Security event detection and processing (workflow)

Page 3: 5 closely linked Work Items

- ISI Indicators (ISI-001-1 and Guide ISI-001-2) = A powerful way to assess the level of enforcement and effectiveness of security controls (+ benchmarking)
- ISI Event Model (ISI-002) = A comprehensive security event classification model (taxonomy + representation)
- ISI Maturity (ISI-003) = Necessary to assess the maturity level regarding overall SIEM capabilities (technology/people/process) and to weigh event detection results. Methodology complemented by ISI-005 (which is a more detailed, case-by-case approach)
- ISI Event Detection (ISI-004) = Demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms)
- ISI Event Testing (ISI-005) = Propose a way to produce security events and to test the effectiveness of existing detection means (for major types of events)

Address the scope of the main missing security event detection standardization issues

Page 4: ISI Work Items Positioning

Figure (diagram; only its labels survive extraction, in this order): Real events; Security prevention measures; Event detection measures; ISI-005 Event Testing; Fake events (Simulation); Event reaction measures; Detected events; ISI-003 Maturity; ISI-004 Event Detection; Residual risk (event model-centric vision); ISI-002 Event Model; ISI-001-1 Indicators; ISI-001-2 Indicators.

Page 5: ISI Work Items positioned against other standards

Figure (diagram; the layout is not recoverable from the text, only its labels). Layers named in the figure, numbered 1 to 4: Global frameworks, Implementation frameworks, Base (or technical) frameworks, Specific reference frameworks, Continuous assurance specifications, Whole specifications.

Standards cited, grouped by layer as far as the extracted labels allow:
- Global frameworks: ISO 27002 or NIST 800-53; ISO 27004 or NIST 800-55; ISO 27035 or NIST 800-61; ISO 27003 or NIST 800-37
- Implementation frameworks: Security policy, Action Plans (Act), Reaction Plans, Event Model, Indicators, Forensics, Contracts, Projects, Phys. Sec., BCP, Risk Analysis, Protect. Prof., Security Table
- Base (or technical) and specific reference frameworks: MITRE CAPEC, ITU-T X.152X, NIST 800-126 (SCAP), MITRE CEE, Glossary, US CAG, IETF RFC 4765/5070/6045/5424, ITU-T E.409
- Continuous assurance specifications: NIST 800-92, NIST 800-137, ITU-T X.1205, IETF RFC 2350, NIST 800-86

ISI work items placed on the figure: ISI-001-1 Indicators, ISI-002 Event Model, ISI-003 Maturity, ISI-004 Event Detection, ISI-005 Event Testing.

Page 6: ISI-001 specifications (1)

- Switch from a qualitative to a quantitative culture in IT Security
- Scope of measurements (external and internal threats, attempt and success; users' deviant behaviours; non-conformities and/or vulnerabilities: software, configuration, behavioural, general security framework)
- Closely tied event classification model (ISI-002): rests on a comprehensive reference framework to define precisely the various security events making up the indicators
- Link with IT CIA risk
- Business-oriented security observatory (based on risk profiles)
- Statistical approach to be complemented by a major and rare risks approach (to be evaluated in a different way)
- Objective to reconcile top-down (security governance) and bottom-up (IT ground operations) approaches, and bring those 2 populations closer together

Page 7: ISI-001 specifications (2)

State-of-the-art associated figures: feasibility of the approach demonstrated by G²C based on an international sample of companies in 4 countries

| Indicator | State-of-the-art (by month) | Country deviation | Level of scattering | Level of detection imprecision | Reference industry base | Perimeter applicable to indicator | Source(s) | Periodicity |
|---|---|---|---|---|---|---|---|---|
| IEX_PHI.1 | 33 campaigns | Yes (only Fr & Ger) | 100 % against state-of-the-art (between -70 % and +50 %) | 1 | Standard | Standard | RSA + complementary figures on typology | Quarterly |
| IEX_DOS.1 | 0.008 DDoS attack | No | 80 % against state-of-the-art (between -50 % and +50 %) | 1 | Standard | By Web site | CSI and sample of 15 | Annual + quarterly tuning |
| IEX_MLW.4 | 1.5 malware successfully installed on servers | No | 80 % against state-of-the-art (between -35 % and +65 %) | 3 | Standard | By set of 10,000 servers | CSI and sample of 15 | Annual + quarterly tuning |
| VCF_UAC.3 | 6 non-compliant accounts | No | 50 % against state-of-the-art (between -60 % and +40 %) | 3 | Standard | By database or application | Sample of 15 | Quarterly |

Page 8: ISI-001 specifications (Companion Guide)

Position the proposed operational indicators against ISO 27002 controls and ISO 27006 technical controls = provide more assurance to governance and auditors

| ISO 27002 control areas | ISO 27006 technical control areas | Incident type indicators | Vulnerability (behavioural, software, configuration, general security) type indicators | Comments |
|---|---|---|---|---|
| A5 | | | | Non-continuous checking |
| A6 | | | | Purely organisational issues |
| A7 | | IWH_UNA.1 | VTC_NRG.1 VOR_PRT.1 | Information classification + asset management |
| A8 | x | IMF_LOM.1 IDB_UID.1 IDB_RGH.1 to 7 IDB_IDB.1 IDB_MIS.1 IDB_IAC.1 IDB_LOG.1 | VBH_PRC.1 to 6 VBH_IAC.1 to 2 VBH_FTR.1 to 3 VBH_WTI.1 to 6 VBH_PSW.1 to 3 VBH_RGH.1 VBH_HUW.1 to 2 | Focus on deviant internal behaviours |
| A9 | x | IEX_PHY.1 | VTC_PHY.1 | Marginal topic for a SIEM approach |
| ... | ... | ... | ... | ... |
| A15 | XX | IMF_TRF.2 to 3 | VBH_IAC.2 VBH_WTI.2 VBH_WTI.6 VBH_RGH.1 VCF_DIS.1 VCF_TRF.1 VCF_FWR.1 VCF_ARN.1 VCF_UAC.1 to 3 VTC_IDS.1 | Focus on configuration vulnerabilities or non-conformities |

Page 9: ISI-002 specifications (1)

- An event model reconciling ease of understanding and comprehensiveness with rigour
- Includes both a taxonomy (and a full dictionary) and a related representation model, ensuring easy use by all stakeholders and enabling the link with indicators
- Deals with incidents, vulnerabilities and non-conformities
- Deals with complex security incidents described as a combination of smaller elementary ones
- Is positioned at the appropriate level of abstraction (what and how) between 2 positions: causes, reasons or motivations behind security events (who), and IT CIA risks and associated impacts (what kind of consequences)

Page 10: ISI-002 specifications (2)

Event taxonomy and related representation

- Use of the taxonomy for incidents belonging to the "Intrusions and external attacks" category (example among the 7 categories)
- Representation model to classify and summarize (major factors for being well received and successful):
  - Be simple ("elevator test": less than one minute to explain ...)
  - Be structured according to incident causes and/or motivations
  - Be immediately understandable by both field IT security experts and top executives
  - Be detailed and accurate enough regarding malicious incidents
  - And last (but not least), clearly separate internal incidents from external incidents

Representation fields, illustrated for the "Malicious act / External agent" category (X = always filled):

| Field | Filled for this category |
|---|---|
| Who and/or Why | Malicious act / External agent |
| What | X (many choices) |
| How | Only sometimes |
| Status | X (incident attempt underway or incident success) |
| Which vulnerability(ies) is (are) being exploited | Only sometimes and when required for clarification |
| On what kind of asset | X (various choices) |
| With what CIA consequences | Only sometimes and when able to be determined |
| With what kind of impact | - |

Page 11: ISI-002 specifications (3)

The diversified uses of the event model (figure: the event model at the centre, 9 numbered uses around it; the numbering cannot be recovered from the text)

- SIEM
- Security event testing (detection effectiveness)
- Global and complete framework of reaction plans (ITIL compatible)
- Easier analysis of malicious activity and deviant behaviours (link with Counter Competitive Intelligence)
- Comparison with public reference statistical figures (by industry sector)
- More readable reports (based on a common framework of indicators)
- Easier link between SIEM and security policy and rules (ISO 27002) + link with Continuous Auditing (US CAG)
- Possible design of a risk database on top of a security event database
- Easier link between SIEM and risk assessment methods (EBIOS, OCTAVE, CRAMM, ...)
- Support for insurance offerings in cyber-risks

Consistency of the uses with each other thanks to the event model's pivotal role

Page 12: ISI-002 specifications (4)

ISI-001 and ISI-002 against the ISO 27004 standard measurement model

Figure (diagram; only its labels survive extraction): Event classification model (ISI-002); Counting of some events (ISI-001-1).
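The measurement chain sketched on this page and on page 7 (classify each event with the ISI-002 fields, count the events that fall under an indicator, normalise to the indicator's perimeter, compare with the state-of-the-art figure and its tolerance band) can be made concrete in code. The following Python is an added example written for this page; it is not code from ETSI ISG ISI, Club R2GS or the deck. Only the four figures for IEX_MLW.4 and VCF_UAC.3 (reference value, perimeter unit, tolerance band) come from the page 7 table; the Event and Indicator classes, the matching predicates, the sample events, the "detected" status used for a non-conformity and the optional detection_level division are assumptions. The deck says ISI-003 supplies a formula to weigh measurements by SIEM maturity but does not show it, so the linear scaling by detection_level here is a placeholder, not the ISI-003 method.

```python
"""Counting classified security events into ISI-001-style indicators.

Added example for this page; not code from ETSI ISG ISI or Club R2GS.
Field names loosely follow the ISI-002 representation columns. Reference
figures for IEX_MLW.4 and VCF_UAC.3 are the deck's illustrative ones;
everything else (classes, predicates, sample events, detection_level
scaling) is an assumption made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One classified event (incident attempt, incident success or non-conformity)."""
    who_why: str                  # cause/actor, e.g. "malicious act / external agent"
    what: str                     # elementary event type
    status: str                   # "attempt", "success", or "detected"
    asset: str                    # kind of asset concerned
    month: str                    # observation month, "YYYY-MM"
    how: Optional[str] = None     # exploited vulnerability, when known
    cia: Optional[str] = None     # C/I/A consequence, when known
    impact: Optional[str] = None  # business impact, when known


@dataclass(frozen=True)
class Indicator:
    """Which events to count, the perimeter unit, and the reference band."""
    ident: str
    matches: Callable[[Event], bool]
    per_assets: float   # normalise the count to this many assets
    reference: float    # state-of-the-art monthly value per perimeter unit
    low_pct: float      # lower tolerance relative to reference, e.g. -35.0
    high_pct: float     # upper tolerance relative to reference, e.g. +65.0

    def band(self) -> Tuple[float, float]:
        """Acceptable interval around the reference value."""
        return (self.reference * (1 + self.low_pct / 100),
                self.reference * (1 + self.high_pct / 100))


# Figures from the deck's table; the predicates are assumed for the example.
IEX_MLW_4 = Indicator(
    "IEX_MLW.4",
    lambda e: e.what == "malware installed" and e.status == "success" and e.asset == "server",
    per_assets=10_000, reference=1.5, low_pct=-35.0, high_pct=65.0)
VCF_UAC_3 = Indicator(
    "VCF_UAC.3",
    lambda e: e.what == "non-compliant account" and e.asset in ("database", "application"),
    per_assets=1, reference=6.0, low_pct=-60.0, high_pct=40.0)


def count_events(events: Iterable[Event], ind: Indicator, month: str) -> int:
    """Raw count of events matching the indicator in the given month."""
    return sum(1 for e in events if e.month == month and ind.matches(e))


def compute_indicator(events: Iterable[Event], ind: Indicator, month: str,
                      perimeter_size: float, detection_level: float = 1.0) -> float:
    """Normalised indicator value for one month.

    detection_level (0 < x <= 1) is an assumed fraction of real events the SIEM
    actually sees; dividing by it stands in for the ISI-003 weighting, whose
    real formula the deck does not show.
    """
    if perimeter_size <= 0:
        raise ValueError("perimeter_size must be positive")
    if not 0 < detection_level <= 1:
        raise ValueError("detection_level must be in (0, 1]")
    return count_events(events, ind, month) / perimeter_size * ind.per_assets / detection_level


def assess(value: float, ind: Indicator) -> str:
    """Position the measured value against the reference tolerance band."""
    low, high = ind.band()
    return "below band" if value < low else "above band" if value > high else "within band"


def _repeat(n: int, **fields) -> List[Event]:
    return [Event(**fields) for _ in range(n)]


EXT = "malicious act / external agent"
# Constructed sample events for a fictional organisation (not real data).
SAMPLE_EVENTS = (
    _repeat(4, who_why=EXT, what="malware installed", status="success", asset="server",
            month="2013-06", how="unpatched web application")
    + _repeat(1, who_why=EXT, what="malware installed", status="attempt", asset="server",
              month="2013-06")                                   # attempt only: not counted
    + _repeat(1, who_why=EXT, what="malware installed", status="success", asset="workstation",
              month="2013-06")                                   # outside perimeter: not counted
    + _repeat(27, who_why="non-conformity / internal", what="non-compliant account",
              status="detected", asset="database", month="2013-06")
    + _repeat(2, who_why=EXT, what="malware installed", status="success", asset="server",
              month="2013-05")                                   # other month: not counted
)


def report(month: str = "2013-06", servers: int = 25_000, databases: int = 3,
           detection_level: float = 1.0) -> Dict[str, Tuple[float, str]]:
    """Indicator values and band position for the sample perimeter."""
    out = {}
    for ind, size in ((IEX_MLW_4, servers), (VCF_UAC_3, databases)):
        value = compute_indicator(SAMPLE_EVENTS, ind, month, size, detection_level)
        out[ind.ident] = (round(value, 3), assess(value, ind))
    return out


if __name__ == "__main__":
    for ident, (value, verdict) in report().items():
        print(f"{ident}: {value} ({verdict})")
    # A SIEM assumed to see only half of the real events pushes the same raw
    # counts above the band: this is why the deck insists on maturity weighting.
    print(report(detection_level=0.5))
```

With the sample perimeter (25,000 servers, 3 databases) the four successful server malware installs give 1.6 per 10,000 servers, inside the -35 %/+65 % band around 1.5, while 27 non-compliant accounts over 3 databases give 9 per database, above the +40 % bound of 8.4. The attempt, the workstation infection and the May events are deliberately excluded by the predicates, which is the practical point of a precise event taxonomy: two organisations only get comparable indicator values if they count the same things.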

Page 13: ISI-003 specifications

- The mandatory taking into account of the organization's SIEM maturity level
- A good security event detection level (still often very low today) requires many conditions (tools appropriately configured, advanced processes especially for use case creation, seasoned experts)
- This overall maturity level can be assessed accurately through 10 KPIs (with a clear correspondence with the 20 US CAG Critical Controls)
- Provision (with these KPIs) of a reckoning formula to assess an organization's detection levels for major kinds of security events (and to weigh the results of its own measurements)
- This methodology may be complemented by a more dedicated, case-by-case one based on the production of security events and testing of the effectiveness of existing detection means (for major types of events)

Page 14: ISI-004 specifications

- Guidelines to implement effective security incident detection means are missing and required
- Security incident detection levels are still too low (cf. website intrusions, stealthy malware, APTs, ...) when monitoring installed systems
- Among various reasons, detection is focused too exclusively on purely technical issues and top-down approaches are lacking (reference to challenging statistical figures)
- Need for a comprehensive classification of effective symptoms/hints/artifacts/use cases (or indicators of compromise) to be sought in IT system traces: the only means to spot often stealthy incidents
- Give some examples of frequent, poorly detected security events in order to illustrate some powerful means and methods of detection
- More conceptual than technical specifications

Page 15: ISI-005 specifications

- Guidelines to stimulate security events are missing and required (same motivations as ISI-003)
- Objective: testing of detection means and tools during development and deployment phases (lab and in-operation situations), and measurement of their effectiveness
- Stimulate existing detection means with relevant events (see ISI-002): try/perform fake incidents (to be identified/counted); introduce vulnerabilities (to be identified/counted)
- Will rest on existing test patterns (cf. DIAMONDS project), with provision of catalogs (methods, configurations, scenarios)
- Could also be used for penetration testing
- More technical than conceptual specifications

Page 16: ISG ISI schedule

- Several standards already available
- ISG ISI started in Autumn 2011; members of the Unit and of the 5 Work Items are European and US experts
- ISI Indicators (ISI-001-1 and ISI-001-2 Companion Guide) and ISI Event Model (ISI-002) were published last April
- ISI Maturity (ISI-003) will be available by the end of 2013
- ISI Event Detection (ISI-004) will be available by the end of 2013
- ISI Event Testing (ISI-005) started at the beginning of 2013

Page 17: Dissemination of ISG ISI specifications

- Specifications already proven (sometimes in use for more than 4 years)
- Release notably through the network of Club R2GS associations in Europe (France, UK, Germany, ...), which is structured around ISG ISI specifications: ISI-001-1/-2 and ISI-002 already in use in more than 50 very large organizations in Europe (including government agencies and Ministries), within the banking industry in France, ...
- Release through ETSI members
- Liaison with ISO JTC1 SC 27 WG4
- Basis for the constitution of large databases in Europe: independent IT security observatories providing dependable state-of-the-art figures for indicators
- This will constitute a genuine step forward for the profession (within 2 to 3 years) ...