Thursday, December 8, 2011

Proactive Detection of Network Security Incidents

EU Agency ENISA launches report on proactive detection of cyber security incidents to make “digital fire-brigades” more effective.The Agency launches a report which identifies 16 shortcomings in detection of network security incidents. The report reveals that not all available tools are used widely enough by the ‘’digital fire-brigades’’, the Computer Emergency Response Teams (CERTs) to effectively fight cyber threats. Therefore, the Agency issues 35 recommendations to data providers, data consumers, and at EU/national levels to mitigate the shortcomings.

The study has identified that the CERTs are currently not fully utilizing all possible external sources at their disposal. Similarly, many CERTs neither collect, nor share incident data about other constituencies with other CERTs. This is concerning, as information exchange is key to effectively combating malware and malicious activities, which is extremely important in fighting cross-border cyber threats.

The 16 shortcomings in detection of incidents are examined in depth. Top technical gaps include insufficient data quality (false positives in provided data, poor timeliness of delivery), lack of standard formats, tools, resources and skills. The most important legal problem involves privacy regulations and personal data protection laws that hinder information exchange.

35 recommendations to mitigate the shortcomings
For data providers, the key recommendations focus on how to better reach CERTs, better data format, distribution, as well as data quality improvement. For data consumers, they include additional activities by a CERT to verify the quality of data feeds, and specific deployments of new technologies recommended. Finally, at the EU or national level balancing of the privacy protection and security needs is necessary, as well as facilitating the adoption of common formats, integration of statistical incident data, and research into data leakage reporting.

Proactive detection of incidents is the discovery of malicious activity, before the complaints and incident reports about it are received. As such, it is a cornerstone for an efficient CERT services portfolio. It can greatly boost a CERT’s efficiency in operations, thus strengthening CERT’s Incident Handling capability which is one of the core services of national / governmental CERTs.

The report production was commissioned to CERT Polska / NASK.Authors: Katarzyna Gorzelak, Tomasz Grudziecki, Paweł Jacewicz, Przemysław Jaroszewski, Łukasz Juszczyk, Piotr Kijewski (CERT Polska / NASK).Editor/contributor: Agris Belasovs (ENISA)