ISI Leaflet

Filling the gap in the Cyber Defence and SIEM standardisation fields

Currently, reference frameworks in the Cyber Defence and SIEM fields are often missing or are still very poor, thus hindering IT security controls benchmarking. As a result, we need IT security indicators, which are related to event classification models.

The objective of the ISI ISG is to overcome real-world difficulties on such matters (standards are often too technical, ill-positioned or not well structured), by relying on a strong vision, while at the same time focusing on standards’ implementation. In other terms, it is necessary to find the balance between security governance and pure technical work, in order to gain support from IT and security managers and decision makers. Experience gathering being key in this matter, the ETSI ISG ISI initiative (launched during fall 2011) is based on 4 years of hands-on experience as well as frameworks of the European network of Club R2GS “clone” grassroots user associations in Cyber Defence and SIEM (France, UK and Germany).

[Figure: “Address the full scope of main missing security event detection issues”. Labels in the diagram: Real events; Fake events (Simulation); Security prevention measures; Event detection measures; Event reaction measures; Detected events; Residual risk (event model-centric vision).]

Objectives of ISG ISI

The ISG ISI objectives are to address the full scope of main missing security event detection issues through 5 Work Items, while being strictly compliant to ISO 2700x IT security standards:

- ISI Indicators (ISI-001-1 and its associated Guide of use ISI-001-2), which is a powerful way to assess the level of effectiveness of security measures (through a full set of some 100 indicators),
- ISI Event Model (ISI-002), which is a comprehensive security event classification model covering incidents, vulnerabilities and nonconformities (with detailed taxonomy and representation),
- ISI Maturity (ISI-003), which aims at assessing the maturity level regarding overall event detection through dedicated KSPIs (technology/people/process) and at weighing event detection results,
- ISI Event Detection (ISI-004), which will demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with categories of use cases/symptoms),
- ISI Event Testing (ISI-005), which proposes a way to produce security events and to test the effectiveness of existing detection means.

The strength of these Group Specifications (GSs) lies in the fact that the first two are already in use in about 50 very big companies or organisations on a world-wide scale and have proven their effectiveness in several directions:

- Reconcile top-down (security governance) and bottom-up (IT ground operations) approaches, through clear event detection objectives unleashing all stakeholders’ convergent energies,
- Have a far more accurate knowledge of both threats and vulnerabilities through detailed state-of-the-art figures regarding the main types of security events (building up future advanced threat intelligence),
- Bring new information to decide the best trade-offs between IT security prevention and security event detection and response.

These contributions are decisive stepping stones on the way towards a truly professional and more mature “Dynamic IT security” (beyond Risk management and ISMS).

Description of the 5 Work Items

Dedicated to security operational indicators, the ISI-001-1 and ISI-001-2 Group Specifications provide a set of measurements offering relevant coverage, in order to provide management with a reasonable level of confidence as regards the continuous assessment of the organisation’s security settings. In addition, such indicators enable the analysis of figures among various advanced user organisations; and the feasibility of benchmarking (of the level of assurance and effectiveness of their security measures) based on these state-of-the-art figures has been proven, as the selected items lead to reasonably similar results depending on industries or organisations.

Closely related to the above-mentioned two specifications, GS ISI-002 aims at providing a full taxonomy to thoroughly describe all IT security events (and also some non-IT security events) and, based on it, to present an original classification model that leverages the current international best practices and allows for a range of diversified and powerful uses. Concerning these uses, there are clear connections with risk assessment method classifications, with operational risk models or classifications (such as Cobit or Basel 3), with continuous checking (based on such reference frameworks as the SANS CAG Consensus Audit Guidelines), with reference frameworks for reaction plans, and of course with security indicators in general. The taxonomy (especially the “what” and “how” aspects) is strongly related to GS ISI-005 on event detection testing.

ISI-003 GS aims at building a dedicated maturity model. The level of maturity in this area is among the weakest in IT security. It complements some of the US CAG reference framework critical controls. This is another missing piece in the overall event detection.

ISI-004 GS is the “engineering” part of the series, […] scale, based on hands-on experience and relying on […], and will present a comprehensive classification of the main symptoms/use cases to be sought after in systems traces in order to reveal stealthy incidents. Through examples of frequent security events, the goal is also to demonstrate some powerful means and methods of detection, […] ISI-005 (which is more in-depth and more focused on a case-by-case approach).

ISI-005 GS is the key for credibility and Return on Investments as it dramatically improves the event detection rates, which nowadays are very low for so many types of events. Being able to rely on precise testing scenarios for a typical set of security events is therefore of utmost importance to measure the performance of systems and tools.

A major contribution to world-wide standards

As shown in the figure below, this 5-part series complements all major existing standards with continuous assurance at the operational level, and with clear correspondence or compatibility with most of them.

[Figure: “ISI Work Items positioned against other standards”. Layers 1 to 4: Base (or technical) frameworks, Specific reference frameworks, Implementation frameworks, Global frameworks; columns: Whole specifications, Continuous assurance specifications. ISI items shown: Indicators, Event Model, Reaction Plans, Forensics, Glossary, … Security Table, Act Action Plans, Protect. Prof. Standards and frameworks shown alongside: ISO 27004 or NIST 800-55; ISO 27035 or NIST 800-61; ISO 27003 or NIST 800-37; ISO 27002 or NIST 800-53; ISO 15408; ISO 20000; Cobit V4.1; NIST 800-86; NIST 800-92; NIST 800-137; NIST 800-126 (SCAP); IETF RFC 2350; IETF RFC 3227; IETF RFC 4765/5070/6045/5424; MITRE CAPEC; MITRE CEE (CLS/CLR); US CAG; plus Projects, Security policy, Risk Analysis, Contracts, BCP and Phys. Sec.]

The various results stemming from the availability of this 5-part series will be the following:

- Across-the-board frameworks to be published in all industry sectors (which could complement the Mitre SCAP standard, which deals in particular with naming and categorising vulnerabilities and nonconformities),
- Establishment of dependable European state-of-the-art figures, with the possible build-up of centralised databases (getting therefore further than some existing large databases, such as DataLossDB or the Identity Theft Resource Center),
- Basis for a full set of metrics to evaluate the quality and actual effectiveness of security equipment (bringing closer the two different worlds of Cyber Defence and Product Certification).

Contact: Gerard Gaudin (Chairman of ISG ISI), Tel.: +33 6 78 79 56 16

http://www.etsi.org