PROTECTIVE

Introduction

PROTECTIVE is a Security Situational Awareness Manager (SSAM) that enables CSIRTs adopt a proactive risk management posture. The system is intended for National Research Education Network (NREN) Computer Security Incident Response Teams (CSIRTs) initially to understand, correlate, prioritize and share cyber threat intelligence for enhanced decision-making capabilities.

We aim to provide NRENs with improved security alert management capabilities, through uses of meta alerts, alerts that summarise many threats and incidents in order to understand the bigger picture of the threat landscape, provide better context awareness and enhance existing cyber threat intelligence sharing capabilities through automation while remaining General Data Protection Regulation (GDPR) compliant

The  monitoring, analytics and cyber threat intelligence (CTI) sharing capabilities of the PROTECTIVE SSAM were utilised  by participants during the second project  pilot.  Participants found CTI sharing to be a positive experience as it gave them an increased cyber threat situational awareness. SME participants reported that PROTECTIVE enabled them to take a more proactive approach to threat detection.

PROTECTIVE concentrated on starting exploitation from the NRENs and progressively expanding to other domains including a critical infrastructure operator, Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs)– and ultimately, reaching SMEs (clusters of SMEs managed by MSPs). Twenty-five CSIRT-like organisations were contacted for pilot two, with six committing to the pilot, and another ten engaging with the pilot to varying degrees e.g. through webinars and email conversation. These included two NRENs from Africa. Our observations noted that SMEs do not have the expertise in-house to deal with cyber security and hence would not be a direct target of the project. One MSSP has processed shared TI from PROTECTIVE and leveraged context aware information to enrich the services they provide downstream to MSPs and SMEs. 

Who is the project designed for?

Public Computer Security Incident Response Teams (CSIRTs), initially targeting NRENs.
Managed Security Service Providers (MSSPs).

The end-users are security operation centre operators and analysts that make decisions based on cyber threat intelligence and alerts generated internally.

How is your project benefitting the end-user?

Enhancing cyber threat intelligence sharing through:

• Applying Correlation and Prioritization methods w.r.t. your own constituency.
• Computational Trust, being able to score confidence about the data received.
• Automation, by moving away from solely relying on email ticket systems to share cyber threat intelligence.
• GDPR compliance through development of run-time monitoring.
• MSSPs will be able to benefit CTI from NRENs in order to protect SMEs from the latest observed threats.
• Integration with MISP communities

Please briefly describe the results your project achieved so far

A community of NREN active users (of the PROTECTIVE ecosystem) has been established.

PROTECTIVE demonstrated new capabilities in production environments, including creating a community of threat intelligence sharing CSIRTs,  information sharing compliance,  improved situational awareness and integration with MISP communities. The tool delivered can be assessed overall to be at TRL level 7.

PROTECTIVE's approach to Pilot activities has been recommended for use by other H2020 projects. Pilot planning distinguished between ‘demos’, ‘testbeds, ‘field trials’, ‘monitoring’ and ‘pilots’. For pilot execution, PROTECTIVE was deployed at several CSIRTs and a TI sharing community was created. Feedback was gathered from different types of users including NRENs, MSSP/MSP SMEs, Enterprise and a Critical infrastructure. The approach captured both opinions and performance of the tool in use.

PROTECTIVE used a staged approach to introducing and implementing the Ethics framework to address data privacy concerns, and minimise data protection risks.  . An information sharing compliance tool was included in the PROTECTIVE platform and where appropriate, data protection entities (such National Data Protection Agencies), were informed of PROTECTIVE's approach to data privacy.

What are the next steps for your project?

To increase the potential for technology take-up, PROTECTIVE has been open-sourced with extensive documentation for ease of deployment and to enable further development. To reduce the reluctance in sharing data, a new information sharing compliance module is included in PROTECTIVE. To increase impact further, connectors have been prototyped to demonstrate interoperability of PROTECTIVE with MISP communities. Moreover to carry-on the results beyond the project, the core PROTECTIVE community – consisting of internal NRENs – has expressed the willingness to continue sharing TI data.