PROTECTIVE is designed to improve an organisation's ongoing awareness of the risk posed to its business by cyber security attacks. The project makes two key contributions to achieve this enhanced situational awareness. Firstly, it increases the computer security incident response team's (CSIRT) threat awareness through improved security monitoring and increased sharing of threat intelligence between organisations within a community. Secondly, it ranks critical alerts based on the potential damage the attack can inflict on the threatened assets and hence on the organisation's business. High-impact alerts that target important hosts will have a higher priority than other alerts. Through the combination of these two measures, organisations are better prepared to handle incoming attacks, malware outbreaks and other security problems, and to guide the development of their prevention and remediation processes.
Contribution and influence to the future Horizon Europe
One of the key challenges that Europe will face in the coming years is further strengthening cybersecurity resilience. Thus the "cybersecurity package" was adopted by the EC in 2017, with a subsequent proposal for the creation of a European Cybersecurity Competence Centre. The competence centre will establish cybersecurity industrial policy by supporting activities related to both R&D and market deployment. PROTECTIVE provides effective tools that are already close to market and will support these goals. By open-sourcing core project results, PROTECTIVE provides a stable environment for the development of new, market-centric services, while allowing for close collaboration between academia and industry.
PROTECTIVE delivers the first open-sourced, out-of-the-box Security Situational Awareness Manager (SSAM). It enables CSIRTs to actively engage in all phases of the security situational awareness lifecycle and thus adopt a more proactive security posture. PROTECTIVE provides threat detection through the provision of security alert source connectors, threat intelligence sharing and meta-alert correlation capabilities; risk comprehension through organisational context awareness (which maps organisational goals to computing infrastructure to identify critical assets) and meta-alert prioritisation features; and attack projection through the application of advanced machine learning techniques.
PROTECTIVE's advanced security situational awareness capabilities will enable CSIRTs to quickly assess the security risk of their constituency in real time. They will be able to share and view network security alerts from many sources and utilise the PROTECTIVE advanced meta-alert correlation features to reduce the number of significant alerts they need to consider. They can import an asset inventory and combine it with correlated meta-alerts to quickly zoom in on the most critical attacks. PROTECTIVE's statistical alert handling will enable them to comprehensively analyse and visualise incoming alerts and project future trends.
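The two mechanisms described above, correlating raw alerts from several sources into meta-alerts and then ranking those meta-alerts by the business criticality of the targeted host, can be illustrated with a small worked example. The code below is an added illustration written for this page, not PROTECTIVE's own implementation: the alert and asset data model, the ten-minute correlation window, the "severity times criticality" scoring formula and all sample alerts, hosts and sensor names are constructed assumptions.

```python
"""Added example: correlate raw alerts into meta-alerts and rank them by the
business criticality of the targeted asset, so that alerts hitting important
hosts get a higher priority. Illustrative code written for this page, not the
PROTECTIVE project's implementation; data model, scoring formula and sample
data are constructed assumptions."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One raw alert as an alert-source connector might deliver it."""
    source: str          # sensor or sharing partner that produced the alert
    ts: datetime
    dst_host: str        # hostname of the threatened asset
    category: str        # e.g. "bruteforce", "malware", "scan"
    severity: int        # 1 (low) .. 5 (high), as assigned by the source


@dataclass
class Asset:
    """Organisational context: what the host is for and how critical it is."""
    host: str
    business_service: str
    criticality: int     # 1 (expendable) .. 5 (business-critical)


@dataclass
class MetaAlert:
    dst_host: str
    category: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    max_severity: int = 0
    sources: set = field(default_factory=set)
    priority: int = 0    # filled in by prioritise()


def correlate(alerts, window=timedelta(minutes=10)):
    """Merge alerts sharing (host, category) that arrive within `window`
    of the meta-alert's first alert into a single meta-alert."""
    meta, open_meta = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.dst_host, a.category)
        m = open_meta.get(key)
        if m is None or a.ts - m.first_seen > window:
            m = MetaAlert(a.dst_host, a.category, a.ts, a.ts)
            meta.append(m)
            open_meta[key] = m
        m.count += 1
        m.last_seen = a.ts
        m.max_severity = max(m.max_severity, a.severity)
        m.sources.add(a.source)
    return meta


def prioritise(meta_alerts, inventory, unknown_criticality=1):
    """Rank meta-alerts: priority = max severity x asset criticality.
    Hosts missing from the inventory get a low default so they are not
    silently dropped but do not outrank known critical assets."""
    by_host = {a.host: a for a in inventory}
    for m in meta_alerts:
        asset = by_host.get(m.dst_host)
        m.priority = m.max_severity * (asset.criticality if asset else unknown_criticality)
    return sorted(meta_alerts, key=lambda m: (m.priority, m.count), reverse=True)


# Constructed sample data (hostnames, sensors and alerts are invented).
T0 = datetime(2024, 1, 1, 9, 0)
INVENTORY = [
    Asset("payroll-db", "HR payroll", criticality=5),
    Asset("www-frontend", "Public website", criticality=3),
    Asset("test-vm", "Developer sandbox", criticality=1),
]
ALERTS = [
    Alert("ids-A", T0, "test-vm", "malware", 5),
    Alert("ids-A", T0 + timedelta(minutes=1), "payroll-db", "bruteforce", 3),
    Alert("partner-CSIRT", T0 + timedelta(minutes=4), "payroll-db", "bruteforce", 4),
    Alert("ids-B", T0 + timedelta(minutes=5), "www-frontend", "scan", 2),
    Alert("ids-A", T0 + timedelta(minutes=6), "unknown-host", "malware", 4),
    # 29 minutes after the first payroll-db alert: outside the window, new meta-alert
    Alert("ids-B", T0 + timedelta(minutes=30), "payroll-db", "bruteforce", 2),
]


def ranked_report(alerts=ALERTS, inventory=INVENTORY):
    """Correlate, prioritise and return (host, category, count, priority) rows."""
    ranked = prioritise(correlate(alerts), inventory)
    return [(m.dst_host, m.category, m.count, m.priority) for m in ranked]


if __name__ == "__main__":
    for row in ranked_report():
        print(row)
```

Note how the single high-severity malware alert on the expendable test-vm ends up below the correlated brute-force meta-alert against payroll-db: the asset inventory, not raw sensor severity, decides what the analyst sees first, which is the point of combining organisational context with correlation.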