Enhanced alerting and collaborative incident management


1 Enhanced alerting and collaborative incident management
How to supervise alerts and incidents in a railway context?

2 Introduction to cyber-incident management requirements
General requirements:
- Help industries determine the cause of threats
- Better predict and mitigate the implications of cyber incidents
- Involve operators
- Inform local and state authorities (NIS directive)
Rail context:
- July 2016: NIS directive for the establishment of a network of national Computer Emergency Response Teams (CERTs) to assist with cyber-security coordination between Member States
- Need for a tool-set that provides response and recovery methods for cyber security incidents
- Need for improved coordination between operational alerts and security alerts

3 Alerts and incidents management: scope
Risks; evidence of compromise; vulnerabilities; intrusions and anomalies; threats.

4 Alerts and incidents management: practices
(Slide layout: a matrix of practices, phases and involved actors; each practice defines its own alerts and incidents.)
Practices: Risk assessment and management; Computer Emergency Response; Cyber Threat Intelligence (CTI); Cyber Security Operation Centre (SOC); Cyber Security Incident Response.
Phases: Governance; Anticipation; Monitoring; Investigation.
Involved actors: Technical staff; Organization's management; CERT; CTI expert team; CSIRT; SOC operators and managers; Operation teams.

5 Alerts and incidents management: practices
Practice: Risk assessment and management
Alerts: raised when a risk is detected.
Incidents: risks on assets due to the existence of security breaches, potentially mitigated by existing countermeasures and/or remediated by reaction plan enforcement. The incident should indicate the effect of the risk and the courses of action needed to schedule and follow the enforcement of risk mitigation measures.
Involved actors:
- Organization's management: defines critical assets, decides whether or not to accept the risk (depending on the operational impact), and decides on the investment in countermeasure deployment.
- Technical staff (architect, operations/business team, cyber expert): analyzes technical impact, probability and technical solutions.

6 Alerts and incidents management: practices
Practice: Computer Emergency Response
Alerts: raised when new vulnerabilities are reported.
Incidents: exposure of vulnerable systems that needs to be eliminated by applying a corrective action (e.g., patch management, changes in parameters such as allowed authentication modes).
Involved actors:
- CERT: description of the vulnerability, along with potential impact and remediation procedures (e.g., patches).
- SOC: collection and analysis of vulnerability bulletins, leading to a determination of whether the vulnerability can actually be exploited on the rail infrastructure, along with the real impact.

7 Alerts and incidents management: practices
Practice: Cyber Threat Intelligence (CTI)
Alerts: raised when a threat is detected, including the potential targets within the company.
Incidents: targeted threat with effect and countermeasure recommendations, and IoCs.
Involved actors:
- CTI expert team: collects and analyses threat information; supports the SOC and CSIRT teams during the investigation phase.
- CSIRT (Cyber Security Incident Response Team): brings relevant information to the CTI team, mostly to understand threat actors' tactics and procedures.
- SOC (Security Operation Centre): calls on the CTI team when an observed attack can be linked to a known threat actor; provides data to enhance the CTI knowledge base.

8 Alerts and incidents management: practices
Practice: Cyber Security Operation Centre (SOC)
Alerts: raised when an intrusion or an anomaly is detected.
Incidents: violation of policy compliance, attack, or abnormal behaviour; mitigated by existing countermeasures, remediated by reaction plan enforcement.
Involved actors:
- SOC operators (any level) and managers.
- Operation teams: to be made aware of ongoing incidents such as intrusions or misbehaviours, along with their technical impact and resolution/mitigation recommendations.
- Organization's managers: to agree on closed incidents.

9 Alerts and incidents management: practices
Practice: Cyber Security Incident Response
Alerts: raised when some evidence of compromise has been found.
Incidents: enrichment of the incident reports managed by the SOC (confirmation of doubts raised by the SOC, completion of the intrusion report), or creation of an incident report when the CSIRT's intervention was requested on suspicion by the affected organization.
Involved actors:
- CSIRT (Cyber Security Incident Response Team): collects and analyses evidence of compromise in networks and systems.
- Organization's management: receives the information needed to decide what has been found and what needs to be done to mitigate and remediate the compromise.
- Technical staff (architect, operations/business team, cyber expert): analyzes technical impact, then defines and deploys solutions (temporary solutions during the crisis, long-term solutions to enhance protection).
- SOC: the CSIRT uses the incident reported by the SOC to start a response course of action, and shares its results report with the SOC to complete the incident report.
- CTI: the CSIRT gets information on tactics and procedures from real cases, valuable to the CTI knowledge base.

10 Alerts and incidents management: technical solutions
Solution categories: Risk assessment and Management solutions (RM); Threat Intelligence Platforms (TIP); Security Information and Event Management systems and Analytics systems (SIEM); Security Incident Response Platforms (SIRP); Incident Management Systems (IMS); Collaborative and Information Sharing solutions (CIS).
Comparison criteria: features (functionalities, usage, existing solutions); identification of existing solutions; information sharing; capacity to raise alerts and/or create incidents; existing interfaces with external systems.
Railway-specific solutions only deal with intrusion detection systems and incident management. Otherwise, TIP, SIEM and SIRP capacities, when present, are provided by the same kinds of systems as used in other contexts.

11 Detection strategy for CYRAIL
For each threat from the risk analysis, the detection strategy gives the list of detection means along with the list of alerts that could be raised by the alerting system.
(Diagram: Assets -> Threats -> Detection means -> Alerts)

12 Detection strategy (example)
Threat: Corruption of data
- Zone Wayside 1, asset Wayside_1 Axle Counter. Detection means: N/A. Alert: [WS1-006] Potential loss of asset integrity due to corrupted data.
- Zone Wayside 2, asset Wayside_2 Track circuit. Alert: [WS2-006] Potential loss of asset integrity due to corrupted data.
- Zone Signal, asset Signal (ERTMS level 0 and 1). Detection means: mechanisms to monitor and alert on the gap between normal and abnormal activities; if defined thresholds are exceeded, log an alert. The server controls integrity and raises an alert in case of integrity loss. Alert: [SGL-001] Unauthorized actions performed. Potential loss of asset integrity.
- Zone Command-on board, asset BTS. Detection means: BTS and secure NTP event logs systematically collected; the patch management server controls the integrity of OS and applications and logs any integrity issue. Alert: [CMD-006] Potential loss of asset integrity due to corrupted data.
- Zone Command-on board, asset RBC. Detection means: RBC and secure NTP event logs systematically collected.
- Zone Command-on board, asset Local ERTMS Control. Detection means: Local ERTMS Control and secure NTP event logs systematically collected; the electronic certificate controller logs any security issue.

13 Deployment on CYRAIL's operational scenario
Legend: CERT = Computer Emergency Response Team; OSINT = Open Source Intelligence; SIEM = Security Information and Event Management; SIRP = Security Incident Response Platform; TIP = Threat Intelligence Platform; RM = Risk Management; CIS = Collaborative Incident Sharing; IMS = Incident Management System.

14 Tier 1: detection means
(Diagram: Assets -> Threats -> Detection means -> Alerts)
Detection strategy:
- Identification of sensors and event sources
- Location in the different zones and conduits
- Requirements applicable to these detection means
Detection means by zone and asset (flattened table):
- HIDS: zone Command on-board, asset RBC.
- Logs (BTS, RBC and local ERTMS control logs): assets BTS, RBC, Local ERTMS control.
- Logs (BTS, RBC, local ERTMS and secure NTP event logs).
- Mechanisms to monitor and alert on the gap between normal and abnormal activities: conduit (Occupancy signalling, ERTMS balise); zone Wayside 1 (Axle Counter, Signal); ERTMS level 0 and 1; ERTMS level 2 and 3.
Requirements:
- Secure communication between Tier 1 and Tier 2
- Time synchronization between sources and between zones
- Local storage of events and alerts at source level
- Specific communication channel for administration and rule management
- Availability of sources of events and alerts
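The two preceding slides describe the detection strategy as a table (zone, asset, detection means, alert code) and the Tier 1 requirement that sources be time-synchronized before their events are correlated. The following is an added example, not code from the CYRAIL project, of a minimal Tier 2 alerting engine that applies such a table: it checks file integrity against a known-good baseline (the "patch management server controls the integrity of OS and applications" row), checks an activity count against a threshold (the "gap between normal and abnormal activities" row), and refuses to correlate events whose timestamps drift beyond a tolerance. The event format, the baselines, the sample events and the 300 s skew tolerance are all constructed for the example; only the alert codes and texts come from the slide.

```python
"""Added example: a toy detection-strategy engine in the style of the
CYRAIL 'Detection strategy (example)' slide. Everything except the alert
codes and texts is an assumption made for illustration."""
import hashlib
from dataclasses import dataclass

# Alert codes and texts as printed on the slide.
ALERT_TEXT = {
    "SGL-001": "Unauthorized actions performed. Potential loss of asset integrity",
    "CMD-006": "Potential loss of asset integrity due to corrupted data",
}

# Detection strategy rows with a stated detection means:
# (zone, asset, detection means) -> alert code.
STRATEGY = {
    ("Signal", "Signal (ERTMS level 0 and 1)", "threshold"): "SGL-001",
    ("Signal", "Signal (ERTMS level 0 and 1)", "integrity"): "SGL-001",
    ("Command-on board", "BTS", "integrity"): "CMD-006",
}

# Assumed tolerance for the Tier 1 "time synchronization between sources"
# requirement: events stamped further than this from the collector clock
# are quarantined rather than correlated.
SKEW_TOLERANCE_S = 300


@dataclass
class Event:
    zone: str
    asset: str
    ts: int        # seconds since epoch, stamped by the source (secure NTP)
    means: str     # "integrity" or "threshold"
    observed: object  # sha256 hex of a monitored file, or an activity count


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_alert(zone: str, asset: str, means: str):
    """Return the alert dict the strategy table assigns, or None."""
    code = STRATEGY.get((zone, asset, means))
    if code is None:
        return None
    return {"alert": code, "text": ALERT_TEXT[code], "zone": zone, "asset": asset}


def evaluate(events, baselines, now: int):
    """Apply the strategy to a batch of Tier 1 events.

    baselines: {(zone, asset): {"hash": hex, "mean": int, "max_gap": int}}
    Returns (alerts, rejected); rejected holds events that failed the
    clock-skew check and must not be correlated."""
    alerts, rejected = [], []
    for ev in events:
        if abs(ev.ts - now) > SKEW_TOLERANCE_S:
            rejected.append(ev)
            continue
        base = baselines.get((ev.zone, ev.asset))
        if base is None:
            continue
        hit = None
        if ev.means == "integrity" and ev.observed != base["hash"]:
            hit = lookup_alert(ev.zone, ev.asset, "integrity")
        elif ev.means == "threshold" and abs(ev.observed - base["mean"]) > base["max_gap"]:
            hit = lookup_alert(ev.zone, ev.asset, "threshold")
        if hit is not None:
            alerts.append(hit)
    return alerts, rejected


def run_demo():
    """Constructed events: one integrity loss, one clean integrity check,
    one threshold breach, and one event from a source whose clock drifted."""
    now = 1_700_000_000
    baselines = {
        ("Command-on board", "BTS"): {"hash": sha256_hex(b"bts-firmware-v1"),
                                      "mean": 0, "max_gap": 0},
        ("Signal", "Signal (ERTMS level 0 and 1)"): {
            "hash": sha256_hex(b"signal-config-v1"), "mean": 10, "max_gap": 20},
    }
    events = [
        Event("Command-on board", "BTS", now - 5, "integrity", sha256_hex(b"bts-firmware-TAMPERED")),
        Event("Signal", "Signal (ERTMS level 0 and 1)", now - 2, "integrity", sha256_hex(b"signal-config-v1")),
        Event("Signal", "Signal (ERTMS level 0 and 1)", now - 1, "threshold", 40),
        Event("Command-on board", "RBC", now - 900, "integrity", sha256_hex(b"rbc-image-v1")),
    ]
    return evaluate(events, baselines, now)


if __name__ == "__main__":
    found, skipped = run_demo()
    for a in found:
        print(f"[{a['alert']}] {a['zone']} / {a['asset']}: {a['text']}")
    for ev in skipped:
        print(f"rejected (clock skew): {ev.zone} / {ev.asset} ts={ev.ts}")
```

The strategy table is data, so adding a row from the slide (for instance a certificate-controller log event for Local ERTMS Control) means adding a key, not code. Keeping the skew check ahead of the lookup matches the Tier 1 requirement: a source whose clock is wrong cannot be trusted to order events, so its alerts are held for review instead of being merged into the incident timeline.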


18 Tier 2: cyber security zone
Legend: SIEM = Security Information and Event Management; SIRP = Security Incident Response Platform; TIP = Threat Intelligence Platform.

19 Tier 3: Integration in the railway decision-making process
Legend: CIS = Collaborative Incident Sharing; IMS = Incident Management System.

20 Deployment on CYRAIL's operational scenario
Legend: SIEM = Security Information and Event Management systems, and Analytics systems; SIRP = Security Incident Response Platforms; IMS = Incident Management Systems; TIP = Threat Intelligence Platforms; RM = Risk assessment and Management solutions; CIS = Collaborative and Information Sharing solutions.

21 Video: Collaborative incident management system

