Periodic Reporting for period 1 - CS-AWARE (A cybersecurity situational awareness and information sharing solution for local public administrations based on advanced big data analysis)

Summary

• The project aims to improve cybersecurity in local public administrations (LPAs) by providing an online monitoring and awareness system that detects security incidents by monitoring the complex organisational systems and sets them in context with information collected from external sources such as cybersecurity information sharing communities or network and information security (NIS) competent authorities, as specified by the European cybersecurity strategy.
This makes it possible to map suspicious events and incidents to concrete threats and attacks, as well as to applicable strategies for prevention or mitigation. Furthermore, CS-AWARE is designed to interact with cybersecurity information sharing communities in order to share information about newly discovered incidents that could not be classified, so that the community can analyse those events and potentially help others affected by the same incident.

• Cooperation and collaboration among individual actors, as a way to improve the security situation for society and the economy as a whole, is a promising approach. It is in this respect that our approach to cybersecurity reaches beyond the technology-focused boundaries of classical information technology (IT) security: it is strongly interrelated with the organisational and behavioural aspects of IT operations, and with the need to comply with the current and actively developing legal and regulatory framework for cybersecurity.

• Overall objectives:
1. Provide a cybersecurity situational awareness solution for local public administrations in line with the current and upcoming legal cybersecurity framework in the European Union and its member states.
2. Advance the automation of cyber incident detection, classification and visualisation to provide situational awareness. This includes socio-technical system analysis, data collection, data analysis and decision making as well as the visualisation of the findings.
3. Include a cybersecurity information exchange framework that embraces the collaboration and cooperation initiatives of European cybersecurity strategies. This includes the utilisation of cybersecurity data for threat detection as well as sharing of newly discovered cyber incident data.
4. Illustrate that cyber situational awareness is a key technology in cybersecurity by building advanced features like system self-healing on top of the situational awareness capabilities.
5. Evaluate and validate the user needs through end-user involvement and pilot testing.

Work performed

While much of the classification and definition of relevant cybersecurity patterns falls into the second half of the project, and is thus outside the reporting period, much groundwork has been done towards this objective. A technology stack was either adapted or implemented from scratch that covers the full cybersecurity incident detection, analysis and reaction pipeline, and it has been integrated to the stage where a fully operational demonstrator could be deployed. While it can already be concluded that CS-AWARE can achieve a level of automation in incident detection and classification that goes beyond the state of the art of current cybersecurity incident response solutions, a fully automated stack that requires no expert interaction is, as already assumed in the proposal, still considered unrealistic.
Further to this, a technology component has been fully implemented and delivered that is able to operate in the currently developing collaborative and cooperative cybersecurity information sharing environment. The component is able to interact with relevant information sharing communities and share relevant cybersecurity incident information discovered in LPA systems, if the operator chooses to share this information. Both NIS incident reporting requirements as well as GDPR data breach notifications can potentially be automated using this component.
During the reporting period, it has been shown that advanced features like system self-healing or cybersecurity information sharing can be integrated tightly with a cybersecurity situational awareness system at their base. A strong indication could be observed that situational awareness greatly simplifies such advanced features, especially since their interaction with system operators is much simpler if both the problem description and the solution can be anchored in situational awareness. While the evaluation of user interactions is not scheduled in the reporting period, the possibility of technologically integrating advanced cybersecurity features with cybersecurity situational awareness has been highlighted in the CS-AWARE framework definition, as well as in the development of the relevant technological components.

Final results

Our main ambition for the CS-AWARE solution has been to provide mechanisms that both benefit from cybersecurity information sharing and give information back to the community, to improve cybersecurity for society as a whole. Since in the current situation no information sharing initiative can act as the single point of contact for all the relevant information, the CS-AWARE approach is to enable information exchange with all relevant sources, which range from public or private initiatives that give a high-level overview of risks and threats, through community-provided information (e.g. social networks or Wikipedia), to more in-depth information provided by, for example, CERTs, as illustrated in a report by ENISA. With the system and dependency analysis, the CS-AWARE solution is able to set the different classes of information in relation to the organisational context (both technological and social), while relying on big data decision support and analysis mechanisms to recognise and rank patterns in the collected data that indicate cybersecurity incidents.
Two further aspects that distinguish the solution from existing competition are:
(a) The intelligent and fully automated part of CS-AWARE, covering the data collection and storage as well as the analysis and decision making components. Based on the results of the system and dependency analysis, base measurements from internal and external sources are monitored, and relevant data points are collected, pre-processed and stored as they occur.
(b) To deal with the expected language barriers and usability concerns in the context of European local public administrations, multi-lingual semantics support has been included in the solution. Where relevant, security-related information coming from within the end-user organisations, or from external information sources, is automatically translated so that information from different cultural contexts can be used.
Last but not least, regarding the technical work, the STIX 2.0 (Structured Threat Information Expression) language has been adopted as the core language for all inter-component communication, as well as for data analysis, in the CS-AWARE platform. Since certain components, or parts of them, had already been developed in Java, a suitable library was developed to facilitate the processing of STIX data by those components. As a synergetic result, the library was made publicly available as an open-source project, so that the cyber threat analysis community can benefit from its use. We consider this a major outcome of the project, which we aim to further improve and whose visibility and potential impact we will try to increase.
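To make concrete what adopting STIX 2.0 as the inter-component language entails, the following is an added example (not CS-AWARE project code, and not the Java library mentioned above), written in Python with only the standard library. It builds the two objects a monitoring component would plausibly emit about a detected incident, an Indicator carrying a STIX pattern and a Sighting of that indicator, wraps them in a STIX 2.0 Bundle, and validates the bundle on the receiving side before it is processed further or shared. The IP address, label and sighting count are constructed sample data, and the required-property table covers only the three object types used here.

```python
"""Minimal STIX 2.0 producer and validator for component-to-component exchange.

Added example, stdlib only. It is not the CS-AWARE code base or its Java STIX
library; the sample indicator data below is constructed for illustration.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.0 identifier: <object type>--<UUIDv4>
ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
# STIX 2.0 timestamp: RFC 3339 in UTC with a literal 'Z' suffix
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Required properties beyond the common ones (type, id, created, modified),
# limited to the object types this example exchanges.
REQUIRED = {
    "indicator": ("labels", "pattern", "valid_from"),
    "sighting": ("sighting_of_ref",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(dt):
    """Format an aware datetime as a STIX 2.0 timestamp (UTC, millisecond precision)."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def make_indicator(pattern, labels, created, name=None):
    ts = stix_timestamp(created)
    obj = {"type": "indicator", "id": stix_id("indicator"), "created": ts,
           "modified": ts, "labels": list(labels), "pattern": pattern, "valid_from": ts}
    if name:
        obj["name"] = name
    return obj


def make_sighting(indicator_id, created, count):
    ts = stix_timestamp(created)
    return {"type": "sighting", "id": stix_id("sighting"), "created": ts,
            "modified": ts, "sighting_of_ref": indicator_id, "count": count,
            "first_seen": ts, "last_seen": ts}


def make_bundle(objects):
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": list(objects)}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is structurally sound."""
    errors = []
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        errors.append("not a STIX 2.0 bundle")
    bid = bundle.get("id", "")
    if not ID_RE.match(bid) or not bid.startswith("bundle--"):
        errors.append(f"bad bundle id {bid!r}")
    seen = set()
    for i, obj in enumerate(bundle.get("objects", [])):
        where = f"objects[{i}]"
        otype, oid = obj.get("type"), obj.get("id", "")
        if not otype or not ID_RE.match(oid) or not oid.startswith(otype + "--"):
            errors.append(f"{where}: id {oid!r} is missing or does not match type {otype!r}")
        if oid in seen:
            errors.append(f"{where}: duplicate id {oid}")
        seen.add(oid)
        for prop in ("created", "modified"):
            if not TS_RE.match(str(obj.get(prop, ""))):
                errors.append(f"{where}: {prop} missing or not a STIX timestamp")
        for prop in REQUIRED.get(otype, ()):
            if prop not in obj:
                errors.append(f"{where}: {otype} is missing required property {prop!r}")
        # Every *_ref must at least be a well-formed STIX identifier
        for prop, val in obj.items():
            if prop.endswith("_ref") and not ID_RE.match(str(val)):
                errors.append(f"{where}: {prop} {val!r} is not a STIX id")
    return errors


def build_example_bundle(when=datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc)):
    """Constructed sample: a monitoring component flags a source IP seen three times."""
    # 198.51.100.0/24 is a documentation range (RFC 5737); the pattern is constructed
    ind = make_indicator("[ipv4-addr:value = '198.51.100.23']",
                         ["malicious-activity"], when, name="Suspicious source address")
    sig = make_sighting(ind["id"], when, count=3)
    return make_bundle([ind, sig])


if __name__ == "__main__":
    bundle = build_example_bundle()
    wire = json.dumps(bundle, indent=2)   # what travels over the inter-component channel
    received = json.loads(wire)           # the consuming component parses and checks it
    print(wire)
    print("problems:", validate_bundle(received) or "none")
```

The validator deliberately pins `spec_version` to `"2.0"`: STIX 2.1 moved the version onto individual objects and renamed the indicator's `labels` to `indicator_types`, so a consumer that accepts both silently would misread 2.1 indicators under the 2.0 rules encoded here.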

Website & more info

More info: https://cs-aware.eu/.