If you provide security services to your customers, you are surely interested in protecting them better, more efficiently and more effectively. The Enterprise Pilot of C3ISP focuses on this challenge by tackling a concrete problem: how to improve early detection of threats, and your analytical tools, by using customers' data.
Normally your customers are pretty conservative about what you can and can't do with their data. However, would your customers be more assured about sharing their threat intelligence data if you offered them capabilities such as:
- advanced sanitization measures, including differential privacy techniques
- sophisticated information sharing mechanisms, allowing the definition of fine-grained control policies (in natural language!) for data processing
- specially crafted analytics, fully compliant with data policies previously defined, adopting AI or Full Homomorphic Processing for maximum confidentiality
- an effective sharing model, able to give back credit and advantages to the customers willing to share their data for additional purposes
We are working to deliver all these capabilities as part of our engagement in the C3ISP project. We are targeting enterprise use cases coming from Managed Security Service (MSS) providers. We defined models where malware spreading is studied using data coming from multiple customers, with differential privacy techniques (especially geo-indistinguishability) blurring identifiable attributes (e.g. identities, locations) of infected systems while preserving the utility of the remaining data. These capabilities provide MSS customers, analysts and third parties such as CERTs with the business benefits that come from early threat detection and malware spreading forecasts.
We also aim to optimize the business case for using these services, by understanding how customers value our proposal and thus by studying how it can best be introduced in today's market. So if you are interested, if you want to know more or even share your thoughts on these ideas, feel free to get in contact through our social media.
Focusing on the business case for SMEs and relevance of C3ISP:
The aim of the C3ISP SME Pilot is to enable SMEs to collect and share their Cyber Threat Information (CTI) data with the C3ISP platform in such a manner that each SME remains in full control of what is shared and how it is shared, preserving the confidentiality of their sensitive data. Vendors or service providers of Managed Security Service (MSS) solutions (such as the BT Intelligent Projection Service) can enhance their offerings with the C3ISP-enabled CTI sharing capability. This allows for constant feedback from SMEs about threats detected by the MSS agents deployed on their infrastructure. This threat intelligence can be rapidly promulgated to the other C3ISP partners and thus enhance the product/service capability and the SMEs' experience and level of protection.
Where SMEs wish to outsource the security management of their infrastructure by using MSS solutions, Managed Security Service Providers (MSSPs), who typically only offer services to large enterprises, could consider extending their market to include SMEs. Usually the complexity and ROI of dealing with many SMEs would be prohibitive, but the integrating capability of C3ISP should enable sufficient automation and scale to allow a group of SMEs to be effectively treated as a single enterprise, in order to derive a cost-effective solution tailored to SMEs' needs.
The business value of joining the C3ISP platform for an SME derives from the effective scale that the sharing of CTI brings: an SME gains access to what is effectively an enterprise-scale threat intelligence and response capability that it would otherwise not have. The scale derives from the sharing community of SMEs, which together should see a range of CTI analogous to that seen across a larger enterprise. The quantity and quality of this capability can be further augmented by C3ISP's ability to share CTI with other organizations, including ISPs and CERTs etc. The sharing of CTI data on C3ISP helps provide earlier detection of cyber threats and attacks on the SME participants, with the potential to significantly reduce and/or avoid business impacts.
The High Institute of Information and Communication Technologies (ISCOM), which is a Directorate of the Italian Ministry of Economic Development (MISE), hosts the Italian CERT, which is the main public organization in Italy informing private users and companies of novel cybersecurity threats, and fosters the adoption of good practices for system security. The CERT provides custom notification services about cybersecurity information to both large and small companies in Italy, by pairing news about threats and vulnerabilities with those companies that have an actual interest in specific subtopics. The process of collecting information and news, and subsequently delivering it to the correct interested parties, has up to now been done by a human operator in a semi-automated way. This limits the amount of information that can be processed and introduces the possibility of mistakes. Furthermore, the privacy of exchanged information is at risk, exposing the CERT to legal risks such as those specified in GDPR.
The introduction of C3ISP in the CERT operations aims at tackling all these issues by providing a platform able to handle data in a completely privacy-aware manner, which gives data providers tools to define their own security and privacy policies, enforced in a way that is totally transparent to the CERT. Furthermore, C3ISP empowers the CERT operative workflow by adding a large set of new operations that can be performed on data, providing cutting-edge, research-based technologies for the analysis of spam emails and traffic, and for malware detection. Through C3ISP the CERT becomes able to automatically process larger sets of information, delivering new and more accurate information to the interested recipient, with limited to no active user interaction. This also improves the timeliness with which information is extracted and delivered, in an environment where being faster than the attacker might make the difference between suffering damage or not, damage whose recovery and consequences might cost even millions of euros. For this reason, several major companies have already shown their interest in the C3ISP technologies and in the new services offered by the CERT. The main new services offered by the CERT through C3ISP are, in a nutshell:
- Spam email filtering: Automatic analysis of large email sets, which separates good emails (ham) from unsolicited ones (spam).
- Spam email classification and campaign clustering: Currently spam emails are used to damage recipients in several ways, from distributing malicious software to stealing user credentials through phishing attacks. C3ISP is able to classify spam email files according to their type, so as to make the user(s) aware of the actual risks contained in received emails.
- Malware classification: Binary analysis for malware detection, exploiting features which make the system able to identify new and unknown threats as well (zero-day attacks).
The C3ISP framework is also able to operate on anonymized pieces of information, hence it is possible to use the functionalities offered by the CERT as-a-service, without having to disclose the actual information content to the CERT itself. This would improve user acceptance of the services offered by the CERT.
This pilot aims at performing collaborative analysis of data coming from a federation of Internet Service Providers (ISPs) to detect cyber-crime attempts in time and to quickly identify cyber-security attacks. ISPs provide individuals or companies with access to the Internet and additional related services like DNS, mail, news, FTP, and so on. Since cyber-security has become a relevant topic in the ISP world, there is an open debate (https://www.techrepublic.com/article/should-isps-be-accountable-for-overall-internet-security/) trying to clarify whether ISPs should provide strong security solutions to protect themselves and their customers. In particular, should ISPs proactively protect their resources and customers with security controls and filters, or are customers responsible for their own security? On one side, the CIO magazine with the article “Seeing No Evil: Is It Time To Regulate the ISP Industry?” (https://www.cio.com/article/2448243/it-strategy/seeing-no-evil--is-it-ti...) claims that ISPs should provide security solutions. Instead, from the ISP point of view, security solutions cannot be supported only by ISPs, since customers are responsible for keeping their own systems secure. In any case, since ISPs have an advantageous position in the network, they can have a much wider impact on the overall state of security. In fact, a lack of security management at the ISP layer can generate security issues that may impact the ISP itself and its customers. As an example, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are aimed at disabling access to various Internet services for legitimate users, or Domain Name System (DNS) information may be exploited to redirect Internet traffic with malicious intent.
This pilot focuses on providing security analytics to ISPs that can benefit from a federation that securely and privately exchanges Cyber Threat Information (CTI). In addition, ISPs will benefit from data-manipulation operations, e.g., data anonymisation, and from Data Sharing Agreements (DSAs) to protect, regulate and guarantee an expected privacy level of the data with the C3ISP Framework. Part of the ISP pilot is also Registro.it, which is the Italian registration authority for Internet domains and manages registration requests and information from about 1400 Italian Registrars (most of them act as Internet Service Providers, ISPs). In particular, within the ISP Pilot, Registro.it aims at expanding its business by offering security services to ISPs to protect their servers and services. The most important services offered to ISPs, which benefit from the collaborative sharing of CTI within C3ISP, are:
- Monitoring of connections to malicious hosts. This refers to the analysis of network logs, e.g., NetFlow, using homomorphic encryption to discover malicious traffic and connections in a privacy-preserving way.
- Monitoring of Domain Generation Algorithm DNS requests. This aims at detecting DNS requests that malware may generate using time-based algorithms, e.g., www.fgd2iwya7vinfutj5wq5we.com
- Detection of brute-force and DDoS attacks on services. This aims at detecting brute-force and DDoS attacks by executing security analytics on service logs.
- Malware spreading analysis. Malware commonly spreads as email attachments. Relying on email analysis, the C3ISP security analytics create profiles of the malicious emails (e.g., sender, email body) and their attachments (e.g., document name) to help mail servers block malicious emails and prevent spreading.
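A minimal lexical heuristic for the Domain Generation Algorithm monitoring service listed above, as an added example (it is not C3ISP code): it scores the label left of the TLD by length, Shannon entropy, digit count and vowel ratio over constructed DNS log lines. The log format, thresholds and function names are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed DNS query log: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2018-06-27T10:00:01Z 192.0.2.10 A www.techrepublic.com
2018-06-27T10:00:02Z 192.0.2.11 A www.fgd2iwya7vinfutj5wq5we.com
2018-06-27T10:00:03Z 192.0.2.10 A stackoverflow.com
2018-06-27T10:00:04Z 192.0.2.12 A registro.it
"""

def candidate_label(qname):
    """Label left of the TLD (naive: ignores multi-part suffixes like co.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    total = len(text)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def features(qname):
    label = candidate_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digits": sum(c.isdigit() for c in label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
    }

def looks_generated(qname, min_length=12, min_entropy=3.5, min_vowel_ratio=0.3):
    """Flag long, high-entropy labels that also contain digits or few vowels."""
    f = features(qname)
    if f["length"] < min_length or f["entropy"] < min_entropy:
        return False  # short or repetitive labels are not scored further
    return f["digits"] > 0 or f["vowel_ratio"] < min_vowel_ratio

def flag_queries(log_text):
    """Return (client, qname) pairs whose query name looks generated."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and looks_generated(fields[3]):  # skip malformed lines
            hits.append((fields[1], fields[3]))
    return hits
```

Entropy alone would also flag `stackoverflow.com`, which is why the digit and vowel checks are combined with it; in practice such a score is one signal to correlate with query volume and NXDOMAIN rates, not a verdict.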
C3ISP partner 3DRepo organised the British Information Modelling Event on Wednesday the 27th of June 2018 at the Shard, London, UK. Leading players from the construction industry came together for an evening seminar and networking event, where they also had the chance to get hands-on with some of the newest Building Information Modelling technology. You may read 3DRepo's press release on the event here.
On the 2nd of May the proposed budget of €100 billion and the name of the next EU Research and Innovation Framework Programme were announced by the Commission. The Commission adopted its proposal for Horizon Europe and, following this, negotiations will commence with the Council and European Parliament before adoption and the launch of Horizon Europe on 1 January 2021. Commissioner Moedas explains the rationale for the new name of Horizon Europe (2021-2027) in his blog published on the 2nd of May 2018. The C3ISP project will continue supporting the Commission right through this challenging process in ensuring that it gets the best outcome possible, as EU funds for research & innovation are vital. The Commission invites all to tweet their own message of support (using the #InvestEUresearch #HorizonEU #EUBudget hashtags) from now until final adoption of the proposal. Let’s do our best to ensure that we secure an EU budget for research and innovation that Europe deserves, for the coming years!
The workshop titled “Building a route to market for new cyber security technologies” was held at Digital Catapult Centre on 14 March 2018.
This was the first workshop as part of a programme of 3 workshops and one engagement event.
The aim of the programme is to investigate where the commercial opportunities of the C3ISP technology are, define potential value propositions and business models and promote the adoption of the new cyber security technology.
The programme intends to bring together consortium partners and external organisations into discussions to understand market needs and find ways to commercially exploit this R&D project.
The programme is structured as follows:
1. Workshop #1 (UNDERSTAND): Light-touch exploration of the market gap, understanding value, barriers for adoption and potential business models
2. Workshop #2 (VALIDATE): Test assumptions with a view to refine the value
3. Workshop #3 (VALIDATE): Test assumptions with a view to refine business model and the commercial opportunity
4. ENGAGEMENT EVENT: Engage the European cyber security ecosystems to promote adoption of the C3ISP framework
A video of the day has been produced:
See the video (Italian version) of our attack on an Android In-Vehicle Infotainment (IVI) system, presented during the CyberSecurity Lab at Pisa (16th of November).
The same video is available on the Cnr WebTV: La tua auto ti spia
The Third Project Meeting is the 7th and 8th of June in Sophia-Antipolis, France, hosted by SAP France.