An overview of the Cybersecurity Information Exchange Framework CYBEX

DOCUMENT #: GSC15-GTSC-07
FOR: Presentation
SOURCE: ITU-T
AGENDA ITEM: 4.2
CONTACT(S): chen.jianyong@zte.com.cn

Jianyong CHEN, SG 17 Vice Chairman
Global Standards Collaboration (GSC), GSC-15
What cybersecurity model?
(Diagram; labels recovered from the slide.)
• Legal remedies: contractual service agreements and federations; intergovernmental agreements and cooperation; tort and indemnification; regulatory/administrative law; criminal law; reputation sanctions. Legal remedies may also institute protective measures.
• Measures for threat detection: forensics and heuristics analysis; investigation and measure initiation; data retention and auditing; real-time data availability; network/application state and integrity; vulnerability notices. These provide the basis for legal remedies and for actions, and provide data for analysis.
• Measures for protection: encryption/VPNs, especially for signalling; resilient infrastructure; identity management; blacklists and whitelists; routing and resource constraints (deny resources); patch development. Vulnerability notices provide awareness of vulnerabilities and remedies.
• Measures for thwarting and other remedies.
• CYBEX focus: capabilities supported through information exchange.
The basic CYBEX model
(Diagram.) Cybersecurity entities acquire cybersecurity information (acquisition is out of scope), pass it through the CYBEX exchange, and other cybersecurity entities use it (use is out of scope). The exchange itself consists of:
• structuring information
• identifying and discovering objects
• requesting and responding with information
• exchanging information over networks
• assured cybersecurity information exchanges
To whom and to what does CYBEX apply?
 Because the CYBEX framework provides technology-neutral information exchange specifications for cybersecurity, it can be applied by
• any system or product using a network
• any vendor, service provider, or network operator
• any agency or organization specifying, managing, or regulating the above
 The specifications are especially relevant to
• Computer Incident Response Teams (CIRTs) that must exchange incident information
• Law enforcement authorities that must receive forensics
• Any entity that must deal with the above
Highlights of current activities: Specifications and Relationship
(Diagram.)
Vulnerability and State Exchange:
• CVE: Common Vulnerabilities and Exposures
• CWE: Common Weakness Enumeration
• CVSS: Common Vulnerability Scoring System
• CWSS: Common Weakness Scoring System
• OVAL: Open Vulnerability and Assessment Language
• XCCDF: eXtensible Configuration Checklist Description Format
• SCAP: Security Content Automation Protocol
• CPE: Common Platform Enumeration
• CCE: Common Configuration Enumeration
• ARF: Assessment Result Format
Events, Incidents, & Heuristics Exchange:
• IODEF: Incident Object Description Exchange Format
• IODEF extensions: Phishing, Fraud, and Misuse Format
• CAPEC: Common Attack Pattern Enumeration and Classification
• MAEC: Malware Attribute Enumeration and Characterization Format
• CEE: Common Event Expression
• Plus CPE, CWE, CVE, CEE and OVAL for low-level observables
Close collaboration with FIRST (Forum of Incident Response and Security Teams); FIRST becomes observer of GSC.
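As an added example (not code from the deck or from ITU-T), the following Python builds a minimal IODEF 1.0 (RFC 5070) incident report, serialises it, and parses it back the way a receiving CIRT would, refusing any Incident that lacks the parts RFC 5070 requires (IncidentID, ReportTime, Assessment, Contact and the purpose attribute). It illustrates the "structuring information" and "requesting and responding" steps of the CYBEX model with the incident format listed above. The CSIRT name, addresses, timestamp and description are constructed sample values; element and attribute names follow RFC 5070.

```python
"""Minimal IODEF 1.0 (RFC 5070) incident report: build, serialise, parse, check.

Added example, not code from the GSC-15 deck or ITU-T. IODEF is the incident
format CYBEX imports for the Events/Incidents exchange; this shows the
'structuring information' and 'requesting and responding' steps in practice.
All sample values (CSIRT name, addresses, timestamp) are constructed.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
# Emit the IODEF namespace as the default namespace (xmlns="...") on output.
ET.register_namespace("", IODEF_NS)

# Child elements RFC 5070 requires inside every Incident.
REQUIRED_PARTS = ("IncidentID", "ReportTime", "Assessment", "Contact")


def q(tag: str) -> str:
    """Clark-notation name ({namespace}tag) for an IODEF element."""
    return f"{{{IODEF_NS}}}{tag}"


def build_report(incident_id, reporter, report_time, impact_type,
                 sources, target_net, description) -> str:
    """Return an IODEF-Document (as XML text) reporting one incident."""
    root = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(root, q("Incident"), {"purpose": "reporting"})
    # IncidentID is scoped by the reporting CSIRT's name, so identifiers
    # from different teams never collide once they are exchanged.
    ET.SubElement(inc, q("IncidentID"), {"name": reporter}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time
    ET.SubElement(inc, q("Description")).text = description
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"),
                  {"type": impact_type, "completion": "failed"})
    contact = ET.SubElement(inc, q("Contact"),
                            {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = reporter
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for ip in sources:
        system = ET.SubElement(flow, q("System"), {"category": "source"})
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = ip
    system = ET.SubElement(flow, q("System"), {"category": "target"})
    node = ET.SubElement(system, q("Node"))
    ET.SubElement(node, q("Address"), {"category": "ipv4-net"}).text = target_net
    return ET.tostring(root, encoding="unicode")


def parse_report(xml_text: str) -> list:
    """Parse an IODEF-Document and return one dict per Incident.

    Rejects anything that is not an IODEF-Document or whose Incident lacks
    a required part, so an incomplete report is refused rather than
    half-processed by the receiving CIRT."""
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        raise ValueError(f"not an IODEF-Document: {root.tag}")
    incidents = []
    for inc in root.findall(q("Incident")):
        missing = [p for p in REQUIRED_PARTS if inc.find(q(p)) is None]
        if "purpose" not in inc.attrib:
            missing.append("purpose attribute")
        if missing:
            raise ValueError(f"Incident missing required parts: {missing}")
        iid = inc.find(q("IncidentID"))
        impact = inc.find(f"{q('Assessment')}/{q('Impact')}")
        # Collect every Address under a System marked as the attack source.
        sources = [addr.text
                   for system in inc.iter(q("System"))
                   if system.get("category") == "source"
                   for addr in system.iter(q("Address"))]
        incidents.append({
            "id": iid.text,
            "name": iid.get("name"),
            "purpose": inc.get("purpose"),
            "report_time": inc.findtext(q("ReportTime")),
            "impact": impact.get("type") if impact is not None else None,
            "sources": sources,
        })
    return incidents


def example_report() -> str:
    """Constructed sample exchange: a CSIRT reporting DoS sources."""
    return build_report("189493", "csirt.example.com",
                        "2010-08-30T09:00:00+00:00", "dos",
                        ["192.0.2.200", "192.0.2.201"], "192.0.2.16/28",
                        "Hosts involved in DoS attack (constructed sample)")


if __name__ == "__main__":
    report = example_report()
    print(report)
    print(parse_report(report))
```

In a real exchange the receiver would also validate the document against the IODEF schema and harden the XML parser before trusting its contents; the required-parts check here is the minimum a consumer needs so that a truncated or malformed report is refused rather than acted on.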
Challenges: How to identify, enable discovery, trust, and exchange information? (1/2)
(Diagram.)
• Discovery Enabling Cluster, for parties, standards, schema, enumerations, instances and other objects: Common Namespace; Discovery enabling mechanisms
• Identity Assurance Cluster: Authentication Assurance Platforms; Authentication Assurance Methods; Authentication Assurance Levels
• Exchange Cluster: Request and distribution mechanisms; Interaction Security; Transport Security
Challenges: How to identify, enable discovery, trust, and exchange information? (2/2)
(Diagram.)
• Vulnerability/State Exchange Cluster. Knowledge Base: Platforms; Weaknesses; Vulnerabilities and Exposures. State: Security State Measurement; Configuration Checklists; Assessment Results
• Event/Incident/Heuristics Exchange Cluster: Event Expressions; Incident and Attack Patterns; Malware Patterns; Extensions for DPI, Traceback, Smartgrid, Phishing
• Evidence Exchange Cluster: Terms and conditions; Handover of real time forensics; Handover of retained data forensics; Electronic Evidence Discovery
Next Steps/Actions
 Will provide three essential capabilities for any system or service:
• Determining cyber-integrity of systems and services in a measurable way
• Detecting and exchanging incident information to improve cyber-integrity
• Providing forensics, when necessary, to appropriate authorities
 Includes
• Means for identifying, enumerating and exchanging knowledge about weaknesses, vulnerabilities, incidents
• Measurable assurance (trust) for information and parties involved
 Extensible to any kinds of networks, services, or platforms – present and future
• Applicable to Clouds, Online Transaction Security, Smartgrids, eHealth, …
 Open standards – most imported into ITU-T, published & maintained in multiple languages, and freely downloadable as X-series specifications
 Excludes
• Specific implementations (i.e., CYBEX is technology neutral)
• How to implement
 CYBEX Framework and some initial stable specifications ready by Dec 2010
 Potentially ~20 additional in 2011-2012 timeframe
Next Steps/Actions
31 Recommendations and 1 Supplement are in development. Among them, X.1209 (X.sisfreq) and X Suppl.8 are planned to be approved and the five other Recommendations below are planned for determination in December 2010.
• X.sisfreq: Capabilities and their context scenarios for cybersecurity information sharing and exchange
• X.cybex: Cybersecurity information exchange framework
• X.cve: Common Vulnerabilities and Exposures
• X.cvss: Common vulnerability scoring system
• X.gopw: Guideline on preventing malicious code spreading in a data communication network
• X.alerting: Procedures for the registration of arcs under the Alerting object identifier arc
• X.1205 Supplement 8: Draft Supplement to X.series Recommendation - ITU-T X.1205 – Supplement on best practices against botnet threats
Conclusions
 CYBEX can achieve enhanced cybersecurity and infrastructure protection, as well as accomplishing the principal functions performed by CIRTs and supporting law enforcement authorities.
 Enabling discovery, measurable assurance and enabling exchange are the three essential technical capabilities of CYBEX.
 GSC-15 should continue GSC14/11 Resolution with some necessary editorial updates.
Supplementary Slides
Weblinks
ITU-T
Cybersecurity Portal - http://www.itu.int/cybersecurity/
SG17 - http://www.itu.int/ITU-T/studygroups/com17/index.asp
CYBEX web page - http://www.itu.int/ITU-T/studygroups/com17/cybex/index.html
SG17 Q4 List of Network Forensics and Vulnerability Organisations - http://www.itu.int/ITU-T/studygroups/com17/nfvo/index.html
FIRST - http://www.first.org/
ENISA - http://www.enisa.europa.eu/
Who is involved*: it takes a global village
• Comparable government agencies of other countries/regions: Australia, Canada, China, EU, Germany, Kenya, Korea, Japan, Netherlands, Russia, Switzerland, Syria, UK, USA (potentially 191 countries)
• Vendors/Service Providers: Anatel, China Unicom, Cisco, CNRI, France Telecom, Huawei, Intel, KDDI, LAC, Microsoft, Nokia Siemens, NTT, Syrian Telecom, Telcordia, Verizon, Yaana, ZTE
• Other Bodies: APWG, CA/B Forum, BIS, CCDB, CNIS, ETSI, FIRST, GSC, IEEE ICSG, IETF, ISO SC6:SC27:TC68, other ITU-T SGs, ITU-D, ITU-R, MITRE, NSTAC, OASIS
*ITU-T Q4/17 participants and contributors. Does not include scores more in development communities.