Proactive Detection of Network Security Incidents: a new report from ENISA

07 December 2011

The European Network and Information Security Agency (ENISA) has released a new report designed to help improve the proactive detection of security incidents. It is the result of surveying a wide range of leading CERTs, combined with ENISA’s own expert input. It is a report largely by national CERTs for national CERTs, but it has general relevance for any company determined to improve its security stance – and especially for those that operate their own internal CERT.

Of particular value are sections 5 and 6. The first lists and evaluates a range of services to help identify new threats as early as possible, and tools that can combat those threats. The second provides a reasoned evaluation and recommendation of the top 5 services (data feeds) for the early detection of network security incidents. These include the Shadowserver Foundation, the Zeus/SpyEye Tracker and Google Safe Browsing Alerts. It also includes the top ‘must have’ tools under standard, advanced and ‘upcoming tools and mechanisms’. The last are client honeypots, sandboxes and passive DNS monitoring (all of which are more relevant to a CERT than an average company).

While this first part of the report discusses how to improve rapid awareness of new threats, the second part discusses the effective use of that information. Section 7 isolates and analyses the primary existing shortcomings for effective proactive detection of incidents; and gives recommendations on how to improve matters. Shortcomings range from false positives and poor timeliness to the inadequate correlation of existing data. Data protection and privacy laws also hinder data exchange between CERTs.

Section 8 makes recommendations on how to improve matters. ENISA could, it offers, “advise the relevant EU and national bodies on how to reach a balance between privacy protection and security provision needs and clarifying how sensitive security data can be shared between data providers, consumers and intermediaries such as national CERTs.”

Overall, the study concludes that CERTs are currently not using all available external sources to their best effect, and that they neither collect nor adequately share incident data about other constituencies with other CERTs. The lack of effective data sharing is the key finding of the report, and it comes at a time when security experts believe that data sharing is their biggest weapon in the fight against cybercrime. Cyberwarfare is asymmetric warfare in favour of the criminals, and incident sharing is considered the best way to rebalance the battlefield.

The message of the ENISA report almost exactly mirrors the UK’s new Cyber Security Strategy, which states that by 2015, private organizations will work “in partnerships with each other, Government and law enforcement agencies, sharing information and resources, to transform the response to a common challenge, and actively deter the threats we face in cyberspace.”
