enisa - eu strategies for cyber incident response
1
unclassified
Dr Paulo Empadinhas, Head of Administration & Stakeholders Relations, European Union Agency for Network & Information Security
4th November 2016
www.CyberRescue.co.uk
ENISA – lessons for CEOs on how to respond to attack
European Union Agency for Network and Information Security
ENISA - Lessons for CEOs on how to respond to a cyber attack
Dr Paulo Empadinhas | Head of Administration & Stakeholders Relations
CEOs & Cyber Recovery | Athens | 04 November 2016
3
Presentation Title | Speaker Name ( To edit click Insert/ Header & footer)
Background information
• “Strategies for Incident Response and Cyber Crisis Cooperation” - Link to the document: https://www.enisa.europa.eu/publications/strategies-for-incident-response-and-cyber-crisis-cooperation
• Prepared by ENISA as input for discussion for the Network and Information Security (NIS) Platform - Link to the platform: https://resilience.enisa.europa.eu/nis-platform
• Core material developed based on previous ENISA work in the field of:
- CSIRTs
- Critical Information Infrastructure Protection (CIIP)
• Version 1.1 of August 2016 contains some updates in the light of the NIS Directive
4
Main topics
• Basic definitions and overview of incident response capabilities
• Incident response mechanisms
• Challenges in incident response
• Ways of enhancing incident handling cooperation
• Incident response in cyber security strategies
5
Definitions and incident response capabilities
• Basic definitions, such as:
- Cyber/information security incident
- Computer Security Incident Response Team (CSIRT), including CSIRT communities (e.g. TF-CSIRT, TI, FIRST, CSIRT network)
- Constituency
• Overview of incident response capabilities:
- Formal capability (mandate)
- Operational-technical capability
  • external services
  • internal services
- Operational-organisational capability (e.g. human and technical resources, infrastructure)
- Co-operational capability (e.g. cooperation with other stakeholders, also at international level)
6
Challenges in incident response
• Human resources at CSIRTs
- Skilled IT security personnel are hard to find
• Processes and procedures
- Need for a clear, concise, well-documented incident response plan
• Political and legal framework
- Importance of an adequate political and legal framework that helps to define roles and responsibilities and enhance the overall cooperation
• Technology: tools and data
- Important decision between self-developed tools or services procured from vendors
7
Incident response mechanisms
Typical incident response process retrieved from Good Practice Guide for Incident Management, ENISA, 2010, p. 37 - https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
8
Incident response in cyber security strategies
• National cyber security strategy: high-level strategic framework for a nation’s approach to cyber security
- Key objectives of cyber security strategies (e.g. of the Cybersecurity Strategy of the European Union):
  • to develop cyber defence policies and capabilities
  • to achieve cyber resilience
  • to reduce cyber-crime
  • to support industry on cyber security
  • to secure critical information infrastructures
- Key components:
  • setting the vision, scope, objectives and priorities
  • identifying and engaging stakeholders
  • establishing trusted information-sharing mechanisms
  • developing national cyber contingency plans
  • organising cyber security exercises
  • establishing baseline security requirements
  • establishing incident reporting mechanisms
  • engaging in international cooperation
- Important role of the national cyber security agency/centre but also of national and governmental CSIRTs
9
Ways of enhancing incident handling cooperation
• Cyber crisis cooperation and management
- 3 levels of cyber crisis management:
  • Strategic
  • Operational
  • Technical
• Mutual aid to boost preparedness
- Both the public and private sectors to be involved in the mutual aid agreements
• Exercises to enhance incident handling cooperation
• CSIRT training to enhance capabilities, such as:
- TRANSITS training
- ENISA training material for the CSIRT community
• Link to ENISA’s cyber security training material: https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists
Cyber Europe 2016
Cyber Exercises
11
Organisation
[Timeline figure: 2010, 2011, 2012, 2013, 2014, 2015, 2016]
12
Support
• Cyber exercise planning training courses
• Support in exercise planning
• European Commission, EEAS, Eurocontrol, EU Agencies, ..
• Cyber Exercise Platform available for the organisation of EU Institutions, incl. Agencies, and Member States exercises
• Technical Playground
Cyber Europe 2016
Overview and status update
14
What is the Cyber Europe series of exercises?
• Simulation of large-scale cybersecurity incidents and EU-wide cyber crises
• Business continuity and crisis management situations
• Advanced technical cybersecurity incidents
• Exciting scenarios, inspired by real-life events
• National and international cooperation
• Flexible learning experience
15
Goals
CE2016 high-level goals:
1. Test EU-level cooperation processes
2. Provide opportunities to test local-level cooperation processes
3. Train EU- and national-level capabilities
16
Setup
• Phase 1: Apr-Oct 2016: focus on technical knowledge enhancement
- Technical ‘challenge of the month’ released on a regular basis
- Build up the crisis, keep participants interested, train participants
• Phase 2: Oct 2016: two-day focus on cooperation and operations
17
Preliminary findings
• A united EU cooperated, with the assistance of ENISA, to mitigate the largest and most sophisticated attack against Europe
• Companies from the ICT industry, financial institutions, hospitals and even the energy sector were under threat
• Companies dealt with ransomware, cloud service attacks, DDoS, war-dialing, as well as reputation attacks
• Response to new attack vectors such as drones, IoT infections and even attacks on core signaling systems such as the telecom signaling system SS7
• The cyber security community in the EU managed to solve difficult puzzles, and proved that cyber crisis preparedness has increased in the EU
18
Why should I participate in the next exercise?
• It is a great opportunity to test internal business continuity and IT security policies
• IT security teams will have hands-on incident handling opportunities
• Can develop working relationships with competent national authorities and private stakeholders
• Find out the actors at national and European level when it comes to cyber crises
• Be part of the growing EU community of IT security specialists
• Have fun!
19
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you
21
unclassified
For other presentations: www.slideshare.net/kevduffey/presentations
Follow us - www.linkedin.com/company/cyber-rescue-alliance
Practice your Response in Executive Simulations
Bespoke Commercial Response Plan
Commercial Coach for Cyber Attack Response