|
 |
|
|
|
Interview with Lëtzebuerger Gemengen,translation by itrust consulting.
By aiming to bring all European entities considered essential or important to the functioning of its Member States to a high level of maturity in terms of cybersecurity, the European NIS2 directive is challenging many organisations in terms of monitoring. To help them achieve compliance, Arash Atashpendar, Cofounder & CTO, Agnese Gini, R&D Specialist, and Camar Houssein, Security Consultant at itrust Abstractions Lab, are unveiling IDPS-ESCAPE, an open-source solution powered by artificial intelligence that has been available since 1 September.
An intelligent trio
itrust Abstractions Lab, a spin-off from itrust consulting, has just published the alpha version of one of the six sub-projects of CyFORT, a research project developed in collaboration with itrust consulting and aimed at providing cybersecurity tools with permissive licences to offer alternatives to "proprietary vendor lock-in". Called IDPS-ESCAPE, short for "Intrusion Detection and Prevention Systems for Evading Supply Chain Attacks and Post-compromise Effects", it meets the new requirements of the European NIS2 directive on the security of networks and information systems. "All entities providing services considered critical or highly critical to the functioning of Member States, whether public or private, will be subject to certain obligations, including the monitoring of their IT infrastructure. That's what our intrusion detection and prevention system offers", explains Arash Atashpendar.
IDPS-ESCAPE, developed according to C5-DEC and its tools (beta version published on 19 July), is a three-component solution that captures a flow of information and analyses it within a centralised system. The open-source software Wazuh and Suricata collect and monitor data from computers and networks respectively. "These agents, which are responsible for observing everything that runs on a computer and everything that enters it via the network, will capture a large amount of information and centralise it. On their own, these tools often generate false alarms. IT managers then have to act quickly, in a rush that simply doesn't allow them to analyse all the data collected by the system. Sometimes, they are forced to shut down the entire infrastructure, and therefore the services provided by their organisation, even though the anomaly in question may not represent any risk. That's why IDPS-ESCAPE contains a 3rd component of our own, ADBox, for "Anomaly Detection Box", which is based on an machine learning model trained to learn the normal behaviour of a system. After some time, this AI has so much knowledge of the system, so many contextual elements to refine its model, that it establishes its own definition of what constitutes a deviation. The likelihood of it raising a false alarm is therefore considerably reduced. Like a detective taking fingerprints at a crime scene, it distinguishes between those of authorised users and those of criminals. If the criminals have already operated, it may be able to recognise their modus operandi and the type of attack in progress so that an appropriate response can be made. Automation not only saves a lot of time, but it saves a lot of money", explains Arash Atashpendar.
Adaptability is the watchword
itrust Abstractions Lab works directly with its customers to implement its product. "We take care of all the technical aspects: we configure the solution so that it adapts to the needs of the system in place, because each organisation composes, organises and uses its IT environment differently. We then help our customers to deploy the tool. Although we use Wazuh and Suricata by default - because they are open source and can drastically reduce costs - we are not bound to these technologies. Our solution is flexible enough to integrate any type of data collection software. Our aim is to provide an incident management approach that relieves organisations of a significant proportion of their NIS2 obligations, so that they can concentrate on their core business", says Camar Houssein.
The advantage of open source
The reason why the project is supported by players such as the French Ministry of the Economy is that it enables small and medium-sized businesses to benefit from tools that are as advanced as those offered by the tech giants, but at a lower cost. "In Europe, according to the European Commission and ENISA, 99% of businesses are SMEs, and over 80% of them consider cybersecurity to be essential to their activities. However, they do not necessarily have the resources of Amazon, Microsoft or Google to allocate monitoring their risks. The European initiatives that promote projects like ours aim to counter the monopoly of the few by offering products that smaller companies have neither the means nor the time to reinvent. The Ministry has provided us with resources that have enabled us to develop a solution that any company can use, but also correct if they have the necessary skills. Anyone who modifies IDPS-ESCAPE and markets an improved version must nevertheless respect the terms of our licence, i.e. publish the source code. It is by building on this more ‘sustainable’ economy that technologies with advanced capabilities can be developed at low cost", says Arash Atashpendar.
But open-source software is not just economically advantageous. It also guarantees transparency. By its very nature, an intrusion detection and prevention system capture all an organisation's data. How does it process it? Where does it send it? The answers to these questions are known in the case of open-source software. "And while developers may sometimes lack the time or resources to draw up all the necessary documentation, itrust Abstractions Lab has produced a very comprehensive manual that explains how to use the tool and presents its technical specifications in great detail", continues Agnese Gini.
From alpha to beta
Published on 1 September, IDPS-ESCAPE is taking its first steps out of the lab. After a few months in the hands of users, a more stable and more economical version should be available. "As we install the tool at our customers' sites, we will inevitably come back to our R&D department with observations and comments raised in the field. Additional elements will probably have to be put in place to meet the day-to-day needs of certain organisations and any shortcomings identified. This will enable us to stabilise the solution, but also to optimise the algorithms so that the solution as a whole consumes fewer resources", reveals Camar Houssein.
The tool has also been designed to keep pace with developments in AI. "Machine learning is a branch of artificial intelligence that is developing very rapidly. That's why we've created ADBox so that new technologies in this field can be integrated as simply as possible. If a better algorithm were to emerge, we could use it without the user even being aware of it. Of course, they will be informed to a certain extent because our solutions are open source, but they will not have to rectify their use of the tool", concludes Agnese Gini.
itrust Abstractions Lab S.à r.l.
12, rue du Chateau d’Eau
L-3364 Leudelange
itrust consulting is excited to announce an upcoming training session designed to help you develop essential skills and boost your expertise.
The Network and Information Security directive NIS2 is due to be transposed and applicable on 17 October 2024. In order to strengthen management accountability and prevent cyberattacks, the regulators have mandated the decision maker to be trained in cybersecurity.
This course teaches managers without technical knowledge on NIS2 requirements:
Abstractions Lab released the Alpha version of IDPS-ESCAPE on GitHub.
IDPS-ESCAPE, part of the CyFORT suite of open-source cybersecurity software solutions, addresses various aspects of cybersecurity as an ensemble, targeting different user groups, ranging from public to private and from CIRT/CSIRT to system administrators. The design of IDPS-ESCAPE is targeted to cloud-native deployments, with an eye on CERT/CSIRT-operated monitoring systems.
Click here to read the whole article
itrust Abstractions Lab released the Beta version of C5-DEC on GitHub. This release includes many new functionalities, mainly to assist with Common Criteria evaluations and efficient creation of technical documentation throughout the Secure Software Development Lift Cycle (SSDLC).
We will be happy to receive your feedback at info@abstractionslab.lu
Interview with Smart Cities, translation by itrust consulting.
The NIS2 Directive, Europe's cybersecurity legislation, introduces legal measures designed to strengthen the protection of networks and information in a Europe faced with increasingly sophisticated threats and malicious acts. It will come into force in Autumn, at which time public and private entities actors will be requested to proof their credentials to the regulator, responsible for sanctioning any related breaches. Carlo Harpes, founder and managing director of itrust consulting, an expert in cybersecurity since 2007, sheds light on the challenges of compliance, and presents the tools specially developed by the
company to meet those challenges.
The European NIS2 directive will come into force this autumn. What do we need to know about it?
Its noble aim is to prepare the public sector and certain new private sectors for the challenge of cybersecurity. It must be transposed by October 15, 2024, by which time all European entities concerned must be compliant. From that date onwards, they will be expected to manage cybersecurity according to "applicable international standards", based on an "assessment of the probability and consequences" of a series of risk scenarios. It should be noted that they will be obliged to justify themselves to a national regulator, namely the Institut luxembourgeois de Régulation (ILR) or the CSSF for the financial sector.
This second draft of the directive is worrying because it announces penalties similar to those for non-compliance with the GDPR and gives the ILR the right to impose measures including the removal of the top management. What the penalties will really punish is ignorance. Thus, top management is allowed to knowingly refuse to invest in important security measures and choose to run a risk, provided that such decisions are documented and justified. But it will not be entitled to ignore a request for information, or a binding instruction the regulator.
How do your customers react to these requirements?
They're fed up with regulation and compliance. But there's no point complaining: it's all part of the zeitgeist. When we carry out GDPR compliance projects, we observe that about a third of the work is linked to documentation and may indeed seem tedious. But another third is devoted to training and empowering staff, a very productive step that many entities neglect. The final third of the effort consists of better implementing security measures. These include e.g.: commissioning an independent expert to play the role of hacker and test the security of a system and the data it contains – a practice long approved and applied in the financial sector, but rare in others; auditing access annually – an administrative task, but justified by the number of errors identified, or the business continuity plan exercise. When it comes to cybersecurity, everyone is responsible, especially in the public sector, where employees take an oath. However, standards stipulate that any breach of good security practices can be attributed to an individual. This means that security rules, policies and procedures must be clearly documented and explained to employees. Of course, the behaviour of agents and employees is not everything. Once good organizational practices have been identified, it's time to install threat and vulnerability monitoring solutions, technologies that are making increasing use of artificial intelligence, just as attackers are already making extensive use of it to find ways of infiltrating their targets' systems.
Could you describe OpenTRICK, the solution you created to meet the requirements of NIS2 and ILR?
OpenTRICK (Tool for Risk management of an ISMS based on a Central Knowledge base) is a risk analysis tool that we extended as part of CyFORT (Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience), a research project aimed at addressing security issues, particularly in the cloud. As the name suggests, it's an open-source solution that anyone can use and contribute to, as long as they publish any changes they make.
Since the entry into force of the first NIS directive, ILR has been encouraging stakeholders to assess risk scenarios that it has predefined itself, and requires the results obtained by filling in multiple parameters for each combination of assets and risks to be entered manually on its website, or imported into a publicly known, but rather complex, json format, supported by MONARC.As MONARC, which is also open source, does not have an API (Application Programming Interface) enabling information to be easily imported, we developed Trick2MonarcApi, an open-source interface facilitating the migration of risk information into the data format required by the regulator.Then, our OpenTRICK tool used TRICK2Monarch API to put customer data into the json format. The advantage of this solution is that the customer continues to name assets and risks in his internal well known way and uses correspondence grids for export data to the ILR. OpenTRICK also has the advantage of allowing knowledge to be imported and exported in Excel spreadsheet format, displaying graphs and adding an economic estimate, such as the average annualized losses and cost parameters of measures to be considered, which is not foreseen in the ILR tool SERIMA.
Nevertheless, OpenTRICK, like MONARC and SERIMA, provides an overview of threats, but is no substitute for in-depth knowledge of a specific process or system, or for unravelling the individual vulnerabilities of that system. The most effective approach for this is collaboration, among internal business experts and external risk experts.
As one of these experts, what advice would you give your customers in a context where cyberthreats are increasingly present?
Be proactive and show that you have succeeded in implementing a reasonable level of security before an attack occurs and before the regulator imposes measures. The latter is rarely inclined to compromise after an incident. That's why we recommend implementing "quick wins" before regulators demand them.
itrust consulting published the open source version of TRICK Service and added it the list of publications. OpenTRICK is a web-application supporting risk assessment and treatment.
OpenTRICK (formerly called TRICK Service) is a full-featured risk management tool, assisting in assessing risk, planning actions, as required by an ISO/IE 27001 compliant information security management system (ISMS).
itrust consulting published a set of tools for risk assessment and management, audit reporting, key performance indicator monitoring, and policy and procedure management specific to cloud services to implement and assess the security requirements and risks for cloud infrastructures and services on GitHub and all publication are also added to the list of publications.
CS-GRAM, short for “Cloud Services-Governance, Risk management, Audit, and Monitoring”, a toolset providing cloud security governance features such as policies, risk assessment models, audit templates, and KPI, is a sub-project of the CyFORT project, which in turn stands for "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience".
ARIANA (on GitHub), short for “Assistance for Reporting on Information system Audits with Normative Assessment”, is designed as an add-on to Microsoft Word and Excel applications and provides a simple and reliable process for creating policies, creating or updating audit reports, managing Excel and Word-based records of processing activities compliant with GDPR, and providing additional Word and Excel utilities useful to consultants in their day-to-day work, published on itrust consulting website.
OpenARIANA (on GitHub), has been developed to address the repetitive task of creating policies, particularly Information Security Management System (ISMS) policies, published on itrust consulting website.
DRAW (on GitHub), is used to graphically represent assets and their corresponding dependencies as well as to synchronize with TRICK Service, published on itrust consulting website.
Trick2MonarcApi (on GitHub), a Java API for MONARC, which allows risk information from other sophisticated risk management tools such as TRICK Service to be imported by facilitating changes to the MONARC JSON data file, published on itrust consulting website.
