Building an Information Sharing Community

Presentation transcript:

Building an Information Sharing Community
Katherine Gagnon, United Nations International Computing Centre
16 November 2016

Agenda
- About the Speaker
- What is UNICC?
- Mandate
- Challenges
- The Answer.
- Status
- Roadmap
- Contact

About the speaker
- Working in infosec since 1997
- Firewalls
- Pen testing
- Consulting & architecture
- Program management
- World Bank nearly 7 years
- Endpoint engineering
- Cyber intel
- United Nations assignment

United Nations International Computing Centre
Harmonizing UN ICT Services while Providing Value for Money

ICC has over 45 years of experience providing ICT services to UN organizations. It has a strategic view of ICT support for UN goals, the right expertise and complex knowledge about United Nations ICT environments.

Value Proposition
ICC offers cost savings, business efficiencies, and volume discounts based on the scale of its engagements. ICC operates on a full cost recovery basis, with surplus funds being refunded at the end of projects or initiatives.

Mandate
- The ICT Network of the UN Chief Executives Board recommended to the High Level Committee on Management (HLCM) that a collective approach to incident response would provide a valuable service to UN Agencies
- Creation of United Nations Information Security Special Interest Group (UN-ISSIG) comprised of CISOs from UN Family organizations
- The HLCM has included the “Establishment of a UN cross organizational Computer Incident Response Team” as part of its 2013-2016 Strategic Plan Results Framework
- UNICC, with a mandate from the ICT Network, is working to build a cyber information sharing service available by subscription to the UN family of organizations

Legislative Landscape
Governments and industry associations are encouraging threat intelligence and collaboration for effective information security management, including:
- The European Union Directive on Network and Information Security (NIS Directive) - Risk management, collaboration and information sharing within and across member states.
- German Information Security Law (IT-Sicherheitsgesetz)
- United States CISPA (Cyber Intelligence Sharing and Protection Act) and CISA (Cybersecurity Information Sharing Act) - Information sharing between government, industry and the academic community.
Source: itgovernance.eu
Source: sicherheitsmelder.de

Challenges
- Horizontal constituency (vs. vertical as in a more traditional ISAC / ISAO)
- Mature vs. Not
- Large organization vs. very, very small vs

What’s a girl to do?
- Need the big and/or mature guys to want to participate:
- They have more money
- They have infrastructure
- They can mentor my little guys
- Need the small guys to buy-in too because I can really help them….

The Answer.
Bring things to the table that most organizations don’t have or might not do so well, like:
- Well-packaged actionable intelligence
- Intel enrichment
- Sharing community
- HUMINT / OSINT / Risk monitoring, alerting, and takedowns
- Network of resources outside UN Family
…So, build an individual organization’s program overall value so it helps to justify the cost of subscription. And while not requiring direct access to systems from any individual organization, still represent functional assistance to both mature and immature information security programs.

Talking is free
But!! …need to bring other value so Common Secure can recover costs for:
- Analysts
- Sources of enrichment
- Monitoring / Alerting / Takedowns
- Collaboration platform
- Relationship building (travel, etc)

At a glance
Be Informed / Help Yourself / Help Others / Get Help
Common Secure Community Engagement Awareness Campaign Incident Response Assistance Best Practices Library Vendor Curation Brand Monitoring Takedowns Uptime Notices Threat Actor Tracking Actionable Intelligence & Alerting Situation Awareness Threat Briefings Training

Low-hanging fruit
- User awareness campaign
- Best practices library
- Malware analysis and IR professional services
- Training
- Intel enrichment
- Contacts across the globe and direct relationship building
- Threat actor tracking
- COMMUNICATIONS!!!
- SHARING (Attributable/Non-Attributable)
- MENTORING
- More Mature/Larger Organizations
- Less Mature/Smaller Organizations

Basically I want to:
- Aggregate threat information across the UN system to improve overall situational awareness for the benefit of all members
- By partnering with Common Secure, any UN family organization can effectively mature their individual cyber security programs by cooperative road mapping and using information provided by Common Secure as an input into organizational processes
- Leverage the relationships already in place while building new ones together: Direct contacts with major service providers, researchers, CERTs, vendors for information and action.

Complements
- CISO as a Service
- Security as a Service
- Monitoring as a Service
- Vulnerability Scanning
- Malware analysis

Recent WIN!
25 October 2016
- UN Family Organization “A” sends details of infection investigation to Common Secure
- Common Secure releases non-attributable notice to Common Secure “subscribers” detailing the infection
- UNICC implements recommended changes to managed client environment
- <1 day later, UN Family Organization “B” is protected from infection by the rules implemented as a result of “A” org’s share

Current Status
- “Beta” distribution of Common Secure Alerts and Notices to interested parties within UN Family
- Notifications of incidents directly to organizations:
- 3 separate instances of web servers being compromised
- Thousands of credential thefts
- 2 email account compromises
- Several system infection alerts
- 1 law enforcement inquiry regarding validity of purported UN document
- Coordination of a multi-org investigation after being contacted through Intel community from a security researcher of an “issue”
- Awareness notification of APT actor building “UN-themed” infrastructure for future attacks
- Japanese nuclear system attack inquiry

Roadmap
- Building partnerships outside UN Family and a reputation for action & excellence
- Maturity over the next 2-4 years as Common Secure builds membership, and therefore builds revenue/resources, with:
- Automated IOC Sharing
- Static Malware Analysis
- Monitoring & SIEM Management

Questions?
Katherine Gagnon
United Nations International Computing Centre
Lead, Common Secure
gagnon@unicc.org | commonsecure@unicc.org