Published by Augusta Katrina Allison, modified over 6 years ago
Slide 1: Cybersecurity Information Sharing Act of 2015 (CISA) and Automated Indicator Sharing (AIS)

Speaker notes: the presentation is about 45 minutes, with 15 minutes of Q&A.
Slide 2: CISA – Title 1

- Authorizes companies to share cyber threat indicators and defensive measures with each other and with DHS, with liability protection.
- Identifies permitted uses of cyber threat indicators and defensive measures.
- Authorizes companies to monitor their own information systems and to operate defensive measures on their systems.
- Establishes privacy protections required of the sharing entity and the receiving government agency.

Speaker notes:
- Increase the sharing of cyber threat information and defensive measures between private entities, and between the federal government and the private sector.
- More fully enable private entities to monitor their own information systems or those of clients.
- The Administration has been seeking cyber threat information sharing legislation since 2010.
- CISA seeks to balance the need for increased sharing with the need to maintain privacy and civil liberties.
- Takes into account matters of importance to industry, the concerns of privacy and civil liberties groups, and the needs of government.
Slide 3: Cyber Threat Indicators and Defensive Measures

Cyber Threat Indicator: an observable plus a hypothesis about a threat. An observable is an identified fact.
Full definition: information that is necessary to describe or identify:
- malicious reconnaissance or malicious cyber command and control;
- a method of defeating a security control or exploitation of a security vulnerability;
- a security vulnerability, including anomalous activity indicating its existence;
- a method of causing a user to unwittingly enable the defeat of a security control or exploitation of a vulnerability;
- the actual or potential harm caused by an incident, including a description of the information exfiltrated; or
- any other attribute of a cybersecurity threat, if disclosure is not otherwise prohibited by law.

Defensive Measure: efforts applied to an information system, or to information stored on an information system, that detect, prevent, or mitigate a known or suspected cybersecurity threat or security vulnerability.
Full definition: an action, device, procedure, signature, technique, or other measure (1) applied to an information system or information; (2) that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability; (3) but does not destroy, render unusable, provide unauthorized access to, or substantially harm an information system or information not owned by the entity operating the measure or that entity's client.

Both can be shared and applied to network defenses before an adversary can launch an attack.

Speaker notes:
- More fully enable private entities to utilize defensive measures on their own systems or those of clients.
- Must comply with lawful restrictions placed on an indicator or defensive measure by the sharing entity.
- Can only use shared indicators or defensive measures for a cybersecurity purpose.
Slide 4: Liability Protection

CISA extends liability protection to private entities for the sharing of a cyber threat indicator or defensive measure through the Federal government's capability and process operated by DHS, as long as the sharing is conducted in accordance with the Act. For more information please see: Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (available at [URL missing from transcript]) or Section 106 of CISA.

Speaker notes:
- Liability protection applies if sharing is done through the DHS capability.
- Shared information cannot be used for federal or state regulatory purposes.
- No waiver of privilege or protection attached to the information.
- Information designated commercial, financial, or proprietary must be treated accordingly.
- Exemption from state and federal FOIA laws.
- Sharing with DHS gets you liability protection, as does sharing with other non-Federal entities; you just cannot share directly with other departments and agencies (D/As). Foreign powers are excluded.
Slide 5: Privacy Protections

CISA includes various privacy protections for the receipt, retention, use and dissemination of cyber threat indicators. One main privacy protection requires Federal and Non-Federal entities, prior to sharing, to either:
- review the cyber threat indicator to assess whether it contains any information not directly related to a cybersecurity threat that the Federal/Non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, and remove such information; or
- implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the Federal/Non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.

Speaker notes:
- Must remove "personal information of a specific individual or information that identifies a specific individual" that is not "directly related to a cybersecurity threat" prior to sharing.
- Must protect against unauthorized access to the indicator or defensive measure.
- Sharing entities are required to do a privacy scrub/review; DHS then does one as well before re-sharing.
Slide 6: Capabilities Required by CISA

- Automated real-time capability: Automated Indicator Sharing (AIS). Uses the Structured Threat Information eXpression (STIX) specification (a machine-readable XML format) and the Trusted Automated eXchange of Indicator Information (TAXII) protocol.
- Manual: web form and [second manual channel missing from transcript].

Speaker notes: Three ways DHS receives info: [item missing from transcript], the web form, and the automated piece, which leads into AIS, built on top of STIX and TAXII. For a less technical audience, give a very high-level set of definitions: STIX is the format, TAXII is the transport. Think HTML and HTTPS.
Slide 7: AIS in Context of Other DHS Programs

[Diagram: NCCIC]

Speaker notes: Quick review of ECS, CISCP and E3A. Other data being shared with DHS and where it goes.
Slide 8: How AIS Works

1. Entities format cyber threat indicators in STIX and submit them via TAXII to the DHS server.
2. Server code reviews the submission to validate it, anonymize it (if requested), conduct an automated privacy review, and enrich it.
3. Indicators requiring review go to DHS analysts.
4. Finally, indicators are published back out to everyone connected to the DHS server.

Speaker notes: Talk about formatting of indicators according to the AIS profile, specifically consent and the sharing of the submitter's identity. Walk through each step in the process. Talk about indicator enrichment, metadata, etc. (kill chain, confidence, likely impact). Once you have indicators (step 4), there are decisions on what to do with them: apply them directly to security devices or use them as part of cyber threat intel.
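As an added example (not code from the presentation or from DHS's AIS server), the pre-sharing privacy scrub of slide 5 and the validate / anonymize / privacy-review / route-to-analyst steps of slide 8, modelled in Python over a constructed, simplified indicator record. The record layout, field names and regexes are assumptions; enrichment is left out.

```python
import re
from copy import deepcopy

# Constructed stand-in for a STIX indicator submitted over TAXII (assumed layout,
# not the real AIS profile). share_identity models the submitter's consent flag.
SUBMISSION = {
    "submitter": "Example Corp SOC",
    "share_identity": False,
    "observable": {"type": "ipv4-addr", "value": "203.0.113.45"},
    "description": "Beaconing to 203.0.113.45 after jsmith@example.org opened invoice.doc; call Jane Smith +1-555-0123.",
}

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE = re.compile(r"\+?\d[\d\- ]{7,}\d")
REQUIRED = ("observable", "description")

def validate(ind):
    """Step 2a: reject submissions missing what the server needs to publish."""
    return all(k in ind for k in REQUIRED) and bool(ind["observable"].get("value"))

def anonymize(ind):
    """Step 2b: drop the submitter's identity unless they consented to share it."""
    out = deepcopy(ind)
    if not out.get("share_identity", False):
        out["submitter"] = "anonymous"
    return out

def privacy_scrub(ind):
    """Step 2c: redact personal information not directly related to the threat.
    The observable (the malicious IP) is the indicator and is kept; e-mails and
    phone numbers in free text are not. Returns (record, hits); hits > 0 means
    the text may still hold items a regex cannot catch (e.g. the name Jane Smith)."""
    out = deepcopy(ind)
    text, hits = out["description"], 0
    for pat in (EMAIL, PHONE):
        text, n = pat.subn("[REDACTED]", text)
        hits += n
    out["description"] = text
    return out, hits

def process_submission(ind):
    """Steps 2-4: validate -> anonymize -> scrub, then publish automatically or
    hold for analyst review. Returns (status, record); record is None if rejected."""
    if not validate(ind):
        return "rejected", None
    record, hits = privacy_scrub(anonymize(ind))
    if hits:  # submitter should have scrubbed already; DHS scrubs again before re-sharing
        record["review_flag"] = f"{hits} personal data items redacted"
        return "analyst_review", record
    return "published", record
```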
Slide 9: Another Look at Feeds and Flow

Indicators are submitted, processed and disseminated in real time via TAXII feeds, and then also used by DHS analysts as part of other cyber threat intelligence products posted some time later.

[Diagram labels: Non-Federal Entity A (AIS-only); Non-Federal Entity B (AIS and CISCP); Federal Entity; INGEST; DHS Automated Processing & Brokering; DHS Analysts; feeds AIS, CISCP and FEDGOV; Real-time vs. Not real-time.]

Speaker notes: Talk through automated processing and flow, compared to the "human speed" CISCP feed.
Slide 10: CISCP and AIS

The Cyber Information Sharing and Collaboration Program (CISCP) supports broad sharing of cyber threat data (indicators, analytic content, etc.) in multiple formats, with direct company-analyst-to-DHS-analyst collaboration and access to the NCCIC operations floor. Automated Indicator Sharing (AIS) is about sharing cyber threat indicators in near real time in STIX format.

Speaker notes: CISCP is 170+ companies. It is a different type and depth of relationship with DHS, with a higher barrier to entry. AIS is far-and-wide sharing with a lower barrier to entry.
Slide 11: How CISCP Builds On AIS

[Diagram layers:]
- AIS (private sector companies): automated processing and sharing of cyber threat indicators in near real time for network defense.
- CISCP (private sector companies): additional unclassified analytic context (e.g., tying indicators to campaigns and threat actors).
- Classified threat briefs: classified threat briefings with specific intelligence information regarding threat actors and campaigns.
Slide 12: AIS Connection Process

1. Sign and return the appropriate participation agreement (non-Federal vs. Federal).
2. Build or buy a TAXII capability.
3. Sign an Interconnection Security Agreement.
4. Exchange PKI certificates and whitelist IPs.
5. Poll the feed to receive indicators.

Speaker notes: TAXII capability: (1) build your own, (2) take the DHS one that is on GitHub, or (3) buy one. Commercially, a number of products now "speak" STIX and TAXII, and there are a few generic threat platforms that do as well. Discuss PKI certs.
Slide 13: AIS Snapshot (as of 27 Jun 16)

Feed     Indicators Published
AIS      5,023
CISCP    22,762
FEDGOV   3,426

Speaker notes: Preston will have this updated prior to the presentation. Will incorporate some other slides from Dan which Andy sent to Preston. Will talk to CISCP folks about membership and requirements etc.
Slide 14: Questions?