The document discusses the FINSEC project's development of a security knowledge base (SKB) called FINSTIX. FINSTIX extends the existing STIX data model to better represent financial sector infrastructure and integrate both cyber and physical security threats. It defines new domain objects and relationships to model organizations, assets, vulnerabilities, and risks. The SKB will collect threat intelligence from multiple sources and integrate it with monitoring data to calculate dynamic risk assessments. Visualizations of the SKB data will help users manage vulnerabilities and risks across their infrastructure services.
Digital Finance Academy Security Knowledge Base
1. H2020 FINSEC – DIGITAL FINANCE ACADEMY FOR SECURITY
Consorzio Interuniversitario Nazionale per l'Informatica (CINI) & INNOV-ACTS, Limited
E-mail: cini@finsec-project.eu, info@innov-acts.com
H2020 FINSEC Project
The FINSEC project is co-funded by the European Union's Horizon 2020 programme under grant agreement No 786727
FINSTIX: A Security Data Model for the Financial Sector
15/04/2020
Objectives
▪ Learn about the security knowledge base model
▪ Understand how STIX was extended to serve the needs of the FINSEC project
Topic
▪ Understand what a knowledge base is
▪ Learn about the different types of knowledge bases
▪ Understand the basics of Cyber Threat Intelligence
▪ Discover the relevance of Structured Threat Information eXpression (STIX)
Goal
▪ Existing solutions - STIX
▪ The FINSTIX solution
Introduction
▪ Cybersecurity incidents against financial institutions are growing
▪ Benefits:
- growing sophistication of recent technological innovations
- complex processes
- multiple organizations
- services are becoming more digitized and interconnected
▪ Need for financial institutions to:
- increase their robustness
- develop integrated approaches for addressing physical and cyber attacks
FINSEC project: Integrated Framework for Predictive and Collaborative Security of Financial Sector
Existing solutions
Cyber Threat Intelligence
▪ Holistic approach to the automated sharing of threat intelligence
▪ Considered one of the most promising strategies in the cyber-security field
▪ Propose a classification and distinction among existing threat intelligence types
▪ Summarize and compare the most prevalent information-sharing models
▪ Structured Threat Information eXpression (STIX) is the most commonly used CTI standard
Structured Threat Information eXpression (STIX)
▪ STIX:
  ▪ provides a modular format that can also efficiently incorporate other standards
  ▪ has been adopted in contexts of a different nature
▪ STIX has been designed with a focus on four different use cases:
  ▪ Analyzing Cyber Threats
  ▪ Specifying Indicator Patterns for Cyber Threats
  ▪ Managing Cyber Threat Response Activities
  ▪ Sharing Cyber Threat Information
Structured Threat Information eXpression (STIX) (cont.)
Limitations of STIX:
▪ very complex to implement
▪ lacks support for reasoning
FINSTIX:
▪ includes both cyber and physical security threats
▪ enables the description of organization assets
▪ accounts for how they are inter-connected
STIX Domain Objects
STIX Domain Objects (cont.)
STIX Relationship Objects
The Knowledge Base (1)
▪ Definition: a technology used to collect, organize, share and retrieve complex structured and unstructured information representing facts and assertions about the world.
▪ Difference from a simple database:
  ▪ It does not consist only of tables with numbers, strings, dates, etc.
  ▪ It contains objects with pointers to other objects that, in turn, have additional pointers
▪ Two major types of knowledge bases:
  ▪ human-readable: the knowledge base enables the users to access and use the knowledge
  ▪ machine-readable
The Knowledge Base (2)
▪ Two major types of knowledge bases:
  ▪ Human-readable:
    ▪ the knowledge base enables the users to access and use the knowledge
    ▪ consists of documents, manuals, troubleshooting information, and frequently asked questions
    ▪ interactive, and can lead the users to the solutions to their problems, relying on the information provided by expert users to guide the process
  ▪ Machine-readable:
    ▪ stores knowledge in system-readable forms
    ▪ limited in interactivity
FINSEC Security Knowledge Base (1)
▪ Information from different external sources of Cyber Threat Intelligence is collected
▪ Structure of the knowledge base = definition of the relationships between the different assets and of their interactions as part of the critical infrastructure
▪ These definitions enable the identification and registration of known attack patterns against the infrastructure
▪ Type of knowledge base:
  ▪ mixture of human- and machine-readable
FINSEC Security Knowledge Base (2)
To suit the FINSEC needs, the content of the Security Knowledge Base satisfies two essential requirements:
1. It should be structured in order to enable automatic processing
2. It should include information on the infrastructure and the organization assets, to enable the FINSEC Platform to perform Cyber and Physical Threat Intelligence
The FINSTIX solution
The Security Knowledge Base Data Model
▪ To realize a knowledge base, the appropriate data model needs to be designed; the data model is the format used to represent the information contained in the knowledge base
▪ Option #1:
  ▪ Define a completely new set of objects coping with the business requirements of the considered use cases
  ▪ This approach incorporates the risk of missing other relevant cases
▪ Option #2:
  ▪ Employ an existing standard (or mix of standards) and then extend it such that missing components can be added
▪ FINSEC follows option #2
From STIX to FINSTIX
▪ STIX limitations:
  ▪ it does not provide an accurate representation of the financial institution infrastructure
  ▪ it does not envisage physical systems, but is rather limited to cyber ones
▪ Two possible extensions of STIX:
1. the definition of custom parameters in STIX Domain Objects already defined by the standard itself
2. the definition of brand-new custom objects
FINSEC follows both approaches
FINSTIX Domain Objects (1)
Name | Description
Organization | Financial organization.
Asset | Organizations' valuable infrastructure: PCs, server rooms, ATMs, applications, and everything inside an organization that is crucial.
Area of Interest | Logical/physical area, for example, an indoor area (server room).
Service | A collection of assets forming a publicly exposed service, for example, a web application.
Probe | Object used to support monitoring infrastructure. A Probe usually monitors one or more areas of interest.
Probe Configuration | Data sent to a probe to configure details such as the area under monitoring or the bit rate of the monitoring process.
Event | Information on something that happened or is happening.
FINSTIX Domain Objects (2)
Name | Description
Collected Data | A group of observed data collected by the network probe.
Agent | Person involved in the events created by the probes.
Risk | The calculated risk for a specific asset or service. The upper levels of FINSEC calculate it in real time.
Risk Configuration | Parameter specification to optimize the risk assessment process. It defines the triggers and other useful options.
Regulation | An object used to depict a regulation violation.
Vulnerability Score | Rating used to provide a score to a vulnerability.
Cyber-Physical Threat Intelligence | Data set fed and enriched with threat information as soon as it is gathered from the probes and processed by the Predictive Analytics module.
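The two extension approaches of the previous slide and the objects of these tables, shown as an added Python example that is neither the project's code nor its data: it builds FINSTIX-style objects as plain dicts (no stix2 library), applies approach 1 by adding a custom x_ property to a standard STIX vulnerability object and approach 2 by emitting a brand-new vulnerability-score object, then validates the result the way an SKB connector would before storing it. The x- type names, the x_finsec_asset_ref property and the sample bank, ATM and placeholder CVE are assumptions.

```python
import re
import uuid
from datetime import datetime, timezone
# Type names are assumptions: the slides list the FINSTIX objects by name only, so
# the identifiers below follow the STIX 2.1 "x-" convention for custom object types.
ORGANIZATION, ASSET, VULN_SCORE = "x-organization", "x-asset", "x-vulnerability-score"
STANDARD_TYPES = {"vulnerability", "relationship", "indicator", "attack-pattern"}
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f-]{36}$")

def new_object(obj_type, **props):
    """Common STIX header: type, spec_version, id of the form type--UUID, timestamps."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": now, "modified": now}
    obj.update(props)
    return obj

def relationship(source, target, rel_type):
    return new_object("relationship", relationship_type=rel_type,
                      source_ref=source["id"], target_ref=target["id"])

def translate_vulnerability(external_vuln, cvss, asset):
    """Approach 1: keep the standard SDO and add a custom 'x_' property.
    Approach 2: emit a brand-new FINSTIX object (the score) plus relationships."""
    enriched = dict(external_vuln)
    enriched["x_finsec_asset_ref"] = asset["id"]  # hypothetical custom property name
    score = new_object(VULN_SCORE, score=float(cvss))
    return [enriched, score, relationship(score, enriched, "scores"),
            relationship(enriched, asset, "affects")]

def validate_bundle(objects):
    """Checks a connector should run before writing to the SKB: well-formed ids,
    'x-' prefix on custom types, no relationship pointing outside the bundle."""
    ids = {o["id"] for o in objects}
    errors = []
    for o in objects:
        if not STIX_ID.match(o["id"]):
            errors.append(f"malformed id: {o['id']}")
        if o["type"] not in STANDARD_TYPES and not o["type"].startswith("x-"):
            errors.append(f"custom type without x- prefix: {o['type']}")
        if o["type"] == "relationship":
            errors += [f"{o['id']}: dangling {r}" for r in ("source_ref", "target_ref")
                       if o[r] not in ids]
    return errors

# Constructed sample (not project data): one bank, one ATM, one external vulnerability.
ORG = new_object(ORGANIZATION, name="Example Bank")
ATM = new_object(ASSET, name="ATM-01", asset_type="physical")
EXTERNAL_VULN = new_object("vulnerability", name="CVE-XXXX-XXXXX (placeholder)")
BUNDLE = [ORG, ATM, relationship(ORG, ATM, "owns")] + translate_vulnerability(EXTERNAL_VULN, 7.5, ATM)
```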
Security Knowledge Base Architecture (1)
▪ The SKB Database, which stores the knowledge
▪ The SKB Engine, which manages the operations on the database. It exposes a REST API to interact with the other modules
▪ The connectors (one for each external source), which translate the information coming from external threat intelligence sources into the data model, to promote homogeneity and integrity among the FINSEC services
Security Knowledge Base Architecture (2)
The FINSEC Security Knowledge Base
▪ One of the modules contained in the Data Tier of the FINSEC Reference Architecture
▪ The Security Knowledge Base collects information coming from different sources of Cyber Threat Intelligence
▪ The value of the Security Knowledge Base compared to the existing ones is the definition of the relationships between different assets and their interactions as part of the critical infrastructures of the financial sector
▪ The Service Tier consumes the information contained in the Knowledge Base to produce new Cyber and Physical Threat Intelligence
▪ The Service Tier will then feed the Security Knowledge Base with this new information
Integration with the Dashboard and the Collaborative Risk Management Module
▪ The Collaborative Risk Management module:
  ▪ retrieves the vulnerabilities and the related scores affecting the assets that compose the service;
  ▪ calculates the individual asset risk for each asset composing the service, based on the affecting vulnerabilities, the impact and the threat level for the asset itself;
  ▪ calculates the service risk starting from the assets' individual risks.
▪ The user (e.g., Security Officer, member of CERT/CSIRT teams) can see information on the organization services in the Service page of the Dashboard
Visualization of the Criticality of Vulnerabilities
Visualization of Vulnerabilities Affecting the Infrastructure
The Risk management module
The Risk Management module calculates the risk associated with the infrastructure services. The Collaborative Risk Management module:
▪ retrieves the vulnerabilities and the related scores affecting the assets that compose the service;
▪ calculates the individual asset risk for each asset composing the service, based on the affecting vulnerabilities, the impact and the threat level for the asset itself;
▪ calculates the service risk starting from the assets' individual risks.
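The three steps of the Collaborative Risk Management module (this slide and the Dashboard integration slide above), as an added Python example that is not the project's code: it walks the SKB relationships from a service to its assets, from assets to their vulnerabilities and from vulnerabilities to their scores, then derives asset risk and service risk. The in-memory SKB, the x- type names, the id shorthand and the risk formula (worst vulnerability score times impact times threat level, service risk as the maximum over its assets) are assumptions, since the slides state the steps but not the formula.

```python
# Constructed in-memory stand-in for what the SKB Engine would return over its REST
# API: one service, three assets, two vulnerabilities with scores. The "x-" type
# names, the id shorthand and the risk formula are assumptions, not the project's.
SKB = {
    "x-service--web-banking": {"type": "x-service", "name": "Web banking"},
    "x-asset--web-app": {"type": "x-asset", "impact": 0.9, "threat_level": 0.7},
    "x-asset--db": {"type": "x-asset", "impact": 1.0, "threat_level": 0.4},
    "x-asset--hsm": {"type": "x-asset", "impact": 1.0, "threat_level": 0.2},
    "vulnerability--v1": {"type": "vulnerability", "name": "CVE-XXXX-XXXX1 (placeholder)"},
    "vulnerability--v2": {"type": "vulnerability", "name": "CVE-XXXX-XXXX2 (placeholder)"},
    "x-vulnerability-score--s1": {"type": "x-vulnerability-score", "score": 9.8},
    "x-vulnerability-score--s2": {"type": "x-vulnerability-score", "score": 5.3},
}
# (source_ref, relationship_type, target_ref), as a STIX relationship object carries them
RELATIONSHIPS = [
    ("x-asset--web-app", "composes", "x-service--web-banking"),
    ("x-asset--db", "composes", "x-service--web-banking"),
    ("x-asset--hsm", "composes", "x-service--web-banking"),
    ("vulnerability--v1", "affects", "x-asset--web-app"),
    ("vulnerability--v2", "affects", "x-asset--db"),
    ("x-vulnerability-score--s1", "scores", "vulnerability--v1"),
    ("x-vulnerability-score--s2", "scores", "vulnerability--v2"),
]

def sources_of(rel_type, target_id):
    """Walk relationships backwards: every source that has rel_type towards target_id."""
    return [s for s, r, t in RELATIONSHIPS if r == rel_type and t == target_id]

def vulnerability_scores(asset_id):
    """Step 1: scores (0-10) of the vulnerabilities affecting one asset."""
    return [SKB[sid]["score"] for vid in sources_of("affects", asset_id)
            for sid in sources_of("scores", vid)]

def asset_risk(asset_id):
    """Step 2 (assumed formula): likelihood from the worst vulnerability score,
    multiplied by the asset's impact and threat level; the result lies in [0, 1]."""
    scores = vulnerability_scores(asset_id)
    likelihood = max(scores) / 10.0 if scores else 0.0  # no known vulnerability -> 0
    asset = SKB[asset_id]
    return round(likelihood * asset["impact"] * asset["threat_level"], 3)

def service_risk(service_id):
    """Step 3 (assumed aggregation): the service inherits the risk of its weakest
    asset. Returns the service risk and the per-asset breakdown shown on the Dashboard."""
    per_asset = {aid: asset_risk(aid) for aid in sources_of("composes", service_id)}
    return max(per_asset.values(), default=0.0), per_asset
```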
Visualization of Risk Associated with the Service