© Cloud Security Alliance, 2015

Cloud Cyber Incident

Sharing Center (CISC)Jim Reavis

CEO, Cloud Security Alliance

© Cloud Security Alliance, 2015

Agenda

• CSA History – CloudCERT

•White House Legislative

Announcements

• How is CSA addressing the

issue of information sharing?

• Cloud CISC Pilot Demo

• Next Steps

• Questions?

CSA History - CloudCERT

• CloudCERT was conceived of at the same time as the Cloud Security Alliance (CSA)• Broad goal is to improve defenses of the cloud ecosystem

against attackers• Emphasis was placed on developing CSA due to broader scope

and potential impact in industry

• CloudCERT initiative was formally announced 2010• Working Group has been meeting once a month since January

2011

White House Legislative Announcements• Enable Cybersecurity Information Sharing• Promotes private sector and

government information sharing as well as private to private via Information Sharing and Analysis Organizations (ISAO’s)• Encourages the development of

ISAO’s by providing targeted liability protection that share with these entities• Requires DHS, DoJ, and Privacy and

Civil Liberties Board to develop disclosure guidelines

White House Legislative Announcements• Modernize Law Enforcement Authorities to Combat Cyber Crime• Enable stronger authority to shut down

botnets and prosecute operators

• Criminalize the sale of US financial information like credit cards and bank account numbers overseas.

• Update the Racketeering Influenced and Corrupt Organizations Act so that it clearly applies to cyber crimes, and clarifies penalties

• Clarifies Computer Fraud and Abuse Act so that “insignificant” conduct does not fall within the scope of the statute, while making it clear it can be used to prosecute insiders.

White House Legislative Announcements• National Data Breach Reporting• Standardize that patchwork quilt of

breach laws in place among 46 states into one Federal statute, and establish a single clear and timely notice requirement to ensure companies notify their employees and customers about security breaches

White House Legislative Announcements• White House Summit on Cyber Security and Consumer Protection• Summit was held on February 13 at

Stanford• Convene government and private

sector leaders• Topics include: information sharing,

creating and improving cybersecurity practices and technologies, and improving the adoption of more secure payment technologies

© Cloud Security Alliance, 2015.

How is addressing the issue

of information sharing?

© Cloud Security Alliance, 2015

The Problem

• Attacks are becoming incredibly sophisticated. Knowing what happened is one thing. Knowing what to look for to see if it is happening to you – is key.• ISAC’s have had limited success• ISAC model is segmented by vertical (Financial Services, Energy, etc.). • View across the sectors is critical to

protecting companies today.• ISACs do not allow for a Cloud

Segment

© Cloud Security Alliance, 2015

The Problem

• ISAC Model requires sending sensitive data to a trusted third party. • Company identity is known.• Snowden incident has made sharing with

trusted third parties undesirable today.

• Need is clear – a trusted method of sharing is required. • Company identity is not known – so not

subject to subpoena’s, etc.• Incident data submission is quick and

simple. • Rapid analysis of data including

correlation with other reports and open source data

• Alerts sent in minutes, not days/weeks• Ability to anonymously discuss attacks

with others and share solutions.

© Cloud Security Alliance, 2015

The Solution – Cloud CISC

CSA Cloud Cyber Incident Sharing Center

Cloud adoption is progressing at an accelerating pace. We are concerned that the lack of a robust, automated incident sharing function will inhibit the timely resolution of security incidents, hamper our ability to minimize the damage caused by incidents, and could ultimately have a serious negative impact on the industry. The CSA Cloud CISC will:

• Provide a truly anonymous, global cyber security incident sharing platform for enterprises;

• Educate the public and private community on Cloud Security

• Develop vendor neutral best practices and technical standards

• Develop policies aligning Cloud CISC to industry and governmental standards on an international basis.

© Cloud Security Alliance, 2015

How to get Involved

•Work Group Co-chair• Currently seeking leadership for

this initiative• 2-3 Co-chairs (1appointed by

CSA)• Co-chair Requirements

• Appointed Co-chair must be an employee of a CSA Member Company

• Additional Co-chairs are decided by vote

• Time commitment required

• Contact research@cloudsecurityalliance.org for additional details and questions

© Cloud Security Alliance, 2015

How to get Involved

•Work Group Participant• Currently seeking Volunteers for

the following areas:• Sub Group to focus on Researching,

Developing & Promoting Vendor Neutral Best Practices

• Sub Group to define technical standards for information sharing

• Sub Group focused on Information Sharing Policy development and outreach

• Sub Group that will liaise with the standard development communities (SDOs)

• Contact research@cloudsecurityalliance.org if you are interested in getting involved

© Cloud Security Alliance, 2015

How to get Involved

•We need support from our CSA Provider Community to participate in Cloud CISC Pilot• CALL TO ACTION: Submit Incident Report Data• Data Types

• Title • Date• Region• Type of Attack• Known Remediation

• Contact pilot@cloudsecurityalliance.org if you are interested in getting involved with the pilot

© Cloud Security Alliance, 2015

How to get Involved

• CISC Pilot Participant•We need support from our CSA Provider Community to participate in Cloud CISC Pilot• CALL TO ACTION: Submit Incident Report Data• Examples:

• Title • Date• Region• Type of Attack• Known Remediation

© Cloud Security Alliance, 2015

How the Cloud CISC Pilot Works• Anonymous Authentication• When users transmit

sanitized reports, we execute a public anonymous authentication protocol that:

• Confirms the user is a member of the community, without disclosing the identity of the user, and

• Delivers a mathematic proof that the user has connected with Cloud CISC and that Cloud CISC does not know identity of the user.

The Cloud CISC methodology allows for easy

sharing while preserving complete anonymity.

Share Unattributable

ReportsProtects company

identity

2

Correlate & Analyze

Immediately correlates report with open source and

other submitted reports

3

Alerts & ReviewAlerts members to new report for review along

with correlated, actionable information

4

Rate & CollaborateReports are rated to

increase relevance and members collaborate

with Cloud CISC Coordinator.

5 ScrubIncident Reports

of Identifying Information

Protects customer PII and corporate IP – mitigating

discovery concerns.

1

Powered by

© Cloud Security Alliance, 2015.

CISC Pilot Demo

© Cloud Security Alliance, 2015

Cloud CISC Next Steps

• Kick-Off Call & Develop a 6 month Information Sharing Pilot Starting in May/June 2015• Develop and deliver educational

programs on Cloud Security and the need for information sharing for both the public and private sector – ongoing based on results• Identify areas of potential CSA

research based on Pilot results Q1 2016• Identify best practices and need for

technical standards Nov 2015 - May 2016• Identify need for policies and

alignment across industries and governments. Nov 2015 – May 2016

??? ?© Cloud Security Alliance, 2015