
Virtualized Game Field - Academia Militar · Training Management Training management...

Date post: 13-Jul-2020
Transcript
Page 1: Virtualized Game Field - Academia Militar · Training Management Training management environment team A Cyber academy training environment implementation Virtualized Game

20 OPEN

A Cyber academy training environment implementation

[Diagram labels: Virtualized environment; Training Management team; Training management environment; Trainees Access/roles: Blue Hats, Red Hats]

[The Virtualized Game Field block appears three times in the diagram, each with: User 1 to User 5; Teacher; Cybels Sensor IDS; Traffic Management Tool; Admin; SIEM; SAN; BACKUP]

Page 2:

21 OPEN

Virtualized Game Field : One Topology example

[Topology diagram labels: Red Team Access; Blue Team Access; Internet; NOC/SOC; DMZ; LAN Access; Cooking Blog Web Site; Hacker Web Site; Honey Pot; IDS; WAF; Bank BDD; Bank Web Site; IDS; AD; BDD; FW (three instances); Metasploitable; OWASP BWA; Kali; Prod BDD; Supervision; Core level; Distribution level; Kali]

Page 3:

22 OPEN

Cyber Range : On line training

[Diagram labels: X virtualised systems; Classroom 1; Classroom 2; Cloud; Mobile Classroom; Other systems]

Page 4:

23 OPEN

Intl References

Netherlands:

▌ Thales to set up a cybersecurity training and testing facility for the department of Defence Cyber Command of the Dutch Ministry of Defence.

▌ Realistic cyber-attacks and incidents can be simulated and cyber-defence tactics tested in the “Cyber Range”.

“The Cyber range is an important step for the Defence Cyber Command (DCC). It is a facility at which many forms of cyber operations can be simulated. This is essential for training our staff and testing our systems.”

Hans Folmer : Brigadier General and Commander of Defence Cyber Command (Dutch Armed Forces)

Page 5:

24 OPEN

Platform overview

Page 6:

25 OPEN 2016/08/30 – NEC Cybersecurity

CyberLab Ecosystem in Belgium

Platform in Belgium

[Diagram labels: Defense Ecosystem; Industrial Ecosystem; CIP Ecosystem; Academic & Start up Ecosystem]

Thales Belgium Tubize: Defense, Transport & Security; 31 km from NATO HQ Brussels; 26 km from NATO SHAPE Mons

Page 7:

www.thalesgroup.com OPEN

New SOC Capabilities

Page 8:

27 OPEN

CSOC delivery models: adapted to different customer business needs

Infrastructure & Operations in Customer Premises

▌ Full internal
- Customer owned solution
- Dedicated/internalized solution
- Operated by the Customer
- Mainly Capex

Infrastructure in Customer Premise; Operations in Thales

▌ Remotely Operated CSOC
- Customer owned solution (Thales CSOC as a Product)
- Operated by Thales (dedicated or pooled)
- Capex + Opex

Infrastructure & Operations in Thales

▌ CSOC as a Service
- Thales CSOC in Thales premise operated by Thales
- Pooled resources with clear demarcation
- Mainly Opex

Page 9:

28 OPEN

Combining the power of Standard SIEM and Big-Data

[Diagram labels: SIEM (SOC); Big-Data; Risks; Non predictive analytics; Predictive analytics; Threat Intelligence (SIC); Standard and Custom Detection Rules; Machine Learning; Behavioral Analysis; Hunting; Storage; Compliance Reports; Data visualization; Incident dashboards / Indicators; Business Modeling / Decision Tool]

Page 10:

29 OPEN

Big Data Analytics Thales Lab

▌ Big Data platforms as the natural evolution for Thales solutions
- Driven by Data: volumetry, diversity
- Distributed frameworks, virtualization, scalability
- Parallelization, new algorithms
- Dynamic & interactive visualization

▌ Applied to different use cases
- Behavioral analytics for cyber security
- Predictive maintenance
- Smart transport and smart city
- Crowd analytics

▌ A Thales Lab dedicated to Big Data
- 80 data scientists (Fr, Nl, Can, Sgp)
- 10 patents & 20 publications
- Big data community (Hadoop, Spark summit)

Page 11:

30 OPEN

From SOC to ngCSOC: Overall Evolution

[Diagram labels, Basic SOC for alert generation: Logs (F/W, Servers, etc.); L1/2/3 Analysis; SIEM; Explicit Rules; IT/Network Ops Portal]

[Diagram labels, ngCSOC as a Tower Control: IoC; TTP; Business Oriented Communication; Governance; Risk Management; Compliance; Vulnerability Management; Threat Intelligence; ngProbes; Sandboxes; Logs (F/W, Servers, etc.); Database; L1/2/3 Analysis; SIEM; IoT; Indust. Env.; Networking Flows; Application Level; Cloud XaaS; Multiple Sources; Explicit Rules; Big Data Behavioral Analysis; Dynamic Rules; Data Mgt; IT/Network Ops Portal; End Points]

- Log collection
- Aggregation & Correlation
- Analysis
- Ticketing
- Reporting

- Artificial intelligence & Big Data, for enhanced detection
- Integrated with automated detection & response
- Extended Scope, incl. Public Cloud, Industrial Env., etc.
- Threat Intelligence for efficient focus on business critical issues
- Other Improvements & Platform Evolutions, e.g. PDIS

- Business Risk Management
- Large scope for data input
- Large set of tools / expertise for detection, analysis, remediation, supervision
- Integrated with Threat Intelligence

Page 12:

31 OPEN

CSOC Based Services: Overall Roadmap

[Roadmap chart; timeline columns: 2016, 2017, 2018, 2019+. Entries per row, in the order they appear:]

Scope: Cloud SaaS; Specific OT Probe integration; OT Behavioral Analysis

Automated: Thales + Cisco Trusted Anti-Malware; Managed Sovereign Probe

Other: ngPortal; PDIS Compliant CSOC

TI: Threat Intelligence IOC & TTP; IoC detection in past logs; Global Thales CTIP

AI: Behavioral Analysis; Behavioral Analysis PoC; Deep Learning Detection

Advanced Log retention & management; NIS/European Compliant CSOC

2019+: Fully integrated TI & Risk Mgt; Further Cloud Cyber Surveillance; Managed Sovereign Endpoint protection; Thales R&T on AI algorithms for Cyber Sec.

Page 13:

32 OPEN

Integrating the “OT” scope in the SOC monitoring

▌ Weapon or platform systems embedding “OT” components are currently the subject of R&D activities
- Very different approach according to type of platform systems

▌ Thales has developed an industrial Security offer related to ICS cyber security
- Thales will have ICS probes and test bed

▌ Integration of OT scope is the ultimate stage of the digital transformation program

Page 14:

33 OPEN

OT / MILITARY SYSTEMS : THALES METHODOLOGY

▌ Five classes of systems stand at the core of QAF’s defence. They vary in terms of cybersecurity.

▌ Three of them are Information Technology (IT) systems:
- C4ISR systems cover a wide range of functionalities. Modern C4ISR systems take cybersecurity into account, while previous generations can be provided with monitoring appliances and applications.
- Communication (COM) systems range from tactical radio communications and software-based radio through SATCOM and communication electronic warfare to large battlefield resilient communication networks.
- Office & Information Management (OIM) systems include applications ranging from messaging to payroll and are very similar to those found on civilian markets.

▌ The other two are founded upon Operational Technologies (OT):
- Weapon (ARM) systems for Land, Sea and Air combat are extremely varied and their technologies are very diverse, ranging from full mechanics to the most advanced electronics and software platforms.
- Platform & Life Automation (LIFE) systems (lifts, doors, ventilation, lighting, fridges, etc.) are similar to Industrial Automation & Control Systems (IACS).

Page 15:

34 OPEN

Deployable SOC

▌ Rapid Response Team tool for
- Assessment of the level of security of a system before SOC deployment
- Post attack surveillance and remediation
- Additional surveillance for highly critical assets

▌ Operation Theatre support
- Mobile, rugged SOC platform for forward operational base

Page 16:

www.thalesgroup.com OPEN

More on R&T to come

Page 17:

36 OPEN

Overview ICT&Sec tech scope, trends, challenges

[Diagram labels: AREAS ICT/SECURITY; TRENDS As Digital Transformation; softwarization; cloudification; virtualization; datafication; A.I.]

▌ Key Topics
- Anomaly detection, Malware & APT analysis for Cyber Threat Intelligence,
- Blockchain & smart contracts technology usages,
- Formal verification of protocols,
- Homomorphic encryption applications and verifiable computation
- SDN & NFV vulnerabilities analysis, …

▌ Digital Scouting, Performance assessment
- Hybrid detection (anomaly & scenarios-based) for CSOC,
- HE libraries for confidential detection for Cybels-Sensor.
- Blockchain for decentralized authorization and ABAC access control policy management
- Secure orchestration, deployment & maintenance of Services in 5G infrastructures
- Deep learning for Steganographic malware detection

Page 18:

37 OPEN

Collaborations

▌ Involvements
- ECSO (European Cyber Security Organization)
- 5G PPP: Thales is the lead of transverse security group
- Cyberdefense for Naval Systems and Cybersecurity for Air Force Systems Chairs
- ENISA CIIP experts

▌ Partners

Academic :
- Schools of the Institut Mines-Telecom – thematic network RT5 “Security of digital systems and services”
- Ongoing PhDs with “Telecom SudParis”, “Centrale-Supelec” and Inria
- Academic working group : IRISA Security GDR, PEC (Cyber Security centre of excellence)

CC laboratory & standardization bodies, SMEs:
- Oppida, Amossys, IRT/SystemX, …
- OWE, ETSI, …

AIOTI

cPPP

Page 19:

www.thalesgroup.com/cic OPEN

