20 OPEN
Virtualized Training Management Environment
A Cyber Academy training environment implementation
[Diagram: the training management environment drives several Virtualized Game Field instances. Each game field contains User 1 to User 5, a Teacher, a Cybels Sensor IDS, a Traffic Management Tool, an Admin, a SIEM, a SAN and Backup. Trainee access and roles: Blue Hats, Red Hats.]
21 OPEN
Virtualized Game Field: one topology example
[Diagram: Red Team access and Blue Team access into a tiered network (Internet, NOC/SOC, DMZ, LAN access; core level and distribution level) segmented by firewalls (FW). DMZ: cooking blog web site, hacker web site, honeypot, IDS, WAF, bank web site with its database (BDD). LAN: AD, database, production database, supervision, plus the deliberately vulnerable targets Metasploitable and OWASP BWA. Attacker tooling: Kali Linux (two instances).]
22 OPEN
[Diagram: X virtualised systems are reachable through several delivery modes: Classroom 1, Classroom 2, Cloud (Cyber Range: online training), Mobile Classroom and Other systems.]
23 OPEN
International references
Netherlands:
▌ Thales to set up a cybersecurity training and testing facility for the Defence Cyber Command of the Dutch Ministry of Defence.
▌ Realistic cyber-attacks and incidents can be simulated and cyber-defence tactics tested in the “Cyber Range”.
“The Cyber range is an important step for the Defence Cyber Command (DCC). It is a facility at which many forms of cyber operations can be simulated. This is essential for training our staff and testing our systems.”
Hans Folmer, Brigadier General and Commander of Defence Cyber Command (Dutch Armed Forces)
24 OPEN
Platform overview
25 OPEN
2016/08/30 – NEC Cybersecurity
CyberLab Ecosystem in Belgium
[Diagram: the platform in Belgium sits at the centre of four ecosystems: Defense, Industrial, CIP, and Academic & Start-up.]
Thales Belgium, Tubize (Defense, Transport & Security): 31 km from NATO HQ Brussels, 26 km from NATO SHAPE Mons.
www.thalesgroup.com OPEN
New SOC Capabilities
27 OPEN
CSOC delivery models, adapted to different customer business needs
▌ Infrastructure & operations in customer premises: full internal, customer-owned solution (dedicated/internalized); operated by the customer; mainly Capex.
▌ Infrastructure in customer premises, operations in Thales: remotely operated CSOC, customer-owned solution (Thales CSOC as a product); operated by Thales (dedicated or pooled); Capex + Opex.
▌ Infrastructure & operations in Thales: CSOC as a Service, Thales CSOC in Thales premises operated by Thales; pooled resources with clear demarcation; mainly Opex.
28 OPEN
Combining the power of standard SIEM and Big Data
[Diagram: two columns fed by the same Risks and Threat Intelligence (SIC) inputs.]
SIEM (SOC): non-predictive analytics; standard and custom detection rules.
Big Data: predictive analytics; machine learning, behavioral analysis, hunting.
Further functions shown across the two columns: storage, compliance reports, data visualization, incident dashboards / indicators, business modeling / decision tool.
29 OPEN
Big Data Analytics Thales Lab
▌ Big Data platforms as the natural evolution for Thales solutions
Driven by data: volume, diversity
Distributed frameworks, virtualization, scalability
Parallelization, new algorithms
Dynamic & interactive visualization
▌ Applied to different use cases
Behavioral analytics for cyber security
Predictive maintenance
Smart transport and smart city
Crowd analytics
▌ A Thales Lab dedicated to Big Data
80 data scientists (Fr, Nl, Can, Sgp)
10 patents & 20 publications
Big data community (Hadoop, Spark Summit)
30 OPEN
From SOC to ngCSOC: overall evolution
[Diagram, left: Basic SOC for alert generation. Inputs: logs (firewalls, servers, etc.). Processing: SIEM with explicit rules, L1/2/3 analysis. Output: IT/Network Ops portal.]
[Diagram, right: ngCSOC as a control tower. Inputs from multiple sources: logs (firewalls, servers, etc.), ngProbes, sandboxes, databases, IoT, industrial environments, networking flows, application level, cloud / XaaS, endpoints. Processing: SIEM with explicit rules plus Big Data behavioral analysis and dynamic rules, data management, L1/2/3 analysis; functions: log collection, aggregation & correlation, analysis, ticketing, reporting. Outputs: IoC / TTP, business-oriented communication, governance, risk management, compliance, vulnerability management, threat intelligence, IT/Network Ops portal.]
Artificial intelligence & Big Data for enhanced detection, integrated with automated detection & response
Extended scope, incl. public cloud, industrial environments, etc.
Threat intelligence for efficient focus on business-critical issues
Other improvements & platform evolutions, e.g. PDIS (ANSSI's qualification scheme for security incident detection providers)
Business risk management
Large scope for data input
Large set of tools / expertise for detection, analysis, remediation, supervision
Integrated with threat intelligence
31 OPEN
CSOC-based services: overall roadmap
[Roadmap table with columns 2016, 2017, 2018 and 2019+; within each row the items are listed in timeline order, with the 2019+ column marked explicitly.]
Scope: Cloud SaaS; specific OT probe integration; OT behavioral analysis; 2019+: further cloud cyber surveillance.
Automated: Thales + Cisco trusted anti-malware; managed sovereign probe; 2019+: managed sovereign endpoint protection.
Other: ngPortal; PDIS-compliant CSOC; advanced log retention & management; NIS/European-compliant CSOC.
TI (Threat Intelligence): IoC & TTP; IoC detection in past logs; global Thales CTIP; 2019+: fully integrated TI & risk management.
AI: behavioral analysis PoC; behavioral analysis; deep learning detection; 2019+: Thales R&T on AI algorithms for cyber security.
32 OPEN
Integrating the “OT” scope in the SOC monitoring
▌ Weapon or platform systems embedding “OT” components are currently the subject of R&D activities; the approach differs greatly according to the type of platform system.
▌ Thales has developed an industrial security offer related to ICS cyber security, and will have ICS probes and a test bed.
▌ Integration of the OT scope is the ultimate stage of the digital transformation program.
33 OPEN
OT / MILITARY SYSTEMS: THALES METHODOLOGY
▌ Five classes of systems stand at the core of the QAF's defence. They vary in terms of cybersecurity.
▌ Three of them are Information Technology (IT) systems:
C4ISR systems cover a wide range of functionalities. Modern C4ISR systems take cybersecurity into account, while previous generations can be provided with monitoring appliances and applications.
Communication (COM) systems range from tactical radio communications and software-based radio through SATCOM and communication electronic warfare to large, resilient battlefield communication networks.
Office & Information Management (OIM) systems include applications ranging from messaging to payroll and are very similar to those found on civilian markets.
▌ The other two are founded upon Operational Technologies (OT):
Weapon (ARM) systems for land, sea and air combat are extremely varied and their technologies very diverse, ranging from pure mechanics to the most advanced electronics and software platforms.
Platform & Life Automation (LIFE) systems (lifts, doors, ventilation, lighting, fridges, etc.) are similar to Industrial Automation & Control Systems (IACS).
34 OPEN
Deployable SOC
▌ Rapid Response Team tool for:
Assessment of the security level of a system before SOC deployment
Post-attack surveillance and remediation
Additional surveillance for highly critical assets
▌ Operation theatre support: mobile, rugged SOC platform for a forward operating base
More on R&T to come
36 OPEN
Overview of ICT & security technology scope, trends and challenges
[Diagram: ICT/security areas set against the digital-transformation trends softwarization, cloudification, virtualization, datafication and A.I.]
▌ Key topics
Anomaly detection, malware & APT analysis for cyber threat intelligence
Blockchain & smart-contract technology usages
Formal verification of protocols
Homomorphic encryption applications and verifiable computation
SDN & NFV vulnerability analysis, …
▌ Digital scouting, performance assessment
Hybrid detection (anomaly- & scenario-based) for CSOC
HE libraries for confidential detection for Cybels Sensor
Blockchain for decentralized authorization and ABAC access control policy management
Secure orchestration, deployment & maintenance of services in 5G infrastructures
Deep learning for steganographic malware detection
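Three of the deck's detection ideas fit in one small pipeline: the explicit SIEM rules versus behavioral analysis contrasted on slide 30, the "IoC detection in past logs" roadmap item on slide 31, and the hybrid (anomaly- and scenario-based) detection listed above. The following is an added illustration, not Thales or Cybels code: it parses constructed sshd-style authentication lines (the host, users, addresses and indicators are invented), fires a scenario rule for password guessing that ends in a success, flags users whose daily login volume leaves their own baseline, and retro-matches a defanged IoC list against the stored events.

```python
"""Hybrid detection over constructed sshd auth events: a scenario rule,
a per-user behavioural baseline, and an IoC retro-match over past logs.
Added example for illustration; not Thales code. Hosts, users, IPs and
indicators below are invented."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"password for (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})$"
)


def _line(ts, result, user, ip):
    return f"{ts} bastion sshd: {result} password for {user} from {ip}"


# Constructed sample log: four quiet days for alice, then a burst of logins
# from an external address, and a password-guessing run against bob.
SAMPLE_LOGS = (
    [_line(f"2016-08-2{d}T09:00:00", "Accepted", "alice", "10.0.0.5") for d in range(4)]
    + [_line("2016-08-21T14:00:00", "Accepted", "alice", "10.0.0.5"),
       _line("2016-08-23T15:00:00", "Accepted", "alice", "10.0.0.5")]
    + [_line(f"2016-08-25T03:{m:02d}:00", "Accepted", "alice", "203.0.113.9") for m in range(6)]
    + [_line(f"2016-08-25T04:00:{s:02d}", "Failed", "bob", "198.51.100.77") for s in range(5)]
    + [_line("2016-08-25T04:00:09", "Accepted", "bob", "198.51.100.77")]
)


def parse(lines):
    """Parse lines into dicts with a datetime 'ts'; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def scenario_rule(events, failures=5, window=timedelta(minutes=10)):
    """Explicit rule: >= `failures` failed logins for the same user/IP pair,
    followed by a success inside `window`, i.e. password guessing that worked."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = recent[(ev["user"], ev["ip"])]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= failures:
            alerts.append(("brute_force_success", ev["user"], ev["ip"], ev["ts"]))
            q.clear()
    return alerts


def behavioural_anomalies(events, k=3.0, floor=3):
    """Per-user successful-login count on the last day compared with
    mean + k*stdev of the earlier days (0 filled in for quiet days).
    `floor` stops a user with no history from alerting on a single login."""
    days = sorted({ev["ts"].date() for ev in events})
    today, history = days[-1], days[:-1]
    per_user = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["result"] == "Accepted":
            per_user[ev["user"]][ev["ts"].date()] += 1
    anomalies = []
    for user, counts in per_user.items():
        base = [counts[d] for d in history]
        threshold = max(mean(base) + k * pstdev(base), floor) if base else floor
        if counts[today] > threshold:
            anomalies.append(("login_volume", user, counts[today], round(threshold, 1)))
    return anomalies


def defang(indicator):
    """Normalise defanged indicators as shared by TI feeds ('203[.]0[.]113[.]9')."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def ioc_retro_match(events, indicators):
    """Retro-hunt: run a fresh IoC list over already-stored events."""
    iocs = {defang(i) for i in indicators}
    return [(ev["ts"], ev["user"], ev["ip"]) for ev in events if ev["ip"] in iocs]


def run(lines=SAMPLE_LOGS, indicators=("203[.]0[.]113[.]9", "192[.]0[.]2[.]44")):
    events = parse(lines)
    return {
        "scenario": scenario_rule(events),
        "behavioural": behavioural_anomalies(events),
        "ioc_hits": ioc_retro_match(events, indicators),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The scenario rule is the SIEM-style explicit rule: it cannot see alice's night-time burst, because every one of those logins succeeded. The baseline catches it because the rule is derived from her own history rather than written in advance, and the `floor` is the caveat that a purely statistical threshold needs: a user with no history has a baseline of zero, so without it bob's single successful login would also be flagged. The retro-match is what "IoC detection in past logs" amounts to in practice: the events were stored before the indicator arrived, so detection only works if the logs were kept and parsed in a form that can be re-queried.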
37 OPEN
Collaborations
▌ Involvements
ECSO (European Cyber Security Organisation)
5G PPP: Thales leads the transverse security group
Chairs of Cyberdefense for Naval Systems and of Cybersecurity for Air Force Systems
ENISA CIIP experts
▌ Partners
Academic:
- Schools of the Institut Mines-Telecom, thematic network RT5 « Sécurité des systèmes et des services Numériques » (security of digital systems and services)
- Ongoing PhDs with Telecom SudParis, CentraleSupélec and Inria
- Academic working groups: IRISA Security GDR, PEC (Cyber Security centre of excellence)
CC laboratories, standardization bodies and SMEs:
- Oppida, Amossys, IRT SystemX, …
- OWE, ETSI, …
AIOTI
cPPP
www.thalesgroup.com/cic OPEN