The Sharing and Analysis of Security Events in the Czech Republic
The goal of the SABU project is to develop a system for the intelligent analysis of security events and their effective exchange between security teams. The system is intended to make it possible to predict how attacks develop and to limit their potential impact on the national cyberspace.
CSIRT-MU cooperates on this project with the CESNET association.
Protection of computer networks, the services operated on them and their users is currently provided by separate entities (network providers, service providers, security teams). Protective countermeasures are deployed on the basis of detected security events, incidents and attacks that could affect the infrastructure. However, only part of this security information is shared between security teams, so its full potential cannot be used for the benefit of the infrastructure as a whole.
Our primary objective in this project is to develop and pilot a system for the effective exchange and analysis of detected security events among security teams in the Czech Republic, including the national and governmental security teams. Early exchange of information between the involved organizations will make it easier to predict how an attack will spread and will help the organizations prepare for the threats. In this way the system will limit the consequences of attacks on the national cyberspace.
Technology and specifics
Collecting and sharing of security events
The system will make it possible to distribute and collect security events originating from a broad spectrum of security components that generate them. A library will be designed and implemented that makes it easy to connect various systems (e.g. honeypots, behaviour analysis systems, logs) as well as third-party sources (e.g. N6, ShadowServer, UCEPROTECT).
Intelligent analysis of security events
The research focuses on methods for correlating different types of security reports, for correlating events in place and in time, and for determining the credibility of a reported event and of the entities reported within it. The outcome will be aggregated and correlated information derived from the enormous volume of individual security events. Analysis of spreading threats will make it possible to observe long-term security trends and will continuously improve the effectiveness of the Czech cybersecurity system.
Correlation of different types of national cyberspace security events
The project includes correlating events with primary data acquired from the CESNET2 network (packets, flows, logs) in order to verify the events, enrich the collected data and calibrate the system. We will design and pilot a way of integrating the acquired information with the aim of helping to avert impending attacks.
Increased security of organizations
To improve the protection of the involved organizations against attacks, we will develop connectors to selected network security elements (e.g. firewalls, IPS, filters). This will allow the results of the intelligent analysis to be distributed and used to secure the infrastructure.
Enriching collected data and extending the detection capabilities of event producers
We will research and develop tools for the selective collection and analysis of network traffic data in order to identify new threats and to verify and analyse existing ones. A selectable level of detail will enable a deeper understanding of threats.
Support for filtering and (partial) anonymization of shared data
The primary goal is to ensure high data quality in all respects. We consider it a priority to keep sensitive data under the control of the involved organizations. Because the information is transmitted between different entities, we take into account the legal aspects of sharing and using it (with respect to privacy protection).
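As an added illustration of the two mechanisms described above, correlation of events in place and time weighted by reporter credibility, and partial anonymization of the data before it is shared, the following Python example is not code from the SABU project and does not use its formats or APIs. The event fields, the credibility weights, the ten-minute window, the /24 and /48 prefixes, the sharing key and all sample events are assumptions constructed for the example.

```python
"""Added example, not SABU project code: correlate constructed security events
by source address (place) and time window, score each cluster by the
credibility of the reporters that saw it, and partially anonymize the victim
addresses before the result is shared with other teams."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import ipaddress


@dataclass(frozen=True)
class Event:
    reporter: str       # assumed field: detector or feed that produced the event
    category: str       # assumed field: free-form event category
    source: str         # address the activity came from
    target: str         # address inside the reporting organization that was hit
    time: datetime


# Assumed credibility weights in [0, 1]. The project text names the concept of
# reporter credibility; these values are illustrative, not from the project.
CREDIBILITY = {"honeypot-a": 0.9, "flow-ids": 0.7, "thirdparty-feed": 0.4}


def correlate(events, window=timedelta(minutes=10), threshold=1.0):
    """Cluster events per source address into time windows and score each
    cluster by summing the credibility of its *distinct* reporters, so one
    noisy sensor cannot raise the score by repeating itself. Returns the
    clusters whose score reaches `threshold`."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        cluster = []
        for e in evs + [None]:                 # None is a sentinel that flushes the last cluster
            if cluster and (e is None or e.time - cluster[0].time > window):
                reporters = {c.reporter for c in cluster}
                score = sum(CREDIBILITY.get(r, 0.0) for r in reporters)
                if score >= threshold:
                    alerts.append({
                        "source": source,
                        "score": round(score, 2),
                        "reporters": sorted(reporters),
                        "categories": sorted({c.category for c in cluster}),
                        "targets": sorted({c.target for c in cluster}),
                        "first_seen": cluster[0].time,
                        "last_seen": cluster[-1].time,
                    })
                cluster = []
            if e is not None:
                cluster.append(e)
    return alerts


def anonymize_target(addr, key, prefix_v4=24, prefix_v6=48):
    """Partial anonymization for sharing: keep only the network prefix of the
    victim address and attach a keyed hash (HMAC-SHA256) so the owning
    organization, which alone holds `key`, can still re-identify the host."""
    ip = ipaddress.ip_address(addr)
    plen = prefix_v4 if ip.version == 4 else prefix_v6
    net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    tag = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:16]
    return f"{net.with_prefixlen}#{tag}"


def prepare_for_sharing(alerts, key):
    """Assumed sharing policy: the attacking source stays in the clear, the
    victims inside the reporting organization are partially anonymized."""
    return [dict(a, targets=[anonymize_target(t, key) for t in a["targets"]])
            for a in alerts]


# Constructed sample events (documentation address ranges, not real data).
T0 = datetime(2016, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event("honeypot-a", "Recon.Scanning", "203.0.113.7", "192.0.2.10", T0),
    Event("flow-ids", "Recon.Scanning", "203.0.113.7", "192.0.2.55", T0 + timedelta(minutes=3)),
    Event("thirdparty-feed", "Attempt.Login", "203.0.113.7", "192.0.2.10", T0 + timedelta(minutes=8)),
    # same source 50 minutes later: a separate cluster seen by one sensor only
    Event("honeypot-a", "Recon.Scanning", "203.0.113.7", "192.0.2.10", T0 + timedelta(minutes=50)),
    # another source reported once by a low-credibility feed: stays below threshold
    Event("thirdparty-feed", "Recon.Scanning", "198.51.100.9", "192.0.2.20", T0 + timedelta(minutes=1)),
]

SHARING_KEY = b"per-organization secret (example only)"

if __name__ == "__main__":
    for alert in prepare_for_sharing(correlate(SAMPLE_EVENTS), SHARING_KEY):
        print(alert)
```

Of the three sources of activity in the sample, only 203.0.113.7 in the first ten minutes reaches the threshold, because three independent reporters saw it; the same source seen again later by a single sensor, and the second source reported once by the low-credibility feed, do not. Keeping the HMAC key inside the originating organization is what keeps the victim data "under its control" while the shared record still lets that organization map a report back to a host.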
Identification of the legal aspects of event sharing
This partial goal is present in all areas the project deals with. The main intention is to analyse potentially problematic procedures and processes from a legal perspective and to propose a methodology for using current and emerging technologies.
Next year we plan to transfer the technology abroad and to establish not only international cooperation but also greater security awareness and sharing at the international level.