Lessons Learned from Automated Sharing of Intrusion Detection Alerts: The Case of the SABU Platform

Article

Authors: Martin Husák, Pavol Sokol, Martin Žádník, Václav Bartoš, Martin Horák

Abstract

Sharing the alerts from intrusion detection systems among multiple computer networks and organizations allows for seeing the “big picture” of the network security situation and improves the capabilities of cyber incident response. However, such a task requires a number of technical and non-technical issues to be resolved, from data collection and distribution to proper categorization, data quality management, and issues of trust and privacy. In this field note, we illustrate the concepts and provide lessons learned on the example of SABU, an alert sharing and analysis platform used by academia and partner organizations in the Czech Republic. We discuss the initial willingness to share the data, which was later weakened by uncertainties around personal data protection; the high volume and low quality of the data, which prevented their straightforward use; and the observation that managing the community is a more severe issue than the technical implementation of alert sharing.

Introduction

Collaboration and information exchange have been fundamental to cybersecurity since its foundations. The collaboration took various forms: warnings and announcements were distributed via mailing lists, public databases of vulnerabilities and cyber threat intelligence feeds emerged, and best practices in incident response were shared among cybersecurity teams. A long-term trend is automating information exchange and structuring the information for its automated processing [9, 24, 27, 30]. The motivation for automated information exchange was the perceived benefit of seeing the “big picture” of the cybersecurity situation and filling the blind spots of one organization with data from the others in a timely manner. For example, the European Commission states in a working document [5] that insufficient information sharing on threats, risks, and incidents results in sub-optimal preparedness or response. The lack of data and information on computer systems and networks does not allow for conducting appropriate analysis and compiling statistics that could be used to raise awareness of rising threats and to plan appropriate measures to tackle them. In the EU, the initiatives to share cybersecurity data are backed by the NIS Directive (EU 2016/1148). Similar initiatives can be found around the globe in national strategies and cybersecurity communities.
In this field note, we present the case study of the SABU alert sharing platform, which is operated in the academic computer network in the Czech Republic and is also used by peers from government and industry. We first briefly introduce the topic of information sharing in the following subsection. Subsequently, we describe the SABU platform and the reasoning behind its design choices in Section 2. In Section 3, we present the lessons learned from operating the platform and managing the community. Section 4 concludes the article.