Real World Information Exchange: Challenges and Insights

CERT-EU's mission is to enhance the security of the information and communications technology infrastructure of the EU institutions, bodies and agencies (its 'constituents'). It supports incident prevention, detection, mitigation and response by acting as the cyber-security information exchange and incident response coordination hub for its constituents. It is based in Brussels. Collecting and managing cyber threat information and using it in the detection infrastructure is key in risk mitigation strategies. Information exchange with external and internal partners is crucially important to realize the potential added value. CERT-EU actively and intensively engages in cooperation and partnerships with its peers and partners in the IT community and as such it is recognised as a leading player in information exchange, both on the theoretical level as in its real world implementation. CERT-EU has also made important advances in the way it exchanges information with its constituents to make the information actionable, relevant, useful and specific and to avoid as much noise and false positives as possible.

A good understanding of the specific threats at any given moment increases the chances of mitigation. An organization may be more concerned by cyber-threats targeting its sector, its supply chain or its geographical area and it may handle in priority cyber-threats potentially causing the most damage, being the most persistent or having a specific motivation. Monitoring these aspects and acting accordingly allows organizations to mitigate the threats that are the most pertinent at a given time. As cyber threat information sharing matures, it is necessary to consider how it should be optimized and what it should deliver on the consuming end. This implies that information exchange should meet minimal quality criteria in terms of contextualization, timeliness and actionability.

Faced with an extremely dynamic cyber-threat landscape, the challenge is also to automate information sharing and make it immediately actionable. But in addition, the process should also include escalation and alerting functions to trigger immediate attention to the most severe of threats.

The talk will highlight the insights derived from CERT-EU practical experience in the past few years, presenting concrete success factors for cyber threat information exchange. It will also highlight some remaining challenges and unresolved problems.