What is the Canadian Shared Security Operations Centre (CanSSOC)?
CanSSOC was created to investigate how shared services can enable greater visibility and mitigation of cyber security threats, in a more cost-efficient and effective way than a single institution could deliver on its own. CanSSOC is unique because it allows participants to explore, develop and test ways to bring together a wide range of needs, partners, technology and data to develop a robust model that raises the security profile of the higher education sector as a whole. CanSSOC is currently governed by a steering committee with leaders from McGill University, McMaster University, Ryerson University, University of Alberta, University of British Columbia and the University of Toronto.
Who does CanSSOC collaborate with?
In Canada, CanSSOC partners with members of the Canadian National Research and Education Network (NREN), CANARIE and the Canadian Centre for Cyber Security. Together, we’re working to develop collaborative approaches to prevention, detection and mitigation of cyber security threats. CANARIE’s Cybersecurity Initiatives Program (CIP) is one example, enabling CanSSOC to deliver its Threat Feed service to eligible research and education (R&E) organizations at no cost. Internationally, CanSSOC signed a Memorandum of Understanding in 2021 to share intelligence with global partners Jisc, OmniSOC and AARNet.
Why is a collaborative approach to cyber security more effective?
The frequency and complexity of cyber security threats facing higher education institutions are increasing at an unprecedented rate. The Canadian higher education sector must come together to protect and defend itself against criminal organizations trying to extort money and individuals with varying motives. The cost of inaction and lack of coordination will result in substantial financial, intellectual property, reputational and personal information losses across Canada.
How can my institution get involved?
To opt-in for CanSSOC’s Threat Feed service, R&E organizations must first enrol in CANARIE’s CIP. To confirm your organization’s eligibility for the CIP or to initiate enrolment, please contact the NREN partner in your province or territory. If you’re not sure who to contact, reach out to CanSSOC and we’ll help connect you.
What is provided through CanSSOC’s Threat Feed platform?
CanSSOC’s Threat Feed platform consolidates multiple threat intelligence information sources into a single curated feed, making it easier for institutions to consume and act upon threat intelligence information. As a pilot, CanSSOC members will receive information targeted to the sector in various lists and feeds to allow institutions to automate the use of this information directly through their endpoint protection solutions.
How does Threat Feed make it easier to consume and triage threat intelligence information?
Threat Feed’s standardized templates allow institutions to load the feed into their existing endpoint detection devices, making it easier to block directly or to alert, depending on their preference. CanSSOC has developed the Threat Feed with the intent that after a small amount of basic configuration, institutions can “set it and forget it” by using it in their endpoint detection devices.
Also, CanSSOC analysts will curate the feed in a standard manner, adding metadata and intelligence specifically relevant to the sector. For example, they can identify high probability threats based on threat intelligence information being shared nationally and amongst global partners, allowing for automated action by a member, or identifying which threats institutions need to prioritize.
If your institution already subscribes to other threat feeds, do you still need the CanSSOC Threat Feed?
This initiative is not intended to replace threat feeds you may already have in place but to strengthen them with sector-specific intelligence. The CanSSOC Threat Feed may also contain other feeds that you already subscribe to, such as the feed from the Canadian Centre for Cyber Security. The CanSSOC Threat Feed consolidates and curates several feeds, uniquely focused on risks for the research and education (R&E) sector. Due to the sophistication of today’s cybersecurity threats, a risk at one R&E organization can easily create a ripple effect for the entire sector. The Threat Feed enables Canada’s R&E sector to draw upon a collective nationally based defense to support organizations.
How is this different from receiving the CanSSOC Threat Feed through your CIRA DNS Firewall?
The source of threat intelligence is the same, but the level of protection offered by each is very different. CIRA’s integrated CanSSOC Threat Feed is one of the intelligence sources that the CIRA DNS Firewall uses to determine which malicious DNS entries / sites to block from user access. The direct CanSSOC Threat Feed service is ingested by your next-generation firewall to block external threats from entering your network. It provides threat protection from external sources trying to gain access to your network.
What makes CanSSOC’s Threat Feed unique from other threat intelligence solutions?
Due to the sophistication of today’s information threats, a risk at one higher education institution can easily create a ripple effect for the entire research and education community. Threat Feed enables Canadian institutions to stay ahead of cyber security threats and draw upon a collective defense that reaches across institutional, provincial and national levels.
Through the pilot, participants will be able to explore, develop and test ways to achieve a wide range of needs and bring together partners, technology and data for the benefit of all. CanSSOC’s vision is to create a community and platform developed by the community for the community that will raise the security profile of the entire sector.
Where is the Threat Feed information sourced from?
As a pilot, Threat Feed will consolidate four main sources of intelligence:
- Canadian Centre for Cyber Security (CCCS) feed – currently available; additional intelligence will be added
- CanCyber – freely available
- Recorded Future’s commercial feed
- CanSSOC’s own threat intelligence
CanSSOC is also working with global community partners to acquire additional information on the data available through partners’ security operations centres (SOCs) and analysis.
How can our organization access the CanSSOC Threat Feed Service?
Please contact your NREN partner in your province/territory.
If your organization is already enrolled in the CIP:
- Your NREN partner will send you a link to the CanSSOC Threat Feed selection form.
- Submit your CanSSOC Threat Feed selection.
- CANARIE will send you the CanSSOC confidentiality agreement to execute.
- Once the CanSSOC confidentiality agreement is in place, your NREN partner will be in touch to set up your technical implementation session so that you can begin to access the Threat Feed.
If your organization is not yet enrolled in the CIP:
- Your NREN Partner will send a link for the CIP Participation Form, where you can also select the CanSSOC Threat Feed.
- After you submit this form, CANARIE will send you an Organization Cybersecurity Collaboration Agreement (OCCA) for execution.
- Once your OCCA is executed, CANARIE will send you the CanSSOC Confidentiality Agreement to execute.
- Once the CanSSOC Confidentiality Agreement is in place, your NREN partner will be in touch to set up your technical implementation session so that you can begin to access the Threat Feed.
How long does it take to implement this initiative?
The technical onboarding session takes about two hours, fully guided by a representative from the NREN or CanSSOC.
How much maintenance is required?
CanSSOC has developed the Threat Feed with the intent that after a small amount of basic configuration, your organization can “set it and forget it” by using it in your endpoint detection devices.
What kind of expertise do we need on our team to benefit from this initiative?
The only expertise required is a firewall administrator with the skills and permission to access and make changes to your organization’s firewall.
Are there other cybersecurity tools we must have in place before we can benefit from this initiative?
No, but to maximize the Threat Feed’s value, a next-generation firewall is recommended. The CanSSOC Threat Feed readily integrates with the Cisco Firepower, Fortinet FortiGate and Palo Alto Next Generation Firewall. Integrations with other next-generation firewalls and endpoint detection and protection devices are under development.
Can you expand on the threat intelligence processes and the technologies you’re exploring?
We’re planning to leverage the profile of the CanSSOC proof of concept (POC) to establish partnerships with Canadian and global sources of threat intelligence data. We’re also increasing our understanding of the raw event data that we see by analyzing that data through the lenses of:
- IOCs (Indicators of Compromise)
- Lists of known bad hosts
- Behavioural analysis
Ideally, we will achieve increased visibility into event data, enabling us to identify not only attacks on individual institutions, but also simultaneous attacks on multiple institutions and pivot attacks from one institution to another.
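As an added illustration of those three lenses (this is not CanSSOC code; the log format, the institution address ranges and the indicators are all constructed), the script below matches firewall log lines from several institutions against an IOC list, reports indicators seen at more than one institution in the same window, and flags a host that contacted a known-bad address and then reached into another institution’s address space:

```python
"""Correlate constructed firewall log lines from several institutions against an IOC list.

Added example, not CanSSOC code. The log line format, the institution names and
address ranges, and the indicators below are all constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed IOC list (stand-in for a curated feed): indicator -> short tag.
KNOWN_BAD = {
    "203.0.113.45": "scanner",
    "198.51.100.7": "c2",
}

# Constructed: which address range belongs to which (fictional) institution.
INSTITUTION_NETS = {
    "univ-a": ip_network("192.0.2.0/25"),
    "univ-b": ip_network("192.0.2.128/25"),
}

# Constructed firewall log lines: "<ts> inst=<reporter> src=<ip> dst=<ip> action=<a>".
SAMPLE_LOGS = """\
2021-06-01T10:00:01Z inst=univ-a src=203.0.113.45 dst=192.0.2.10 action=deny
2021-06-01T10:00:05Z inst=univ-b src=203.0.113.45 dst=192.0.2.200 action=allow
2021-06-01T10:01:00Z inst=univ-a src=192.0.2.20 dst=198.51.100.7 action=allow
2021-06-01T10:02:00Z inst=univ-b src=192.0.2.20 dst=192.0.2.210 action=allow
2021-06-01T10:03:00Z inst=univ-a src=192.0.2.30 dst=192.0.2.40 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) inst=(?P<inst>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def ioc_hits(events):
    """Lenses 1 and 2: log lines whose src or dst appears in the IOC / known-bad list."""
    hits = []
    for e in events:
        for field in ("src", "dst"):
            tag = KNOWN_BAD.get(e[field])
            if tag:
                hits.append((e["inst"], e[field], tag, e["action"]))
    return hits


def multi_institution_indicators(events):
    """Indicators reported by more than one institution: a simultaneous, sector-wide event."""
    seen = defaultdict(set)
    for inst, ioc, _tag, _action in ioc_hits(events):
        seen[ioc].add(inst)
    return {ioc: sorted(insts) for ioc, insts in seen.items() if len(insts) > 1}


def owner(ip):
    """Which institution's address space an IP falls in, or None for external addresses."""
    addr = ip_address(ip)
    for name, net in INSTITUTION_NETS.items():
        if addr in net:
            return name
    return None


def pivot_candidates(events):
    """Lens 3 (behavioural): a host that talked to a known-bad address and then crossed
    from its own institution's address space into another institution's."""
    touched_ioc = {e["src"] for e in events if e["dst"] in KNOWN_BAD}
    out = []
    for e in events:
        src_owner, dst_owner = owner(e["src"]), owner(e["dst"])
        if src_owner and dst_owner and src_owner != dst_owner and e["src"] in touched_ioc:
            out.append((e["src"], src_owner, dst_owner))
    return out


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("IOC hits:", ioc_hits(events))
    print("Seen at multiple institutions:", multi_institution_indicators(events))
    print("Pivot candidates (host, from, to):", pivot_candidates(events))
```

The cross-institution view is the part a single institution cannot produce on its own: the scanner address only looks like a sector-wide event once two institutions’ logs are placed side by side, and the pivot is only visible because the address ranges of both institutions are known to the analyst.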
What are the advantages of ingesting feeds from the Malware Information Sharing Platform (MISP) to MineMeld?
While MineMeld is good at collecting and aggregating feeds of IOCs, it has limitations when it comes to curation and management of data. At a high level:
MineMeld:
- A very basic tool for automated processing of streams of IOCs; it cannot do advanced correlation and analysis.
- Not built for sharing IOCs with their context, and as a result requires more work to integrate new IOC sources.
- The interface has limited capabilities and can be difficult to use for manually managing IOCs.
MISP:
- Built specifically for sharing detailed data with other organizations. It has a user-friendly interface for manual analysis and managing metadata.
- Allows for correlation and enrichment of indicators, including built-in capabilities for complex indicator scoring rules.
- Uses the concept of events with associated attributes, which allows for more effective sharing of threat intelligence.
The CanSSOC collaboration platform currently leverages both MISP and MineMeld to take advantage of the strengths of each tool. MISP is a much more refined product for event-based IOC sharing. The MISP platform is complemented with MineMeld, which provides an automated feed to numerous types of protection devices. As the development of the MISP platform continues and its feature set expands, it is anticipated that the use of MineMeld could be phased out.
Short answer: MISP is the backbone of the Threat Feed service; MineMeld is purely a distribution channel.
How can I leverage Threat Feed on my local infrastructure?
Threat Feed allows a lot of flexibility, and the right approach will depend on each organization. Options range from leveraging the CanSSOC platform exclusively, to standing up your own MISP platform, to a hybrid model. While you could decide to log into MISP manually and review the IOCs published on a regular basis, we recommend that you take advantage of the MineMeld blocklist feeds and integrate them with your protection devices in order to reap the full benefit of automatic protection against known threats.
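An added example of the path described in the two answers above, from event-based sharing in MISP to a plain blocklist that a protection device can pull (this is not CanSSOC’s or MISP’s own code): it reads an event constructed in the shape of a MISP event JSON export (an Event carrying an Attribute list with type, value, to_ids and timestamp fields), keeps only attributes that the analyst flagged for detection, that are of a network-blockable type and that are not older than an assumed 90-day window, and renders one text list per indicator type in the one-indicator-per-line form that next-generation firewalls fetch as an external list. The reference time, the age window and the list shape are assumptions made for the example.

```python
"""Turn a MISP-style event export into plain blocklists for a firewall.

Added example, not CanSSOC's or MISP's own code. The event below is constructed in the
shape of a MISP event JSON export; the reference time, the 90-day window and the
one-indicator-per-line output are assumptions chosen for this illustration.
"""
import json

# Constructed event in the shape of a MISP event export; all values are illustrative only.
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "info": "Constructed sample: phishing infrastructure reported to the sector",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True, "timestamp": "1622541600"},
            {"type": "domain", "value": "login-portal.example", "to_ids": True, "timestamp": "1622541600"},
            {"type": "url", "value": "http://login-portal.example/auth", "to_ids": True, "timestamp": "1622541600"},
            # Context only: the analyst left to_ids off, so it must not reach a blocklist.
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False, "timestamp": "1622541600",
             "comment": "shared hosting, context only"},
            # File hash: useful for endpoint tools, not something a firewall can block.
            {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True, "timestamp": "1622541600"},
            # Stale indicator from 2020; aged out by the window below.
            {"type": "domain", "value": "old-c2.example", "to_ids": True, "timestamp": "1600000000"},
        ],
    }
})

# Assumed fixed reference time (2021-06-29T21:33:20Z) so the output is reproducible offline.
NOW = 1625000000
MAX_AGE_DAYS = 90  # assumption: indicators older than this are left out of the blocklists

# MISP attribute type -> which list it lands in. Types not listed here are not network-blockable.
TYPE_TO_LIST = {
    "ip-src": "ip", "ip-dst": "ip",
    "domain": "domain", "hostname": "domain",
    "url": "url",
}


def load_event(text):
    """Return the attribute list of a MISP-style event document."""
    return json.loads(text)["Event"]["Attribute"]


def select_for_blocking(attributes, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Curation rules: to_ids set, blockable type, and not older than the age window."""
    cutoff = now - max_age_days * 86400
    selected = {}
    for attr in attributes:
        list_name = TYPE_TO_LIST.get(attr.get("type"))
        if list_name is None or not attr.get("to_ids"):
            continue
        if int(attr.get("timestamp", 0)) < cutoff:
            continue
        selected.setdefault(list_name, set()).add(attr["value"])
    # Sorted lists so that repeated runs over the same event produce identical files.
    return {name: sorted(values) for name, values in selected.items()}


def render_blocklists(selected):
    """One plain-text document per list: one indicator per line, trailing newline."""
    return {name: "\n".join(values) + "\n" for name, values in selected.items()}


if __name__ == "__main__":
    lists = render_blocklists(select_for_blocking(load_event(SAMPLE_EVENT_JSON)))
    for name, body in lists.items():
        print(f"--- {name} ---")
        print(body, end="")
```

The three filters are where the curation described earlier actually takes effect: the to_ids flag is how an analyst marks an attribute as safe to act on automatically rather than as context, the type map keeps file hashes and other endpoint-only indicators off the firewall lists, and the age window keeps the lists from growing without bound as infrastructure is retired.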
Does MISP provide institutional data obfuscation to remove institution identifiers?
The goal of MISP is to share external threat indicators, so it is unlikely to contain anything confidential. The CanSSOC goal is to share as much information as possible to ensure participants maximize their protection. While transparency is required in some cases to ensure feeds are not received in duplicate, in the case of institutions sharing events they have seen locally, we expect this to be anonymized in almost all, if not all, cases. Institutions will always have full control over what they decide to share.