What is the Canadian Shared Security Operations Centre (CanSSOC) proof of concept (POC)?
The POC for a shared Security Operations Centre (SSOC) was inspired by OmniSOC, a U.S.-based initiative that helps its members in the higher education sector reduce the time between detection of a security threat and its mitigation. It was founded by Indiana University, Northwestern University, Purdue University, Rutgers University and the University of Nebraska — all members of the Big Ten Academic Alliance.
The CanSSOC POC’s six university members are: University of Alberta, University of British Columbia, McGill University, McMaster University, Ryerson University and the University of Toronto. These universities are working closely with the National Research and Education Network (NREN) to align this initiative with other Canadian efforts to better secure information and data in the higher education sector.
Can I join the CanSSOC POC?
No, the POC is limited to the six core universities that have committed resources to completing this work by December 2019. By that deadline, a model for a production service will be available.
Can I connect my Security Information and Event Management (SIEM) system to the CanSSOC POC?
This option is not currently available. That being said, the project team will be exploring how we may connect to the NREN SIEM system.
What are the primary objectives of the CanSSOC POC?
The main objective of the CanSSOC POC is to strengthen cyber security within higher education settings. The initiative is identifying ways to improve return on security investment through:
- A prioritized list of services necessary to support the ongoing requirements for the participating institutions.
- Documentation of the data and resources required from the institutions that will participate in an ongoing operational shared SOC.
- An outline and cost model for the recommended operational technical architecture.
- A process for interaction between the institutions and the operational shared SOC.
- A detailed start-up and ongoing operational budget, including necessary specialized staff to manage and operate the shared SOC.
- Metrics for the ongoing evaluation of the effectiveness of the shared SOC.
- A recommended delivery mechanism for the operational shared SOC.
- A recommended governance structure.
- Feedback on possible integration with an OmniSOC network and/or other relevant SOCs.
I’ve heard that the Canadian NREN partner organizations are purchasing SIEMs. Will they be connected to the CanSSOC POC?
The CanSSOC participants and the NREN have been working closely together on the development of these initiatives. Part of the work of the POC is to explore the opportunity of sharing indicators of compromise (IOCs) from these SIEMs, and also sharing threat information from the POC to the SIEMs. They will also consider how this may work with other SIEMs.
Will the CanSSOC POC be investigating cyber threats that may affect me, and if so, will they let me know?
The POC is not a production service. It will explore how this can be done for future capability, but it will not be a service offered during the POC stage.
Can the CanSSOC POC provide a threat feed to my SIEM?
Currently, we are not considering this option. That said, the project team will be exploring how it may provide threat feeds to external SIEMs.
What happens to the CanSSOC POC after the POC is completed?
The intent is that the POC will lay out a roadmap for creating a national shared SOC with a broad membership (beyond the original six universities) that may integrate with other higher education SOCs or other partner organizations.
How does the Community, Health, Environment, Communications (CHEC) program in Ontario relate to the CanSSOC POC?
CHEC is an extension of the shared chief information security officers (CISO) project between eight Ontario schools and ORION. This project has moved beyond the POC stage and is expanding membership and introducing additional services, such as assessment. How this may intersect with CanSSOC will be explored during the POC, including whether it would be a good model for allowing schools without significant expertise or capacity to interact with a shared SOC.
My regional NREN partner organization is talking to me about a shared SIEM POC. Should I participate in it or wait for the CanSSOC POC to be completed?
At this point, these are complementary projects, both building expertise, capacity and the ability to share threat intelligence.
Will I be able to join CanSSOC once the POC is complete?
If the POC is successful it will outline a roadmap that will include information related to membership and/or participation in a shared SOC.
Who will operate the CanSSOC should it continue post POC?
That will be determined during the POC. We are looking at various options, from a single entity to a distributed network across various partners.
There is the NREN SIEM project, CHEC, shared SIEM initiatives and the CanSSOC POC. It seems like these initiatives are all trying to solve the same problem. Why so many projects?
The problem is complex and will probably require a partnership of complementary solutions provided by different agencies. We are working closely with other initiatives/partners to evaluate possible collaboration or sharing of information to allow us to most effectively achieve our collective goal to better secure the higher education sector in Canada.
The NREN SIEM deployment project has the primary goal of securing the research and education network. The CanSSOC POC is looking to determine the requirements for providing a shared SOC for universities. Some of the provincial NREN partners are exploring a proof of concept to support small and medium educational institutions. There is some overlap in the outcomes of these initiatives, but they are looking at different solutions to a similar challenge. Close collaboration and communication will allow each initiative to understand how it might serve the community.
What is CANARIE’s role in the CanSSOC POC?
CANARIE brings skills, knowledge, capacity and leadership to the project. CANARIE has strong relationships with the federal government, provincial and territorial organizations and other stakeholders. CANARIE is also supporting the CanSSOC POC by bringing international perspectives through the Global Research and Education Network (G-REN).
What are the provincial NREN organizations’ role in the CanSSOC POC?
The provincial NREN organizations are partners in the POC and in future shared SOC services in several ways. As network providers, they offer safe and secure internal equipment. As such, they would consume IOCs from the shared SOC into their own SIEMs, as well as share threat intelligence generated from their SIEMs with the SOC. We see the SIEM projects as complementary to what we are doing.
It is possible that some of the provincial organizations may end up acting as a conduit to schools that would otherwise struggle to effectively interact with CanSSOC given their size, skills and resources. The model evolving in Ontario is of great interest, but keep in mind that each province may tackle this differently. Overall, we need to work together to enhance our national cyber security defense and ensure our services are complementary.
How will updates and information be shared?
Can you expand on the threat intelligence processes and the technologies you’re exploring?
We’re planning to leverage the profile of the CanSSOC POC to establish partnerships with Canadian and global sources of threat intelligence data. We’re also increasing our understanding of the raw event data that we see by analysing that data through the lenses of:
- IOCs (Indicators of Compromise)
- Lists of known bad hosts
- Behavioural analysis
Ideally, we will achieve increased visibility into event data, enabling us to identify not only attacks on individual institutions, but also simultaneous attacks on multiple institutions and pivot attacks from one institution to another.
What are the advantages of ingesting feeds from Malware Incident Sharing Platform (MISP) to MineMeld?
While MineMeld is good at collecting and aggregating feeds of Indicators of Compromise (IOCs), it has limitations when it comes to curation and management of data. At a high level, MineMeld:
- Is a very basic tool for automated processing of streams of IOCs and cannot do advanced correlation and analysis.
- Is not built for sharing IOCs with their context, and as a result requires more work to integrate new IOC sources.
- Has an interface with limited capabilities that can be difficult to use for manually managing IOCs.
MISP, by contrast:
- Is built specifically for sharing detailed data with other organizations, and has a user-friendly interface for manual analysis and managing metadata.
- Allows for correlation and enrichment of indicators, including built-in capabilities for complex indicator scoring rules.
- Uses the concept of events with associated attributes, which allows for more effective sharing of threat intelligence.
The CanSSOC collaboration platform currently leverages both MISP and MineMeld to take advantage of the strengths of each tool. MISP is a much more refined product for event-based IOC sharing. The MISP platform is complemented by MineMeld, which provides an automated feed to numerous types of protection devices. As the development of the MISP platform continues and its feature set expands, it is anticipated that the use of MineMeld could be phased out.
Short answer: MISP is the backbone of the Threat Feed service; MineMeld is purely a distribution channel.
How can I leverage Threat Feed on my local infrastructure?
Threat Feed allows a lot of flexibility, and the approach will depend on each organization. Anything is possible, from leveraging the CanSSOC platform exclusively to standing up your own MISP platform, or even moving toward a hybrid model. While you could decide to manually log into MISP and review the IOCs published on a regular basis, we recommend that you take advantage of the MineMeld blacklist feeds and integrate them with your protection devices in order to reap the full benefits of automatic protection against known threats.
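To make the MISP-to-MineMeld split described above concrete (MISP holds events with attributes; MineMeld distributes flat per-type blocklists to protection devices), here is an added example that is not CanSSOC's or either project's own code. It turns a constructed MISP-style event export into the kind of one-indicator-per-line feed a firewall or proxy would consume, exporting only attributes flagged `to_ids` and validating IP values so a typo in an event never reaches a blocking rule. The event contents and the `FEED_TYPES` routing are assumptions for illustration.

```python
import ipaddress
import json

# Constructed MISP-style event export (sample data, not real CanSSOC events).
# MISP attributes carry a type, a value and a to_ids flag marking whether the
# attribute is intended for automated detection/blocking rather than context.
SAMPLE_EVENT = json.dumps({
    "Event": {
        "info": "constructed example: credential-phishing campaign",
        "Orgc": {"name": "example-university"},
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},  # duplicate
            {"type": "ip-dst", "value": "192.0.2.77", "to_ids": False},   # context only
            {"type": "ip-dst", "value": "not-an-ip", "to_ids": True},     # malformed
            {"type": "domain", "value": "Login-Example.invalid", "to_ids": True},
            {"type": "url", "value": "http://login-example.invalid/x", "to_ids": True},
        ],
    }
})

# Assumed routing of MISP attribute types into flat feeds, in the spirit of
# the per-type blocklists MineMeld publishes; "url" is deliberately not routed.
FEED_TYPES = {"ip": {"ip-dst", "ip-src"}, "domain": {"domain", "hostname"}}


def build_feeds(event_json: str) -> dict:
    """Return {feed_name: sorted unique indicators} for one MISP event.

    Only to_ids=True attributes are exported, so analyst-context attributes
    never become blocking rules; IP values are validated before export.
    """
    attrs = json.loads(event_json)["Event"]["Attribute"]
    feeds = {name: set() for name in FEED_TYPES}
    for attr in attrs:
        if not attr.get("to_ids"):
            continue
        for feed, types in FEED_TYPES.items():
            if attr["type"] in types:
                value = attr["value"].strip().lower()
                if feed == "ip":
                    try:
                        ipaddress.ip_address(value)
                    except ValueError:
                        continue  # skip malformed indicator rather than export it
                feeds[feed].add(value)
    return {name: sorted(values) for name, values in feeds.items()}


def render_feed(indicators: list) -> str:
    """One indicator per line: the plaintext shape protection devices ingest."""
    return "\n".join(indicators) + "\n"
```
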
Does MISP provide institutional data obfuscation to remove institution identifiers?
The goal of MISP is to share external threat indicators, and it would not likely contain anything confidential. The CanSSOC goal is to share as much information as possible to ensure participants maximize their protection. While transparency is required in some cases to ensure there isn’t duplication of received feeds, in the case of institutions sharing events they have seen locally, we expect this to be anonymized in almost all, if not all, cases. Institutions will always have full control over what they decide to share.