What is the Canadian Shared Security Operations Centre (CanSSOC)?
The Canadian Shared Security Operations Centre (CanSSOC) was created to investigate how shared services can enable greater visibility and mitigation of cyber security threats, in a more cost-efficient and effective way than a single institution could deliver on its own. CanSSOC is unique because it allows participants to explore, develop and test ways to bring together a wide range of needs, partners, technology and data to develop a robust model that raises the security profile of the higher education sector a whole. CanSSOC is currently governed by a steering committee with leaders from McGill University, McMaster University, Ryerson University, University of Alberta, University of British Columbia and University of Toronto.
How can my organization participate in the pilot?
Institutions can indicate their interest by completing an Expression of Interest. Participating institutions will sign a Memorandum of Understanding (MOU) to confirm that they will not share any confidential information provided during the pilot. Participants will also be asked to provide feedback on the pilot services as well as the development of other cyber security initiatives envisioned for the future.
What happens once my organization/institution has been enrolled in the pilot?
Once onboarded, an individual from the institution will be given administrative access to the CanSSOC Malware Information Sharing Platform (MISP) instance where they can create additional accounts for other institutional members as needed. Institutions will be given support, either directly by CanSSOC or in partnership with ORION and other NREN partners, on how to configure the feed directly into their desired end point detection device(s). Finally, institutional members will be given access to channels in CanSSOC’s Slack environment so they can receive support and contribute to discussions about the Threat Feed platform, key indicators and remediation technics, and other valuable information.
What is provided through CanSSOC’s Threat Feed platform?
CanSSOC’s Threat Feed consolidates multiple threat intelligence information sources into a single curated feed, making it easier for institutions to consume and act upon threat intelligence information. As a pilot, CanSSOC members will receive information targeted to the sector in various lists and feeds to allow institutions to automate the use of this information directly through their endpoint protection solutions.
Can my institution receive and monitor threat intelligence information without CanSSOC?
Yes, however, the more information you can acquire, and the easier and faster you can consume that information, the better prepared and proactive you can be in mitigating threats.
Threat Feed will consolidate multiple sources of threat intelligence information in a consistent and standardized manner, CanSSOC analysts will aggregate and curate essential data, and CanSSOC members will be able to share their own threat intelligence back to the Threat Feed platform. Through this initiative, your institution will only need to configure one feed to get access to a wide range of institutions.
How does Threat Feed make it easier to consume and triage threat intelligence information?
Threat Feed’s standardized templates will allow institutions to configure in existing endpoint detection devices, making it easier to directly block, or alert depending on their preference. CanSSOC has developed the Threat Feed with the intent that after a small amount of basic configuration, institutions can “set it and forget it” by using it in their end point detection devices.
Also, CanSSOC analysts will curate the feed in a standard manner, adding metadata and intelligence specifically relevant to the sector. For example, they can identify high probability threats based on threat intelligence information being shared nationally and amongst global partners, allowing for automated action by a member, or identifying which threats institutions need to prioritize.
What makes CanSSOC’s Threat Feed unique from other threat intelligence solutions?
Due to the sophistication of today’s information threats, a risk at one higher education institution can easily create a ripple effect for the entire research and education community. Threat Feed enables Canadian institutions to stay ahead of cyber security threats and draw upon a collective defense that reaches across institutional, provincial and national levels.
Through the pilot, participants will be able to explore, develop and test ways to achieve a wide range of needs and bring together partners, technology and data for the benefit of all. CanSSOC’s vision is to create a community and platform developed by the community for the community that will raise the security profile of the entire sector.
Where is the Threat Feed information sourced from?
As a pilot, Threat Feed will consolidate four main sources of intelligence:
- Canadian Center for Cyber Security (CCCS) Feed – currently available, but will add intelligence
- CanCyber – freely available
- Recorded Future’s commercial feed
- CanSSOC’s own threat intelligence
CanSSOC is also working with global community partners to acquire additional information on the data available through partners’ security operations centres (SOCs) and analysis.
How can I leverage Threat Feed on my local infrastructure?
Threat Feed allows a lot of flexibility and this will depend upon each organization. Anything is possible from leveraging the CanSSOC platform exclusively to standing up your own Malware Information Sharing Platform (MISP) platform or even going toward a hybrid model. While you could decide to manually log into MISP and see the various Indicators of Compromise (IOCs) published on a regular basis, we recommend that you take advantage of the MineMeld feeds and integrate them with your protection devices in order to reap the full benefits of all data sources and to have automatic protection against known threats.
Who is involved in delivering the Threat Feed platform?
The Threat Feed platform has been developed by the community for the community. The staff supporting the initiative are based at the University of Toronto and McGill University, but consideration of the maturity and needs of the broader community has been considered. CanSSOC is working with ORION and BCNET on opportunities for collaboration and we are looking to partner with all interested provincial organizations and National Research and Education Network (NREN) partners to provide additional support to onboarding institutions. One of the objectives of the pilot is to continue the development of the Threat Feed and other initiatives with the input and feedback from the broader community.
What will happen after the Threat Feed completes its pilot phase?
The Threat Feed pilot is laying the foundation for things to come. While it may seem like CanSSOC’s range of pilot solutions are independent, they are all very much interconnected to further enhance the cyber security profile of the entire sector. This goes beyond sending data to individual institutions and instead will work to continue to build on the work done by CUCCIO to build a security community, to take this to the next level to ensure consistent, timely sharing of information, best practices. By leveraging the skills, resources and tools at each individual institution, CanSSOC will enable effective and efficient response to cyber security issues happening across the country.
How does CanSSOC and the Threat Feed pilot fit within the broader higher education cyber security landscape?
You’ve heard about CANARIE’s Joint Security Project (JSP) Intrusion Detection System (IDS), DNS Firewall, NREN Security Information and Event Management (SIEM) project and other initiatives. The exciting thing about CanSSOC’s Threat Feed solution, as well as the other components we are looking at, is that they are not only complementary to those services, but they will also feed into and benefit each other.
A new partnership is also evolving with the Canadian Internet Registration Authority (CIRA) to leverage the CanSSOC Threat Feed in CIRA’s DNS firewall. Institutions that leverage the CIRA DNS firewall will be able to use CanSSOC’s Threat Feed intelligence to further enhance the protection they receive from the CIRA firewall. We are exploring options to feed threat intelligence data from CIRA’s firewall back into CanSSOC’s threat feed such that it can be distributed to institutions who using other endpoint detection devices.We are exploring similar solutions with the IDS systems as part of CANARIE’s JSP project.
Lastly, we are working with NREN partners, such as ORION, to explore opportunities for them use the CanSSOC Threat Feed in their SIEM systems so they too can leverage this intelligence. The next step will be to incorporate their feed intelligence back into CanSSOC’s Threat Feed platform to share across the higher education cyber security landscape.
Can you expand on the threat Intelligence processes and the technologies you’re exploring?
We’re planning to leverage the profile of the CanSSOC proof of concept (POC) to establish partnerships with Canadian and global sources of threat intelligence data. We’re also increasing our understanding of the raw event data that we see by analysing that data through the lenses of:
- IOCs (Indicators of Compromise)
- Lists of known bad hosts
- Behavioural analysis
Ideally, we will achieve increased visibility into event data, enabling us to identify not only attacks to individual institutions, but also simultaneous attacks to multiple institutions and pivot attacks from one institution to another.
What are the advantages of ingesting feeds from Malware Incident Sharing Platform (MISP) to MineMeld?
While MineMeld is good at collecting and aggregating feeds of IOC, it has limitations when it comes to curation and management of data. At a high level:
- Very basic tool for automated processing of streams of IOCs that cannot do advanced correlation and analysis.
- It is not built for sharing IOCs with their context, and as a result requires more work to integrate new IOC sources.
- The interface has limited capabilities and can be difficult to use to manually manage IOCs.
- Built specifically for sharing detailed data with other organizations, it has a user-friendly interface for manual analysis and managing metadata.
- Allows for correlation and enrichment of indicators including built-in capabilities for complex indicator scoring rules.
- Uses the concept of events with associated attributes. This allows for more effective sharing of threat intelligence.
The CanSSOC collaboration platform currently leverages both MISP and MineMeld to take advantage of the strengths of each initiative. MISP is a much more refined product for event-based IOC sharing. The MISP platform is complimented with MineMeld which allows for the provision of an automated feed to numerous types of protection devices. As the development of the MISP platform continues and the feature set expands, it is anticipated that the use of MineMeld could be phased out.
Short answer: MISP is the backbone of the Threat Feed service; MineMeld is purely a distribution channel.
I leverage Threat Feed on my local infrastructure?
Threat Feed allows a lot of flexibility and this will depend upon each organization. Anything is possible from leveraging the CanSSOC platform exclusively to standing up your own MISP platform or even going toward an hybrid model. While you could decide to manually log into MISP and see the various IOCs published on a regular basis, we recommend that you take advantage of the MineMeld blacklist feeds and integrate them with your protection devices in order to reap the full benefits of having an automatic protection against known threats.
Does MISP provide institutional data obfuscation to remove institution identifiers?
The goal of MISP is to share external threat indicators and would not likely contain anything confidential. The CanSSOC goal is to share as much information as possible to ensure participants maximize their protection. While transparency is required in some cases to ensure there isn’t duplication of receiving feeds, in the case of institutions sharing events they have seen locally, we expect this to be anonymized in almost, if not all, cases. Institutions will always have full control over what they decide to share.