Wednesday, December 07, 2011

EXCELLENT report by ENISA

The European Network and Information Security Agency released publicly today

Proactive detection of network security incidents, report

This report describes available external sources of information and internal monitoring tools which can be used by CERTs to improve their capabilities to detect network security incidents.

This is one of the best reports I've read in a while. Bravo Zulu (that's Navy for great job!) to the authors!

This report is co-authored by a number of folks that I recognized immediately.. many are FIRST (maybe all?) but one of the best things in the report is how CERTs share information, detailing the pros and cons. In the end however, the document calls out data sharing as the most effective way to proactively stop attacks before they're allowed to occur. Powerful stuff. Easier said than done however. 

Data formats must be lite and low in false positives;
Legal constraints are ALWAYS an issue;
Trust between participants is critical... tech feeds without knowing who's on the other end don't work;
The right information must be share in the right way... protected;
Information sharing organizations are less effective when the memberships don't know each other.


It's a long read, but a must read. 
Great job to the authors.


Jeff

No comments: