The Advanced Cyber Security Center (ACSC): A Cyber Threat Information Sharing Consortium
Bruce J. Bakis, The MITRE Corporation

Outline
■ Essence
■ Goals
■ Member value proposition
■ Organization
■ Milestones
■ Sharing model
■ Elements
■ Differentiators
■ Challenges
Essence
■ ACSC is a cross-sector collaboration among industry, university, and government entities organized to address the most critical cyber security challenges
■ Founding premise: advanced cyber threat too complex/sophisticated to battle alone
– Need force multiplier: power of collaboration and unclassified information sharing
– Need diversity of subject matter expertise: technology, policy, behavioral science, modeling, economics, legal, education
– Need to improve cyber security ROI: leverage the investments of members
– Need to develop next-gen cyber defenses and warriors: R&D and education
■ Organizing entity: Mass Insight Global Partnerships
Goals
■ Leverage and establish New England as a leader in cyber security defense, R&D, education programs, and policy development
– Be a thought and action leader in the cyber defense ecosystem
– Serve as proof-of-concept test bed and blueprint for global federated sharing of unclassified cyber threat information
– Facilitate the advancement of membership cyber maturity levels
– Create talent cluster as incubator and engine for a cyber economy
– Operate a leading university cyber security research center
– Shape and enable cyber defense education
– Operate a leading cyber security operations and crisis center
Member value proposition
■ Cyber threat information sharing, including incident data, analysis techniques, collection and monitoring techniques, malware analysis, and defensive techniques
– Better deal with advanced cyber threat
– Increase cyber security ROI
■ Access to effective and emerging cyber security strategies, tools, products, experience, research
■ Shape cyber research agenda to the benefit of members
■ Multi-disciplinary perspective
■ Deeper access to next gen cyber counter-insurgent warriors through university-industry relationships
■ Cyber security policy analysis and influence
Organization
■ To be incorporated in MA as a 501 (c) (3) nonprofit
■ 20 charter members: major Boston financial services firms and the FRB of Boston, leading MA defense nonprofits, utilities, IT products and services organizations, healthcare, universities, and the Commonwealth of Massachusetts
■ For 1st 3 years, mostly funded by membership, then blended funding with state and federal grants
■ Governance
– Mass Insight is organizing entity
– Board of Advisors
– Steering Committee
– Working Groups: Threat Evaluation & Data Sharing, Policy-Legal, University-Industry
Milestones
■ 2007
– Mass Insight Global Partnerships develops kernel of idea for cross-sector collaborative R&D center
– MITRE suggestion: work cyber defense cross-sector
■ 2008: Begin work on “MA IT Security Center”
■ 2009
– First Advisory Board meeting at MITRE (Bedford, MA) with defense sectors representative to discuss opportunity for collaborative information security center
– Renamed ACSC
■ 2010
– Steering Committee organized with cross-sector representation to drive Center development
– Initial ACSC “tech group” sharing launched at MITRE
■ 2011
– 3 Work Groups formed
– All members sign Phase I participant agreement
– University-Industry engagement begins
– Developed university cyber research resource guide
– Reviewed existing and proposed state (MA) and federal cyber security and privacy policy
– September 20 Launch Conference
■ Ahead
– ACSC incorporation in MA as 501 (c) (3) nonprofit
– Announcement of first industry-funded R&D project led by university partners
– Strategic research agenda
– ACSC internships and work-study partnerships in place through industry members
Sharing model
■ Post-to-All: members communicate directly with each other
– Intrusion attempt information (e.g., malware sample, social engineering attack method)
– Use standardized alerts with a common taxonomy that can be ingested and interpreted through automation
■ Hub-and-Spoke: members (spoke) communicate through the centralized ACSC (hub)
– Intrusion attempt information plus more sensitive information on incident response, vulnerabilities, and depth of “kill-chain” penetration
– Provide anonymization (as needed) and value-added analytical services
– Provide repository of advanced cyber threat information (e.g., malware samples, best practices, policies)
■ Distributed Database: structured threat information database fed by information from the other models
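The three sharing paths above (post-to-all for intrusion-attempt data, hub-and-spoke with hub-side anonymization for more sensitive incident data, and a structured database fed by both) can be modelled in a few dozen lines. The following is an added example written for this page, not ACSC or MITRE code: the alert taxonomy, the field names, the seven-step kill-chain scale, the member names and the sample alerts are all constructed assumptions. The hub pseudonymizes the reporting member with a keyed hash so that spokes can still correlate repeat reports from the same victim without learning who it is, and drops internal host names entirely.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed common taxonomy (an assumption for this example, not an ACSC format).
# A shared vocabulary is what lets every member ingest alerts automatically.
CATEGORIES = {"malware_sample", "social_engineering", "incident_response", "vulnerability"}
# Sensitive categories: shared only through the hub, never posted directly to all members.
HUB_ONLY = {"incident_response", "vulnerability"}
REQUIRED_FIELDS = {"alert_id", "reporter", "category", "indicator", "kill_chain_stage"}


def validate_alert(alert: dict) -> list[str]:
    """Return schema problems for an alert; an empty list means it can be ingested automatically."""
    problems = [f"missing field: {name}" for name in sorted(REQUIRED_FIELDS - alert.keys())]
    if alert.get("category") not in CATEGORIES:
        problems.append(f"unknown category: {alert.get('category')!r}")
    stage = alert.get("kill_chain_stage")  # assumed 1..7 scale for depth of kill-chain penetration
    if not isinstance(stage, int) or not 1 <= stage <= 7:
        problems.append("kill_chain_stage must be an integer from 1 to 7")
    return problems


def anonymize(alert: dict, hub_key: bytes) -> dict:
    """Hub-side anonymization: replace the reporter with a keyed, stable pseudonym and
    drop internal host names. Only the hub holds hub_key, so spokes cannot reverse it."""
    digest = hashlib.blake2b(alert["reporter"].encode("utf-8"), key=hub_key, digest_size=8)
    scrubbed = {k: v for k, v in alert.items() if k not in ("reporter", "internal_hosts")}
    scrubbed["reporter"] = f"anon-{digest.hexdigest()}"
    return scrubbed


def post_to_all(alert: dict, members: list[str], repository: list[dict]) -> dict[str, dict]:
    """Post-to-All: the reporting member sends the validated alert, identity visible,
    directly to every other member; a copy also feeds the shared threat database."""
    problems = validate_alert(alert)
    if problems:
        raise ValueError("; ".join(problems))
    repository.append(dict(alert))
    return {m: dict(alert) for m in members if m != alert["reporter"]}


@dataclass
class Hub:
    """The centralized ACSC hub of the hub-and-spoke path."""
    key: bytes
    members: list[str]
    repository: list[dict] = field(default_factory=list)  # structured threat database

    def relay(self, alert: dict) -> dict[str, dict]:
        """Validate, anonymize, store, then fan out to every spoke except the reporter."""
        problems = validate_alert(alert)
        if problems:
            raise ValueError("; ".join(problems))
        delivered = anonymize(alert, self.key)
        self.repository.append(delivered)
        return {m: delivered for m in self.members if m != alert["reporter"]}


def share(alert: dict, hub: Hub) -> dict[str, dict]:
    """Pick the sharing path by sensitivity: hub-only categories go hub-and-spoke,
    everything else post-to-all. Returns {recipient: alert as delivered}."""
    if alert["category"] in HUB_ONLY:
        return hub.relay(alert)
    return post_to_all(alert, hub.members, hub.repository)


# Constructed sample data for a stand-alone run.
MEMBERS = ["bank-a", "utility-b", "university-c"]
SAMPLE_ALERTS = [
    {"alert_id": "A-0001", "reporter": "bank-a", "category": "malware_sample",
     "indicator": "sha256:0000constructed0000", "kill_chain_stage": 3},
    {"alert_id": "A-0002", "reporter": "utility-b", "category": "incident_response",
     "indicator": "c2 beacon to constructed.example", "kill_chain_stage": 6,
     "internal_hosts": ["scada-hist-02"]},
]

if __name__ == "__main__":
    hub = Hub(key=b"constructed-hub-key", members=MEMBERS)
    for alert in SAMPLE_ALERTS:
        for recipient, delivered in share(alert, hub).items():
            print(f"{recipient} <- {delivered['category']} from {delivered['reporter']}")
    print(f"{len(hub.repository)} records in the shared database")
```

Running it shows the malware-sample alert arriving at the other two members with "bank-a" visible, while the incident-response alert arrives under an "anon-…" pseudonym with the internal host list removed; both records land in the hub's repository.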
Core Elements: ACSC Notional Cyber Operations & Research Facility (4/8)
■ Physical: ACSC MITRE Bedford, MA
– Functions as cyber security ops center
– Cyber ops and cyber researchers work side-by-side
– Focus on research that translates more quickly into practice (translational research) as well as strategic research
– Proving ground for new and prototype products
– Provide cyber security incident response capability for members and function as a response center in the event of a regional cyber disaster

■ Face-to-Face
– Cyber Tuesdays
– Technical Exchange Meetings (TEMS)
– Committee meetings
■ Virtual
– MITRE cyber threat information sharing portal: wiki and forum, information and tools repository
– Email list server
– Tool for online innovation brokering and collaboration (planned)
– Structured threat information database (future)
– Standards-based automated sharing of cyber threat information (future)
Core Elements: Portal Authentication (7/8)

ACSC Key Differentiators when Compared with Other Cyber Threat Information
■ Cross-sector membership
■ Strong focus on advanced persistent threat (APT)
■ Operate cyber security ops center
■ Cyber ops and R&D work side-by-side
■ Hybrid information sharing model: hub-and-spoke, post-to-all, distributed database
■ Cyber disaster recovery center for members
■ Hybrid funding: members, state, and federal grants
■ Shape and enable cyber education programs
■ Incubator and engine for regional cyber economy
Challenges
■ Establishing strong trust among members
■ Right-sizing the organization (trust relationships don’t scale well)
■ Organizations with global operations have non U.S. citizens, which currently limits (under Phase I participant agreement) sharing of sensitive information
■ Reciprocal participation among members
■ IP ownership of research and products (Phase II participation agreement)
■ Delivering on the value proposition
■ Maintaining due diligence awareness of other players
■ Automated yet human-readable exchange of cyber threat information in standardized format
■ Federation with other cyber threat information exchanges
http://www.massinsight.com/initiatives/cyber_security_center/
■ Blue Cross Blue Shield of Massachusetts ▪ Commonwealth of Massachusetts ▪ CSC ▪ Draper Laboratory ▪ Federal Reserve Bank of Boston ▪ Fidelity Investments ▪ Foley Hoag, Counsel ▪ Harvard University ▪ John Hancock Financial Services ▪ Liberty Mutual Group ▪ Massachusetts Institute of Technology ▪ MIT, Lincoln Laboratory ▪ MITRE ▪ Northeast Utilities ▪ NSTAR Electric & Gas ▪ Partners Healthcare System ▪ RSA/EMC ▪ State Street Corporation ▪ University of Massachusetts ▪ Veracode
■ Active engagement by ▪ Babson College ▪ Boston University ▪ Brandeis University ▪ Middlesex Community College ▪ Northeastern University ▪ Tufts University ▪ Worcester Polytechnic Institute