10 Sep 2019
Session Block—Cybersecurity 11:40 - 12:00

Sharing large amounts of information between organisations is traditionally driven by policy-level agreements and ad hoc configurations of networked infrastructure. Inadvertent sharing of sensitive data may lead to an unintentional breach of regulations such as GDPR, or of NDAs, and may as a consequence also lead to different types of harm. Few automated tools deliver auditing capabilities or enforcement of information sharing compliance in real time. In this presentation, I will give an overview of the development of an automated information sharing compliance framework. This tool is a deployable, configurable run-time monitoring tool that provides the building blocks to check whether cleartext data that is about to be shared from one networked node to another (e.g. between organisations) is likely to violate GDPR or an NDA, based on a ruleset that has been defined and configured by an engineer or analyst. I will discuss the tool in the context of GDPR compliance and Cyber Threat Intelligence (CTI) sharing between public Computer Security Incident Response Teams (CSIRTs). I will give a real-time demonstration of how we check against regular expressions (credit cards, phone numbers, sensitive IP addresses, common names, personal email addresses), blacklists, whitelists, markups, and contextually-driven logics (e.g. time of day, recipient), and of how to configure the rules.

The basic framework is open-source as part of the PROTECTIVE CTI sharing platform, and we provide a basic ruleset that acts as a starting point, with built-in compliance-rule templates that security analysts and policy-makers can make use of. While intended to audit and enforce compliant CTI sharing, it can operate as a standalone, generic module that can audit and act on any cleartext content leaving one machine and being sent to another. I will demonstrate how the tool can check single CTI events at production environment rates, and how a distributed approach can handle more events. The PROTECTIVE project is currently evaluating its detection performance in a pan-European pilot and identifying the challenges in doing so; we will present our approach and findings to date at the workshop.
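
A sketch of the kind of ruleset check the abstract describes, covering regex hits, a whitelist, a blacklist, sensitive IP ranges and recipient/time-of-day context. It is an added example, not code from the PROTECTIVE platform; the ruleset layout, all names, the addresses and the sample event are assumptions.

```python
import ipaddress
import re
from datetime import datetime

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from the card-number regex."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

# Hypothetical ruleset: every name and value here is an assumption for this sketch.
RULESET = {
    "patterns": {
        "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
        "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
        "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    },
    "whitelist": {"abuse@csirt-a.example"},   # values cleared for sharing
    "blacklist": {"project-nightjar"},        # terms that must never leave
    "sensitive_nets": [ipaddress.ip_network("10.20.0.0/16")],
    "trusted_recipients": {"csirt-b.example"},
    "sharing_hours": range(8, 18),            # contextual rule: hour of day
}

# Constructed sample event, not real data.
SAMPLE = ("Host 10.20.3.4 contacted 198.51.100.7; card 4111 1111 1111 1111; "
          "reporter abuse@csirt-a.example; user jane.doe@mail.example")

def check_event(text, recipient, when: datetime, rules=RULESET):
    """Return (verdict, findings) for cleartext about to leave this node."""
    findings = [("blacklist", t) for t in rules["blacklist"] if t in text.lower()]
    for name, rx in rules["patterns"].items():
        for m in rx.finditer(text):
            value = m.group()
            if value in rules["whitelist"]:
                continue
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            if name == "ipv4":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue
                if not any(addr in net for net in rules["sensitive_nets"]):
                    continue
            findings.append((name, value))
    if recipient not in rules["trusted_recipients"]:
        findings.append(("context", f"untrusted recipient {recipient}"))
    if when.hour not in rules["sharing_hours"]:
        findings.append(("context", f"outside sharing hours {when:%H:%M}"))
    return ("block" if findings else "allow"), findings
```

Calling `check_event(SAMPLE, "csirt-b.example", datetime(2019, 9, 10, 11, 40))` blocks the event on the card number, the personal email address and the internal IP, while the whitelisted reporter address and the external IP pass.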

University of Oxford
Research Fellow

