CTO-Cybersecurity-Forum-2010 Forum-Mike Hird
1. CTO CYBERSECURITY FORUM, London, 18 June 2010. An overview of the Cybersecurity Information Exchange Framework (CYBEX). Mike Hird - mike.hird@ties.itu.int (with thanks to Tony Rutkowski, Rapporteur, ITU-T Q4/17 and the Q4 CYBEX CG)
6. assured cybersecurity information exchanges; Cybersecurity Entities; Cybersecurity Information acquisition (out of scope); Cybersecurity Information use (out of scope)
7. What information? Event/Incident/Heuristics Exchange Cluster; Vulnerability/State Exchange Cluster; Knowledge Base; Event Expressions; Malware Patterns; Vulnerabilities and Exposures; Weaknesses; Platforms; State; Incident and Attack Patterns; Extensions for: DPI, Traceback, Smartgrid, Phishing; Assessment Results; Security State Measurement; Configuration Checklists; Evidence Exchange Cluster; Terms and conditions; Electronic Evidence Discovery; Handover of retained data forensics; Handover of real time forensics
8. How to identify, enable discovery, trust, and exchange information? Discovery Enabling Cluster for parties, standards, schema, enumerations, instances and other objects; Request and distribution mechanisms; Common Namespace; Discovery enabling mechanisms; Identity Assurance Cluster; Exchange Cluster; Authentication Assurance Methods; Authentication Assurance Levels; Interaction Security; Transport Security
9. CYBEX Summary. Will provide three essential capabilities for any system or service: Determining cyber-integrity of systems and services in a measurable way; Detecting and exchanging incident information to improve cyber-integrity; Providing forensics, when necessary, to appropriate authorities. Includes: Means for identifying, enumerating and exchanging knowledge about weaknesses, vulnerabilities, incidents; Measurable assurance (trust) for information and parties involved; Extensible to any kinds of networks, services, or platforms – present and future; Applicable to Clouds, Online Transaction Security, Smartgrids, eHealth, …; Open standards – most imported into ITU-T, published & maintained in multiple languages, and freely downloadable as X-series specifications. Excludes: Specific implementations (i.e., CYBEX is technology neutral); How to implement CYBEX Framework and some initial stable specifications ready by Dec 2010. Potentially ~20 additional in 2011-2012 timeframe
10. Who is involved*: it takes a global village. Comparable government agencies of other countries/regions: Australia, Canada, China, EU, Germany, Kenya, Korea, Japan, Netherlands, Russia, Switzerland, Syria, UK, USA (potentially 191 countries). Vendors/Service Providers: Anatel, China Unicom, Cisco, CNRI, France Telecom, Huawei, Intel, KDDI, LAC, Microsoft, Nokia Siemens, NTT, Syrian Telecom, Telcordia, Verizon, Yaana, ZTE. Other Bodies: APWG, CA/B Forum, CCDB, CNIS, ETSI, FIRST, GSC, IEEE ICSG, IETF, ISO SC6:SC27:TC68, other ITU-T SGs, ITU-D, ITU-R, MITRE, NSTAC, OASIS. *ITU-T Q4/17 participants and contributors. Does not include scores more in development communities
11. Questions? But how do we.....................? Additional information: ITU-T Cybersecurity Portal - http://www.itu.int/cybersecurity/; SG17 - http://www.itu.int/ITU-T/studygroups/com17/index.asp; SG17 Q4 List of Network Forensics and Vulnerability Organisations - http://www.itu.int/ITU-T/studygroups/com17/nfvo/index.html; FIRST - http://www.first.org/; ENISA - http://www.enisa.europa.eu/