Provide a cybersecurity situational awareness solution for local public administrations in line with the current and upcoming legal cybersecurity framework in the European Union and its member states.

The main objective for this project is to provide a cybersecurity situational awareness solution for small- to medium-sized IT infrastructures. This solution enables detect, classify and visualise cybersecurity incidents in real-time, supporting the prevention or mitigation of cyber attacks. The solution will be a big step towards automation of cyber incident detection, classification and visualisation, and will be based on mature big data analysis tools and methodologies provided by consortium partners. To account for the recent legislative initiatives in the context of cybersecurity, most notably the NIS directive and European cybersecurity strategy (but also the General Data Protection Regulation GPDR), that have been put in place in recent years to improve cybersecurity in Europe and beyond. Cooperation, collaboration and information sharing are a key aspect of those initiatives. With this solution we provide an enabling technology for the information sharing efforts of recent cybersecurity initiatives that is in line with the (currently actively developing) information sharing communities. Furthermore, the project takes advantage of existing shared cybersecurity related information to enable and refine incident detection.

Advance the automation of cyber incident detection, classification and visualisation to provide situational awareness. This includes socio-technical system analysis, data collection, data analysis and decision making as well as the visualisation of the findings.

Identifying, extracting and storing information and events about potential cyber incidents it is not enough. The volume and speed such cyber related information can be generated is overwhelming and neither the human brain or basic screening systems can process the Big Data incidents. Therefore our approach will be to employ complex decision making algorithms to facilitate the identification of the most probable threats and incidents and then automatically pass them to both specialists and other automated systems for processing and action upon them.

While we aim to automate the cybersecurity incident detection, correlation and visualization process as much as possible, we realize that a fully automatic solution is currently infeasible. Real systems are complicated, fuzzy, messy, ill defined and influenced by social and organizational factors. And above all, organizational set-ups in each LPA will differ from each other. Therefore, CS-AWARE provides a system and dependency analysis based on soft systems thinking as a basis for the cybersecurity automation goal of the project. This allows us to identify, on a socio-technological level, the most valuable assets of an LPA, the dependencies among those assets and measurements that allow to monitor the cybersecurity state of those assets. This allows us to implement automatic data collection from within LPA systems and correlate it with relevant data from public sources such as NIS competent authorities or even social networks.

Illustrate that cyber situational awareness is a key technology in cybersecurity by building advanced features like system self-healing on top of the situational awareness capabilities.

Situational awareness is one of the most important aspects for cybersecurity defence. Only with a clear overview of ongoing attacks and incidents, proper defence and mitigation strategies can be invoked. To illustrate the importance of situational awareness in this context, a self-healing component that builds upon the incident classification and situational awareness component will be part of the solution. The self-healing aspect of this project refers to the ability to react to a detected incident automatically (or with minimal user interaction) with previously-defined defence strategies that could prevent or mitigate an incident. For example, when a denial-of-service attack is detected, the mechanism could switch to back-up systems or, scale up the service if such cloud mechanisms are available. If an intrusion is detected, the mechanism could lock access to sensitive assets to prevent the incident to spread to other areas of the IT system.

Include a cybersecurity information exchange framework that embraces the collaboration and cooperation initiatives of European cybersecurity strategies. This includes the utilisation of cybersecurity data for threat detection as well a sharing of newly discovered cyber incident data.

Sharing information regarding cyber-threats is very beneficial among the entities that receive it and is regarded as being one of the most important weapons against cyber-crime nowadays. Knowing the particulars of a newly detected threat has a positive impact in multiple ways:

  • It can help in quickly determining whether it can be a potential threat to a given information system (according to the OS and/or applications it targets).
  • It can be used for proactively tightening the security of a given system (e.g. blocking offending ports and/or IP addresses).
  • It can aid the assessment of existing cyber-security solutions with respect to how well they can detect unknown threats.
  • Finally, it can be used for performing a “post-mortem” analysis on past data to detect the existence of a given threat that was unknown at that time (e.g. for digital forensics).

In CS-AWARE we want to benefit from, and provide information to, cybersecurity related information sharing communities.

Evaluate and validate the user needs through end-user involvement and pilot testing. This includes the evaluation of the balance between automation and user control, usability features like multi-lingual support as well as the evaluation of business needs.

While the increased automation in cybersecurity proposed in this project is a very important aspect, it is equally important that users (in this case, administrators of small- to medium-sized IT infrastructures) retain full control over the actions, by either specifically allowing automated processing or requiring user interaction. End-user control will be possible in all steps of the CS-AWARE solution. Aside from user control, usability of the proposed solution is a major aspect within this project. A simple to use interface that will allow quick reaction times to incidents and present unambiguous user actions will be of utmost importance. Furthermore, due to the European multi-lingual context that is expected within this project, multi-lingual semantics support will be provided. Furthermore, the aim of this project is to provide a cybersecurity situational awareness that is able to adapt to the business needs of small- to medium-sized companies or public administrations, where the cybersecurity specific expertise and the resources for investing in cybersecurity solutions might be low. Local public administrations representing the end users of this solution will be involved throughout the project to adequately capture end users requirements and needs.