1、 ETSI GS ISI 002 V1.2.1 (2015-11) Information Security Indicators (ISI); Event Model A security event classification model and taxonomy GROUP SPECIFICATION ETSI ETSI GS ISI 002 V1.2.1 (2015-11) 2 Reference RGS/ISI-002ed2 Keywords ICT, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Ced
2、ex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document m
3、ay be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in
4、print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status o
5、f this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced o
6、r utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction exten
7、d to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare Trade Marks of ETSI registered for the benefit of its Members
8、 and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS ISI 002 V1.2.1 (2015-11) 3 Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 7g3Introduction 7g31 Scope 9g32 References 9g32.1 Normati
9、ve references . 9g32.2 Informative references 9g33 Definitions and abbreviations . 10g33.1 Definitions 10g33.2 Abbreviations . 14g34 Positioning of the proposed event classification model . 16g34.1 Relationship with the ISO 27004 standard . 16g34.2 The critical importance of positioning the model ap
10、propriately . 16g34.3 The necessity for the model to rest on a detailed taxonomy . 18g34.4 Description of the taxonomy 18g34.5 Complex security incidents versus basic security incidents . 20g34.6 The key drivers underlying the representation proposed 21g34.7 The general description of the representa
11、tion . 21g34.8 Link between the event model representation and the list of indicators (and related families) 22g35 Comparison with other event classification models . 22g35.0 Introduction 22g35.1 Risk analysis methods classifications . 23g35.2 CAPEC classification . 23g35.3 FIRST classifications . 2
12、3g36 Detailed description of the proposed representation of the different categories and sub-categories . 24g36.0 Introduction 24g36.1 Intrusions and external attacks (Category IEX) 24g36.2 Malfunctions (Category IMF) 26g36.3 Deviant internal behaviours (Category IDB) 28g36.4 Behavioural vulnerabili
13、ties (Category VBH) . 30g36.5 Software vulnerabilities (Category VSW) 32g36.6 Configuration vulnerabilities (Category VCF) . 33g36.7 General security (technical Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Lat
14、est updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI We
15、b server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security Indicators (ISI). The present document is included in a series of 6 ISI specifications. These 6 s
16、pecifications are the following (see figure 1 summarizing the various concepts involved in event detection and interactions between all parts): ETSI GS ISI 001-1 i.3 addressing (together with its associated guide ETSI GS ISI 001-2 i.4) information security indicators, meant to measure application an
17、d effectiveness of preventative measures. The present document (ETSI GS ISI 002) addressing the underlying event classification model and the associated taxonomy. ETSI GS ISI 003 i.11 addressing the key issue of assessing an organizations maturity level regarding overall event detection (technology/
18、process/ people) in order to evaluate event detection results. ETSI GS ISI 004 i.12 addressing demonstration through examples how to produce indicators and how to detect the related events with various means and methods (with a classification of the main categories of use cases/symptoms). ETSI GS IS
19、I 005 i.13 addressing ways to produce security events and to test the effectiveness of existing detection means within organizations (for major types of events), which is a more detailed and a more case by case approach than in ETSI GS ISI 003 i.11 and which can therefore complement it. ETSI ETSI GS
20、 ISI 002 V1.2.1 (2015-11) 7 GS ISG ISI Series Summary DefinitionReal eventsSecurity prevention measuresEvent detection measuresFake events (Simulation) Event reaction measuresDetectedeventsResidual risk (event model-centric vision)Figure 1: Positioning the 5 GS ISI against the 3 main security measur
21、es Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not
22、“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction A corporate Cyber Defence and SIEM approach implements continuously security improvements with the main goals to: operationally and constantly reduce the residual risk incurred by their Information Systems (see
23、figure 2, which highlights the two associated types of events - incidents and vulnerabilities - and the joint area covered by IT security policy through the concept of usage or implementation drift); and to assess the actual application and real effectiveness of their security policies (or of their
24、ISMS, if they have one), for the purpose of their constant improvement. Such an approach, which to a large extent relies on using the traces available in the Information Systems various components, is organized around an “event-model centric“ vision, and can also be tied up to the PDCA model that is
25、 commonly used in quality and security areas. As such, this primarily involves implementing this models PDCA “Check“ step on the basis of very detailed knowledge of threats and vulnerabilities. ETSI ETSI GS ISI 002 V1.2.1 (2015-11) 8 The 3 kinds of residual riskKnown residual risk(accepted)Unknown r
26、esidual riskActually covered riskIncidents exploitingknown vulnerabilitiesIncidents exploi-ting unknownvulnerabilitiesIncidents not possible (vulnerabilitiesremediated by operational or not practices)Area covered by IT Security policyKnown residual risk(suffered)Incidents exploitingknown but uncover
27、edor not tackled vulne-rabilities due to usage or implementation driftFigure 2: The 3 kinds of residual risks Worldwide trends in ICT security show that significant progress can be accomplished within a few years with the deployment of an organization-wide operational Cyber Defence and SIEM approach
28、. A recent survey by a major consulting firm of 15 major companies and organizations brings to light nine key success criteria. The two most important criteria are: The reliance of the Cyber Defence and SIEM approach on a security event classification model that takes into account both incidents and
29、 vulnerabilities, and that stresses particular attention to malicious and intentional acts, the monitored events themselves being selected on the basis of main relevant CIA risks and associated metrics (e.g. statistics). Training with this model for the relevant people using the Information System,
30、with particular attention to the presentation of concrete examples of disasters associated with inventoried security event main types. As such, the present documents objective is to build a full taxonomy to thoroughly describe all IT security events (and when appropriate and necessary non-IT securit
31、y events) and, based on this, to present an original representation that leverages the current international best practices and enables diversified and complex uses. The choice of a detailed taxonomy, which describes security events through a set of attributes (different for incidents and vulnerabil
32、ities), ensures that all possible situations can be taken into account with the required flexibility (especially thanks to the provided open dictionary), while the representation chosen for the taxonomy, highlighting the main categories generally accepted by industry consensus, makes the event class
33、ification model easier to understand and embrace for stakeholders. The present document is based on work carried out by the Club R2GS, a French association created in 2008, specializing in Cyber Defence and Security Information and Event Management (SIEM), gathering large French companies and organi
34、zations (mainly users). The present document (ETSI GS ISI 002), as well as the other GS of ISG ISI, are therefore based on a strong experience, this community of users having adopted and used the event classification model and the related reference framework for indicators for more than three years
35、on a national and world-wide scale. ETSI ETSI GS ISI 002 V1.2.1 (2015-11) 9 1 Scope The present document provides a comprehensive security event classification model and associated taxonomy (based on existing results and hands-on user experience), covering both security incidents and vulnerabilities
36、. The two latter ones become nonconformities when they violate an organizations security policy. The present document mainly supports operational security staff in their effort to qualify and categorize detected security events, and more generally all stakeholders (especially CISOs and IT security m
37、anagers) in their needs to establish a common language. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific referenc
38、es, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time
39、 of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version
40、 number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guara
41、ntee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 NIST SP 800-126 Revision 2 (September 2011): “The Technical Specification for the Security Content Au
42、tomation Protocol (SCAP): SCAP Version 1.2“. i.2 MITRE CCE List Version 5.20120314 (March 2012): “Common Configuration Enumeration“. i.3 ETSI GS ISI 001-1: “Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark the
43、ir security posture“. i.4 ETSI GS ISI 001-2: “Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1“. i.5 ISO/IEC 27000:2012: “Information technology - Security techniques - Information security management system
44、s - Overview and vocabulary“. i.6 draft-ietf-mile-rfc5070-bis-11: “The Incident Object Description Exchange Format v2“. i.7 ISO 27002:2013: “Information technology - Security techniques - Code of practice for information security management“. i.8 ISO 27004:2009: “Information technology - Security te
45、chniques - Information security management - Measurement“. i.9 ISO 27005:2011: “Information technology - Security techniques - Information security risk management“. ETSI ETSI GS ISI 002 V1.2.1 (2015-11) 10 i.10 FIRST Classification (November 2004): “CSIRT Case Classification (Example for enterprise
46、 CSIRT)“. i.11 ETSI GS ISI 003: “Information Security Indicators (ISI); Key Performance Security Indicators (KPSI) to evaluate the maturity of security event detection“. i.12 ETSI GS ISI 004: “Information Security Indicators (ISI); Guidelines for event detection implementation“. i.13 ETSI GS ISI 005
47、: “Information Security Indicators (ISI); Guidelines for security event detection testing and assessment of detection effectiveness“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply (ISO/IEC 27000 i.5 compliant where
48、 applicable): NOTE: See also the summary chart at the end of this list. asset: information asset that has value to the organization and that can be broken down in primary assets (such as business activities, data, application software, etc. which hold the business value) and secondary/supporting ass
49、ets (network or system infrastructure, which host primary assets) assurance: refers to the planned and systematic activities implemented in a management system so that management requirements for a service will be fulfilled NOTE: It is the systematic measurement, comparison with a standard, monitoring of processes and an associated feedback loop that confers error prevention. This can be contrasted with Management “Control“, which is focused on process outputs. base measure: regarding the “indicator“ iss
