1、 ETSI GS ISI 003 V1.2.1 (2018-01) Information Security Indicators (ISI); Key Performance Security Indicators (KPSI) to evaluate the maturity of security event detection Disclaimer The present document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry Specifica
2、tion Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 2 Reference RGS/ISI-003rev_2 Keywords ICT, security ETSI 650 Route des Luciole
3、s F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards
4、-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents be
5、tween such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Infor
6、mation on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright
7、Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyr
8、ight and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are trademarks of ETSI registered for the benefit of its Members and o
9、f the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSM and the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 5g3Intr
10、oduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 7g33 Definitions, symbols and abbreviations . 7g33.1 Definitions 7g33.2 Symbols 7g33.3 Abbreviations . 7g34 Background 8g34.1 Key Performance Indicators . 8g34.2 Key Performance Security Indicators . 8g34
11、.3 SANS CAG 9g35 Key Performance Security Indicators . 10g35.1 How to use KPSIs to assess the organizations overall maturity level in security event detection and response posture . 10g35.2 How to use KPSIs as a first step to evaluate the detection levels of security events 10g35.3 KPSIs description
12、 table 11g35.4 Description of the relevant KPSIs 11g3Annex A (normative): Recap of available KPSIs 16g3Annex B (informative): SOC example 18g3Annex C (informative): Authors Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secr
13、etariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates
14、on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being
15、 the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Group Specification (G
16、S) has been produced by ETSI Industry Specification Group (ISG) Information Security Indicators (ISI). The present document is included in a series of 9 ISI specifications. These 9 specifications are the following (see figure 1 summarizing the various concepts involved in event detection and interac
17、tions between all specifications): ETSI GS ISI 001-1 1: addressing (together with its associated guide ETSI GS ISI 001-2 2) information security indicators, meant to measure application and effectiveness of preventative measures. ETSI GS ISI 002 3: addressing the underlying event classification mode
18、l and the associated taxonomy. ETSI GS ISI 003: addressing the key issue of assessing an organizations maturity level regarding overall event detection (technology/process/ people) and to evaluate event detection results. ETSI GS ISI 004 4: addressing demonstration through examples how to produce in
19、dicators and how to detect the related events with various means and methods (with a classification of the main categories of use cases/symptoms). ETSI GS ISI 005 i.1: addressing ways to produce security events and to test the effectiveness of existing detection means within an organization. More de
20、tailed and more a case by case approach than the present document and therefore complementary. ETSI GS ISI 006 i.2: addressing another engineering part of the series, complementing ISI-004 and focusing on the design of a cybersecurity language to model threat intelligence information and enable dete
21、ction tools interoperability. ETSI GS ISI 007 i.3: addressing comprehensive guidelines to build and operate a secured SOC, especially regarding the architectural aspects, in a context where SOCs are often real control towers within organizations. ETSI GS ISI 008 i.4: addressing and explaining how to
22、 make SIEM a whole approach, which is truly integrated within an overall organization-wide and not only IT-oriented cyber defence. ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 5 Figure 1 summarizes the various concepts involved in event detection and the interactions between the specifications. GS ISG ISI
23、Series Summary DefinitionReal eventsSecurity prevention measuresEvent detection measuresFake events (Simulation) Event reaction measuresDetectedeventsResidual risk (event model-centric vision)Figure 1: Positioning the 9 GS ISI against the 3 main security measures Modal verbs terminology In the prese
24、nt document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables
25、except when used in direct citation. Introduction The present document addresses the event detection aspects of the information security processes in an organization. The maturity level assessed during event detection can be considered as a good approximation of the overall Cyber Defence and SIEM ma
26、turity level of an organization. ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 6 1 Scope The present document defines and describes a set of Key Performance Security Indicators (KPSI) to be used for the evaluation of the performance, the maturity levels of the detection tools and processes used within organ
27、izations for security assurance. The response is not included in the scope of the present document. In particular, the purpose of the present document is to enable organizations to: assess the overall maturity level of the security event detection; provide a reckoning formula to assess detection lev
28、els of major security events as summarized in ETSI GS ISI 001-1 1; evaluate the results of measurements. This work is mainly based on the CIS Controls 5. The target groups of the present document are Head of detection, reaction teams, Cyber defence team and head of security governance. 2 References
29、2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amen
30、dments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at https:/docbox.etsi.org/Reference/. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. T
31、he following referenced documents are necessary for the application of the present document. 1 ETSI GS ISI 001-1: “Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture“. 2 ETSI GS ISI 001-2:
32、 “Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1“. 3 ETSI GS ISI 002: “Information Security Indicators (ISI); Event Model A security event classification model and taxonomy“. 4 ETSI GS ISI 004: “Informatio
33、n Security Indicators (ISI); Guidelines for event detection implementation“. 5 CIS Controls V6.1. NOTE: Available at https:/www.cisecurity.org/controls/ for an up-to-date version. 6 ISO/IEC 27002:2013: “Information technology - Security techniques - Code of practice for information security controls
34、“. ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 7 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version o
35、f the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but
36、 they assist the user with regard to a particular subject area. i.1 ETSI GS ISI 005: “Information Security Indicators (ISI); Guidelines for security event detection testing and assessment of detection effectiveness“. i.2 ETSI GS ISI 006: “ISI An ISI-compliant Measurement and Event Management Archite
37、cture for Cyber Security and Safety“. i.3 ETSI GS ISI 007: “ISI Guidelines for building and operating a secured SOC“. i.4 ETSI GS ISI 008: “Information Security Indicators (ISI); Description of a whole organization-wide SIEM approach“. i.5 The Capability Maturity Model Integration CMMI V1.3 (Softwar
38、e Engineering Institute/Carnegie Mellon University, 2001). NOTE: Available at https:/resources.sei.cmu.edu/asset_files/presentation/2011_017_001_23331.pdf. i.6 OGC PSM3 V2.1: “Portfolio, Programme and Project Management Maturity Model (2008). NOTE: Available at http:/ 3 Definitions, symbols and abbr
39、eviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ETSI GS ISI 001-2 2 apply. 3.2 Symbols For the purposes of the present document, the symbols given in ETSI GS ISI 001-2 2 apply. 3.3 Abbreviations For the purposes of the present document, the abbr
40、eviations given in ETSI GS ISI 001-2 2 and the following apply: CC Critical Control CMMI Capability Maturity Model Integration CSIRT Computer Security Incident Response Team KPI Key Performance Indicators KPSI Key Performance Security Indicators MSSP Managed security service provider SOC Security Op
41、eration Centre ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 8 4 Background 4.1 Key Performance Indicators Key Performance Indicators (KPIs) are quantifiable variables which can measure the performance of an organization, evaluate the success of specific activities and support decision making processes. KPI
42、s are metrics that allow to measure progress and deficiency. The metrics have to be well-defined and quantifiable to be useful. KPIs can be used to assess the performance of IT services. Examples of IT KPIs are the availability of IT systems and services, the Service Level Agreements (SLAs), the Mea
43、n Time Between Failures (MTBF) and the Mean Time To Recover (MTTR), and Mean-Time-Between-System-Incidents (MTBSI). The usage of KPI in the field of Information Assurance is at its early stage. Defining KPIs for the Security Assurance processes is difficult because of the complexity of regulations,
44、certifications, technical and organizational issues, and budget constraints. Hence it is a complex task to quantify clear Security Assurance objectives and performance in terms of KPIs. 4.2 Key Performance Security Indicators Key Performance Security Indicators (KPSIs) can measure the maturity level
45、 of the information security processes (detection and detection-related processes). A Maturity Model to measure the performance in the Security Assurance field can be based on the five level maturity framework adapted from The Capability Maturity Model Integration CMMI (Software Engineering Institut
46、e, 2001) i.5 and Portfolio, Programme and Project Management Maturity Model P3M3 (OGC, 2008) i.6. Organizations using these models, can assess the maturity level of their performance management practices in the five dimensions of the model: 1) Initial: Processes are managed ad hoc. No measure of the
47、 performance is requested. 2) Managed: Processes characterized for projects and are often reactive. 3) Defined: Processes are tailored for the organization and are proactive. 4) Quantitatively Managed: Processes are measured and controlled. 5) Optimizing: Continuous Process Improvement. To adapt the
48、se models to security event detection and detection-related reactions, a simplified 3-level scale is proposed: The present document, level 1 corresponding to CMMI levels 1 and 2. The present document, level 2 corresponding to CMMI levels 3 and 4. The present document, level 3 corresponding to CMMI l
49、evel 5. ETSI ETSI GS ISI 003 V1.2.1 (2018-01) 9 The three levels can be defined as follows: 3 maturity levels in Cyber Defense and SIEM approaches- Infrastructure monitoring- Technical focus (log collection and retention)- Plain incident response- Merged operations (Security/IT)1 Regulatory compliance enfor-ced and forensics enabled2 Cyber Defense capabilities(against major known attacks)3
