ENSIA Identifies 16 Areas Where CERTS Fail on Proactive Detection of Network Security Incidents
In a report detailing the findings of a study on proactive detection of network security incidents, the European Network and information Security Agency (ENISA) has identified 16 areas where Computer Emergency Response Teams (CERTs) are being hindered by process gaps that are impacting their job performance and overall effectiveness.
According to ENSIA, CERTs are not fully utilizing all the possible external sources of information at their disposal. Similarly, many CERTs neither collect, nor share incident data about other constituencies with other CERTs. This, the agency said, is concerning, “…as information exchange is key to effectively combating malware and malicious activities, which is extremely important in fighting cross-border cyber threats.”
“The most important technical gaps identified include problems with data quality (such as the existence of false positives in reports, poor timeliness of delivery, lack of contextual information, no validity indicators, unclear data aging policies), and lack of automation and correlation, partly due to data quality issues, but also due to the lack of standard formats, tools or simply resources and skills,” the report noted.
Moreover, the report adds, the most important legal problem the CERTs face involves privacy regulations and data protection laws in the EU, which often hinder the exchange of information. Such an obstacle is commonly faced by CERTs, but unfortunately not by criminals responsible for network attacks.
For each issue discovered, ENSIA offers one or more recommendations to address it.
“National/government CERT managers should use the report to overcome identified shortcomings, by using more external sources of incident information, and additional internal tools to collect information to plug the gaps,” said the agency’s Executive Director, Professor Udo Helmbrecht.
In total, 45 CERT responded to the survey. While it is a bit of a read at 144 pages, the report’s worth examining if your organization has its own CERT-based team. The full report is available here.