This year’s CyberCall is looking for solutions in the following areas:
For a start, CSA has put together a list of end-users who are looking for solutions in some of the areas mentioned above. We welcome more ideas and submissions from industry partners who have innovative ideas that address cybersecurity concerns in sectors like manufacturing, maritime, healthcare, etc.
Cybersecurity Challenge
2022 Statements
CS01: End-to-End Threat-based Cybersecurity Risk Management System
Challenge
Develop a platform or tool to support end-to-end, threat-based cybersecurity risk management that assists in threat modelling and uses data from existing IT and security tools.
Background
Cybersecurity risk management is often disjointed. It needs to be integrated with enterprise risk management, with assessments conducted at each business unit (BU) to ensure sufficient granularity. Dimensions of risk other than vulnerabilities, such as the cyber supply chain, have emerged and must be addressed as well. In addition, new regulations (e.g., CCOP 2.0) have been published by the regulatory authority.
Companies understand that cyber is an existential risk and that cybersecurity risk assessments (RA) need to shift from a compliance-based approach to a threat-based one. Commercial off-the-shelf solutions typically focus on a single dimension of risk, such as vulnerabilities integrated with proprietary threat intelligence, or asset criticality or value. This is no longer sufficient.
Current practice relies on advisory services, and RAs remain highly manual. Some platforms support the process, track compliance and follow up on remediation, but they are not end-to-end, and compliance with CCOP 2.0, the Singapore Cybersecurity Code of Practice for Critical Information Infrastructure (CII), is not included. Advisory services also do not scale, especially for companies with multiple BUs. A platform or tool that enables self-service cybersecurity RA by BUs, assisted by the cybersecurity team, is needed. It should also be intelligent enough to suggest risk reduction by re-engineering business processes or adjusting existing controls (rather than implementing new ones), and be able to contextualise risk based on the latest industry-specific and geo-political threats.
Requirements
The proposed solution should include, but is not limited to, the following:
- Consolidated view across BUs
- CCOP 2.0 compliance benchmarking or scoring
- Supply chain risk view
- Intelligent suggestions to reduce risk by re-engineering a business process or by adjusting existing controls (rather than implementing new controls)
- Contextualisation of threat intelligence by vertical/industry and by geo-political situation
- Ability to ingest data from other tools such as asset management or Configuration Management Database (CMDB) and/or scan the network to derive a cyber digital twin to enable threat modelling for risk-assessment
- Ability to render the network based on collected data to aid planning
- Allow for inputs on Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for cyber resilience planning
- Ability to take in threat intelligence data and suggest the resultant impact on risk
- Allow asset owners to raise risk deviation or acceptance directly in the dashboard
CS02: Automated Governance of Users’ Permissions in Multi Cloud Environment
Challenge
Develop a solution that can connect to multiple Cloud Service Providers (CSPs) to track and monitor Identity & Access Management (IAM) permissions automatically using User and Entity Behaviour Analytics (UEBA), allowing for easy governance and permission updates.
Background
As more applications move to the public cloud, the platform needs to be properly secured. IAM is relatively mature on-premises but less so in cloud environments, and IAM management today is cloud-vendor-centric, which limits its effectiveness across different CSPs.
As a result, it is difficult to define user permissions properly, and users can end up with excessive access to the environment. IAM permission changes are usually requested by application teams. Because permissions are usually added and rarely removed, there is no way to track whether they have become excessive.
There is a need for an independent (third-party) check that permissions are not excessive: for example, that privileges cannot be escalated, that application teams do not have access to security logs, and that users cannot pivot to accounts beyond those they have been granted.
A user can be a member of multiple roles. For example, a user could have both access to the code and the ability to merge that code to production, which properly assigned separation of duties should not allow.
The native tooling of any one CSP (e.g., AWS) cannot track the overall permissions granted, because GIC uses multiple CSPs.
Requirements
The proposed solution should include, but is not limited to, the following:
- Provides a single pane of glass platform
- Integrates with multiple Cloud Service Providers (starting with AWS and Azure) to track IAM permissions
- Provides an intuitive User Interface (UI) that presents IAM permissions at each level of the organisation hierarchy
- Issues multi-cloud permanent and temporary rights to the user through the platform
- Automatically detects suspicious activities and alerts the central controller
- Extracts IAM logs to provide usage activity
- Utilises UEBA to recommend permission rights based on the user's profile and the department's usage history
- Provides automatic detection of excessive permissions or violations of access policy
- Is updated when the CSPs change their query mechanisms
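The two governance checks this statement asks for (permissions that are granted but never used, and toxic combinations such as "can author code and can approve its deployment") are easier to see in code. The following Python sketch is an added example, not code from CSA, GIC or any product: it normalises provider-native AWS and Azure actions onto a cloud-agnostic capability vocabulary and evaluates one rule set across both. The grant inventory, usage events, team attributes, action-to-capability mapping and separation-of-duties rules are all constructed for the example and are assumptions, not any organisation's real policy.

```python
"""Cross-cloud least-privilege gap and separation-of-duties check (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    cloud: str       # "aws" or "azure"
    principal: str   # user, role or service principal
    action: str      # provider-native action string


# Constructed inventory of effective permissions. A real collector would derive
# these from IAM policy evaluation (AWS) and role assignments (Azure).
GRANTS = [
    Grant("aws", "alice", "codecommit:GitPush"),
    Grant("aws", "alice", "codepipeline:PutApprovalResult"),
    Grant("aws", "alice", "s3:GetObject"),
    Grant("aws", "bob", "cloudtrail:LookupEvents"),
    Grant("aws", "bob", "iam:CreatePolicyVersion"),
    Grant("azure", "carol", "Microsoft.Resources/deployments/write"),
    Grant("azure", "carol", "Microsoft.Authorization/roleAssignments/write"),
]

# Constructed usage events for the observation window, as (cloud, principal, action).
# A real feed would be extracted from CloudTrail and the Azure activity log.
USAGE = [
    ("aws", "alice", "codecommit:GitPush"),
    ("aws", "alice", "s3:GetObject"),
    ("azure", "carol", "Microsoft.Resources/deployments/write"),
]

# Team each principal belongs to (assumed directory attribute).
TEAMS = {"alice": "app", "bob": "security", "carol": "app"}

# Normalisation layer: provider-native actions mapped onto cloud-agnostic
# capabilities so one rule set applies to every CSP. Illustrative mapping only.
CAPABILITY = {
    "codecommit:GitPush": "code.write",
    "codepipeline:PutApprovalResult": "deploy.approve",
    "Microsoft.Resources/deployments/write": "deploy.execute",
    "iam:CreatePolicyVersion": "iam.admin",
    "Microsoft.Authorization/roleAssignments/write": "iam.admin",
    "cloudtrail:LookupEvents": "log.read",
    "s3:GetObject": "data.read",
}

# Separation-of-duties rules: no single principal may hold every capability in a set.
TOXIC_SETS = [
    ("author-and-approve", {"code.write", "deploy.approve"}),
    ("author-and-deploy", {"code.write", "deploy.execute"}),
]
# Capabilities a team must never hold (e.g. application teams and security logs).
TEAM_FORBIDDEN = {"app": {"log.read", "iam.admin"}}


def capabilities_by_principal(grants):
    """Collapse native grants into the cloud-agnostic capability set per principal."""
    caps = defaultdict(set)
    for g in grants:
        caps[g.principal].add(CAPABILITY.get(g.action, f"unmapped:{g.action}"))
    return caps


def unused_grants(grants, usage):
    """Grants never exercised in the window: candidates for removal."""
    used = {(cloud, principal, action) for cloud, principal, action in usage}
    return [g for g in grants if (g.cloud, g.principal, g.action) not in used]


def sod_violations(grants, teams):
    """Return (principal, rule) pairs for toxic combinations and team restrictions."""
    findings = []
    for principal, caps in sorted(capabilities_by_principal(grants).items()):
        for name, toxic in TOXIC_SETS:
            if toxic <= caps:
                findings.append((principal, name))
        forbidden = TEAM_FORBIDDEN.get(teams.get(principal), set())
        for cap in sorted(caps & forbidden):
            findings.append((principal, f"{teams[principal]}-team-must-not-hold:{cap}"))
    return findings


if __name__ == "__main__":
    for g in unused_grants(GRANTS, USAGE):
        print(f"UNUSED    {g.cloud:5} {g.principal:6} {g.action}")
    for principal, rule in sod_violations(GRANTS, TEAMS):
        print(f"VIOLATION {principal:6} {rule}")
```

With the constructed data, alice's unused approval right and carol's unused role-assignment right surface as removal candidates, alice trips the author-and-approve rule, and carol (an application-team member) is flagged for holding an IAM-administration capability on Azure. The capability mapping is the part that has to be maintained when a CSP changes its action vocabulary; the rules themselves stay cloud-agnostic.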
CS03: Automated Prioritization of Cloud Drift Remediation in Multi Cloud Environment
Challenge
Develop a solution to detect, evaluate, prioritize, and remediate configuration drifts (CDs) in the multi-cloud environment.
Background
With mainstream Cloud Service Providers (CSPs) such as AWS, Azure and GCP, it is possible to generate reports of CDs detected in the various services an organisation uses. These reports categorise CDs by severity level, High/Medium/Low (or equivalent, depending on each provider's terminology).
This categorisation is based on the CSP's standard assessment and inevitably overlooks several important parameters. For example, a CD may be categorised as High severity yet occur within a completely sandboxed service, and so have a lower remediation priority. Conversely, a Medium or Low severity CD may deserve a higher remediation priority if the service is exposed to the Internet or is critical to the business. On top of this, the assessment criteria for CDs vary between CSPs, which further complicates CD categorisation.
Because of these difficulties, manpower is required for manual analysis of each CD. This process is time-consuming, prone to human error, and may not be sufficiently comprehensive. As a result, critical CDs may not be properly prioritised and, if left exposed, could lead to security breaches.
Requirements
The proposed solution should include, but is not limited to, the following:
- A single intuitive dashboard to view all the CDs from different CSPs
- Normalised CD reports from multiple CSPs to get a common assessment across the CSPs
- Automated analysis on the CD severity level provided by multiple CSPs (starting with AWS and Azure)
- CD prioritisation based on the CSPs' reports and user-supplied parameters such as the potential exploitability of the drift (whether it could compromise the security of the environment), the business criticality of the services impacted, and any compensating controls in place
- CII CCoP requirements embedded out of the box
- Prioritised remediation, and an automated remediation process upon approval
- Addresses misconfigured cloud resources by reverting them to their last known correct configuration
- Prompt notification of detected CDs to the relevant individual or team
- A "change history" record capturing when, by whom and what configuration was changed, including the remediation performed
Limitations
Automatic remediation might not be possible, as the organisation would have to grant the proposed solution write permissions. The solution should therefore offer both options:
- Manual remediation with detailed remediation steps listed
- Automatic remediation
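The background and requirements above describe a pipeline: normalise each CSP's severity label, re-rank by exposure, business criticality and compensating controls, compute the revert to the last-known-good configuration, and record the change either as operator steps or as an approved automatic change. The following Python sketch is an added example, not code from CSA, any end-user or any product. The findings, the baseline and current configurations, and the weights are all constructed for the example; the weights in particular are assumptions an organisation would tune, not a standard.

```python
"""Multi-cloud drift normalisation, contextual prioritisation and revert planning (illustrative)."""
from datetime import datetime, timezone

# Provider severities collapsed onto one ordinal scale. AWS Security Hub emits
# upper-case labels and Microsoft Defender for Cloud title-case ones; both map here.
BASE_SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Context weights are assumptions for this example, to be tuned per organisation.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0, "sandboxed": 0.5}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.75}
COMPENSATING_DISCOUNT = 0.7   # applied once per compensating control in place

# Constructed drift findings, shaped like what a collector would emit after
# pulling reports from each CSP and joining them with CMDB context.
FINDINGS = [
    {"id": "aws-001", "csp": "aws", "resource": "s3://payments-export",
     "title": "S3 bucket allows public read", "severity": "MEDIUM",
     "exposure": "internet", "criticality": "high", "compensating": []},
    {"id": "aws-002", "csp": "aws", "resource": "sg-0a1b2c3d",
     "title": "Security group allows 0.0.0.0/0 on tcp/22", "severity": "HIGH",
     "exposure": "internet", "criticality": "medium", "compensating": ["nacl-ip-allowlist"]},
    {"id": "az-001", "csp": "azure", "resource": "sandbox-rg/vm-sandbox-01",
     "title": "VM disk not encrypted with customer-managed key", "severity": "High",
     "exposure": "sandboxed", "criticality": "low", "compensating": []},
    {"id": "az-002", "csp": "azure", "resource": "prod-rg/sql-ledger",
     "title": "Auditing retention below 90 days", "severity": "Low",
     "exposure": "internal", "criticality": "high", "compensating": []},
]

# Constructed last-known-good configuration and current state for one resource.
BASELINE = {"s3://payments-export": {"BlockPublicAcls": True, "Versioning": "Enabled",
                                     "SSEAlgorithm": "aws:kms"}}
CURRENT = {"s3://payments-export": {"BlockPublicAcls": False, "Versioning": "Enabled",
                                    "SSEAlgorithm": "AES256"}}


def normalise_severity(label):
    """Map a provider-specific severity label onto the common scale."""
    return BASE_SEVERITY[label.strip().lower()]


def priority_score(finding):
    """Combine CSP severity with exposure, business criticality and compensating controls."""
    score = (normalise_severity(finding["severity"])
             * EXPOSURE_WEIGHT[finding["exposure"]]
             * CRITICALITY_WEIGHT[finding["criticality"]]
             * COMPENSATING_DISCOUNT ** len(finding["compensating"]))
    return round(score, 3)


def prioritise(findings):
    """Return findings ordered by descending contextual priority."""
    return sorted(findings, key=priority_score, reverse=True)


def revert_plan(resource, current, baseline):
    """Settings that drifted from last-known-good, with the value to restore for each."""
    cur, base = current[resource], baseline[resource]
    return {k: base[k] for k in base if cur.get(k) != base[k]}


def remediate(finding, plan, approved, actor, current, history):
    """Manual mode returns operator steps; automatic mode applies the plan only when
    approved. Both append a change-history record (assumed schema: when/who/what)."""
    mode = "automatic" if approved else "manual"
    if approved:
        current[finding["resource"]].update(plan)   # stand-in for the CSP write API call
    steps = [f"set {k} = {v!r} on {finding['resource']}" for k, v in plan.items()]
    history.append({"when": datetime.now(timezone.utc).isoformat(), "who": actor,
                    "finding": finding["id"], "mode": mode, "changes": dict(plan)})
    return mode, steps


if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{priority_score(f):6.3f}  {f['id']}  {f['csp']:5}  {f['severity']:6}  {f['title']}")
    plan = revert_plan("s3://payments-export", CURRENT, BASELINE)
    history = []
    mode, steps = remediate(FINDINGS[0], plan, approved=False, actor="soc-analyst",
                            current=CURRENT, history=history)
    print(mode, steps, history[0]["changes"])
```

On the constructed data the Medium, Internet-exposed drift on a business-critical bucket ranks first, the High drift on the sandboxed VM ranks last, and the exposed SSH rule is discounted but not dismissed because a compensating network ACL exists. The revert plan lists only the two settings that differ from the baseline, so an approved automatic run changes nothing else.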
CS04: Non-Intrusive Data Collection from Isolated OT System
Challenge
Develop a data enrichment layer for critical systems that allows remote response teams, with no physical connection to the network and no physical visibility, to better support organisations during the incident response process.
Background
Data is today at the core of a unified IT/OT Security Operations Centre (SOC). The increasing diversity of data flowing through the network due to the digitalisation of industrial systems (IoT, OT, IT and cloud systems), together with the spread of attacks via legitimate vectors [1], has made it clear that today's SOCs cannot rely only on thresholds and indicators of compromise; they also have to understand, analyse and correlate all the data shared across an operating network.
Besides, OT systems can be safety-critical, so incident response cannot be automated. Contextualisation of data is therefore necessary to enrich security events (e.g., to evaluate the criticality of an incident) and make them understandable to operations staff. Finally, sharing information across the organisation (SOC, ICT team, operations team) within a single reference model (such as a digital twin) is key to timely incident response, as the SOC and operations teams must work closely together. For instance, since they know the systems best, the operations team is best placed to detect anomalies, and their sharing of relevant information with the SOC is therefore critical.
An example of this background is rail rolling stock OT networks with Grade of Automation (GOA) 4 technology, or autonomous buses/vehicles, which are composed of assets that communicate over proprietary protocols as well as off-the-shelf OT assets, network equipment and IoT components. Clear visibility of data flows within such a critical system is a priority for an operator who fears malicious command injection or loss of availability: any detected event requires contextualisation and data enrichment so that the head of operations, in collaboration with the SOC team, can take the right decision.
[1] https://securityintelligence.com/news/cybersecurity-attacks-legitimate-services/
Requirements
The solution should include, but is not limited to, the following:
- Collect data and security information across various critical SMRT components (starting with the train network, such as platform screen door and rolling stock) from air-gapped system side channels
- The solution should consider the extraction of data in a cluttered and noisy environment
- Provide an aggregated view of data collected from the components
Limitations
The proposed implementation should not impact the OT system. The solution provider may not have access to certain OEM hardware and software builds.
CS05: OT Kernel Prevention of Cyber Attacks
Construct a system within Operational Technology (OT) environment that stops cyber-attacks at the kernel level. Using data provenance and machine learning …