IRIS Enhanced MeliCERTes Ecosystem
The IRIS Enhanced MeliCERTes Ecosystem (EME) extends the MeliCERTes v2 open-source platform by enabling, through further development and integration of CTI components:
- Secure and efficient security information representation in standardized formats (STIX v2.1 / CACAO / MISP), which enables interoperability in information sharing both within the IRIS integrated platform as well as with other external relevant systems and platforms
- Secure disclosable AI & IoT-relevant CTI and incidents information sharing at the time of occurrence or aggregation
- Wider awareness of emerging threats and incidents within communities with the need to know to further allow better preparedness and response
- Definition and enforcement of sharing policies and communities of trust among all types of involved stakeholders: CERTs/CSIRTs and OESs/Critical Infrastructure Operators
- Secure communication and collaboration within and across CERT/CSIRT authorities and CI Operators
- Secure storage and augmentation of AI and IoT focused cybersecurity knowledge base at a European level
- Provision of unified dashboard/SIEM for incident reporting, situational awareness, response actions configuration and recommendation, customizable per type of target end user
The IRIS Enhanced MeliCERTes Ecosystem attains a distributed architecture, with instances of it deployed at stakeholders’ premises (CI Operators & CERTs/CSIRTS authorities) to enable the seamless secure exchange of information in interoperable ways and collaboration among them. In the following figure, an example is shown for the Energy Critical Infrastructure sector, of different instances of EME running at different stakeholders involved in information sharing and collaboration within a European country and across European countries in the case of a cyber-attack and detected incident at an Energy CI operator site. Not only information sharing is made possible among the specified by the prior configured sharing policy and trust community but this happens at the time of occurrence to facilitate much faster and improved management of the incident, response and recovery but also allow for better preparedness and prevention of a similar attack to similar CIs with the support and guidance of the responsible CERT/CSIRT authorities. Information sharing is facilitated even if the stakeholders do not deploy an IRIS EME instance as long as the platform in operation is capable of producing/consuming CTI information in STIX 2.1/CACAO or MISP formats.
Cross border Energy CTI and Incidents Information Sharing and Collaboration among involved Stakeholders
IRIS capitalizes on well-known cybersecurity standards for CTI information representation and sharing, thus promoting and guaranteeing interoperability, in two ways:
- CTI standardized data format (STIX v2.1) is used to describe CTI data, allowing them to be shared in a consistent way across different systems, guaranteeing interoperability (cross-domain and cross-sector). The ability to convert from MISP Objects (MISP standards) to STIX and back is further provided.
- CERT/CSIRT authorities and CI Operators can leverage CACAO playbooks to establish standardized, scalable, and consistently effective incident response procedures for common threats.