The CyberSANE system is to be an innovative, dynamic security and response system based on knowledge and collaboration. It allows for continuous learning throughout the life cycle of a cyber incident while increasing the agility of the investigators. To do so, CyberSANE is composed of five system components:
The following image shows the different interactions between the CyberSANE components themselves, as well as other outside sources, such as Government Agencies or the Deep web.
LiveNet (Live Security Monitoring and Analysis) is the CyberSANE platform component capable of preventing and detecting threats and, in the case of a declared attack, of mitigating the effects of an infection or intrusion. It serves as the interface between the underlying Critical Infrastructure and the CyberSANE system.
DarkNet (Deep and Dark Web Mining and Intelligence) allows the exploitation and analysis of security-, risk- and threat-related information embedded in User Generated Content (UGC) through the analysis of both the textual content and the metadata available from various electronic streams.
HybridNet (Data Fusion, Risk Evaluation and Event Management) provides the intelligence needed to perform effective and efficient analysis of a security event, based on the one hand on information derived and acquired by the LiveNet and DarkNet components and, on the other, on information and data that it produces and extracts itself. It consists of three elements:
- Anomaly Detection Engine: It analyses the large amount of data delivered by all other CyberSANE components in order to evaluate and correlate attack-related patterns associated with specific malicious or anomalous activities in the Critical Information Infrastructures (CIIs).
- Incident Analysis & Response: Once an event has been classified (by the Anomaly Detection Engine above) as a real security incident, it is further investigated in order to identify, evaluate and propose mitigation steps for all vulnerabilities, threats and risks associated with the CIIs; to provide near real-time notifications regarding potential vulnerabilities (related to the assets of the CIIs); and to identify all types of interdependencies (at the physical, system, technological and business levels).
- Decision-Making, Warning and Notification: It orchestrates and facilitates the forensic analysis, which includes the scrutiny of the attacker's actions, the identification of the means employed by the attacker and, overall, an understanding of how the attack originated and evolved.
ShareNet (Intelligence and Information Sharing and Dissemination) provides the necessary threat intelligence and information sharing capabilities within the CIIs and with other involved parties, allowing them to determine the trustworthiness of each information source and to identify it as soon as the data is received.
PrivacyNet (Privacy & Data Protection Orchestrator) manages and orchestrates the application of innovative privacy mechanisms and maximizes the achievable levels of confidentiality and data protection, towards compliance with the highly demanding provisions of the GDPR, in the context of protecting sensitive incident-related information within and outside the CIIs.