From YouTube: CI WG Demo: C3ISP (Collaborative/Confidential Information Sharing and Analysis for Cyber Protection)
Description
Date: 4/5/2019
Presenters: Claudio Caimi and Mirko Manea
Institution: HP Enterprise (Italy)
A
Here, but so today we have, coming in from Hewlett Packard Enterprise in Italy, they've come in later at night. They should probably be out drinking wine right now. Yeah, Claudio, and I'm going to botch some Italian names, because I'm used to Irish names, but Claudio Caimi and Mirko Manea, I believe, are coming in to tell us about Collaborative and Confidential Information Sharing and Analysis for Cyber Protection, which is C3ISP. A Nadia is the program manager for the IT security team, Hewlett Packard Italy, and at the data cloud Europe Claudio is representing Discovery Project, the European Commission funded to streamline collaboration in R&I amongst European, United States and Canadian folks. And Mirko is a senior consultant for HP working for HPC, consulting and security assurance practices. His areas focus on software and cloud security, application security, penetration testing and static code analysis. Mirko is currently engaged in the Coco Cloud, an EC-funded FP7 project, as a senior technical collaborator, and they are here to talk about their C3ISP mission, which hopefully will help us with sharing confidential, and collaborating on confidential information, which is something we are all going to need to do, and more and more information is going to become confidential as we understand how privacy will proceed. So with that, Claudio, you want to take it off? Yeah.
B
Thank you so much. So, first of all, thanks for having us at today's meeting; very much appreciated. So, as we said, we talk about the C3ISP project, which we consider could be relevant for your activity. So the C3ISP project is a Horizon 2020 project that started in 2016, in October; it lasts three years and ends this September 2019. And let me proceed with the next slide. Okay, so it is a
B
collaborative EU research and innovation project, where the goal is to provide a flexible framework to allow confidential sharing of information. So this is a collaborative project, so we have many partners. All of them are from Europe, and we have the industrial partners, that are Hewlett Packard Enterprise, SAP and British Telecom, and then we have research centers like, in the left corner up, the CNR, that is the biggest research center in Italy.
B
So, and we treat cyber threat information, that is considered any information that can help an organization to identify, assess, monitor and respond to cyber threats. Those are the information that flows inside our framework, and the framework enables collection of cyber threat information from various sources. Then we share them securely to analyze, response that informs the color reaction, and we appropriately protect information for confidentiality and privacy. We're using privacy-preserving techniques, and everything is based on the concept of data sharing agreement, where we use sticky policy to attach to every data.
B
So that bundle goes around, so once you have to access your data, you have to look first to know who can access the data, and using which obligation or any other technique to see your data, and this is the main framework. So you see, you have those that are called prosumers, that are a producer and consumer. So you have many CTI information sources: you have sensor data, threat reports, vulnerabilities and logs for internet usage, logs.
B
All this data comes in, is collected in the C3ISP, our system, and every user has the ability to use privacy-preserving techniques in advance, so we can protect specific data using different techniques that Mirko will explain, and all of these data then flow inside a data lake, where you can analyze using some analysis tools, and the result is sent back to the prosumer, that can use those data to react properly to the cyber threat attacks.
B
C
C
So if you start thinking about having some prosumers, we call prosumers actors that basically produce and consume information at the same time, and of course this information is CTI, cyber threat information, and so think about these prosumers that want to start improving the capabilities to spot malware inside their companies.
C
So what they can do is start sharing anti-malware log files, so this is a specific type of CTI, cyber threat information, that is called cyber observable. So think about simple log files, the ones that you can find in any anti-malware, antivirus solution that is deployed in, imagine, enterprises or different companies. So you have these kinds of logs. As you can see here, we have a simple track, a simple set of records where you have, for example, a timestamp, or you can have the name of the computer that is being infected.
C
For example, you could have also IP addresses, whatever, some information, the domain where that has been infected, that machine, and, as you can see, these are all information that might be sensitive in nature. But what you want to understand is if there is, for example, a malware outbreak campaign.
C
So this could be your specific analytics that you want to run to try to find if there is a campaign that is in act, and, please proceed to the next slide, the idea is that many prosumers, so we have on the left prosumer A, B and C, can share their data, and so basically they share the same data as you saw in the previous slide, where they share data individually. It comes,
C
It appears that there are no major issues, because you are not able to understand that there is a specific threat that is undergoing. So, for example, you are below a specific threshold of infection inside your set of machines in your company. But, please, next, but if you are able to take all these events as a single set of data, you can see that maybe a specific threat is starting to spread. Please, next.
C
And that's, of course, something that can already be done today with the capabilities and tools that we have today, but there could be some issues here to take care of. For example, you might be concerned about the privacy of the specific details of your network. For example, you don't want to share IP addresses, or you don't want to share the host names of your network.
C
You don't want to share the fact that you have been infected with a specific malware, but still you want to be allowed to have these collaborative analyses that can find some results only if you put more data together, so if you merge data from different producers, or from different prosumers. And that's the challenge that we are trying to address with the C3ISP project, what we call secure collaboration data analytics, which is in fact a way to try to preserve privacy while being able to spot security threats at the same time.
C
In fact, the first thing, so we have three components, or subsystems, that we call Data Sharing Agreement Manager, or DSA Manager, Information Sharing Infrastructure, and Information Analytics Infrastructure. The Data Sharing Agreement Manager is the part of the system that allows prosumers to agree on the rules that allow you to exchange data, and exchange securely data. So, for example, you might decide that you write, the total is, a rule that allows you to share the data only if specific fields are encrypted or are anonymized or whatever other privacy-preserving technique.
C
We attach the data sharing agreement to the object that is being shared, for example the anti-malware logs, and we encrypt it in a secure container, and this container is then stored safely in the Information Sharing Infrastructure until an analysis need appears. So when we run an analytics, basically, what happens is that the Information Analytics Infrastructure takes the data, obeying the rules that are prescribed in the sharing agreement. The analytics
C
discovers or spots specific threats, so basically it analyzes, for example, that there is a malware outbreak campaign enacted, by looking at the thresholds that I described before. And, please, next. The result is itself submitted into the system, into the Information Sharing Infrastructure, and on its own protected by a data sharing agreement specific to the result.
C
So this way we have that the result is sent back to the user when it is needed, and in this way we also enable results to be submitted again to the system, becoming protected data on their own, and so the flow can start again. So you can use result data as if it were original shared data, and on this data you can also perform other analytics.
D
B
I can start answering. So the project is still under development, and will end this September. Now we have a number of pilots, so I draw July. This has real pilots run by real companies, so we have one run by British Telecom that is targeting the small and medium enterprise customers. Then we have one done by SAP, then we have two run in Italy, one considering the CERT and the other considering the register, or IP, for industry in Italy, and maybe Mirko.
C
Yes, yes. So, for example, the CERT pilot is concerned with detecting spam campaigns, and in fact they are using this infrastructure to securely share email addresses, and, as you can imagine, a mail address could be a sensitive field, and so these fields need to be protected while still being able to perform some analysis to detect that there is a spam campaign in act. So that's, for example, one of the use cases that we are developing.
B
It may be the one from British Telecom, if you can say some words as well, because, you know, there are probably two or three of this project that are going to adopt the project result in real, because one day, a team tested on a system. They are seriously considering to use it for the production system, that is British Telecom and the CERT in Italy. So you can say some words, Mirko, about the British Telecom. Yes.
C
Yes, basically, theirs is related to managed security services, so they already have in place a managed security services infrastructure to collect the data from the customers, protect data from the customers and enable them to collectively and securely analyze the data, possibly from different customers. So this is, of course, an advantage; it is something that, before the project, they were not able to do, and we expect that at the end of the project they will be able to achieve such a result.
D
Yeah, I guess I'm wondering if, well, okay, so I'm coming at it from a perspective of looking at essentially a relatively new area where the Internet of Things is expanding into essentially food and ag, and I tend to think about how will we secure, you know, this Internet of Food as it becomes more driven by information technology and more susceptible to all of the security issues that IT and IoT bring, and I'm just wondering if there's, you know, a, you know, we can
D
B
C
C
Basically, all kinds of information. So this architecture is specialized for cyber threat information, but the Information Sharing Infrastructure is quite general and is able to share several information between parties, regulated under the rules that you can write in this data sharing agreement. The data sharing agreement is this set of rules; it is written in a quite easy way, because we employ a specific controlled natural language, which is very similar to English. So it's something that is even easy to write.
E
Hi, this is Jay. I have a question regarding your infrastructure. You know, earlier in the slides about the malware example, with specific edge views and fields, do you consider that to be very flexible, your schema, wasn't getting at least a new information sharing infrastructure? Is the schema very flexible? How flexible is it? You share more about that, yeah.
C
We employ, basically, we encode CTI information in STIX, the Structured Threat Information Exchange standard, and for what concerns the specific log files, we encode these in Common Event Format standard, which is an industrial standard for representing log files, so provides, and is supported by many vendors. So already different vendors of security devices, consider firewall or anti-malware solution, SIEM or whatever, already today also generate data in CEF format, so the infrastructure being able is to so.
C
E
C
C
These data sharing agreements between different parties, so different parties agree on specific rules to be shared, that will be used to regulate the sharing, and we consider these some kind of, or part of, a contract that might be signed by the parties prior to sharing. Of course, prior to sharing you have to create this data sharing agreement, let's say offline, and then at runtime this data sharing agreement is used. Thank you. You're welcome.