ENISA Study Critical of National CERTs
16 Shortcomings Identified in Detection of Security Incidents
National computer emergency response teams, or CERTs, in Europe aren't using all the weapons in their arsenals to detect network security incidents, the European Network and Information Security Agency said in a report issued Wednesday.
ENISA identified 16 shortcomings in detection of network security events and issued 35 recommendations on how national CERTs - which the agency characterized as "digital fire brigades" - should be more proactive to mitigate deficiencies.
"National and government CERT managers should use more ... external sources of incident information, and additional internal tools to collect information to plug the gaps," ENISA Executive Director Udo Helmbrecht said in a statement accompanying the release of the report, entitled "Proactive Detection of Network Security Incidents."
The study found that many CERTs neither collect nor share incident data with other CERTs. "This is concerning, as information exchange is key to effectively combating malware and malicious activities, which is extremely important in fighting cross-border cyberthreats," the report said.
The top technical gaps identified by ENISA include insufficient data quality, such as false positives in provided data or poor timeliness of delivery, and a lack of standard formats, tools, resources and skills. The most important legal problem involves privacy regulations and personal data protection laws that hinder information exchange, the agency said.
For data providers, key recommendations focused on how to better reach CERTs, better data formats, distribution and improvement of data quality. For data consumers, the recommendations included additional activities by a CERT to verify the quality of a data feed and specific deployments of newly recommended technologies.
"At the EU or national level, balancing of the privacy protection and security needs is necessary, as well as facilitating the adoption of common formats, integration of statistical incident data and research into data leakage reporting," ENISA said.
ENISA said proactive detection of incidents - the discovery of malicious activity before CERTs receive complaints about security incidents - represents the cornerstone of an efficient CERT services portfolio. Being proactive, ENISA said, "can greatly boost a CERT's efficiency in operations, thus strengthening CERT's incident handling capability, which is one of the core services of governmental CERTs."