Objective 1: Provide SMEs/MEs with a practical framework to assess and manage cybersecurity risks and define their cybersecurity needs.

Challenge: Experts warn against “security theatre”, the state in which misplaced security investments create a false sense of security with little or no reduction of overall risk. While risk assessment products exist on the market, they are usually vendor-specific and create lock-in conditions for clients, or they provide a very high-level analysis that non-experts cannot easily translate into actionable policies.

PALANTIR’s contribution: The project aims to provide an improved, three-tier risk-based analysis framework. At the first tier, multi-attribute risk assessment is performed on the basis of attack class analysis and of feeds of known vulnerabilities from common sources such as MITRE, CVSS, etc. In the second tier, this information is correlated with threat intelligence data and high-level remediation policies to provide risk management recommendations. This stage is vendor-agnostic; live feeds or access to historical data from PALANTIR threat intelligence may be used. The third tier connects the output of risk management to the Service Catalogue, so that clients can be matched with appropriate products. PALANTIR plans to democratise access to the Catalogue for any service developer; this creates a landscape in which multiple delivery modes and service/billing models can be offered. However, the multiplicity of choices can easily overwhelm a non-expert user; thus, a cost/benefit forecast can be presented to the SecaaS user for each option, allowing them to select the best products for their indicative budget and to control their expenses.
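To make the three tiers concrete, here is an added, illustrative pipeline written for this page; it is not PALANTIR code and the scoring formulas, the greedy catalogue selection, the policy names and all sample assets, vulnerability identifiers (placeholders, not real CVEs), costs and weights are assumptions. Tier 1 scores each asset from the CVSS base scores of its known vulnerabilities, tier 2 raises the risk of findings that threat intelligence flags as actively exploited and attaches a high-level remediation policy per attack class, and tier 3 ranks Service Catalogue offerings by risk reduction per unit cost within the client's indicative budget.

```python
"""Illustrative three-tier risk pipeline (constructed example, not PALANTIR code).

Tier 1: score each asset's known vulnerabilities using CVSS base scores.
Tier 2: correlate with threat-intelligence flags and map to a remediation policy.
Tier 3: rank Service Catalogue offerings by risk reduction per unit cost under a budget.
All identifiers, weights, policy names and sample data are assumptions for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    vuln_id: str         # placeholder identifier, not a real CVE number
    cvss_base: float     # CVSS base score, 0.0 to 10.0
    attack_class: str    # e.g. "remote-code-exec", "info-disclosure"


@dataclass
class Asset:
    name: str
    criticality: float   # business impact weight, 1.0 (low) to 3.0 (high)
    vulns: list = field(default_factory=list)


# Tier 1: multi-attribute risk per asset
def tier1_asset_risk(asset):
    """Sum of CVSS base scores, weighted by asset criticality (assumed formula)."""
    return round(asset.criticality * sum(v.cvss_base for v in asset.vulns), 2)


# Tier 2: correlate with threat intelligence and high-level policies
def tier2_correlate(asset, actively_exploited, policies):
    """Raise the risk of vulnerabilities flagged as actively exploited by threat
    intelligence and attach the high-level remediation policy for each attack class."""
    findings = []
    for v in asset.vulns:
        exploited = v.vuln_id in actively_exploited
        score = v.cvss_base * (1.5 if exploited else 1.0) * asset.criticality
        findings.append({
            "asset": asset.name, "vuln": v.vuln_id,
            "risk": round(score, 2), "exploited": exploited,
            "policy": policies.get(v.attack_class, "review-manually"),
        })
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


# Tier 3: match findings to Service Catalogue offerings under a budget
def tier3_recommend(findings, catalogue, budget):
    """Greedy selection of catalogue services by risk-reduction-per-cost within budget.
    A service covers a set of policies; covering a finding's policy removes its risk."""
    remaining = list(findings)
    chosen, spent = [], 0.0
    while True:
        best = None
        for svc in catalogue:
            if svc in chosen or spent + svc["cost"] > budget:
                continue
            reduction = sum(f["risk"] for f in remaining if f["policy"] in svc["covers"])
            if reduction > 0 and (best is None or reduction / svc["cost"] > best[0]):
                best = (reduction / svc["cost"], svc)
        if best is None:
            break
        svc = best[1]
        chosen.append(svc)
        spent += svc["cost"]
        remaining = [f for f in remaining if f["policy"] not in svc["covers"]]
    residual = round(sum(f["risk"] for f in remaining), 2)
    return {"services": [s["name"] for s in chosen], "spent": spent, "residual_risk": residual}


def demo():
    """Run the three tiers over constructed sample data and return the results."""
    web = Asset("web-portal", 3.0, [Vulnerability("VULN-PLACEHOLDER-1", 9.8, "remote-code-exec"),
                                     Vulnerability("VULN-PLACEHOLDER-2", 5.3, "info-disclosure")])
    mail = Asset("mail-gw", 2.0, [Vulnerability("VULN-PLACEHOLDER-3", 7.5, "auth-bypass")])
    threat_intel = {"VULN-PLACEHOLDER-1"}          # flagged as actively exploited (constructed)
    policies = {"remote-code-exec": "virtual-patch-waf", "info-disclosure": "egress-filtering",
                "auth-bypass": "enforce-mfa"}
    catalogue = [  # constructed Service Catalogue entries: name, monthly cost, policies covered
        {"name": "managed-waf", "cost": 300.0, "covers": {"virtual-patch-waf"}},
        {"name": "mfa-service", "cost": 90.0, "covers": {"enforce-mfa"}},
        {"name": "dlp-bundle", "cost": 400.0, "covers": {"egress-filtering", "virtual-patch-waf"}},
    ]
    findings = tier2_correlate(web, threat_intel, policies) + tier2_correlate(mail, threat_intel, policies)
    findings.sort(key=lambda f: f["risk"], reverse=True)
    return tier1_asset_risk(web), tier1_asset_risk(mail), findings, tier3_recommend(findings, catalogue, 450.0)


if __name__ == "__main__":
    web_risk, mail_risk, findings, recommendation = demo()
    print("tier1:", web_risk, mail_risk)
    for f in findings:
        print("tier2:", f)
    print("tier3:", recommendation)
```

The greedy selection in tier 3 is deliberately simple: it shows the cost/benefit forecast the text describes (which services, what is spent, what risk remains) rather than an optimal knapsack solution, and it leaves the unaffordable residual visible so a non-expert can see what their budget does not cover.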

Objective 2: Provide affordable Managed Security Services, in multiple delivery modes.

Challenge: Managed Security Services have created a fast-growing market of products, following two delivery modes: (a) Cloud/Hosted MSS or (b) integrated in Customer Premises Equipment (CPE). In both cases, providers are met with high CAPEX/OPEX costs due to complexities in infrastructures, service management and orchestration, further driving subscription costs to prohibitive levels for SMEs/MEs.

PALANTIR’s contribution: The project will implement multiple cybersecurity services (the PALANTIR SecaaS) according to the MSS models and provide access to them through a Service Catalogue. PALANTIR aims to drastically cut costs and reduce the complexity of MSS products for providers by (a) introducing many improvements in security and service orchestration platforms, (b) virtualising the CPE (vCPE), and (c) leveraging MEC technology for large-scale deployments of SecaaS. In the case of Management and Orchestration (MANO), the development of a security orchestrator is foreseen; this approach takes into account the ongoing standardisation efforts by IETF and ETSI, to provide a framework that deploys and manages security services, controls their functional characteristics (e.g. sends firewall rules, intrusion detection rules, etc.) and controls their topology at the click of a button. In the case of vCPE, the use of Network Function Virtualisation (NFV) and Software Defined Networking (SDN) is a key element towards the necessary flexibility. By using containerisation, services can run on low-cost COTS hardware and be easily managed by the CSPs. Furthermore, PALANTIR introduces a third delivery mode in the form of Edge SecaaS, following the Multi-access Edge Computing (MEC) paradigm. MEC is a key building block of future 5G networks; the PALANTIR concept fits well into MEC, as the edge-hosted SecaaS will create an umbrella of protection for all SMEs/MEs on the CSP’s network. PALANTIR will provide HW/SW acceleration features as well as remote attestation, to ensure the high reliability and scalability of Edge SecaaS under carrier-grade quality requirements, whilst being able to prove the trustworthiness of the PALANTIR infrastructure and services through attestation.

Objective 3: Provide novel hybrid incident detection with live threat intelligence sharing.

Challenge: Many simple security incidents in a network environment are still easily identifiable by signature-based systems, which keeps traditional IDPS a fundamentally important asset. However, more complex types of threat are not detectable by rule-based methods, and these are likely to cause most of the problems, especially in the case of targeted attacks. By recreating the logic for identifying anomalous access events in machine-learning and deep-learning models, the detection process can be made more efficient and automated. It is therefore apparent that a hybrid cybersecurity solution should be developed, shifting cybersecurity systems from an exclusively rule-based or behavioural analytics approach to a more synergetic one that encompasses both methods in threat detection. Furthermore, although ML-based approaches have been applied to cybersecurity, research has shown that the detection rate of each method varies significantly and depends on the volume and velocity characteristics of the offending traffic.

PALANTIR’s contribution: PALANTIR aims to address the shortcomings of the threat intelligence landscape with respect to behavioural/statistical analysis by using advanced machine learning. Multiple improvements are foreseen: (a) faster ingestion of network data through a distributed collection approach; (b) PALANTIR will exploit the abundance of available network data and the live sharing of threat indicators between SMEs/MEs and cyber defence agencies to develop analytics that efficiently combine heterogeneous data sources (e.g. traffic information, network topology, logs of different network equipment); (c) PALANTIR introduces hybrid Threat Intelligence that allows a number of different analytics models to execute simultaneously, along with virtualised signature-based IDPSs, in order to provide an aggregated, information-driven threat score; (d) a remediation and recommendation module will extract high-level policies to address the identified threats; (e) this information will also be shared, along with threat data, among the SecaaS clients. Thus, the knowledge shared among actors will be composed not only of threat data but also of policies that can be translated (at each client site) into actionable security rules. The high-level nature of these policies allows for full anonymisation of threat and policy data.
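The following added example, written for this page and not PALANTIR's own implementation, shows one way points (c) and (d) can fit together: per-host alerts from a signature-based IDPS are combined with the outputs of several anomaly models into a single aggregated threat score, which is then mapped to a high-level remediation policy that carries no raw traffic or log data and could be shared as described in (e). The model names, weights, thresholds, the noisy-OR combination rule and the sample events are all assumptions made for the illustration.

```python
"""Illustrative hybrid threat scoring (constructed example, not PALANTIR code).

Combines signature-based IDPS alerts with the outputs of several anomaly models
into one aggregated threat score per source host, then maps that score to a
high-level remediation policy that can be shared without exposing raw data.
Model names, weights, thresholds and the sample events are all assumptions.
"""
from collections import defaultdict

# Assumed evidence weight of a signature alert by severity (1 = low ... 3 = high).
SIGNATURE_WEIGHT = {1: 0.2, 2: 0.5, 3: 0.9}

# Assumed relative trust in each analytics model (weights sum to 1.0).
MODEL_WEIGHT = {"flow-autoencoder": 0.5, "dns-entropy": 0.3, "login-sequence": 0.2}


def signature_component(alerts):
    """Evidence from the signature IDPS: the weight of the most severe alert (0.0 if none)."""
    return max((SIGNATURE_WEIGHT[a["severity"]] for a in alerts), default=0.0)


def anomaly_component(scores):
    """Weighted average of per-model anomaly scores in [0, 1]. Models that did
    not report for this host are excluded and the weights renormalised, so a
    single missing model does not silently drag the score down."""
    present = {m: s for m, s in scores.items() if m in MODEL_WEIGHT}
    if not present:
        return 0.0
    total_w = sum(MODEL_WEIGHT[m] for m in present)
    return sum(MODEL_WEIGHT[m] * s for m, s in present.items()) / total_w


def hybrid_score(alerts, scores):
    """Aggregate both sources with a noisy-OR: a signature hit sets a floor that
    the anomaly evidence can only raise, and anomaly-only evidence still counts."""
    sig = signature_component(alerts)
    ano = anomaly_component(scores)
    return round(1.0 - (1.0 - sig) * (1.0 - ano), 3)


def recommend_policy(score):
    """Map an aggregated score to a high-level, shareable remediation policy (assumed thresholds)."""
    if score >= 0.8:
        return "isolate-host"
    if score >= 0.5:
        return "rate-limit-and-monitor"
    if score >= 0.2:
        return "increase-logging"
    return "no-action"


def score_hosts(signature_alerts, model_outputs):
    """Group IDPS alerts and model outputs by source host; return {host: (score, policy)}."""
    hosts = {a["src"] for a in signature_alerts} | set(model_outputs)
    alerts_by_host = defaultdict(list)
    for a in signature_alerts:
        alerts_by_host[a["src"]].append(a)
    result = {}
    for host in sorted(hosts):
        score = hybrid_score(alerts_by_host.get(host, []), model_outputs.get(host, {}))
        result[host] = (score, recommend_policy(score))
    return result


# Constructed sample input: IDPS alerts (signature ids are placeholders) and model scores.
SAMPLE_ALERTS = [
    {"src": "10.0.0.5", "sid": "sig-placeholder-1", "severity": 2},
    {"src": "10.0.0.5", "sid": "sig-placeholder-2", "severity": 3},
    {"src": "10.0.0.9", "sid": "sig-placeholder-3", "severity": 1},
]
SAMPLE_MODEL_OUTPUT = {
    "10.0.0.5": {"flow-autoencoder": 0.7, "dns-entropy": 0.2},
    "10.0.0.9": {"login-sequence": 0.05},
    "10.0.0.12": {"flow-autoencoder": 0.9, "dns-entropy": 0.8, "login-sequence": 0.6},
}

if __name__ == "__main__":
    for host, (score, policy) in score_hosts(SAMPLE_ALERTS, SAMPLE_MODEL_OUTPUT).items():
        print(f"{host:10} score={score:.3f} policy={policy}")
```

In the sample, 10.0.0.12 never triggers a signature but is flagged by all three models, so it ends up with the same policy as the host with a high-severity signature hit; 10.0.0.9 has one low-severity alert and a near-zero anomaly score, so it only gets increased logging. That is the synergy the text argues for: neither source alone would rank the three hosts this way.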

Objective 4: Ensure the financial sustainability of PALANTIR cyber defence while disrupting the economic benefits of the attacker.

Challenge: MEs/SMEs often have limited resources to invest in cybersecurity. Purchasing multiple standalone products (e.g. antivirus, firewall licences, etc.) can be costly and requires a lot of effort to install them separately on all devices. Subscriptions to Managed Security Services can also be costly and are usually adopted by larger enterprises. This has led multiple Communication Service Providers (CSPs) to offer security products in the form of traditional Customer Premise Equipment (CPE) as an attractive solution for many of their customers. CPEs, however, incur large CAPEX/OPEX costs for the CSP and can be very difficult to maintain. At the same time, attackers find attractive targets in unprotected SMEs/MEs and leverage automation to launch attacks on thousands of victims.

PALANTIR’s contribution: PALANTIR is built on the premise that practical cyber-resilience cannot be achieved while cyber defence costs are on the rise and the attackers’ cost/benefit ratio improves. To disrupt this trend, it is crucial to make cyber defence sustainable both for the SMEs/MEs and for the PALANTIR providers while at the same time disrupting the benefits to the attacker. From the viewpoint of the SMEs/MEs, the democratisation of cybersecurity through a Service Catalogue where services can be published and billed, the multiple delivery modes, and the cost/benefit forecast that is part of the PALANTIR risk analysis together ensure that clients will be able to select a cybersecurity solution appropriate to their budget and needs, thus avoiding “security theatre” pitfalls. From the viewpoint of the Provider, the use of SDN/NFV technology, virtualisation and service orchestration reduces CAPEX/OPEX costs as well as the complexity of managing services and virtual devices. On the side of the attacker, the rapid deployment of security measures, the live intelligence sharing and the massive improvements in detection time foreseen in the Threat Intelligence framework all work against attackers’ automation to significantly reduce the attack window.