Use cases

(#1) Securing private medical practices with lightweight SecaaS

Private medical practices are prime examples of MEs with high security and data protection needs. Private practices frequently suffer critical data breaches, and their staff are usually not in a position to handle a cyber-attack. According to 2016 results from Ponemon, criminal attacks have “increased by 125% since 2010 and now represent the leading cause of healthcare data breaches”. The study cites a report by the Federal Bureau of Investigations (FBI) concluding that “criminals are targeting the information-rich healthcare sector because individuals’ personal information, [..] are accessible in one place, which translates into a high return when monetized and sold”. The Hong Kong CERT has similarly stated that “Medical information costs 20 times that of credit card numbers in the underground market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs [..] or file fake claims with insurers. While credit card data theft can be reported to banks [..] damage of patient data theft cannot be contained similarly”. Personal devices, however, are not the only targeted assets. Medical devices store patient data without the inherent protections of a computer (e.g. firewall, antivirus, etc.). While laptops, PCs and mobile phones receive regular updates and are often replaced every 3-4 years, medical devices are usually kept for more than a decade and are rarely upgraded or hardened against new threats.

PALANTIR will illustrate at least two cases of attacks prevented by the Lightweight SecaaS gateway and/or Cloud SecaaS. First, healthcare relies on uninterrupted access to patient data and is therefore particularly vulnerable to ransomware attacks (delivered by vectors such as worms or phishing emails). For a small practice, a ransomware attack can threaten business continuity to such an extent that the victim may succumb to the attacker's financial demands. Second, data exfiltration attacks targeting patient records are a significant threat, and there are cases where the offending malware has operated for years undetected (e.g. Project Sauron was undetected for more than 5 years, infecting government and hospital sites in the UK). Such a breach can also incur heavy fines for the business (under GDPR, HIPAA, etc.).

(#2) Uninterrupted Electronic Commerce with Cloud SecaaS

Small businesses with e-commerce operations are increasingly leveraging cloud services alongside local infrastructure to save on expenses, yet they do not always ensure that these services use strong online security measures. Once a company has violated a customer’s trust, whether directly or indirectly, it is difficult to restore. In 2017, Verizon’s Data Breach Investigations Report found that more than 75% of the data breach victims it studied were small businesses. The strong reliance on online customer services, combined with the lack of technical safeguards against breaches, gives attackers the opportunity to easily access streams of sensitive corporate and personal data. Online businesses can shield themselves, while also realizing substantial benefit and opening up incremental revenue streams, by using the PALANTIR risk analysis, by purchasing and deploying hosted SecaaS through the Catalogue, and by attesting the integrity of their local and cloud infrastructure. This protects their sensitive customer data from breaches and authenticates their websites, building consumer trust.

PALANTIR will leverage the example of a typical retail and service-oriented Microenterprise maintaining an e-commerce platform that comprises three offices located in different cities, which manage real customer and corporate data on a daily basis. The ME's IT background is limited and focused on offering goods and services both online and offline. In addition to an e-commerce web site, the business also uses a local/cloud-based CRM solution which includes billing, payments, electronic cashiers, POS terminals, etc., all connected to the internet. For day-to-day operations, it involves several PCs, smartphones and tablets connected to the same network. The installation of the PALANTIR solution is expected to provide holistic cybersecurity protection to the Microenterprise, protecting the link between the company’s internal servers (internal network) and the external network (router protection, the possibility to use remote desktop and applications, and the VPN links between the ME's three separate locations/buildings). Moreover, it will provide a risk assessment framework, enabling the detection of data breach attempts by analyzing the collected network traffic, thus giving the customer visibility of threats and levels of risk, as well as compliance with established regulations (GDPR). The pilot will include the execution of numerous attack vectors, including spyware/ransomware and Distributed Denial of Service (DDoS) attacks, targeting the corporate infrastructure and the e-commerce platform of the enterprise. PALANTIR will use its Trust and Attestation component to verify the integrity of the enterprise’s infrastructure, will detect the incoming threats using its Security Analytics Framework, and will propose relevant countermeasures from the Secure Services Catalogue to mitigate these threats. The mitigated attack will be presented in the Dashboard along with useful contextual information and proposals for the other end users of the platform.

(#3) Live Threat Intelligence Sharing in a large-scale Edge scenario

PALANTIR provides an ideal foundation for the collective use of live threat intelligence by i) enabling the PALANTIR Provider to jointly analyse data from multiple clients (rather than from each client individually) and ii) allowing the provider to publish and retrieve anonymized cyber threat intelligence to and from national and international knowledge sharing infrastructures (e.g. MISP instances). In this UC, the service provider would be able to i) jointly analyse information from multiple clients to detect incidents which would remain unnoticed if each client were treated individually and ii) exploit the live threat intelligence feedback on propagating security threats to insert appropriate security-oriented functionalities directly into the local network of the user, through its provided gateway or in the network infrastructure. Using centralized security analytics to contextualize large flows of network traffic will make it possible to determine which types of evolving threats are targeting certain industries, so that tailored cybersecurity measures can be deployed. The efficiency of the PALANTIR knowledge sharing framework will be evaluated in realistic simulations of spreading attacks, where the threat intelligence acquired from one part of the network will be leveraged by the data analytics and threat intelligence components to i) visualise such information and recommend actions by means of a dashboard and ii) act on other parts of the network, either to acquire supplementary information or to take effective countermeasures that protect other clients.

The use case will be experimentally demonstrated in the partners' 5G testbeds, which can emulate traffic from multiple SecaaS clients on their edge network as well as parallel complex attacks, in large-scale MEC scenarios. UC3 will incorporate the virtual network infrastructure as well as SDN/NFV infrastructure comprised of high-performance servers for the execution of NFV management software and the deployment of SDN controllers. The different elements of the testbed can be flexibly interconnected using OpenFlow switches. The PALANTIR components will be deployed at various levels of the virtual networks used, and realistic simulated scenarios of a propagating attack (e.g. WannaCry) will be directed simultaneously at multiple clients of the PALANTIR solution. In this context, we plan to leverage PALANTIR by i) detecting the common threat addressed to multiple clients, ii) publishing the incident to a knowledge sharing platform (e.g. MISP), iii) retrieving relevant threat intelligence in order to produce an appropriate mitigation plan, and iv) relaying high-level mitigation policies through the PALANTIR provider to the other SecaaS clients.
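As an added illustration of the cross-client correlation step described in UC3 (detecting an indicator that no single client would flag on its own, then shaping it for sharing), the following example is not PALANTIR code and does not use the real MISP API; the client names, alert records and thresholds are constructed sample data, and the event dictionary only mimics the MISP event/attribute layout.

```python
from collections import defaultdict

# Constructed sample alerts from three hypothetical SecaaS clients.
# Each record: (client_id, indicator_type, indicator_value)
SAMPLE_ALERTS = [
    ("clinic-A", "ip-dst", "203.0.113.7"),
    ("clinic-A", "ip-dst", "198.51.100.20"),
    ("shop-B", "ip-dst", "203.0.113.7"),
    ("shop-B", "url", "http://example.invalid/update.bin"),
    ("office-C", "ip-dst", "203.0.113.7"),
    ("office-C", "url", "http://example.invalid/update.bin"),
    ("office-C", "ip-dst", "192.0.2.55"),
]

PER_CLIENT_THRESHOLD = 3    # hits one client alone needs before it alerts
CROSS_CLIENT_THRESHOLD = 2  # distinct clients that must share an indicator

def per_client_incidents(alerts, threshold=PER_CLIENT_THRESHOLD):
    """Incidents a client can see in isolation: the same indicator must
    repeat `threshold` times within that client's own traffic."""
    counts = defaultdict(int)
    for client, itype, value in alerts:
        counts[(client, itype, value)] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)

def cross_client_incidents(alerts, threshold=CROSS_CLIENT_THRESHOLD):
    """Incidents only the provider can see: an indicator observed by at
    least `threshold` distinct clients, however rare it is per client."""
    seen_by = defaultdict(set)
    for client, itype, value in alerts:
        seen_by[(itype, value)].add(client)
    return {k: sorted(v) for k, v in seen_by.items() if len(v) >= threshold}

def build_sharing_event(incidents, info="Cross-client indicator match"):
    """Shape correlated indicators as a MISP-style event dict (constructed
    layout, not the MISP API). Client names are reduced to a count so the
    shared record carries no client identity."""
    attributes = [
        {"type": itype, "value": value, "affected_clients": len(clients)}
        for (itype, value), clients in sorted(incidents.items())
    ]
    return {"Event": {"info": info, "Attribute": attributes}}

if __name__ == "__main__":
    print("per-client view:", per_client_incidents(SAMPLE_ALERTS))
    print("provider view:", build_sharing_event(cross_client_incidents(SAMPLE_ALERTS)))
```

On the sample data the per-client view is empty, while the provider view surfaces two indicators shared across clients.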