Bohemia Ballroom
06 Dec 2017 02:00 PM - 02:30 PM(America/Chicago)
PROTECTIVE: A European-wide NREN Cyber Threat Intelligence Sharing Platform - lessons learnt to date


Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague

PROTECTIVE is a cyber threat intelligence sharing platform being developed by a consortium of ten partners from eight European countries: three European National Research and Education Networks (NRENs), three academic partners and four commercial partners. It is funded by the European Commission's Horizon 2020 programme. The platform is a suite of threat intelligence sharing tools that aim to give security teams greater context, threat and situational awareness, and thus improve an organisation's ongoing awareness of the risks posed to it by cyber attacks. Specifically, the platform is designed to provide solutions for public-domain CSIRTs that sit outside the mainstream of commercial cyber security solution provision. Public CSIRTs' needs arise in part because commercial tools do not address their specific requirements. This has created a shortfall, clearly articulated by ENISA, of tools with the analytical and visualisation capabilities needed to enable public CSIRTs to provide optimised services to their constituencies.

In the PROTECTIVE project we investigate the state of the art in threat intelligence generation and sharing, and are developing a solution to:

1) enhance security alert correlation and prioritisation,
2) link the relevance and criticality of an organisation's assets to its business/mission,
3) investigate how computational trust can be used in threat intelligence sharing, and finally
4) establish a public CSIRT threat intelligence sharing community to leverage these solutions.

To do so, we are studying the current technological and human-factor challenges, and attempting to identify what has prevented threat intelligence sharing tools from flourishing in the past.

In this talk, I will outline project activities to date and present our lessons learnt from the first year. I will cover topics such as requirements gathering and specification, which has so far involved interviewing key members of staff at three NRENs about their current practices and procedures, and has identified current challenges and limitations. I will also outline the key new capabilities of the platform, related to: threat intelligence aggregation, enrichment, sharing automation, community creation, trust computation (confidence in the quality of the data, as opposed to trust in the transport layer), and General Data Protection Regulation (GDPR) compliance. We are currently in the process of integrating various tools to form the unified platform. We are also in the process of identifying how threat intelligence generated at large CSIRTs can be used to help Small and Medium-sized Enterprises (SMEs), which normally do not have the time or resources to assimilate threat intelligence and use it to combat threats and attacks.

Next year, two pilot studies will be conducted to evaluate and validate the PROTECTIVE outcomes, with CSIRTs from three NRENs and with SMEs via a Managed Security Service Provider (MSSP). The first pilot will involve the NRENs; the second will evaluate and validate the platform for MSSPs. Towards the end of the project, we hope to open up the tool to other CSIRTs/CERTs that may be interested in using the platform.

The key take-aways for the audience attending this talk are our findings related to:

- lessons learnt in the project overall
- NREN and SME requirements gathering
- presentation of new capabilities in the threat intelligence aggregation, enrichment, automation, and trust computation
- identification of GDPR challenges and how these can (at least partially) be resolved using compliance monitoring

Speaker: Research Fellow, University of Oxford