In the Explore phase, the project teams of ABN AMRO, Achmea, ING, de Volksbank and TNO delve deeper into the topics and investigate where the possibilities and impossibilities lie to take the innovation idea a step further. An agile way of working ensures that teams work on their projects on a weekly basis and go through the Explore phase in a structured way. This phase starts at the beginning of December and will run until March 2021.
What ideas are being taken up in the Explore phase and what goals are being pursued here?
1. Data classification and labelling
There is a lot of data going around within large organisations, much of which is unstructured, such as emails, documents and multimedia. This data is often unclassified but may contain confidential information. Security policy always includes measures to protect data, but these measures are applied on the basis of the classification of the data. In order to protect unstructured data, it must therefore be classified and this classification is done by means of 'data labels' that indicate what kind of information the data contains. However, the 'labelling' of unstructured data is very complex and time-consuming, and is therefore often not done, with the result that all kinds of data are not properly secured.
This project aims to develop a methodology that uses 'semi-supervised learning' to automatically label unstructured data. The reliability of these labels is also verified by content analysis.
2. Joint practices for security in agile
Development, especially of software, is increasingly taking place in an agile way, in CI/CD (Continuous Innovation, Continuous Development) development lines. As a result, new updates are always quickly available, but this makes it difficult to guarantee the security level of the end result (security by design). In addition to the high release frequency, issues such as continuously changing requirements, rapid introduction of new technologies and insufficient security expertise in development teams also make it difficult to guarantee security by design. As a result, a better term for CI/CD could be 'Continuous Vulnerabilities (CV)'.
This project aims to develop joint security best practices for CI/CD chains. An example of this could be the development of patterns for Static and Dynamic Security Testing (SAST and DAST), which improves performance and reduces turnaround time. As a result, all releases can be thoroughly tested for security. The idea is to set up a sharing platform for the joint development of security best practices, starting with the PCSI partners and then expanding to a national or even international level.
3. Metrics2Trust Suppliers
Almost every organisation uses third parties (suppliers) that provide services and products, ranging from cleaning companies to providers of cloud-based IT services. Dependence on these suppliers has increased in recent years. The ultimate security level of an organisation and its services depends in part on the security level of the services a supplier provides to them and the security level of that supplier itself. That is why it is very important to have a good understanding of the security level of all suppliers. Security ratings are already used to classify suppliers, but there are different methods and no standardisation. The multiplicity of suppliers, with a lot of different services, makes this is a difficult process.
4. Collaborative fleet
This project has already completed a first Explore phase but needs more time to work out a further focus on deception and threat intel. This time, the possibilities of involving an external party will also be explicitly investigated.
Involvement of partners
Cyber security talent is scarce. Within the PCSI, each PCSI partner supplies resources to the various projects. The expertise from the partners is clustered in project groups that effectively get to work with an innovation idea.
Within the project groups there is an innovative working atmosphere in which all members use and share their knowledge and expertise to achieve a new innovation. They are challenged to work on unusual subjects and are motivated to make a valuable contribution to cyber security innovation.