FINSTIX: the FINSEC-STIX data model
The FINSEC project aims to develop, demonstrate and bring to market an integrated, intelligent, collaborative and predictive approach to the security of critical infrastructures in the financial sector.
The project consortium identified the main components needed to facilitate a combined cyber/physical approach to security. To this end, a proper data model is crucial to provide an integrated representation of physical and cyber assets and their relationships, to operate on data and to define the scope of the prediction algorithms.
In the design of a data model, two different approaches can be adopted: the first is to define the model from scratch, covering all the business requirements of the considered use cases; the second is to extend (i.e., particularise and detail) an existing standard with the objects identified by the use cases and missing from the standard. The FINSEC project pursued the second solution, resulting in the FINSEC-FINSTIX data model. FINSTIX extends the Structured Threat Information eXpression (STIX) 2 [https://oasis-open.github.io/cti-documentation/] standard, combining information coming from both the physical and the logical world (thus supporting defences against both cyber and physical threats).
STIX 2 is an open source language and serialization format that lets data model users exchange cyber threat intelligence (CTI) in a consistent and machine-readable manner, thus allowing automated threat exchange, automated detection and response, and more. Using STIX, security communities can better understand which computer-based attacks are most likely to be seen, and can anticipate and/or respond to those attacks faster and more effectively.
The Consortium chose STIX because it already defines concepts important for CTI (such as Observed Data, Vulnerability, Attack Pattern, Malware, Course Of Action), while enabling an easy extension through the addition of custom properties to already existing STIX objects and/or the creation of brand-new custom objects. In addition, STIX allows easy references to other external sources of intelligence (such as CAPEC).
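To make the two extension mechanisms concrete, the following added example (not FINSTIX's own object definitions, which this page does not list) builds a STIX 2.1 bundle in plain Python: a standard observed-data object carrying a custom property, a hypothetical custom object type for a physical asset, and a relationship linking the two. The names x-example-physical-asset, x_example_location and x_example_sensor_zone are placeholders chosen for illustration; the "x-" type prefix and "x_" property prefix are the STIX 2.1 conventions for custom content, and the validate() function checks a bundle against those conventions plus the id format and dangling references.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Added example, not FINSTIX's own model: the "x-example-*" and "x_example_*"
# names below are hypothetical placeholders for a physical/cyber extension.
KNOWN_TYPES = {
    "attack-pattern", "course-of-action", "identity", "indicator", "malware",
    "observed-data", "relationship", "sighting", "vulnerability",
}
# Properties the spec defines on the standard types used here (plus common ones);
# anything else on a standard type must be a custom "x_" property.
COMMON_PROPS = {"type", "spec_version", "id", "created", "modified", "created_by_ref",
                "revoked", "labels", "confidence", "lang", "external_references",
                "object_marking_refs", "granular_markings", "extensions"}
STANDARD_PROPS = {
    "observed-data": {"first_observed", "last_observed", "number_observed", "objects", "object_refs"},
    "relationship": {"relationship_type", "description", "source_ref", "target_ref",
                     "start_time", "stop_time"},
}
ID_RE = re.compile(r"^([a-z0-9][a-z0-9-]*[a-z0-9])--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
CUSTOM_PROP_RE = re.compile(r"^x_[a-z0-9_]+$")
REQUIRED = {"type", "spec_version", "id", "created", "modified"}


def stix_timestamp():
    # STIX timestamps are UTC, RFC 3339, with a trailing "Z".
    dt = datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def base(obj_type):
    ts = stix_timestamp()
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}


def physical_asset(name, location):
    # Hypothetical custom object type (second extension mechanism): a physical asset such as an ATM.
    obj = base("x-example-physical-asset")
    obj.update({"name": name, "x_example_location": location})
    return obj


def observed_data(first, last, count, sensor_zone):
    # Standard STIX object with a hypothetical custom property (first extension mechanism).
    obj = base("observed-data")
    obj.update({"first_observed": first, "last_observed": last,
                "number_observed": count, "x_example_sensor_zone": sensor_zone})
    return obj


def relationship(source, target, rel_type):
    obj = base("relationship")
    obj.update({"relationship_type": rel_type,
                "source_ref": source["id"], "target_ref": target["id"]})
    return obj


def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate(b):
    """Return a list of problems; an empty list means the bundle follows the checked conventions."""
    errors = []
    objects = b.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        t = o.get("type", "")
        oid = o.get("id", "")
        m = ID_RE.match(oid)
        if not m or m.group(1) != t:
            errors.append(f"{oid or '<no id>'}: id must be '<type>--<uuid>' and match type '{t}'")
        if t not in KNOWN_TYPES and not t.startswith("x-"):
            errors.append(f"{oid}: custom type '{t}' must start with 'x-'")
        missing = REQUIRED - o.keys()
        if missing:
            errors.append(f"{oid}: missing required properties {sorted(missing)}")
        if t in KNOWN_TYPES:
            allowed = COMMON_PROPS | STANDARD_PROPS.get(t, set())
            for k in o:
                if k not in allowed and not CUSTOM_PROP_RE.match(k):
                    errors.append(f"{oid}: non-standard property '{k}' must be prefixed 'x_'")
        for ref in ("source_ref", "target_ref"):
            if ref in o and o[ref] not in ids:
                errors.append(f"{oid}: {ref} points outside the bundle")
    return errors


def example_bundle():
    # Constructed sample: a badge-reader observation correlated with the ATM it concerns.
    atm = physical_asset("ATM-01", "Branch 12, lobby")
    event = observed_data("2024-01-01T10:00:00.000Z", "2024-01-01T10:00:05.000Z", 1, "lobby-camera-3")
    return bundle(atm, event, relationship(event, atm, "related-to"))


if __name__ == "__main__":
    b = example_bundle()
    print(json.dumps(b, indent=2))
    print("problems:", validate(b))
```

The validator applies the "x_" rule only to standard types, where every property not defined by the spec must be custom; for a custom type the spec only fixes the common properties, so those are required and the rest are left to the extension's own definition.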
The FINSEC extension to STIX2 has been driven by the FINSEC Project use cases, which led to the inclusion of information relevant to the financial sector, enabling the correlation of physical and logical data.
The whole FINSEC Platform can be conceived as an "intelligent engine" capable of transforming events and observed data from the physical and digital world (physical-cyber infrastructure) into Threat Intelligence. The information produced will be referred to as Cyber and Physical Threat Intelligence (CPTI). In the same way that Cyber Threat Intelligence (CTI) is valuable information exchanged in the Cyber Security Domain, the CPTI produced in the FinTech sector is the added-value information produced by the platform which could be exchanged (in-out) between Financial Organizations and Security Organizations (CERT/CSIRT-like).
By Giorgia Gazzarata, CINI