08 Dec 2011
European member states' CERTs are still not proactively detecting and preventing enough threats and they must improve cross-border data sharing and co-operation to be more effective in future, according to the latest report from the EU's security agency Enisa.
The Proactive detection of network security incidents report highlighted several shortcomings of most CERTs in the region which it studied, including the under-reporting of DDoS and targeted attacks; a lack of automation, sandbox analysis and honeypot deployments; and data quality problems.
"The study has identified that CERTs are currently not fully utilising all possible external sources at their disposal – despite their wide availability and relative ease of use, and despite the fact that many CERTs declare their readiness to adopt new sources of information," the report found.
"Similarly, a large number of CERTs do not collect incident data about other constituencies. Even those that do, often do not share this data with other CERTs. This is an area of concern as exchange of such information is key to the effective combating of malware and malicious activities and is extremely important in a cross-border environment."
The report makes recommendations for each of the 16 shortcomings it highlighted in the process of incident detection, including improving data quality by screening for false positives and assigning validity indicators to information streams.
Alongside the technical issues, the report also identified legal and organisational ones.
Data such as IP addresses, URLs and timestamps, which are an important part of any incident report, are in some jurisdictions and contexts considered personally identifiable information and therefore subject to certain legal conditions, according to Enisa.
"This impacts not only the possibility of sharing data with others, but in some cases means that CERTs are unable to receive data feeds from third parties," the report said.
"In fact, during the expert group meeting some vendors reported that they have experienced cases where CERTs refused to receive incident data concerning their constituency because of legal considerations."
Enisa said it will be conducting another study on this specific area soon.