% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}

\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item Who are we (CIRCL)?
\item Brief introduction to MISP
\item What sort of communities are using MISP?
\item How to get started
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{MISP and CIRCL}
\begin{center}
\includegraphics[scale=0.45]{pics/circl.png}
\hspace{2.5em}
\includegraphics[scale=0.35]{pics/misp.pdf}
\end{center}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acts as the Luxembourg {\bf National CERT for the private sector}.
\item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligence sharing}.
\item CIRCL leads the development of {\bf MISP and many other open source software projects}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools and feeds
\item Normalises, {\bf correlates} and {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{What are some key objectives of communities?}
\begin{itemize}
\item To build ``herd immunity'' by sharing {\bf community relevant} threat information
\item By allowing data to be shared both for {\bf automation} and to {\bf tell a story}
\item {\bf Standardise} on how we {\bf express} and {\bf contextualise} threat information
\item {\bf Monitor trends} about attacks against your community
\item Rely on the shared data to {\bf bootstrap your investigations}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{MISP Features Highlights}
\begin{itemize}
\item Functionalities to assist users in {\bf creating, collaborating and sharing}
\begin{itemize}
\item A wide range of imports
\item REST API
\item Automatic correlation
\item Proposals
\item Granular distribution levels and sharing groups (control who receives each event before it is synchronised)
\item Advanced synchronisation mechanisms
\end{itemize}
\item A host of export formats
\begin{itemize}
\item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
\item {\bf SIEMs}: \texttt{CEF, STIX}
\item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
\item {\bf Analysis tools}: \texttt{Maltego}
\item {\bf DNS policies}: \texttt{RPZ}
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{What sort of MISP communities are there?}
\begin{itemize}
\item {\bf Generalist} cyber security communities (CIRCL's Private sector community, FIRST, etc.)
\item {\bf Sectorial} communities (Financial, ISPs, GSMs, Law enforcement, Military, etc.)
\item {\bf Geographic communities} such as national or regional ones (Nordic, South American, etc.)
\item Communities centred around {\bf international organisations} (EU, NATO, etc.)
\item {\bf Topical} communities (disinformation, RATs, COVID-19, climate)
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{An example community in numbers: The CIRCL Private sector community}
\begin{itemize}
\item {\bf Users}: 3.4k
\item {\bf Organisations}: 1.6k
\item {\bf Organisations having shared events}: 441
\item {\bf Events}: $\sim$77k
\item {\bf Data points}: 12M
\item {\bf Correlations}: 9M
\item {\bf Proposals}: 78k
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Getting started}
\begin{itemize}
\item Simplest: {\bf join an existing community} hosted by a trusted peer and use their instance (your data is stored on their instance, so agree on the distribution levels and sharing rules up front)
\item {\bf Run your own} instance (simply install the OSS) and {\bf connect to} established communities
\item {\bf Start your own} community with your own guidelines
\item None of the above are exclusive
\item {\bf Organic growth} from one to the other is expected
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact the MISP Project
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{itemize}
\end{frame}