
OpenTide is reshaping cybersecurity

Taming the flood

Published on: 27/03/2025 News
Image (taken from one of the presentations): 'DetectionOps' shown as a segmented orange feedback loop in the centre, with links to blue and orange rectangles that explain its segments.

In the ever-evolving battlefield of cybersecurity, specialists are continuously racing against time. They sift through oceans of information, searching for faint traces of cyber threats: anomalous network activity, suspicious code patterns, or hidden footprints of an attack that may have flown under the radar. The real challenge isn’t just detecting these threats; it’s turning this raw intelligence into actionable defence mechanisms, and managing the ever-growing arsenal of detection rules.

OpenTide is the European Commission’s answer to this cybersecurity puzzle: managing the overwhelming flood of threat intelligence. The software, available as open source, enables the Commission’s Security Operations Centre to not only deploy detection rules efficiently, but also to preserve critical knowledge on cyber threats and defence strategies.

Since its deployment by the Commission in 2022, OpenTide has been rippling through the expert community, which sees that it can help to turn the tide on cyber threats. Now, with the European Council set to adopt OpenTide this summer, and with cybersecurity teams across the globe starting to embrace it, the software could become an anchor for digital defence strategies.

Understanding the threats

“OpenTide is a force multiplier”, says Claus Houmann, who was involved in the software’s inception. “It is the first solution that provides us with a knowledge base, a map of all the links between cyberthreats and defence measures. This speeds up our understanding of the threats.”

In 2019, Mr Houmann was one of the Commission’s security analysts wading through reams of data to detect cyberthreats. It was the beginning of the Commission’s move of IT services to cloud computing, providing new challenges to the security teams.

He spent hours condensing information on attacks and threats into spreadsheets, and passing those on to colleagues who could turn the rows into rules for the Commission’s cyberthreat detection systems. “They hated the spreadsheets," Mr Houmann says, "as the rows could not be linked to the rules they deployed in their systems.”

From fragmentation to automation

In addition, the manual copying of rules into various computer systems often caused errors. With the rules fragmented across systems, formats, and individuals, it became increasingly complex to validate the accuracy of the rules.

This is when Mr Houmann brought in Amine Besson, a specialist in detecting and responding to cyber threats. To Mr Besson, it was “very obvious what was missing: you want to view the threat history, identify detection opportunities, and design the deflection mechanism. And you want to automate all that as much as possible.”

In early 2022, Mr Besson had a first version of the software that could validate the input information as rules, in the form of computer code. He then added ways to automatically feed these rules into the systems used by the Commission to detect and defend against impending or ongoing attacks.

OpenTide became operational in September that year.

An essential tool

According to Rémi Seguy, who leads the ‘Threat Hunting and Detection Engineering’ team at the Commission, OpenTide has become a core tool. His team uses OpenTide to manage hundreds of threat vectors, each linked to detection objectives and deployed detection rules. “It streamlines the many steps needed to tackle new cybersecurity threats,” says Mr Seguy.

For him, having all rules automatically in place is a major relief. "Every rule is validated, greatly reducing the risk of errors," he explains. This gives his team confidence, ensuring that all known aspects of a threat are covered by detection rules.

"With OpenTide, we can address threats systematically," Mr Seguy adds. "It helps scale our efforts, with a remarkably fast turnaround time for responding to new threats."

The future community

The software was released as open source in 2024, and is available on code.europa.eu, the open source code repository for European Union institutions.

Mr Besson and his fellow cybersecurity software developers are now working to integrate Artificial Intelligence tools to analyse technical input data. So far, he finds that the draft rules - or more accurately, the ‘threat intelligence interpretations’ - generated by OpenTide’s AI agent are quite effective. "AI can handle certain parts well," he says. "But creating a complete file is still too complex."

Mr Seguy believes that making OpenTide open source will enable a community of cybersecurity teams from across organisations to collaborate on detection rules and contribute to its future development.

This collaborative network will not only refine detection rules but also deepen the collective understanding of cyber threats and how best to defend against them. As the team puts it, "OpenTide’s success will rise alongside the expertise and shared efforts of the cybersecurity community."

More information:

OpenTide on code.europa.eu
Hack.lu 2023 video (youtube)
OpenTide white paper (pdf)
OpenTide presentation, ‘First’ conference 2024 (pdf)

Last update: 26/03/2025

Open Source Observatory (OSOR)
