Abstract:
Purpose - The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security management. Design/methodology/approach - This research reviewed the controls recommended by well-known standards such as ISO/IEC 27001 and NIST SP 800-53, and identified security controls that can be automated by existing hardware and software tools. The research also analyzed the Security Information and Event Management (SIEM) technology and proposed a SIEM-based framework for security controls automation, taking into account the automation potential of SIEM systems and their integration possibilities with several security tools. Findings - About 30 per cent of information security controls can be automated, and they were grouped in a list of ten automatable security controls. A SIEM-based framework can be used for centralized and integrated management of the ten automatable security controls. Practical implications - By implementing the proposed framework and therefore automating as many security controls as possible, organizations will achieve more efficiency in information security management, also reducing the complexity of this process. This research may also be useful for SIEM vendors, in order to include more functionality in their products and provide a maximum of security controls automation within SIEM platforms. Originality/value - This paper delimits the boundaries of information security automation and defines what automation means for each security control. A novel framework for security controls automation is proposed. This research provides an automation concept that goes beyond what is normally described in previous works and SIEM solutions.
Abstract:
Business Intelligence (BI) has often been described as the tools and systems that play an essential role in the strategic planning process of a corporation. The application of BI is most commonly associated with the analysis of sales and stock trends, pricing and customer behavior to inform business decision-making. There is a growing trend in utilizing the tools and processes used in the analysis of data and applying them to security event management. Security Information and Event Management (SIEM) has emerged within the last 10 years providing a centralized source to enable both real-time and deep level analysis of historical event data to drive security standards and align IT resources in a more efficient manner.
Abstract:
Purpose - Nowadays, to operate securely and legally and to achieve business objectives, secure valuable assets and support uninterrupted business processes, all organizations need to match a lot of internal and external compliance regulations such as laws, standards, guidelines, policies, specifications and procedures. An integrated system able to manage information security (IS) for their intranets in the new cyberspace while processing tremendous amounts of IS-related data coming in various formats is required as never before. These data, after being collected and analyzed, should be evaluated in real-time from an IS incident viewpoint, to identify an incident's source, consider its type, weigh its consequences, visualize its vector, associate all target systems, prioritize countermeasures and offer mitigation solutions with weighted impact relevance. Different security information and event management (SIEM) systems cope with this routine and usually complicated work by rapid detection of IS incidents and further appropriate response. Modern challenges dictate the need to build these systems using advanced technologies such as the blockchain (BC) technologies (BCTs). The purpose of this study is to design a new BC-based SIEM 3.0 system and propose a methodology for its evaluation. Design/methodology/approach - Modern challenges dictate the need to build these systems using advanced technologies such as the BC technologies. Many internet resources argue that the BCT suits the intrusion detection objectives very well, but they do not mention how to implement it. Findings - After a brief analysis of the BC concept and the evolution of SIEM systems, this paper presents the main ideas on designing the next-generation BC-based SIEM 3.0 systems, for the first time in open access publications, including a convolution method for solving the scalability issue for the ever-growing BC size.
This new approach makes it possible not to simply modify SIEM systems in an evolutionary manner, but to bring their next generation to a qualitatively new and higher level of IS event management in the future. Research limitations/implications - The most important area of the future work is to bring this proposed system to life. The implementation, deployment and testing onto a real-world network would also allow people to see its viability or show that a more sophisticated model should be worked out. After developing the design basics, we are ready to determine the directions of the most promising studies. What are the main criteria and principles, according to which the organization will select events from PEL for creating one BC block? What is the optimal number of nodes in the organization's BC, depending on its network assets, services provided and the number of events that occur in its network? How to build and host the SIEM 3.0 BC infrastructure? How to arrange streaming analytics of block's content containing events taking place in the network? How to design the BC middleware as software that enables staff to interact with BC blocks to provide services like IS events correlation? How to visualize the results obtained to find insights and patterns in historical BC data for better IS management? How to predict the emergence of IS events in the future? This list of questions can be continued indefinitely for a full-fledged design of SIEM 3.0. Practical implications - This paper shows the full applicability of the BC concept to the creation of the next-generation SIEM 3.0 systems that are designed to detect IS incidents in a modern, fully interconnected organization's network environment. The authors' attempt to begin with a detailed description of the basics for a BC-based SIEM 3.0 system design is presented, as well as the evaluation methodology for the resulting product.
Originality/value - The authors believe that their new revolutionary approach makes it possible not to simply modify SIEM systems in an evolutionary manner, but to bring their next generation to a qualitatively new and higher level of IS event management in the future. They hope that this paper will evoke a lively response in this segment of the security controls market from both theorists and direct developers of living systems that will implement the above approach.
Abstract:
The Internet unfolded enormous opportunities to the modern computing world where not only humans but also computers and machines, as well as any tiny sensing devices, can communicate and collaborate. The Internet of Things (IoT) is still a new concept in its early stages after 20 years of successful usage in various application domains. Nowadays, the "Internet of Things Ecosystem" term is being used more often, which emphasizes its complex internal structure and functionality. Based on the available standards on the IoT's generalized architecture and reference model, the IoT ecosystem is presented as a security object to be protected. Numerous security controls, collecting raw data for complex and multi-stage processing and further detection of events related to information security (IS), are located on its layers. The IS incident management process with different routine actions for the IoT ecosystems needs automation, for which Security Information and Event Management (SIEM) systems are the best applicable solutions. But modern challenges require modifying two previously known generations of these systems, especially for the IoT ecosystems. A new blockchain-based system called the IoTBlockSIEM is proposed to solve this problem. An example of constructing transactions in the IoTBlockSIEM for the case of its use in managing IS incidents in the IoT ecosystem is provided. Further research concludes the article.
Abstract:
Additions were proposed to the method of organizing the information security (IS) event management process of companies. Unlike existing solutions, the algorithm of the "Event handling" subprocess was detailed. This detailing is a complex, which includes the IS event processing substage. In addition, the proposed detailing of the "Event Handling" subprocess allows for covering the entire life cycle of an IS event. The performed research allows in practice to fill in potential gaps in information when creating a company's ISMS. An additional advantage of the proposed solution is the possibility of using this sub-process as an independent one. The proposed approach makes it possible to simplify the procedure for managing the information security of a company as a whole, as well as potentially reduce the costs of its construction for small companies and enterprises. Also, this sub-process can be considered as an independent information security management process, for example, for a company's CIS. The proposed solutions and additions, in contrast to similar studies, are characterized by invariance with respect to the methods of implementing the company's IS infrastructure solutions, and in particular its CIS. This ultimately allows, without changing the methodological tools, to scale this approach and adapt it to the ISMS of various companies.
Abstract:
Nowadays, the Security Information and Event Management (SIEM) systems take on great relevance in handling security issues for critical infrastructures such as Internet Service Providers. Basically, a SIEM has two main functions: (i) the collection and the aggregation of log data and security information from disparate network devices (routers, firewalls, intrusion detection systems, ad hoc probes and others) and (ii) the analysis of the gathered data by implementing a set of correlation rules aimed at detecting potential suspicious events such as the presence of encrypted real-time traffic. In the present work, the authors propose an enhanced implementation of a SIEM where a particular focus is given to the detection of encrypted Skype traffic by using an ad-hoc developed enhanced probe (ESkyPRO) conveniently governed by the SIEM itself. Such an enhanced probe, able to interact with an agent counterpart deployed into the SIEM platform, is designed by exploiting some machine learning concepts. The main purpose of the proposed ad-hoc SIEM is to correlate the information received by ESkyPRO and other types of data obtained by an Intrusion Detection System (IDS) probe in order to make the encrypted Skype traffic detection as accurate as possible.
Abstract:
The management of security events, from the risk analysis to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, the fact that network and system devices are heterogeneous increases the difficulty of these administrative tasks. This paper introduces an ontology-driven approach to address the aforementioned problems. The proposed model takes into account two aspects: the information and the operations that are manipulated by SIEM environments in order to reach the desired goals. The model uses ontologies to provide simplicity in the description of concepts, relationships and instances of the security domain. Semantic web rule languages are used to describe the logic rules needed to infer relationships among individuals and classes. A case study on Botnets is presented at the end of this paper to illustrate a concrete utilisation of our model.
Abstract:
Security Information and Event Management (SIEM) solutions collect events from the IT infrastructure and concentrate information from the various components in a single place, allowing the detection of anomalous situations and attacks, and helping to protect confidential data. But real-world network environments may be complex and heterogeneous (e.g., in terms of devices, applications, and operating systems), and the attack surface can be vast, which increases the amount of data that a SIEM solution must collect and analyze. The General Data Protection Regulation (GDPR) has increased the level of complexity in such a context, as organizations must ensure the monitoring of access to personal data and various levels of security in their infrastructure. In this work, we deal with the implementation of an open-source SIEM solution that incorporates technical measures for the protection and control of personal data, ensuring compliance with the GDPR. We identify the main functionalities and describe a solution based on the Elastic Stack and additional open-source external tools. To validate our proposals, we implemented a prototype of our solution in a real-world environment. We simulated internal and external attacks that show the solution's capacity to deal in real-time with the detection of threats and incidents. We also evaluated the performance and resource consumption of personal data pseudonymization processes. Obtained results show our solution presents good performance and scalability.
Abstract:
The introduction of the General Data Protection Regulation (GDPR) in Europe raises a whole series of issues and implications on the handling of corporate data. We consider the case of security-relevant data analyses in companies, such as those carried out by Security Information and Event Management (SIEM) systems. It is often argued that the processing of personal data is necessary to achieve service quality. However, at present existing systems arguably are in conflict with the GDPR since they often process personal data without taking data protection principles into account. In this work, we first examine the GDPR regarding the resulting requirements for SIEM systems. On this basis, we propose a SIEM architecture that meets the privacy requirements of the GDPR and show the effects of pseudonymization on the detectability of incidents.
Abstract:
Security monitoring is invariably enabled by Security Information and Event Management (SIEM) technology. A major problem with SIEM is that in-house deployment and operation are costly in terms of purchase, human resources, and IT infrastructure. Managed Security Services (MSS) offerings can provide high-quality security monitoring solutions at a fraction of the cost. However, outsourcing security monitoring might entail data confidentiality and integrity risks, and current MSS solutions are unable to meet the stringent privacy requirements posed by a wide range of applications. We present PriSIEM, an efficient distributed computing model which enables privacy-preserving MSS, by leveraging two of the most promising techniques for confidential computing, namely hardware-assisted Trusted Execution (TE) and Homomorphic Encryption (HE). TE is used to create a shielded computing environment in the provider's domain, which can be trusted by the data owner. In this trusted environment, potentially sensitive data is encrypted using HE, before it is moved and processed in the rest of the provider's domain (i.e. externally to the TE environment), which cannot be trusted by the data owner. An experimental campaign has been conducted on a proof-of-concept implementation to validate the effectiveness of the hardening mechanisms and to evaluate the performance of the PriSIEM distributed environment.