Cybersecurity monitoring: A critical concern

Alysson Bessani, LaSIGE – Faculdade de Ciências at Universidade de Lisboa, details the importance and limitation of current cybersecurity systems

Cybersecurity has become a critical concern for most organisations due to the potential losses caused by successful attacks and the emergence of regulations such as GDPR. Organisations currently monitor and manage the security of their IT infrastructures by setting up security operation centres (SOC) to answer questions such as, “Is there an intrusion in the organisation?”, “which system is under attack?”, “what has been compromised?” and “where has an access breach occurred?”.

SOCs rely on security information and event management (SIEM) systems to have an integrated view of the monitored infrastructure. SIEMs collect logs and security-related events from multiple sources through the organisation, normalise and correlate them and produce alerts, summarised measurements, data trends and different types of visualisations for the SOC team. The complexity of SIEMs comes from their nature and the functionality they provide, which requires their integration with a large number of diverse devices that produce thousands of events per second that need to be promptly processed. Such complexity translates in high deployment and operational costs for SIEMs.

According to Gartner, the SIEM market is expected to reach $6 billion in 2021. There are many high-quality products from large IT vendors, such as IBM QRadar and Splunk. Despite their widespread use and the impressive market growth, current SIEM systems still have many limitations:

1. The threat intelligence capacity of SIEMs is still in its infancy. Consequently, existing SIEMs are unable to automatically recognise new threats that may affect (whole, or parts of) the monitored infrastructure, requiring considerable human intervention to react to changes in the threat landscape. This happens despite the availability of rich and up-to-date security-related information sources on the internet (e.g., social media, blogs, security newsfeeds), which current SIEMs don’t use.
2. Existing systems can show any “low-level” data related with the received events but have little “intelligence” to process this data and extract high-level information. These low-level data (e.g., number of failed logins in a server) are only meaningful to security experts and hard to translate to high-level metrics for C-level managers, who are responsible for making decisions on security expenditure but usually are not well versed in such technical details. This impacts the capacity of SOCs to justify the return of investment in security for its organisation.
3. Most data visualisation techniques in current SIEMs are rudimentary. This can severely impact the ability of the SOCs to react to incidents as and when they happen.
4. The event correlation capabilities of SIEMs are as good as the quality of the events fed to it. Imprecise and contradictory events generated by imperfect monitoring devices will be taken as correct by the SIEM and the uncertainties associated with these events are never communicated.
5. Due to storage and event processing constraints, SIEMs are incapable of retaining the collected events for a long duration. This limits their use in conducting cybersecurity-related forensic investigations in the long run.

The Diversity-enhanced SIEM (DiSIEM) H2020 project aims to address these limitations by enhancing SIEMs with a set of components for acquiring information from diverse data sources, feeding enhanced events to the SIEM and generating better reports and metrics to support SOCs.

Instead of proposing new SIEM architectures, the project addresses the above limitations by extending current systems in production, leveraging their built-in capacity for extension and customisation. The objective is to improve SIEMs with several diversity mechanisms, organised in five main contributions:

1. Integrate diverse OSINT (open source intelligence) data sources available on the web to SIEMs. Examples of such sources are NIST’s National Vulnerability Database, vulnerability and patch databases offered by vendors, threat intelligence data that organisations share with each other (e.g., internet addresses blacklists, URLs and files reputation databases, malware domains lists), security blogs and social networks (e.g., Twitter); collaborative platforms used in the Dark Web (e.g., Pastebin), standards-based Indicators of Compromise platforms (e.g., MISP and OpenIOC), among others. This data needs to be fetched and automatically processed (e.g., by using machine learning methods) to identify new relationships, trends, indicators and anomalies and hence to help to react to new vulnerabilities or even predict possible emerging threats against the monitored infrastructure.
2. Develop probabilistic security models and multi-level risk-based metrics to help security analysts to decide which infrastructure configurations offer better security guarantees. This will increase the capacity of SOCs to communicate the status of the organisation to C-level managers and to justify cybersecurity budgets.
3. Design visualisation methods to analyse the collected data, for better supporting the extraction of high-level security insight from the data by the security analysts working with the SIEM. In particular, the project is developing new User Behaviour Analysis (UBA) tools to better understand the human actions rendering the organisation vulnerable to malicious actors.
4. Integrate diverse, redundant and enhanced monitoring capabilities into the SIEM ecosystem. For instance, the project is building enhanced sensors composed by different intrusion detection systems to monitor the same asset. The objective is to have a much higher confidence sensor by voting on the alarms generated by such systems. Likewise, the project is devising new anomaly detectors to improve SIEM’s visibility of business-critical applications.
5. Add support for long-term secure archival of events in new cloud-of-clouds storage services being developed in the project, i.e., Vawlt. The events are encrypted and spread to multiple diverse clouds, ensuring any sensitive information is securely stored.

These contributions are being materialised through a set of components, that are currently being tested in three real SOCs, integrated into their SIEMs. More information about the project can be obtained from the website: http://disiem-project.eu

DiSIEM is supported by the European Commission through the H2020 programme under grant agreement 700692. The project consortium is composed by seven partners: FCiências.ID, City University of London, EDP, Amadeus, DigitalMR, Fraunhofer IAIS, ATOS.

Please note: this is a commercial profile

Alysson Bessani

Associate Professor and

Coordinator of DiSIEM

Faculdade de Ciências Universidade de Lisboa

Tel: +351 217500394

anbessani@ciencias.ulisboa.pt

www.di.fc.ul.pt/~bessani