Detecting Cyber Attacks through Measurements: Learnings from a Cyber Range

Posted by Admin: System Admin

Beginner
Introduction

Nowadays it is hard to find an organization without a digital presence, as modern society relies on a wide range of activities such as banking, government services, commerce, and education that are offered online. Moreover, recent years have pushed the limits of digital transformation for many organizations, companies, and educational institutions. This transition occurred without prior planning or preparation and at an unprecedented scale [1]. As the globe converges towards a technology-driven society, cyber attacks and cyber crime campaigns are blooming. Recent reports show that cyber crime is growing in severity and frequency, competing with traditional crime in both the number of incidents and revenue. Machine learning is an important component of the growing field of data science. Through the use of statistical methods, different types of algorithms are trained to make classifications or predictions and to uncover key insights in this project. These insights subsequently drive decision making within applications and businesses, ideally impacting key growth metrics. Machine learning algorithms build a model from this project's data, known as training data, in order to make predictions or decisions without being explicitly programmed to do so. Machine learning algorithms are used on a wide variety of datasets where it is difficult or infeasible to develop conventional algorithms to perform the needed tasks.

Existing System & Flaws

According to Vielberth et al. [6], the number of documented breaches for companies has increased by 65% over the last five years. The average time to detect an incident was 196 days in 2018, plus another 69 days to contain it, meaning that many attacks stayed under the radar for a long period. Vielberth et al. [6] acknowledge that possible reasons for this belated discovery include: the lack of an overview of devices, systems, applications and networks; uncertainty about which assets to monitor and protect; and a lack of knowledge regarding appropriate tools and how to integrate them. Finally, they suggest that organizations can be overpowered by the technological speed adopted by cyber criminals and the rapidly growing threat landscape. Creating visibility across network assets can improve the overall security posture of a company by reducing the severity, and eventually the financial loss, of a cyber attack. Decreasing the detection time of an incident directly implies that attackers have less time to wander around the company's infrastructure snooping into sensitive data or critical resources. Nonetheless, detection is not sufficient by itself and should be combined with the other key functions referred to in the NIST Cyber Security Framework.

Although SOCs offer multiple benefits, there are also challenges in implementing them. The survey by Vielberth et al. [6] systematically groups these difficulties into Processes, People, Governance and Compliance, and Technology. For instance, processes need to be integrated across the whole organization. Additionally, a lack of skilled personnel makes recruiting and retaining staff a challenge, which can be addressed only by building an awareness culture. Governance and compliance can be difficult to establish without unified standards, which impedes security audits and overall assessments.
Lastly, even the vastness of the technology landscape can create issues in choosing the best solution for a particular use case. An SOC can monitor the infrastructure's assets at different layers: network-based monitoring refers to the detection mechanisms placed at the network layer, while endpoint-based monitoring is the collection of mechanisms at the host layer. The latter offers a more fine-grained view of the infrastructure's state. According to Fuentes-Garcia et al. [4], a network security monitoring system should provide traceability of the processes of the network and systems under monitoring. However, to achieve this view, the setup should incorporate multiple components, such as those described subsequently.

Disadvantages
  • The existing system does not implement network-based monitoring, nor the ELK-Stack and its dependencies.
  • The existing system does not implement Endpoint Detection and Response (EDR), which expands the surveillance capabilities by providing real-time collection of information at the host level. The EDR's role is to manage the feeding of logs and to detect potential security incidents.

Proposed System & Advantages

This paper presents the monitoring capabilities in the context of an SOC environment, focusing on two vantage points, namely network- and host-based measurements. These measurements can help the organization's cyber security team or researchers both to determine the TTPs and to identify ongoing or completed malicious activity. Furthermore, we aim to highlight the importance of accurate measurements for the objectives of an SOC by exemplifying the logging approaches and pinpointing the locations where activity should be monitored. Moreover, this work provides examples of tools that can support the operational requirements of an SOC, with a focus on Elasticsearch, Logstash and Kibana (ELK-Stack). In our research, the ELK-Stack is used for the collection, processing, and correlation of different log sources, which are essential for the identification of security incidents. Based on log analysis, the SOC aims to infer whether an incident took place or is in progress within the monitored infrastructure. Finally, we offer directions on how these data can be further utilized for the purposes of cyber security. We provide an overview of the current techniques and methods for infrastructure monitoring in the context of cyber security, focusing on security information and event management (SIEM) systems. SIEMs are a set of technologies collaborating to provide a comprehensive view of the infrastructure. The SIEM provides the technical foundation for an SOC to function, engaging many of the processes necessary for early response to security incidents. By building on the ELK-Stack and its dependent applications, one is able to aggregate network traffic, system events, security-related events, and other metrics.

Advantages
  • Network-based: network traffic, addresses and protocols
  • Event-based: successful and failed authentications, process ID, date and ownership, policy changes, privileged use, system events
  • Security tool-based: IDS, IPS, firewall and router logs

Further simulations, analysis, and practical experiments are conducted to evaluate the proposed scheme and compare it with the Footprint [4]; the results indicate that the proposed scheme can successfully detect and defend against Sybil attacks in VANETs, more efficiently than the Footprint.
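As an added example (not the project's own code) of the event-based correlation the ELK-Stack setup described above is meant to support: a rule over constructed authentication events, in the flat field shape Logstash would hand to Elasticsearch, that flags a burst of failed logons followed by a success from the same source and records how long the activity ran before the alerting event. The field names ts, host, user, src_ip and outcome are assumptions.

```python
"""Correlation rule over SIEM-style authentication events (added example,
not the project's code). Field names ts/host/user/src_ip/outcome are
assumptions standing in for Logstash-parsed fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a failure burst then a success from 10.0.0.99.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "srv1", "user": "alice", "src_ip": "10.0.0.5", "outcome": "success"},
    {"ts": "2024-03-01T10:01:00", "host": "srv1", "user": "admin", "src_ip": "10.0.0.99", "outcome": "failure"},
    {"ts": "2024-03-01T10:01:05", "host": "srv1", "user": "admin", "src_ip": "10.0.0.99", "outcome": "failure"},
    {"ts": "2024-03-01T10:01:09", "host": "srv1", "user": "admin", "src_ip": "10.0.0.99", "outcome": "failure"},
    {"ts": "2024-03-01T10:01:12", "host": "srv1", "user": "admin", "src_ip": "10.0.0.99", "outcome": "failure"},
    {"ts": "2024-03-01T10:01:20", "host": "srv1", "user": "admin", "src_ip": "10.0.0.99", "outcome": "success"},
    {"ts": "2024-03-01T10:05:00", "host": "srv2", "user": "bob", "src_ip": "10.0.0.7", "outcome": "failure"},
    {"ts": "2024-03-01T10:05:30", "host": "srv2", "user": "bob", "src_ip": "10.0.0.7", "outcome": "success"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def brute_force_then_success(events, threshold=4, window=timedelta(minutes=5)):
    """Flag (host, src_ip) pairs with >= threshold failures inside `window`
    followed by a success from the same source; report time-to-detect."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    failures = defaultdict(list)  # (host, src_ip) -> failure timestamps
    alerts = []
    for e in events:
        key, t = (e["host"], e["src_ip"]), parse_ts(e["ts"])
        if e["outcome"] == "failure":
            # sliding window: drop failures older than `window`, then add this one
            failures[key] = [f for f in failures[key] if t - f <= window] + [t]
        elif e["outcome"] == "success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "host": e["host"], "src_ip": e["src_ip"], "user": e["user"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_at": e["ts"],
                    "detect_seconds": (t - recent[0]).total_seconds(),
                })
            failures[key].clear()  # a success ends the sequence either way
    return alerts
```

On the constructed events the rule raises one alert, for admin on srv1 from 10.0.0.99, with 20 seconds between the first failure and the flagged success; bob's single failure stays below the threshold.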

Software Requirements
  • Operating system: Windows 7 Ultimate
  • Coding Language: Python
  • Front-End: Python
  • Back-End: Django-ORM
  • Designing: HTML, CSS, JavaScript
  • Data Base: MySQL (WAMP Server)

Hardware Requirements
  • Processor: Pentium IV
  • RAM: 4 GB (min)
  • Hard Disk: 20 GB
  • Keyboard: Standard Windows Keyboard
  • Mouse: Two or Three Button Mouse
  • Monitor: SVGA
