Cengiz Acartürk,Murat Ulubay,Efe Erdur

DOI: https://doi.org/10.1049/ise2.12005

2020-12-23

IET Information Security

Abstract:This study addresses maturity and capability assessment of Security Operation Centres (SOC). It aims to contribute to continuous improvement for SOCs by proposing a complementary methodology that provides SOCs a self‐assessment capability. The method basically involves an assessment of the gaps between the current and the desired states of the organization and facilitates determining critical aspects that have priority. The proposed methodology is based on the define, measure, analyze, improve, and control methodology of the Six Sigma approach and offers a service‐oriented improvement process for SOCs. The applicability of the methodology is demonstrated by a case study. We evaluated subject matter experts’ reviews using simplified conversation analysis as a qualitative, content‐analysis approach.

computer science, information systems, theory & methods

Cyril Onwubiko,Karim Ouazzane

DOI: https://doi.org/10.22619/IJCSA.2019.100124

2022-02-08

Abstract:The increasing dependency of modern society on IT systems and infrastructures for essential services (e.g. internet banking, vehicular network, health-IT, etc.) coupled with the growing number of cyber incidents and security vulnerabilities have made Cyber Security Operations Centre (CSOC) undoubtedly vital. As such security operations monitoring is now an integral part of most business operations. SOCs (used interchangeably as CSOCs) are responsible for continuously and protectively monitoring business services, IT systems and infrastructures to identify vulnerabilities, detect cyber-attacks, security breaches, policy violations, and to respond to cyber incidents swiftly. They must also ensure that security events and alerts are triaged and analysed, while coordinating and managing cyber incidents to resolution. Because SOCs are vital, it is also necessary that SOCs are effective. But unfortunately, the effectiveness of SOCs are a widespread concern and a focus of boundless debate. In this paper, we identify and discuss some of the pertinent challenges to building an effective SOC. We investigate some of the factors contributing to the inefficiencies in SOCs and explain some of the challenges they face. Further, we provide and prioritise recommendations to addressing the identified issues.

Cryptography and Security,Social and Information Networks

Ahmed S. Shatnawi,Basheer Al-Duwairi,Mahmoud M. Almazari,Mohammad S. Alshakhatreh,Ahmad N. Khader,Abdullah A. Abdullah

DOI: https://doi.org/10.48550/arXiv.2204.04576

2022-04-10

Abstract:The number of cyber-attacks have substantially increased over the past decade resulting in huge organizational financial losses. Indeed, it is no longer a matter of "if" but "when" a security incident will take place. A Security Operations Center(SOC) adoption will help in the detection, identification, prevention, and resolution of issues before they end up causing extensive cyber-related damage. In this paper, our proposed framework is brought about to address the problem that current open-source SOC implementations are plagued with. These include lack of ability to be strengthened on the fly, slow development processes, and their ineptness for continuous timely updates. We, herein, propose a framework that would offer a fully automated open-source SOC deployment; otherwise dubbed, a "plug-and-play framework"; full horizontal scalability incorporating a modular architecture. These underpinning features are meant to mitigate underlying SOC challenges, which often emerge as a result of many pre-determined and repeated processes, bolstering their ability for expansion with new tools. This is on top of enhancing their ability to handle more servers in the clusters as a single logical unit. We also introduce a new system of its kind called a Programmable Plugin-based Intrusion Detection and Prevention System (PPIDPS). This system will extend a SOC's ability to add any tool to the monitored devices while collecting logs that can trigger alerts whenever a suspicious behavior is detected.

Cryptography and Security

Jack Tilbury,Stephen Flowerday

DOI: https://doi.org/10.3390/jcp4030020

2024-07-01

Journal of Cybersecurity and Privacy

Abstract:The continuous integration of automated tools into security operation centers (SOCs) increases the volume of alerts for security analysts. This amplifies the risk of automation bias and complacency to the point that security analysts have reported missing, ignoring, and not acting upon critical alerts. Enhancing the SOC environment has predominantly been researched from a technical standpoint, failing to consider the socio-technical elements adequately. However, our research fills this gap and provides practical insights for optimizing processes in SOCs. The synergy between security analysts and automation can potentially augment threat detection and response capabilities, ensuring a more robust defense if effective human-automation collaboration is established. A scoping review of 599 articles from four databases led to a final selection of 49 articles. Thematic analysis resulted in 609 coding references generated across four main themes: SOC automation challenges, automation application areas, implications on analysts, and human factor sentiment. Our findings emphasize the extent to which automation can be implemented across the incident response lifecycle. The SOC Automation Matrix represents our primary contribution to achieving a mutually beneficial relationship between analyst and machine. This matrix describes the properties of four distinct human-automation combinations. This is of practical value to SOCs striving to optimize their processes, as our matrix mentions socio-technical system characteristics for automated tools.

computer science, information systems, interdisciplinary applications, software engineering

Gliner Dias Alencar,Hermano Perrelli de Moura,Ivaldir Honório de Farias Júnior,José Gilson de Almeida Teixeira Filho

DOI: https://doi.org/10.48550/arXiv.1807.06184

2018-07-17

Cryptography and Security

Abstract:The lack of security in information systems has caused numerous financial and moral losses to several organizations. The organizations have a series of information security measures recommended by literature and international standards. However, the implementation of policies, actions, and adjustment to such standards is not simple and must be addressed by specific needs identified by the Information Security Governance in each organization. There are many challenges in effectively establishing, maintaining, and measuring information security in a way that adds value. Those challenges demonstrate a need for further investigations which address the problem. This paper presents a strategy to measure the maturity in information security aiming, also, to assist in the application and prioritization of information security actions in the corporate environment. For this, a survey was used as the main methodological instrument, reaching 157 distinct companies. As a result, it was possible to classify the ISO/IEC 27001 and 27002 controls in four stages according to the importance given by the companies. The COBIT maturity levels and a risk analysis matrix were also used. Finally, the adaptable strategy was successfully tested in a company

Masoud Hayeri Khyavi

DOI: https://doi.org/10.1504/IJFEM.2023.10052987

2023-01-25

Abstract:Organizations concerned about digital or computer forensics capability which establishes procedures and records to support a prosecution for computer crimes could benefit from implementing an ISO 27001: 2013-compliant (ISMS Information Security Management System). A certified ISMS adds credibility to information gathered in a digital forensics investigation; certification shows that the organization has an outsider which verifies that the correct procedures are in place and being followed. A certified ISMS is a valuable tool either when prosecuting an intruder or when a customer or other stakeholder seeks damages against the organization. SOC (Security Operation Center) as an organization or a security unit which handles a large volume of information requires a management complement, where ISMS would be a good choice. This idea will help finding solutions for problems related to digital forensics for non-cloud and cloud digital forensics, including Problems associated with the absence of standardization amongst different CSPs (Cloud service providers).

Cryptography and Security,Networking and Internet Architecture,Systems and Control

Souradeep Bhattacharya,Burhan Hyder,Manimaran Govindarasu

DOI: https://doi.org/10.48550/arXiv.2211.15842

2022-11-29

Abstract:Industrial Control System (ICS) testbeds serve as a platform for evaluating and validating control system performances, cybersecurity tools and technologies. In order to build or enhance an ICS testbed, it is vital to have a deeper understanding of its design specifications and characteristic attributes. Satisfying this prerequisite involves examination and assessment of these attributes for existing testbeds. To further increase confidence in a testbed's functionality, it is important to perform a comparative analysis of its specifications with other ICS testbeds. However, at present, there is no standardized methodology available to provide a comparative assessment of different testbeds. In this paper, we propose a methodology for analyzing ICS testbeds, inspired by the Cybersecurity Capability Maturity Model (C2M2). In particular, we then define a ICS Cybersecurity Testbed Maturity Model, its domains, and the associated maturity indicator levels. To demonstrate the benefit of the model, we have conducted a case study analysis for several ICS testbeds, representing different industrial sectors. Our analysis provides deeper insights into the relative strengths and limitations of these testbeds, together with scope for future enhancements, with respect to the domains defined by the model.

Systems and Control

Zhang Baowen,Chang Xiao,Li Jianhua

DOI: https://doi.org/10.1049/cje.2020.02.017

IF: 1.019

2020-01-01

Chinese Journal of Electronics

Abstract:As a new security defense theory, Cyberspace mimic defense（CMD） provides an architecture named Dynamic heterogeneous redundancy（DHR） to enhance the defense level of system security. Due to the new dynamic defense mechanism DHR introduced in CMD systems, traditional security modelling and analysis methods can hardly be used for them. In this paper, we propose a Security ontology-based modelling method for CMD systems（SOCMD）, which uses ontology to represent DHR components and to define their inner relationships. SOCMD also connects information components including DHRs with security vulnerabilities,threats and attackers in cyberspace. Next, attacking rules,multi-mode arbitration mechanism and combination rules are designed with SOCMD for CMD systems and a new logical-checking method is proposed to make judgement about the security state of SOCMD. Finally, different use cases and performance tests are developed to demonstrate the application process for the model and to verify the validity of our method.

Khairunnisak Nur Isnaini,Siti Alvi Solikhatin

DOI: https://doi.org/10.26555/jifo.v14i2.a14434

2020-05-09

Jurnal Informatika

Abstract:The threat of physical security can be from human factors, natural disasters, and information technology itself. Therefore, to prevent threats, we need the right tools to control current activities, evaluate potential impacts, and make appropriate plans so that business processes at X University will not be affected. This research starts by analyzing the problems that arise, followed by collecting the data needed, discussing the results, and making conclusions and recommendations that can be given. The method uses quantitative descriptive research. The research instrument uses interviews and questionnaire techniques. COBIT 5 is used as a framework for measuring the performance that is being implemented and will be achieved. Maturity models are used to measure current and future activities. The goal to be achieved is that the organization can create a physical security environment by the CIA principle (confidentiality, integrity, & availability). Positioning results are at level 3, meaning that the process is currently running in two main standard operating procedures. However, this evaluation specifically on the DSS5.5.5 subdomain (Providing Service Support-Managing physical security for IT Assets) in COBIT 5, and the results are still below the level 3 standard (Established Process), at 2.9 points. So, the right suggestion is to keep activities safe, one of which is to improve facilities and infrastructure, one of which is the use of biometric control in data center management rooms or other rooms with limited access.

Omar Shareef

DOI: https://doi.org/10.47760/ijcsmc.2024.v13i02.006

2024-02-28

International Journal of Computer Science and Mobile Computing

Abstract:The security and resilience of organizational IT systems are of paramount importance in today's fast-paced digital environment. With the proliferation of “cyber threats”, organizations must adopt proactive measures to protect their assets and maintain operational continuity. The purpose of this article is to provide insight into the nuances of the implementation of a robust framework for “IT controls”, so that organizations seeking to strengthen their defenses can better understand the importance of each component. The article begins by emphasizing the foundational role of governance and oversight in establishing clear policies, procedures, and accountability structures. Strong governance sets the stage for cultivating a culture of compliance and accountability throughout the organization. Next, the article delves into the critical aspect of “risk management”, highlighting the importance of identifying and mitigating IT-related risks to safeguard organizational security and resilience. Through comprehensive “risk assessments”, organizations can prioritize mitigation efforts and allocate resources effectively. In order to prevent unauthorized access to critical IT systems and resources, access controls are discussed, emphasizing the importance of robust authentication mechanisms and role-based access controls. Change management processes are explored as essential components in managing IT changes effectively, minimizing the risk of disruptions and vulnerabilities associated with system changes. “Data security” emerges as a key focus area, with an emphasis on protecting the confidentiality, integrity, and availability of organizational data assets through robust encryption, access controls, and data loss prevention technologies. Incident management processes are highlighted as crucial for responding swiftly and effectively to security incidents, minimizing their impact and restoring normal operations promptly. Compliance and audit processes are discussed in the context of ensuring adherence to regulatory requirements and industry standards, mitigating the risk of non-compliance penalties and reputational damage. The importance of security awareness training in cultivating a culture of security among employees is emphasized, along with the need for continuous monitoring and improvement to adapt to evolving “threats” effectively. Overall, the article underscores the importance of implementing a comprehensive framework for IT controls to enhance “organizational security”, “compliance” and resilience in today's digital landscape. Through collaborative efforts across all levels of the organization, organizations can effectively “mitigate risks”, safeguard their assets and achieve their business objectives amidst evolving “cyber threats”.

Abdulaziz Gulay,Leandros Maglaras

2024-10-03

Abstract:The increasing frequency and sophistication of cybersecurity incidents pose significant challenges to organisations, highlighting the critical need for robust incident response capabilities. This paper explores a possible utilisation of IR CMMs assessments to systematically prioritise incidents based on their impact, severity, and the incident response capabilities of an organisation in specific areas associated with human and organisational factors. The findings reveal common weaknesses in incident response, such as inadequate training and poor communication, and highlight best practices, including regular training programs, clear communication protocols, and well-documented response procedures. The analysis also emphasises the importance of organisational culture in enhancing incident response capabilities. By addressing the gap in understanding how the output of IRM assessments can be immediately utilised to prioritise high-risk incidents, this paper contributes valuable insights to academia and practice, offering a structured approach to enhancing organisational resilience against cybersecurity threats.

Cryptography and Security

Mohan Baruwal Chhetri,Shahroz Tariq,Ronal Singh,Fatemeh Jalalvand,Cecile Paris,Surya Nepal

DOI: https://doi.org/10.1145/3670009

IF: 5.3

2024-07-15

ACM Transactions on Internet Technology

Abstract:Security Operations Centres (SOCs) play a pivotal role in defending organisations against evolving cyber threats. They function as central hubs for detecting, analysing, and responding promptly to cyber incidents with the primary objective of ensuring the confidentiality, integrity, and availability of digital assets. However, they struggle against the growing problem of alert fatigue, where the sheer volume of alerts overwhelms SOC analysts and raises the risk of overlooking critical threats. In recent times, there has been a growing call for human-AI teaming, wherein humans and AI collaborate with each other, leveraging their complementary strengths and compensating for their weaknesses. The rapid advances in AI and the growing integration of AI-enabled tools and technologies within SOCs give rise to a compelling argument for the implementation of human-AI teaming within the SOC environment. Therefore, in this article, we present our vision for human-AI teaming to address the problem of alert fatigue in the SOC. We propose the A 2 C Framework, which enables flexible and dynamic decision making by allowing seamless transitions between automated, augmented, and collaborative modes of operation. Our framework allows AI-powered automation for routine alerts, AI-driven augmentation for expedited expert decision making, and collaborative exploration for tackling complex, novel threats. By implementing and operationalising A 2 C, SOCs can significantly reduce alert fatigue while empowering analysts to efficiently and effectively respond to security incidents.

computer science, information systems, software engineering

Mohemed Almorsy,John Grundy,Amani S. Ibrahim

DOI: https://doi.org/10.1109/cloud.2011.9

2011-07-01

Abstract:Although the cloud computing model is considered to be a very promising internet-based computing platform, it results in a loss of security control over the cloud-hosted assets. This is due to the outsourcing of enterprise IT assets hosted on third-party cloud computing platforms. Moreover, the lack of security constraints in the Service Level Agreements between the cloud providers and consumers results in a loss of trust as well. Obtaining a security certificate such as ISO 27000 or NIST-FISMA would help cloud providers improve consumers trust in their cloud platforms' security. However, such standards are still far from covering the full complexity of the cloud computing model. We introduce a new cloud security management framework based on aligning the FISMA standard to fit with the cloud computing model, enabling cloud providers and consumers to be security certified. Our framework is based on improving collaboration between cloud providers, service providers and service consumers in managing the security of the cloud platform and the hosted services. It is built on top of a number of security standards that assist in automating the security management process. We have developed a proof of concept of our framework using. NET and deployed it on a testbed cloud platform. We evaluated the framework by managing the security of a multi-tenant SaaS application exemplar.

Håvard Jakobsen Ofte

DOI: https://doi.org/10.1007/s10207-024-00872-6

2024-07-19

International Journal of Information Security

Abstract:Abstract Security operation centers (SOCs) are increasingly established to meet the growing threat against cyber security. The operators of SOCs respond to complex incidents under time constraints. Within critical infrastructure, the consequences of human error or low performance in SOCs may be detrimental. In other domains, situation awareness (SA) has proven useful to understand and measure how operators use information and decide the correct actions. Until now, SA research in SOCs has been restricted by a lack of in-depth studies of SA mechanisms. Therefore, this study is the first to conduct a goal-directed task analysis in a SOC for critical infrastructure. The study was conducted through a targeted series of unstructured and semi-structured interviews with SOC operators and their leaders complemented by a review of documents, incident reports, and in situ observation of work within the SOC and real incidents. Among the presented findings is a goal hierarchy alongside a complete overview of the decisions the operators make during escalated incidents. How the operators gain and use SA in these decisions is presented as a complete set of SA requirements. The findings are accompanied by an analysis of contextual differences in how the operators prioritize goals and use information in network incidents and security incidents. This enables a discussion of what SA processes might be automated and which would benefit from different SA models. The study provides a unique insight into the SA of SOC operators and is thus a steppingstone for bridging the knowledge gap of Cyber SA.

computer science, information systems, theory & methods, software engineering

Ahmed E. Youssef

DOI: https://doi.org/10.48550/arXiv.2001.08993

2020-01-13

Cryptography and Security

Abstract:Security is considered one of the top ranked risks of Cloud Computing (CC) due to the outsourcing of sensitive data onto a third party. In addition, the complexity of the cloud model results in a large number of heterogeneous security controls that must be consistently managed. Hence, no matter how strongly the cloud model is secured, organizations continue suffering from lack of trust on CC and remain uncertain about its security risk consequences. Traditional risk management frameworks do not consider the impact of CC security risks on the business objectives of the organizations. In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting CC identify, analyze, evaluate, and mitigate security risks in their Cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives. In essence, it is designed to address impacts of cloud-specific security risks into business objectives in a given organization. Consequently, organizations are able to conduct a cost-value analysis regarding the adoption of CC technology and gain an adequate level of confidence in Cloud technology. On the other hand, Cloud Service Providers (CSP) are able to improve productivity and profitability by managing cloud-related risks. The proposed framework has been validated and evaluated through a use-case scenario.

Cataldo Basile,Gabriele Gatti,Francesco Settanni

2024-05-06

Abstract:Enforcing security requirements in networked information systems relies on security controls to mitigate the risks from increasingly dangerous threats. Configuring security controls is challenging; even nowadays, administrators must perform it without adequate tool support. Hence, this process is plagued by errors that translate to insecure postures, security incidents, and a lack of promptness in answering threats. This paper presents the Security Capability Model (SCM), a formal model that abstracts the features that security controls offer for enforcing security policies, which includes an Information Model that depicts the basic concepts related to rules (i.e., conditions, actions, events) and policies (i.e., conditions' evaluation, resolution strategies, default actions), and a Data Model that covers the capabilities needed to describe different types of filtering and channel protection controls. Following state-of-the-art design patterns, the model allows for generating abstract versions of the security controls' languages and a model-driven approach for translating abstract policies into device-specific configuration settings. By validating its effectiveness in real-world scenarios, we show that SCM enables the automation of different and complex security tasks, i.e., accurate and granular security control comparison, policy refinement, and incident response. Lastly, we present opportunities for extensions and integration with other frameworks and models.

Cryptography and Security

Mohammed El-Hajj,Zuhayr Aamir Mirza

DOI: https://doi.org/10.3390/electronics13193910

IF: 2.9

2024-10-03

Electronics

Abstract:As the number of Small and Medium Enterprises (SMEs) rises in the world, the amount of sensitive data used also increases, making them targets for cyberattacks. SMEs face a host of issues such as a lack of resources and poor cybersecurity talent, resulting in multiple vulnerabilities that increase overall risk. Cybersecurity risk assessment frameworks have been developed by multiple organizations such as the National Institute of Science and Technology (NIST) and the International Organization for Standardization (ISO), but they are complicated to understand and challenging to implement. This research aimed to create an effective cybersecurity risk assessment framework specifically for SMEs while considering their limitations. This was achieved by first identifying common threats and vulnerabilities and categorizing them according to their importance and risk. Secondly, popular frameworks like the NIST CSF and ISO 27001/2 were analyzed for their proficiencies and deficiencies while identifying relevant areas for SMEs. Finally, novel techniques catered to SMEs were explored and incorporated to create an effective framework for SMEs. This framework was also developed in the form of a tool, providing an interactive and dynamic environment. The tool was effective, and the framework is a promising start but requires more quantitative analysis.

engineering, electrical & electronic,computer science, information systems,physics, applied

Allan Nganga,Joel Scanlan,Margareta Lützhöft,Steven Mallam

DOI: https://doi.org/10.1016/j.apergo.2024.104312

Abstract:The increased adoption of digital systems in the maritime domain has led to concerns about cyber resilience, especially in the wake of increasingly disruptive cyber-attacks. This has seen vessel operators increasingly adopt Maritime Security Operation Centers (M-SOCs), an action in line with one of the cyber resilience engineering techniques known as adaptive response, whose purpose is to optimize the ability to respond promptly to attacks. This research sought to investigate the domain-specific human factors that influence the adaptive response capabilities of M-SOC analysts to vessel cyber threats. Through collecting interview data and subsequent thematic analysis informed by grounded theory, cyber awareness of both crew onboard and vessel operators emerged as a pressing domain-specific challenge impacting M-SOC analysts' adaptive response. The key takeaway from this study is that vessel operators remain pivotal in supporting the M-SOC analysts' adaptive response processes through resource allocation towards operational technology (OT) monitoring and cyber personnel staffing onboard the vessels.

Robert Gutzwiller,Josiah Dykstra,Bryan Payne

DOI: https://doi.org/10.1145/3384471

2020-09-30

Digital Threats: Research and Practice

Abstract:Demand is present among security practitioners for improving cyber situational awareness (SA), but capability and assessment have not risen to match. SA is an integral component of cybersecurity for everyone from individuals to business to response teams and threat exchanges. In this Field Note, we highlight existing research and our field observations, a recent review of cyber SA research literature, and call upon the research community to help address three research problems in situational awareness for cybersecurity. The gaps suggest the need to (1) understand what cyber SA is from the human operators’ perspectives, then (2) measure it so that (3) the community can learn whether SA makes a difference in meaningful ways to cybersecurity, and whether methods, technology, or other solutions would improve SA and thus, improve those outcomes.

Manuel Kern,Max Landauer,Florian Skopik,Edgar Weippl

DOI: https://doi.org/10.1016/j.cose.2024.103844

IF: 5.105

2024-04-11

Computers & Security

Abstract:Many modern cyber attack techniques cannot be prevented. Logging and monitoring, however, offer a means to at least detect these techniques early, and therefore become increasingly important for defense. Many companies are unfortunately reluctant to invest more in cyber security logging and monitoring or hire additional security staff to operate detective solutions. There is a need for a methodology to pick appropriate cyber security solutions from the vast pool of available products. Our model takes requirements mandated by common standards from ISO, NIST, BSI and the like into account. While standards and guidelines remain at a high abstraction level and are applicable to different organizations over a long period of time, guidance on implementation becomes outdated comparatively quickly. We propose a novel logging maturity and decision model for the selection of the best fitting cyber security solutions for an organization. The novelty is that this model accounts for constraints in the selection process, such as cost, complexity, compliance, and relevance to the organization's assets. We validate the model with MITRE ATT&CK framework data and apply it to illustrative use cases based on our survey.

computer science, information systems