
Optimization of cost-based threat response for Security Information and Event Management (SIEM) systems

Abstract: Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operations centers. They gather events from various sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver consolidated views for threat handling and security reporting. Research in SIEM technologies has traditionally focused on providing a comprehensive interpretation of threats, in particular to evaluate their importance and prioritize responses accordingly. However, in many cases, threat responses still require humans to carry out the analysis and decision tasks, e.g., understanding the threats, defining the appropriate countermeasures and deploying them. This is a slow and costly process, requiring a high level of expertise, and remaining error-prone nonetheless. Thus, recent research in SIEM technology has focused on the ability to automate the process of selecting and deploying countermeasures. Several authors have proposed automatic response mechanisms, such as the adaptation of security policies, to overcome the limitations of static or manual response. Although these approaches improve the reaction process (making it faster and/or more efficient), they remain limited, since these solutions do not analyze the impact of the countermeasures selected to mitigate the attacks. In this thesis, we propose a novel and systematic process to select the optimal countermeasure from a pool of candidates, by ranking them based on a trade-off between their efficiency in stopping the attack and their ability to preserve, at the same time, the best service to normal users. In addition, we propose a model to represent attacks and countermeasures graphically, so as to determine the volume of each element in a scenario of multiple attacks. The coordinates of each element are derived from a URI. The latter is mainly composed of three axes: user, channel, and resource.
We use the CARVER methodology to give an appropriate weight to each element composing the axes in our coordinate system. This approach allows us to connect the volumes with the risks (i.e., large volumes correspond to high risk, whereas small volumes correspond to low risk). Two concepts are considered when comparing two or more risk volumes: residual risk, which results when the risk volume is larger than the countermeasure volume; and collateral damage, which results when the countermeasure volume is larger than the risk volume. As a result, we are able to evaluate countermeasures for single and multiple attack scenarios, making it possible to select the countermeasure or group of countermeasures that provides the highest benefit to the organization.
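As an added illustration of the volume comparison the abstract describes (this is example code written for this page, not code from the thesis): attacks and countermeasures are modelled as sets of cells in the user/channel/resource space, each cell weighted by constructed CARVER-style weights, so that residual risk is the attack volume a countermeasure leaves uncovered and collateral damage is the countermeasure volume that touches no attack. The weights, the scenario and the scoring rule (covered risk minus collateral damage) are all assumptions made here.

```python
from itertools import product

# Constructed CARVER-style weights per element on the three URI axes
# (user, channel, resource). Weights and the scoring rule are assumptions
# made for this illustration, not values taken from the thesis.
WEIGHTS = {
    "user":     {"admin": 5, "employee": 3, "guest": 1},
    "channel":  {"ssh": 4, "http": 3, "smtp": 2},
    "resource": {"db": 5, "web": 3, "mail": 2},
}
AXES = ("user", "channel", "resource")

def cells(region):
    """Expand {axis: elements} into the set of (user, channel, resource) cells it covers."""
    return set(product(*(region[axis] for axis in AXES)))

def volume(cellset):
    """Weighted volume: each cell contributes the product of its three axis weights."""
    return sum(WEIGHTS["user"][u] * WEIGHTS["channel"][c] * WEIGHTS["resource"][r]
               for u, c, r in cellset)

def residual_risk(attacks, cm):
    """Attack volume the countermeasure leaves uncovered."""
    return volume(attacks - cm)

def collateral_damage(attacks, cm):
    """Countermeasure volume that restricts cells no attack touches (legitimate use)."""
    return volume(cm - attacks)

def rank(attacks, countermeasures):
    """Score each candidate as covered risk minus collateral damage, highest first."""
    scores = {name: volume(attacks & cm) - collateral_damage(attacks, cm)
              for name, cm in countermeasures.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed multiple-attack scenario with three candidate countermeasures.
ATTACKS = cells({"user": ["guest"], "channel": ["ssh"], "resource": ["db"]}) | \
          cells({"user": ["guest"], "channel": ["http"], "resource": ["web"]})
COUNTERMEASURES = {
    "block_guest_ssh": cells({"user": ["guest"], "channel": ["ssh"], "resource": ["db", "web", "mail"]}),
    "block_all_http":  cells({"user": ["admin", "employee", "guest"], "channel": ["http"], "resource": ["web"]}),
    "block_guest_all": cells({"user": ["guest"], "channel": ["ssh", "http"], "resource": ["db", "web"]}),
}

if __name__ == "__main__":
    for name, score in rank(ATTACKS, COUNTERMEASURES):
        cm = COUNTERMEASURES[name]
        print(f"{name:16} score={score:4} residual={residual_risk(ATTACKS, cm):3} "
              f"collateral={collateral_damage(ATTACKS, cm):3}")
```

Here the narrow countermeasure leaves residual risk while the broad one incurs heavy collateral damage, so the guest-scoped candidate covering both attacks ranks first.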

Cited literature: 130 references

https://tel.archives-ouvertes.fr/tel-00939091
Contributor: Abes Star
Submitted on: Thursday, January 30, 2014 - 10:37:38 AM
Last modification on: Sunday, October 25, 2020 - 7:08:19 AM
Long-term archiving on: Thursday, May 1, 2014 - 2:10:18 AM

File

GONZALEZ_Gustavo.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id: tel-00939091, version 1

Citation

Gustavo Daniel Gonzalez Granadillo. Optimization of cost-based threat response for Security Information and Event Management (SIEM) systems. Other [cs.OH]. Institut National des Télécommunications, 2013. English. ⟨NNT : 2013TELE0033⟩. ⟨tel-00939091⟩

Metrics

Record views: 1723
File downloads: 2740