Federated Agentless Detection of Endpoints Using Behavioral and Characteristic Modeling

During the past two decades computer networks and security have evolved that, even though we use the same TCP/IP stack, network traffic behaviors and security needs have significantly changed. To secure modern computer networks, complete and accurate data must be gathered in a structured manner pertaining to the network and endpoint behavior. Security operations teams struggle to keep up with the ever-increasing number of devices and network attacks daily. Often the security aspect of networks gets managed reactively instead of providing proactive protection. Data collected at the backbone are becoming inadequate during security incidents. Incident response teams require data that is reliably attributed to each individual endpoint over time. With the current state of dissociated data collected from networks using different tools it is challenging to correlate the necessary data to find origin and propagation of attacks within the network. Critical indicators of compromise may go undetected due to the drawbacks of current data collection systems leaving endpoints vulnerable to attacks. Proliferation of distributed organizations demand distributed federated security solutions. Without robust data collection systems that are capable of transcending architectural and computational challenges, it is becoming increasingly difficult to provide endpoint protection at scale. This research focuses on reliable agentless endpoint detection and traffic attribution in federated networks using behavioral and characteristic modeling for incident response

Towards non-intrusive software introspection and beyond

Continuous verification and security analysis of software systems are of paramount importance to many organizations. The state-of-the-art for such operations implements agent-based approaches to inspect the provisioned software stack for security and compliance issues. However, this approach, which runs agents on the systems being analyzed, is vulnerable to some attacks, can incur substantial performance impact, and can introduce significant complexity. In this paper, we present the design and prototype implementation of a general-purpose approach for Non-intrusive Software Introspection (NSI). By adhering to NSI, organizations hosting in the cloud can as well control the software introspection workflow with reduced trust in the provider. Experimental analysis of real-world applications demonstrates that NSI presents a lightweight and scalable approach, and has a negligible impact on the performance of applications running on the instance being introspected.Accepted manuscrip

Cyber onboarding is ‘broken'

Cyber security operations centre (CSOC) is a horizontal business function responsible primarily for managing cyber incidents, in addition to cyber-attack detection, security monitoring, security incident triage, analysis and coordination. To monitor systems, networks, applications and services the CSOC must first on-board the systems and services onto their security monitoring and incident management platforms. Cyber Onboarding (a.k.a. Onboarding) is a specialist technical process of setting up and configuring systems and services to produce appropriate events, logs and metrics which are monitored through the CSOC security monitoring and incident management platform. First, logging must be enabled on the systems and applications, second, they must produce the right set of computing and security logs, events, traps and messages which are analysed by the detection controls, security analytics systems and security event monitoring systems such as SIEM, and sensors etc.; and further, network-wide information e.g. flow data, heartbeats and network traffic information are collected and analysed, and finally, threat intelligence data are ingested in real-time to detect, or be informed of threats which are out in the wild. While setting up a CSOC could be straightforward, unfortunately, the ‘people’ and ‘process’ aspects that underpin the CSOC are often challenging, complicated and occasionally unworkable. In this paper, CSOC and Cyber Onboarding are thoroughly discussed, and the differences between SOC vs SIEM are explained. Key challenges to Cyber Onboarding are identified through the reframing matrix methodology, obtained from four notable perspectives – Cyber Onboarding Perspective, CSOC Perspective, Client Perspective and Senior Management Team Perspective. Each of the views and interests are discussed, and finally, recommendations are provided based on lessons learned implementing CSOCs for many organisations – e.g. government departments, financial institutions and private sectors

Recommendation of a security architecture for data loss prevention

Data and people are the most important assets of any organization. The amount of information that is generated increases exponentially due to the number of new devices that create information. On the other hand, more and more organizations are covered by some type of regulation, such as the General Data Protection Regulation. Organizations implement several security controls, however, they do not focus on protecting the information itself and information leakage is a reality and a growing concern. Based on this problem, there is a need to protect confidential information, such as clinical data, personal information, among others. In this regard, data loss prevention solutions (DLP – Data Loss Prevention) that have the ability to identify, monitor and act on data considered confidential, whether at the endpoint, data repositories or in the network, should be part of the information security strategy of organizations in order to mitigate these risks. This dissertation will study the topic of data loss prevention and evaluate several existing solutions in order to identify the key components of this type of solutions. The contribution of this work will be the recommendation of a security architecture that mitigates the risk of information leakage and that can be easily adaptable to any DLP solution to be implemented by organizations. In order to prove the efficiency of the architecture, it was implemented and tested to mitigate the risk of information leakage in specific proposed scenarios.A informação e as pessoas são os ativos mais importantes de qualquer organização. A quantidade de informação que é gerada aumenta exponencialmente devido à quantidade de novos dispositivos que produzem informação. Por outro lado, cada vez mais organizações são abrangidas por algum tipo de regulamento, como o Regulamento Geral de Proteção de Dados. As organizações implementam vários controlos de segurança, no entanto, não se focam na proteção da informação em si e a fuga da informação é uma realidade e uma preocupação crescente. Com base neste problema, existe a necessidade de proteger a informação confidencial, como dados clínicos, informação pessoal, entre outros. Neste sentido, as soluções de prevenção da fuga de informação (DLP – Data Loss Prevention) que têm a capacidade de identificar, monitorizar e atuar em dados considerados confidenciais, seja ao nível do endpoint, repositório de dados ou na rede, devem fazer parte da estratégia da segurança da informação das organizações por forma a mitigar estes riscos. Esta dissertação vai analisar a temática da prevenção da fuga de informação e avaliar várias soluções existentes com o propósito de identificar as componentes chave deste tipo de soluções. A principal contribuição deste trabalho será a recomendação de uma arquitetura de segurança que mitigue o risco da fuga da informação e que poderá ser facilmente adaptável a qualquer solução de DLP a ser implementada pelas organizações. Por forma a comprovar a eficiência da arquitetura, a mesma foi implementada e testada para mitigar o risco de fuga da informação em cenários específicos que foram definidos

Eliciting the End-to-End Behavior of SOA Applications in Clouds

Availability and performance are key issues in SOA cloud applications. Those applications can be represented as a graph spanning multiple Cloud and on-premises environments, forming a very complex computing system that supports increasing numbers and types of users, business transactions, and usage scenarios. In order to rapidly find, predict, and proactively prevent root causes of issues, such as performance degradations and runtime errors, we developed a monitoring solution which is able to elicit the end-to-end behavior of those applications. We insert lightweight components into SOA frameworks and clients thereby keeping the monitoring impact minimal. Monitoring data collected from call chains is used to assist in issues related to performance, errors and alerts, as well as business and IT transactions

Agentless approach for security information and event management in industrial IoT

The Internet of Things (IoT) provides ease of real-time communication in homes, industries, health care, and many other dependable and interconnected sectors. However, in recent years, smart infrastructure, including cyber-physical industries, has witnessed a severe disruption of operation due to privilege escalation, exploitation of misconfigurations, firmware hijacking, malicious node injection, botnets, and other malware infiltrations. The proposed agentless module for Wazuh security information and event management (SIEM) solution contributes to securing small- to large-scale IoT networks of industry 4.0. An agentless module is implemented by vigilantly examining the IoT device traffic without installing any agent or software on the endpoints. In the proposed research scheme, a module sniffs the network traffic of IoT devices captured from the gateway and passes it to a machine learning model for initial detection and prediction. The output of the ML model is embedded in the JSON log format and passed through the Wazuh agent to the Wazuh server where a decoder is added that decodes the network traffic logs. For event monitoring in Wazuh, industrial protocols are also thoroughly analyzed, and the feature set is determined. These features are used to write rules which are tested on the SWaT dataset, utilizing a common industrial protocol (CIP) for communication. Custom and dynamic rules are written at the Wazuh end to generate alerts to respond to any anomaly detected by the machine learning (ML) model or in the protocols used. Finally, in case of any event or an attack is detected, the alerts are fired on the Wazuh dashboard. This agentless SIEM solution has practical implications for the security of the industrial control systems of industry 4.0

Tactical ISR/C2 Integration with AI/ML Augmentation

NPS NRP Project PresentationNAVPLAN 2021 specifies Distributed Maritime Operations (DMO) with a tactical grid to connect distributed nodes with processing at the tactical edge to include Artificial Intelligence/Machine Learning (AI/ML) in support of Expeditionary Advanced Base Operations (EABO) and Littoral Operations in a Contested Environment (LOCE). Joint All-Domain Command and Control (JADC2) is the concept for sensor integration. However, Intelligence, Surveillance and Reconnaissance (ISR) and Command and Control (C2) hardware and software have yet to be fully defined, tools integrated, and configurations tested. This project evaluates options for ISR and C2 integration into a Common Operational Picture (COP) with AI/ML for decision support on tactical clouds in support of DMO, EABO, LOCE and JADC2 objectives.Commander, Naval Surface Forces (CNSF)U.S. Fleet Forces Command (USFF)This research is supported by funding from the Naval Postgraduate School, Naval Research Program (PE 0605853N/2098). https://nps.edu/nrpChief of Naval Operations (CNO)Approved for public release. Distribution is unlimited.