Cyber onboarding is 'broken'
Cyber security operations centre (CSOC) is a horizontal business function responsible primarily for managing cyber incidents, in addition to cyber-attack detection, security monitoring, security incident triage, analysis and coordination. To monitor systems, networks, applications and services, the CSOC must first on-board the systems and services onto their security monitoring and incident management platforms. Cyber Onboarding (a.k.a. Onboarding) is a specialist technical process of setting up and configuring systems and services to produce appropriate events, logs and metrics which are monitored through the CSOC security monitoring and incident management platform. First, logging must be enabled on the systems and applications; second, they must produce the right set of computing and security logs, events, traps and messages which are analysed by the detection controls, security analytics systems and security event monitoring systems such as SIEM, sensors etc.; further, network-wide information, e.g. flow data, heartbeats and network traffic information, is collected and analysed; and finally, threat intelligence data are ingested in real-time to detect, or be informed of, threats which are out in the wild. While setting up a CSOC could be straightforward, unfortunately, the 'people' and 'process' aspects that underpin the CSOC are often challenging, complicated and occasionally unworkable. In this paper, CSOC and Cyber Onboarding are thoroughly discussed, and the differences between SOC and SIEM are explained. Key challenges to Cyber Onboarding are identified through the reframing matrix methodology, obtained from four notable perspectives: Cyber Onboarding Perspective, CSOC Perspective, Client Perspective and Senior Management Team Perspective. Each of the views and interests is discussed, and finally, recommendations are provided based on lessons learned implementing CSOCs for many organisations, e.g. government departments, financial institutions and private sectors.
Risk Assessment as a Tool for Mobile Plant Operators for Sustainable Development: Lessons from the Western Australian Mining Industry
Mobile plant is used extensively not only in the Western Australian (WA) mining industry but internationally as well. The use of mobile plant carries inherently high risk and every year is associated with a significant number of workplace fatalities and injuries. Prior to this research being conducted there was no specific data published related to mobile plant incidents and fatalities for the Western Australian mining industry. The aim of this research was to improve the safety performance of mobile plant operators in the Western Australian (WA) mining industry by identifying the causes of mobile plant incidents reported to Resources Safety between 1/1/2007 and 31/3/2020.
Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability
This doctoral thesis performs a detailed analysis of the decision elements necessary to improve cyber defence situational awareness, with a special emphasis on the perception and understanding of the analyst of a cybersecurity operations centre (SOC). Two different architectures based on network flow forensics of data streams (NF3) are proposed. The first architecture uses Ensemble Machine Learning techniques, while the second is a variant of Machine Learning with greater algorithmic complexity (lambda-NF3) that offers a more robust defence framework against adversarial attacks. Both proposals seek to effectively automate the detection of malware and its subsequent incident management, showing satisfactory results in approximating what has been called a next generation cognitive computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. In this case, the thesis addresses the generation of three-dimensional representations based on mission-oriented metrics and procedures that use an expert system based on fuzzy logic. Precisely, the state of the art shows serious deficiencies when it comes to implementing cyber defence solutions that reflect the relevance of the mission, resources and tasks of an organisation for a better-informed decision.
The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters, and the development of a synthetic dataset that univocally references the phases of a cyber-attack with the Cyber Kill Chain and MITRE ATT&CK standards.
Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19424
Applying design system in cybersecurity dashboard development
This thesis evaluates the applicability of a particular Design System in the development of a dashboard that addresses the needs of cybersecurity teams. This work is motivated by the limited knowledge of the specific needs that a dashboard for cyber security products must meet and by the narrow understanding of the limitations and challenges that applying a design system to such a targeted system could encounter. The context of research, development and testing is the multinational Ericsson, which offers the opportunity to gain access not only to experts from Finland but worldwide.
The initial efforts were directed towards identifying and understanding the users, their needs and tasks, and the environment in which they operate. This qualitative data is obtained by performing a literature review on the state of the art and multiple interviews with experts from Security Operation Centres. After the requirements have been collected and by utilising the Design System, a design for the dashboard is presented and tested with experts.
The primary outcome of this thesis comes in the form of a user-centred methodology for the extraction of expert knowledge and its conversion into requirements. The proposed solution constitutes a baseline approach towards identifying the needs of professionals in an environment in which access to users is limited.
Measuring the performance of a Security Operations Centre (SOC) analyst: An industry-validated approach based on weighted SOC functions
Analysts who work in Security Operations Centres (SOCs) play a vital role in helping organisations protect their computer network systems against cyber attacks. It is the responsibility of an analyst to monitor, detect, investigate, and respond to cyber security incidents. It is essential, therefore, for analysts to maintain a high level of human performance because poor performance could negatively impact on the overall efficiency of a SOC.
To manage analysts effectively and efficiently, SOC managers use performance metrics to measure analysts' performance. However, the existing literature indicates that current metrics are inadequate because they overlook the key facets of analysts' work. The literature also reveals a lack of a systematic approach for measuring analysts' performance.
Despite these problems, there has been very little effort by cyber security researchers to improve performance measurement methods for analysts. This study proposes a widely applicable method (referred to as the Security Operations Centre Analyst Assessment Method (SOC-AAM)) for measuring the performance of an analyst using the Design Science Research Process (DSRP). The novelty of the proposed method is that it captures the most common and significant analysts' functions and has the potential to be adopted by SOCs worldwide. The proposed method simplifies the process of measuring analyst performance by consolidating existing assessment methods and providing a new formal method. Additionally, it provides a novel guideline for assessing the quality of incident analysis and the quality of incident reports.
The results of the empirical testing and evaluation of the SOC-AAM show that the SOC-AAM offers a useful, easy-to-use and comprehensive approach to measuring an analyst's performance. The SOC-AAM will facilitate SOC managers in overcoming the limitations of current performance metrics by offering a systematic method for measuring an analyst's performance. It would also help analysts to demonstrate their performance across a variety of functions.
Obstacles to the globalisation of corporate research and development in technologically underdeveloped countries
Over two decades, the globalisation of research and development (R&D) has become a subject of considerable academic interest. The majority of studies concerning it describe this phenomenon in developed countries. Little is known about it in technologically underdeveloped countries. No study has systematically identified the possible obstacles to the R&D globalisation process in these countries. This suggests that this research topic is a distinctive topic for study. This study takes Libya as an example of a technologically underdeveloped country and aims to investigate the obstacles to the R&D globalisation process in Libya. To achieve this aim and to fulfil the research objectives, the thesis utilises both qualitative and quantitative approaches. They were conducted through case studies of two transnational corporations (TNCs) working in Libya and an interview-based survey with three R&D-related managers located in their offices there. Additionally, a questionnaire-based survey was conducted on 30 R&D-related managers at 10 Libyan organisations. These methods are complemented by an archival analysis of several sources, related to both TNCs selected and the Libyan business environment.
GCC–EU Interregionalism: challenges, opportunities and future prospects
This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University London.
This thesis addresses the gap in the literature on the Gulf Cooperation Council and its distinct relations with the European Union by identifying the obstacles preventing the development of GCC–EU interregionalism, in two case studies: energy security and economic cooperation in the Mediterranean. By bringing an empirical application of interregionalism to the study of GCC–EU relations, the thesis draws an original comparison that is based on the Hettne and Söderbaum typology of regionness (2000) to determine the GCC's and the EU's types, levels of actorness and the subsequent type of interregionalism resulting from the interaction between their kinds. The theoretical construct of the thesis underlines interregionalism as a tool for consolidating the organisations' identities and actorness and increasing their capacities for exerting influence within the changing dynamics in the regional and global theatres. In addition, this thesis sheds light on the obstacles that impede the development of interregional cooperation and the mechanisms to overcome them. As such, the thesis considers the dynamics instigating the renewed interest in deepening GCC–EU interregional relations; outlines the tools available to the GCC and the EU; and highlights the implications of the Arab Spring and GCC–Asia ties on GCC–EU relations. By avoiding benchmarking the EU as a model, the thesis argues that cooperation in energy security is ongoing and is opening avenues for promising partnerships in renewables, energy sustainability and efficiency. On the other hand, the divergence in the organisations' levels of actorness, economic strategies and the unwillingness to assess policies are major hindrances to a successful partnership in the Mediterranean.
Asymmetries in actorness, bilateralism, the American influence and the growing GCC–Asia ties do impact the development of the relations; albeit, they do not impede the multilateral framework from producing unintended outcomes in other areas of the relations.
Saudi Arabian Ministry of Higher Education
Chinese foreign policy in the 'Going Out' era: confronting challenges and 'Adaptive Learning' in the case of China-Sudan and South Sudan Relations
This thesis seeks to understand change within China's foreign policy under a 'Going Out' strategy in Sudan and South Sudan between 1993 and 2013. China has traditionally viewed the Sudanese and African context more generally as having a wholly positive impact on its interests. However, in the Sudan case, the insertion of China's leading National Oil Company into the Sudanese political economy from the mid-1990s has meant that Sudan's internal situation has negatively affected China's interests and, in turn, impacted on its foreign policy.
Drawing from 'learning' theory within International Relations' sub-field of Foreign Policy Analysis, this thesis develops a concept of negative experiential 'adaptive learning' to explain change within this case study. It firstly argues that from 2005 China tactically adapted its foreign policy approach in response to challenges that emerged along the trajectory of engagement. Secondly, China's foreign policy implementing institutions collectively learnt the specific lesson that local conflict dynamics in the Sudans could negatively affect Chinese interests, and also learnt the limitations within China's foreign policy approach.
This research finds that throughout the period of change between 2005 and 2011, China's diplomacy remained predominantly reactive and defensive. However, since 2012 China began to develop a more assertive foreign policy approach vis-à-vis the long-term resolution of Sudanese conflicts. This has been underpinned by the gradual learning of broader lessons regarding China's traditional understanding of the nature of Sudanese conflicts and its peace and security role therein.
Overall, this thesis aims to provide an in-depth holistic analysis of the evolution of China's contemporary foreign policy towards Sudan and South Sudan. A specific contribution to the literature has been to develop the concept of 'adaptive learning', which can be utilised across other case studies to broaden our understanding of Chinese foreign policy towards Africa in the 'Going Out' era.