VSOC - A Virtual Security Operating Center

Security in virtualised environments is becoming increasingly important for institutions, not only for a firm’s own on-site servers and network but also for data and sites that are hosted in the cloud. Today, security is either handled globally by the cloud provider, or each customer needs to invest in its own security infrastructure. This paper proposes a Virtual Security Operation Center (VSOC) that allows to collect, analyse and visualize security related data from multiple sources. For instance, a user can forward log data from its firewalls, applications and routers in order to check for anomalies and other suspicious activities. The security analytics provided by the VSOC are comparable to those of commercial security incident and event management (SIEM) solutions, but are deployed as a cloud-based solution with the additional benefit of using big data processing tools to handle large volumes of data. This allows us to detect more complex attacks that cannot be detected with todays signature-based (i.e. rules) SIEM solutions

Harnessing Human Potential for Security Analytics

Humans are often considered the weakest link in cybersecurity. As a result, their potential has been continuously neglected. However, in recent years there is a contrasting development recognizing that humans can benefit the area of security analytics, especially in the case of security incidents that leave no technical traces. Therefore, the demand becomes apparent to see humans not only as a problem but also as part of the solution. In line with this shift in the perception of humans, the present dissertation pursues the research vision to evolve from a human-as-a-problem to a human-as-a-solution view in cybersecurity. A step in this direction is taken by exploring the research question of how humans can be integrated into security analytics to contribute to the improvement of the overall security posture. In addition to laying foundations in the field of security analytics, this question is approached from two directions. On the one hand, an approach in the context of the human-as-a-security-sensor paradigm is developed which harnesses the potential of security novices to detect security incidents while maintaining high data quality of human-provided information. On the other hand, contributions are made to better leverage the potential of security experts within a SOC. Besides elaborating the current state in research, a tool for determining the target state of a SOC in the form of a maturity model is developed. Based on this, the integration of security experts was improved by the innovative application of digital twins within SOCs. Accordingly, a framework is created that improves manual security analyses by simulating attacks within a digital twin. Furthermore, a cyber range was created, which offers a realistic training environment for security experts based on this digital twin