9 research outputs found

    Towards optimising the detection of sophisticated attacks in Security Operation Centres (SOCs)

    No full text
    The ever-increasing rate of sophisticated cyber-attacks and their subsequent impact on networks has remained a menace to the security community. Existing network security solutions, including those depending on machine learning algorithms, have proven inadequate in detecting sophisticated, multi-stage attacks. These solutions have often centred their detection on the identification of threats in individual network events, which sometimes look benign. Similarly, SOC analysts, whose role involves detecting advanced threats on a daily basis, are faced with a significant amount of false-positive alerts in their search for malicious threats using existing tools. In the course of our literature review, we identified two primary gaps in malware detection research. Many of the reviewed studies lacked expert input from SOC analysts and utilised features that are closely linked to the structure of the targeted malware as part of the detection model. We argue that this limits the ability to detect novel attacks, which occasionally are new variants of old malware. Our approach to malware detection is based on behavioural analytics of malicious network traffic; to achieve this, we carried out interviews with SOC analysts to identify common malware trends, malware behaviours, and SOC specifications for a malware detection tool. Our thematic analysis of the interview dataset provided significant insights into SOC operations and generated three broad themes, namely people, process and technology. The malware patterns identified during the interviews were analysed and converted to machine learning features, which in combination with other applicable features identified through reflection on the literature review provide a rich feature set. A total of 34 features, divided into instance-based and flow-based, were identified during this study. In this report, we present Detection-Response (DeTReS), a framework for detecting sophisticated attacks in SOC environments. DeTReS is made up of three main components, namely the Logging Module, the ML Clustering Engine, and the Malware Ensemble Engine. Its goal is to detect malware based on accurate correlation of network and application events (web proxy, DNS, firewall) while leveraging the intelligence of external reputation systems.

    Cyber supply chain risks in cloud computing - the effect of transparency on the risk assessment of SaaS applications

    No full text
    While the cloud model has many economic and functional advantages, the increased external interactions of cloud applications have expanded the complexity of its architectures and reshaped its supply chain. Due to the variety of parties involved in cloud service delivery and the high degree of supplier autonomy, assessing cloud risks has become a challenge. Also, the widespread application of traditional frameworks to cloud risk assessment has several shortcomings, including the subjectivity of risk evaluation and the inability to measure cyber risk in complex systems. Recognising that recent work on cloud risk assessment has focused on cloud consumer risks, we sought to address the cloud service provider (CSP) risk assessment challenge. This research began with an in-depth assessment of the literature on cloud risk assessment and supply chain transparency. We conducted surveys and semi-structured interviews to validate the transparency gap and establish its link with qualitative risk assessment methods. The results of the studies substantiated the need for more rigour in cloud risk assessments and provided evidence on how this can be improved with supply chain transparency. To address this gap, we proposed the Cyber Supply Chain Cloud Risk Assessment (CSCCRA) model, a quantitative and supply chain-inclusive model targeted at Software-as-a-Service (SaaS) CSPs. The model is made up of three main components, two of which are novel inclusions to cloud risk assessment, i.e. supply chain mapping and supplier security assessment. The CSCCRA model reflects the systems thinking approach, enabling CSPs to visualise information flow through the supply chain, assess supplier security posture, document assumptions regarding the risk factors, and appraise security controls. In evaluating the CSCCRA model, a three-step approach was adopted. First, the developed model was evaluated by the author and members of the academic community to ensure that it met our initial criteria. Second, the model was face-validated by cloud and risk experts within the industry. Third, we conducted three real-world case studies, using the model to assess the risks of SaaS providers. The results of these evaluations confirmed the usefulness and applicability of the model for assessing cloud provider risks. Also, the case study results and the subsequent development of the CSCCRA web application showed that a structured and systematic application of the proposed model within a SaaS organisation was capable of yielding objective and defensible results. The model demonstrated its utility by assisting stakeholders to quantify cloud risks, while also promoting cost-effective risk mitigation and optimal risk prioritisation. Overall, these results advance knowledge both for research and in practice, taking us one step further towards improving cloud risk assessment.

    Can improved transparency reduce supply chain risks in cloud computing?

    No full text
    As organisations move sensitive data to the cloud, their risk profile increases due to the integrated supply chain utilised in cloud computing. The risk is made visible in situations where a cloud offering is federated, with customer data located in multiple datacenters, under the control of multiple providers and sub-providers in different jurisdictions. This problem is further exacerbated by the disposition of cloud providers to keep details of suppliers, data location, architecture, and security of infrastructure confidential from the cloud customers. As such, the shallowness of transparency amongst cloud providers makes it difficult for customers to assess the risk of cloud adoption. In this study, we report on our research into finding out how much customers know about their supply chain. We evaluate the transparency of cloud providers based on their published information and determine the resultant risk of limited visibility of the supply chain. In the course of the research, we identified eight transparency features which, at a minimum, cloud providers should make available to their current or prospective customers, and which we argue have no adverse impact on the competitiveness or profitability of the provider. The study concludes that, ultimately, cloud supply chain transparency remains a customer-driven process.

    Cyber supply chain risks in cloud computing – bridging the risk assessment gap

    No full text
    Cloud computing represents a significant paradigm shift in the delivery of information technology (IT) services. The rapid growth of the cloud and the increasing security concerns associated with the delivery of cloud services have led many researchers to study cloud risks and risk assessments. Some of these studies highlight the inability of current risk assessments to cope with the dynamic nature of the cloud, a gap we believe is a result of the lack of consideration for the inherent risk of the supply chain. This paper, therefore, describes the cloud supply chain and investigates the effect of supply chain transparency on conducting a comprehensive risk assessment. We conducted an industry survey to gauge stakeholder awareness of supply chain risks, seeking to find out the risk assessment methods commonly used, the factors that hindered a comprehensive evaluation, and how the current state of the art can be improved. The analysis of the survey dataset showed the lack of flexibility of the popular qualitative assessment methods in coping with the risks associated with the dynamic supply chain of cloud services, typically made up of an average of eight suppliers. To address these gaps, we propose a Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, a quantitative risk assessment model supported by decision support analysis and supply chain mapping in the identification, analysis and evaluation of cloud risks.

    Current state of cloud computing risk assessment in Malaysian private sector

    Get PDF
    The potential benefits of cloud computing, such as flexibility and cost-effectiveness, have attracted many companies to use it. Nevertheless, security issues are still prominent in cloud computing. Measuring the security of cloud computing can be effectively implemented by performing cloud computing risk assessments. Since the traditional risk assessment method is no longer applicable to cloud computing, the most effective method of assessing cloud computing has become a debated issue among scholars. This study reveals the current state of cloud computing risk assessment conducted in the private sector in Malaysia. We performed semi-structured interview sessions with five private companies and highlighted the issues debated by scholars.