Harnessing Human Potential for Security Analytics

Humans are often considered the weakest link in cybersecurity. As a result, their potential has been continuously neglected. However, in recent years there is a contrasting development recognizing that humans can benefit the area of security analytics, especially in the case of security incidents that leave no technical traces. Therefore, the demand becomes apparent to see humans not only as a problem but also as part of the solution. In line with this shift in the perception of humans, the present dissertation pursues the research vision to evolve from a human-as-a-problem to a human-as-a-solution view in cybersecurity. A step in this direction is taken by exploring the research question of how humans can be integrated into security analytics to contribute to the improvement of the overall security posture. In addition to laying foundations in the field of security analytics, this question is approached from two directions. On the one hand, an approach in the context of the human-as-a-security-sensor paradigm is developed which harnesses the potential of security novices to detect security incidents while maintaining high data quality of human-provided information. On the other hand, contributions are made to better leverage the potential of security experts within a SOC. Besides elaborating the current state in research, a tool for determining the target state of a SOC in the form of a maturity model is developed. Based on this, the integration of security experts was improved by the innovative application of digital twins within SOCs. Accordingly, a framework is created that improves manual security analyses by simulating attacks within a digital twin. Furthermore, a cyber range was created, which offers a realistic training environment for security experts based on this digital twin

A Security Information and Event Management Pattern

In order to achieve a high level of cyber security awareness most mid to large sized companies use Security Information and Event Management (SIEM) embedded into a Security Operations Center. These systems enable the centralized collection and analysis of security relevant information generated by a variety of different systems, to detect advanced threats and to improve reaction time in case of an incident. In this paper, we derive a generic SIEM pattern by analyzing already existing tools on the market, among additional information. Thereby, we adhere to a bottom-up process for pattern identification and authoring. This article can serve as a foundation to understand SIEM in general and support developers of existing or new SIEM systems to increase reusability by defining and identifying general software modules inherent in SIEM

BISCUIT - Blockchain Security Incident Reporting based on Human Observations

Security incidents in blockchain-based systems are frequent nowadays, which calls for more structured efforts in incident reporting and response. To improve the current status quo of reporting incidents on blogs and social media, we propose a decentralized incident reporting and discussion system. Our approach guides users (security novices) towards a classification of their observations using a tiered taxonomy of blockchain incidents. Questions based on previous incidents interactively support the classification. Post submission a security incident response committee then discusses these observations on our decentralized platform to decide on an appropriate response. For evaluation, we implement our model as a decentralized application and demonstrate its practical suitability in a preliminary user study

Train as you Fight: Evaluating Authentic Cybersecurity Training in Cyber Ranges

Humans can play a decisive role in detecting and mitigating cyber attacks if they possess sufficient cybersecurity skills and knowledge. Realizing this potential requires effective cybersecurity training. Cyber range exercises (CRXs) represent a novel form of cybersecurity training in which trainees can experience realistic cyber attacks in authentic environments. Although evaluation is undeniably essential for any learning environment, it has been widely neglected in CRX research. Addressing this issue, we propose a taxonomy-based framework to facilitate a comprehensive and structured evaluation of CRXs. To demonstrate the applicability and potential of the framework, we instantiate it to evaluate Iceberg CRX, a training we recently developed to improve cybersecurity education at our university. For this matter, we conducted a user study with 50 students to identify both strengths and weaknesses of the CRX

Formalizing and Integrating User Knowledge into Security Analytics

The Internet-of-Things and ubiquitous cyber-physical systems increase the attack surface for cyber-physical attacks. They exploit technical vulnerabilities and human weaknesses to wreak havoc on organizations’ information systems, physical machines, or even humans. Taking a stand against these multi-dimensional attacks requires automated measures to be com- bined with people as their knowledge has proven critical for security analytics. However, there is no uniform understanding of information security knowledge and its integration into security analytics activities. With this work, we structure and formalize the crucial notions of knowledge that we deem essential for holistic security analytics. A corresponding knowledge model is established based on the Incident Detection Lifecycle, which summarizes the security analytics activities. This idea of knowledge-based security analytics highlights a dichotomy in security analytics. Security experts can operate security mechanisms and thus contribute their knowledge. However, security novices often cannot operate security mechanisms and, therefore, cannot make their highly-specialized domain knowledge available for security analytics. This results in several severe knowledge gaps. We present a research prototype that shows how several of these knowledge gaps can be overcome by simplifying the interaction with automated security analytics techniques

Improving Cybersecurity Skill Development through Visual Programming

Purpose: Cybersecurity training plays a decisive role in overcoming the global shortage of cybersecurity experts and the risks this shortage poses to organizations' assets. Seeking to make the training of those experts as efficacious and efficient as possible, this study investigates the potential of visual programming languages (VPLs) for training in cyber ranges. For this matter, the VPL Blockly was integrated into an existing cyber range training to facilitate learning a code-based cybersecurity task, namely, creating code-based correlation rules for a security information and event management (SIEM) system. Design/methodology/approach: To evaluate the VPL’s effect on the cyber range training, the authors conducted a user study as a randomized controlled trial with 30 participants. In this study, the authors compared skill development of participants creating SIEM rules using Blockly (experimental group) with participants using a textual programming approach (control group) to create the rules. Findings: This study indicates that using a VPL in a cybersecurity training can improve the participants' perceived learning experience compared to the control group while providing equally good learning outcomes. Originality/value: The originality of this work lies in studying the effect of using a VPL to learn a code-based cybersecurity task. Investigating this effect in comparison with the conventional textual syntax through a randomized controlled trial has not been investigated yet

Introducing DINGfest: An architecture for next generation SIEM systems

Isolated and easily protectable IT systems have developed into fragile and complex structures over the past years. These systems host manifold, flexible and highly connected applications, mainly in virtual environments. To ensure protection of those infrastructures, Security Incident and Event Management (SIEM) systems have been deployed. Such systems, however, suffer from many shortcomings such as lack of mechanisms for forensic readiness. In this extended abstract, we identify these shortcomings and propose an architecture which addresses them. It is developed within the DINGfest project, on which we report and for which we seek initial feedback from the community

Security Operations Center (SOC)

The Security Operations Center represents an organizational aspect of a security strategy in an enterprise by joining processes, technologies, and people (Madani et al. 2011; Schinagl et al. 2015). It is usually not seen as a single entity or system but rather as a complex structure to manage and enhance an organization’s overall security posture. Therefore, it creates situational awareness, mitigates the exposed risks, and helps to fulfill regulatory requirements (Kelley and Moritz 2006). It integrates, monitors, and analyzes all security-relevant systems and events in an organizational unit. Additionally, it provides governance and compliance as a framework in which people operate and to which processes and technologies are tailored. To realize the technical side of security operations, SOCs commonly employ, among others, SIEM systems as central tools

Security Information and Event Management (SIEM)

Security Information and Event Management is responsible for collecting security-relevant data in a centralized manner to detect threats or incidents. Thereby, it provided security analytics capabilities in real time or historically on past events by correlating multiple log events. Further functionalities are enrichment with context data, normalization of heterogeneous data sources, reporting, alerting, and automatic incident response capabilities. To enable the exchange of threat information, it provides a connection to cyber threat intelligence exchange platforms, and human security analysts are involved by offering visual security analytics capabilities. Additionally, SIEM provides log management capabilities by long-term storage of event data

CTI-SOC2M2 – The quest for mature, intelligence-driven security operations and incident response capabilities

Threats, cyber attacks, and security incidents pertain to organizations of all types. Everyday information security is essentially defined by the maturity of security operations and incident response capabilities. However, focusing on internal information only has proven insufficient in an ever-changing threat landscape. Cyber threat intelligence (CTI) and its sharing are deemed necessary to cope with advanced threats and strongly influence security capabilities. Therefore, in this work, we develop CTI-SOC2M2, a capability maturity model that uses the degree of CTI integration as a proxy for SOC service maturity. In the course, we examine existing maturity models in the domains of Security Operations Centers (SOCs), incident response, and CTI. In search of adequate maturity assessment, we show threat intelligence dependencies through applicable data formats. As the systematic development of maturity models demands, our mixed methodology approach contributes a new in-depth analysis of intelligence-driven security operations. The resulting CTI-SOC2M2 model contains CTI formats, SOC services and is complemented with an evaluation through expert interviews. A prototypical, tool-based implementation is aimed to document steps towards the model’s practical application