Security Information and Event Management (SIEM) systems are a fundamental component of the ubiquitous ICT infrastructures that form the backbone of our digital society. These systems are used to monitor large-scale complex environments by collecting, normalising, correlating...
Security Information and Event Management (SIEM) systems are a fundamental component of the ubiquitous ICT infrastructures that form the backbone of our digital society. These systems are used to monitor large-scale complex environments by collecting, normalising, correlating, and reporting events generated by security-related sensors (e.g., intrusion detection systems), protection devices (e.g., firewalls), and applications deployed in such environments. It is only through these systems that large organizations can hope to have a global understanding of the pervasive cybersecurity threats and related incidents affecting them.
The DiSIEM project aims to enhance existing SIEM systems with diversity-related technology, addressing many limitations that the solutions available in the market have. More specifically, the project wants to (1) enhance the quality of collected events by using a diverse set of sensors and novel application-based anomaly detectors, (2) collect and process relevant cybersecurity-related information from open-source intelligence data available on diverse sources from the internet (e.g., social networks, security feeds, forums, blogs, dark web) to increase the capacity of SIEMs to correlate internal events with external threat information, (3) create new ways for visualising the information collected in the SIEM and provide high-level security metrics and models for improving security-related decision processes, and (4) allow the use of multiple storage clouds for secure GDPR-compliant long-term archival of the events collected by the SIEM.
Given the high costs involved in the deployment of SIEM infrastructures, all these enhancements will be developed in a SIEM-independent way, as extensions to currently available systems, and will be validated through pilot deployments in three large-scale test and production environments provided by members of the consortium.
DiSIEM is a three-year project in which the first two years are dedicated to research and development of SIEM-enhancing components, and the last year is dedicated to the validation and continuous improvement of such components. During this first reporting period (M1-M18), the DiSIEM consortium focused on three fundamental tasks:
(1) An in-depth analysis of the state-of-the-art in SIEM technology and on the topics related with the project (e.g., machine learning and OSINT processing for security, diversity and security metrics, visual analytics for multi-dimensional data). This analysis lead to the selection of four initial target SIEMs for integrating the components devised in the project: AcSight, Splunk, XL-SIEM, Elastic Stack;
(2) The definition of a reference architecture for the project, which includes the organization of the work in nine components that will be integrated in four different SIEMs. These components are aligned with all objectives of the project and are expected to represent significant innovations when compared with the state-of-the-art in SIEMs and related technology;
(3) design, implementation, and preliminary evaluation of the components. These results were reported in the technical deliverables produced during this period, and in some papers (published, under submission or under preparation).
DiSIEM preliminary results indicate that the project contributions can substantially improve the capacity of Security Operating Centres and other SIEM operators to uncover, analyse and report threats and risks against their managed ICT infrastructures. Some highlights are (1) a multi-level risk metric that uses incident and asset information targeting C-level management of cybersecurity, (2) mathematically-sound methods for assessing and predicting the benefits of using diverse defence-in-depth techniques through the use of different redundant sensors, (3) machine learning pipelines for processing cybersecurity-related tweets and other OSINT data and generation of indicators of compromise to be feed to SIEMs and other threat intelligence systems, (4) visual analytics methods and tools for user behaviour analysis, (5) new sensors for anomaly and fraud detection in complex applications and networked services, (6) low-cost algorithms for indexing SIEM data archived in the cloud, among other results.
These results can be applied transversally in any area of the society for which security monitoring is an important task, from the public sector to the SMEs. Nonetheless, they are particularly relevant to large organizations controlling complex ICT infrastructures that are appealing high-value targets for cybersecurity attacks (e.g., critical infrastructures operators such as EDP, large service providers such as Amadeus). Such organizations are already SIEM users in an unending race with potential attackers to keep up to date about existing threats and vulnerabilities in their infrastructures. The DiSIEM components can help them.
More info: http://disiem-project.eu.