A novel kill-chain framework for remote security log analysis with SIEM software

Network security investigations pose many challenges to security analysts attempting to identify the root cause of security alarms or incidents. Analysts are often presented with cases where either incomplete information is present, or an overwhelming amount of information is presented in a disorgan...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security 2017-06, Vol.67, p.198-210
Main Authors: Bryant, Blake D., Saiedian, Hossein
Format: Article
Language:English
Subjects:
Agglomeration
Alarm systems
Computer security
Cyber forensics
Cyber ontology
Cybersecurity
Data management
Forensic computing
Intrusion detection alerts
Kill-chains
Network security
Operating system audit logs
Relational data bases
Remote logging
Remote sensors
SIEM
Threat models
Citations: Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Network security investigations pose many challenges to security analysts attempting to identify the root cause of security alarms or incidents. Analysts are often presented with cases where either incomplete information is present, or an overwhelming amount of information is presented in a disorganized manner. Either scenario greatly impacts the ability for incident responders to properly identify and react to security incidents when they occur. The framework presented in this paper draws upon previous research pertaining to cyber threat modeling with kill-chains, as well as the practical application of threat modeling to forensic. Modifications were made to conventional kill-chain models to facilitate logical data aggregation within a relational database collecting data across disparate remote sensors resulting in more detailed alarms to security analysts. The framework developed in this paper proved effective in identifying the relationship of security alarms along a continuum of expected behaviors conducive to executing security investigations in a methodical manner. This framework effectively addressed incomplete or inadequate alarm information through aggregation, and provided a methodology for organizing related data and conducting standard investigations. Both improvements proved instrumental in the effective identification of security threats in a more expeditious manner.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2017.03.003