
Security Operations Center: A Framework for Automated Triage, Containment and Escalation

DOI: 10.4236/jis.2020.114015, PP. 225-240

Keywords: Security Operations Center, Triage, Containment, Escalation, Information Security


Abstract:

There have been many research efforts and studies aimed at improving the safety of critical infrastructures through the Security Operations Center (SOC). As part of these efforts, the purpose of this research is to propose a framework that automates the SOC's performance of triage, containment and escalation. The research relied on a qualitative desk review to collect data for analysis, deduced the strengths and weaknesses of current SOC implementations, and used these as the basis for the proposed framework. Given the constant evolution of SOC operations and capabilities, coupled with the huge volumes of data collected for analysis, an efficient framework for SOC operations is proposed. It consists of eight interactive stages that further build on a proposed algorithm for baselining, remediation and escalation. The result of this research is a proposed framework that serves as a unique contribution to enhancing the SOC's ability to automatically perform triage, containment and escalation. Complementing the similar and earlier work reviewed, the framework is proposed as the way forward to enable SOC setups to efficiently triage security threats, vulnerabilities and incidents, effectively contain identified breaches, and escalate appropriately for prompt and accurate resolution.

