Automated Interpretation and Integration of
Security Tools Using Semantic Knowledge
Authors: Chadni Islam, M. Ali Babar, and Surya Nepal
CREST Research Centre, University of Adelaide, Adelaide, Australia
Data61, CSIRO, Australia
31st International Conference on
Advanced Information Systems
Engineering
Islam C., Babar M.A., Nepal S. (2019) Automated Interpretation and Integration of Security Tools Using
Semantic Knowledge. In: Giorgini P., Weber B. (eds) Advanced Information Systems Engineering. CAiSE
2019. Lecture Notes in Computer Science, vol 11483. Springer, Cham
Outline
Introduction
Challenges
Research Aim
Proposed Solution
Evaluation
Experiment and Results
Limitations
Future Work
CREST Centre | University of Adelaide 2
Security Orchestration
“Security Orchestration is the planning, integration,
cooperation, and coordination of the activities of security
systems and experts to produce and automate required
actions in response to any security incident across multiple
technology paradigms.”
Figure labels: Integration, Orchestration, Automation
Introduction
Figure: the Security Operation Centre monitors and analyses the organization's security tools (Firewall, Intrusion Detection System (IDS), Endpoint Detection and Response (EDR)); SOC activities shown: Detect and Prevent, Integrate, Analyze, Validate, Plan, Monitor and Analyze. Legend: S = Security Tool, A = Assets, AC = Activity, I = Security Incident (I1, I2).
Automated Interpretation and Integration of Security Tools Using Semantic Knowledge| CAiSE 2019 4
The Security Operation Centre (SOC) of an organization uses a variety of security tools, developed by different vendors, to protect the organization's information and communication technology and business applications.
The SOC is expected to monitor and analyse the activities of these security tools (validating alerts, correlating logs, removing malware) in order to respond to an incident. This continuous process of monitoring and analysing security activities is time consuming, tedious and repetitive.
Figure: a security orchestration platform sits between the Security Operation Centre and the organization's security tools (Firewall, Intrusion Detection System (IDS), Endpoint Detection and Response (EDR), Search) and executes the tasks of an incident response plan. Legend: S = Security Tool, A = Assets, AC = Activity, I = Security Incident (I1, I2), t = Task, IRP = Incident Response Plan.
In recent years most SOCs have adopted a security orchestration platform to orchestrate the activities of their security tools and to automate the repetitive tasks that human experts used to perform manually.
Emerging threat behaviours and variations in an organization's infrastructure force experts to change the deployment and execution environment of the security orchestration platform, for example by integrating new tools, updating tool capabilities or modifying IRPs.
Organizations' Plans to Respond to a Security Incident
Example of an Incident Response Plan (IRP) for a Phishing Attack
#    Response Task                           Activity
ac1  Is this a phishing attack?              Determine whether this is a phishing attack. In the task, select Yes or No in the outcome.
ac2  Scan endpoint – malware found?          After running a scan, determine whether malware was found. In the task, select Yes or No in the outcome.
ac3  Remove malware – success?               Determine whether the malware was successfully removed. In the task, select Yes or No in the outcome.
ac4  Wipe and reimage                        If you did not successfully remove the malware found, this task instructs you to perform a wipe and reimage on the computers infected with the malware.
ac5  Update email protection software        If it was determined that this is a phishing attack, you are prompted to update your email protection software accordingly.
ac6  Remove unread phishing email in queue   Perform the steps necessary to remove the phishing email still in the queue for all of your users.
A SOC does not follow any specific structure when defining the activities of an IRP. To automate the execution of an IRP's activities, a security orchestration platform has to deal with different tools that are not interoperable.
For example, executing activity ac1 may require a threat intelligence platform such as MISP, which the security orchestration platform uses to validate an incident. Executing ac2 may require an EDR tool to scan the endpoint and a SIEM to identify the malware from the EDR logs.
Challenges
• A security orchestration platform is not adaptable to changes in its execution environment.
• Diverse nature of the data generated and ingested by security tools
• Lack of interpretability of the generated data
• Lack of interoperability
Integration of the security tools is one of the most challenging tasks of a SOC.
Research Aim
Automated Interpretation and
Integration of Security Tools in a
Security Orchestration Platform
Proposed Solution (1/4)
• Formalize, in an ontology, the core concepts of a security orchestration platform that are required to automate the execution of an IRP.
• Follow a systematic set of guidelines to define the classes of the ontology and the relationships among them.
• A prediction module that automatically classifies activities from their text descriptions according to the ontology.
• An interoperability model that selects the set of tools whose capabilities best suit the execution of an IRP.
Proposed Solution (2/4)
Ontological Model to enable Semantic Integration
The proposed ontology contains three main classes, defined to formally represent heterogeneous security tools.
We define the categories of activities as subclasses of the Activity class. The activities are associated with the detection, prevention, recovery and remediation actions for a defined threat.
Example: deriving the class of ac1 from its part-of-speech tags
ac1: Is (Verb) this (Det) a (Det) phishing (Verb) Attack (Noun) ? (Punc)
  -> Is (Validate) Phishing Attack
Subclass hierarchy: Validate -> ValidatePhishing -> ValidatePhishingEmail
We follow a systematic set of guidelines to define the subclasses of the Activity class manually.
Proposed Solution (3/4)
Classification of Activities based on Text Similarity
Prediction Module
Model building (training):
Dataset -> Text preprocessing -> Data splitting -> N-gram generation -> Feature transformation -> Model training and evaluation -> Model selection based on K-fold cross validation -> Optimal classifier (trained model and feature model)
• Text preprocessing: part-of-speech tagging; removal of null values, punctuation, stop words and meaningless words
• Model training and evaluation: four classifiers; evaluation metrics: accuracy, recall, precision, F1-score
Prediction:
New activity description -> Text preprocessing -> Feature transformation (using the feature model) -> Classification of the activity description (using the trained model) -> Activity class from the ontology
The prediction module reduces the manual analysis of activity descriptions by classifying each activity according to the ontology.
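The following Python sketch is an added worked example, not the authors' code: it mirrors the training and prediction pipeline above on a constructed nine-description dataset shaped like the three rows of the ServiceNow data shown in the experiments, with text preprocessing (punctuation and stop-word removal; the part-of-speech tagging step on the slide is omitted because the standard library has no tagger), n-gram generation, bag-of-n-gram features, a hand-rolled multinomial Naive Bayes classifier (one of the four classifier families the slides name), selection of the n-gram range by K-fold cross validation, and one classifier per ontology level. The training sentences, the stop-word list and the class names beyond the three on the slides are assumptions.

```python
"""Hierarchical classification of IRP activity descriptions.

Added illustration, not the authors' code. Mirrors the slide's pipeline:
text preprocessing -> n-gram generation -> feature transformation ->
model training -> model selection by K-fold cross validation -> prediction
of Level 1/2/3 ontology classes for a new activity description.
"""
import math
import re
from collections import Counter

# Constructed training set shaped like the crawled ServiceNow descriptions;
# labels use the three-level naming from the dataset slide. Ordered by class
# so that the i % k fold split below is stratified.
DATASET = [
    ("Scan endpoint to see whether malware was found", ("Scan", "ScanEndpoint", "ScanEndpointMalware")),
    ("Run a scan on the endpoint and check for malware", ("Scan", "ScanEndpoint", "ScanEndpointMalware")),
    ("Scan the infected host for malware", ("Scan", "ScanEndpoint", "ScanEndpointMalware")),
    ("Is this a phishing email", ("Validate", "ValidatePhishing", "ValidatePhishingEmail")),
    ("Determine if this is a phishing attack", ("Validate", "ValidatePhishing", "ValidatePhishingEmail")),
    ("Validate whether the reported email is phishing", ("Validate", "ValidatePhishing", "ValidatePhishingEmail")),
    ("Isolate the malicious node from the network", ("Isolate", "IsolateMalicious", "IsolateMaliciousNode")),
    ("Isolate the compromised host from the network", ("Isolate", "IsolateMalicious", "IsolateMaliciousNode")),
    ("Disconnect and isolate the malicious node", ("Isolate", "IsolateMalicious", "IsolateMaliciousNode")),
]

# Assumed stop-word list; the slide additionally drops null values and "meaningless words".
STOP_WORDS = {"a", "an", "the", "this", "is", "to", "if", "whether", "was",
              "and", "from", "on", "for", "in", "of"}


def preprocess(text):
    """Lowercase, strip punctuation and drop stop words (POS tagging omitted)."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOP_WORDS]


def ngrams(tokens, n_max):
    """Unigrams up to n_max-grams as strings, so they can be counted as features."""
    return [" ".join(tokens[i:i + n])
            for n in range(1, n_max + 1) for i in range(len(tokens) - n + 1)]


class NaiveBayes:
    """Multinomial Naive Bayes with Laplace smoothing over bag-of-n-gram counts."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, docs, labels):
        self.classes = sorted(set(labels))
        self.prior = {c: math.log(labels.count(c) / len(labels)) for c in self.classes}
        self.counts = {c: Counter() for c in self.classes}
        for feats, c in zip(docs, labels):
            self.counts[c].update(feats)
        self.vocab_size = len({f for feats in docs for f in feats})
        self.total = {c: sum(self.counts[c].values()) for c in self.classes}
        return self

    def predict(self, feats):
        def log_posterior(c):
            denom = self.total[c] + self.alpha * self.vocab_size
            return self.prior[c] + sum(
                math.log((self.counts[c][f] + self.alpha) / denom) for f in feats)
        return max(self.classes, key=log_posterior)


def featurize(dataset, n_max):
    """Feature transformation: every description becomes its list of n-grams."""
    return [ngrams(preprocess(text), n_max) for text, _ in dataset]


def kfold_accuracy(dataset, level, n_max, k=3):
    """K-fold cross-validation accuracy for one ontology level and n-gram range."""
    docs = featurize(dataset, n_max)
    labels = [lab[level] for _, lab in dataset]
    correct = 0
    for fold in range(k):
        train = [i for i in range(len(dataset)) if i % k != fold]
        test = [i for i in range(len(dataset)) if i % k == fold]
        model = NaiveBayes().fit([docs[i] for i in train], [labels[i] for i in train])
        correct += sum(model.predict(docs[i]) == labels[i] for i in test)
    return correct / len(dataset)


def select_ngram_config(dataset, level, candidates=(1, 2, 3)):
    """Model selection: keep the n-gram range with the best cross-validated accuracy."""
    return max(candidates, key=lambda n: kfold_accuracy(dataset, level, n))


def train_hierarchy(dataset):
    """One (n_max, classifier) pair per level, each retrained on the whole dataset."""
    models = {}
    for level in range(3):
        n_max = select_ngram_config(dataset, level)
        labels = [lab[level] for _, lab in dataset]
        models[level] = (n_max, NaiveBayes().fit(featurize(dataset, n_max), labels))
    return models


def classify(models, text):
    """Predict the Level 1, Level 2 and Level 3 ontology classes of a new description."""
    return tuple(model.predict(ngrams(preprocess(text), n_max))
                 for n_max, model in (models[lvl] for lvl in range(3)))


if __name__ == "__main__":
    trained = train_hierarchy(DATASET)
    print(classify(trained, "Scan the endpoint and report if malware is present"))
```

One classifier per level keeps the three predictions independent, as on the slide; on real data a consistency check that the Level 3 class is a subclass of the predicted Level 2 class is the natural next step before the activity is handed to the interoperability model.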
Proposed Solution (4/4)
An Interoperability Model to Select the Security Tools to Automate the Sequence of Activities in an Incident Response Plan
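The slides do not preserve the figures of the interoperability model, so the following Python example is an added illustration of the idea rather than the paper's model: each tool declares capabilities named after ontology activity classes, together with the data type each consumes and produces; an IRP is an ordered list of activity classes; the selector searches for one tool per activity such that every step's input is available from the incident record or from an earlier step, prefers the plan with the fewest distinct tools, and otherwise reports the first activity that blocks automation (such as ac4, "Wipe and reimage", for which no tool offers a capability). The seven tool names are taken from the evaluation slide; every capability, data type and IRP below is constructed for the example.

```python
"""Capability-based selection of interoperable tools for an IRP.

Added illustration, not the paper's interoperability model. Tools declare
capabilities named after ontology activity classes; each capability consumes
one data type and produces another. A plan is feasible when every step's
input is available from the incident record or from an earlier step.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    activity: str   # ontology activity class, e.g. "ScanEndpointMalware"
    consumes: str   # data type required as input
    produces: str   # data type emitted as output


# Constructed capability declarations for the seven tools named on the
# evaluation slide. The activities and data types are assumptions.
TOOLS = {
    "MISP": [Capability("ValidatePhishingEmail", "email_indicator", "verdict")],
    "LimaCharlie": [
        Capability("ScanEndpointMalware", "host", "scan_report"),
        Capability("IsolateMaliciousNode", "host", "isolation_status"),
        Capability("RemoveMalware", "malware_indicator", "removal_status"),
    ],
    "Microsoft Security Essentials": [
        Capability("ScanEndpointMalware", "host", "scan_report"),
        Capability("RemoveMalware", "malware_indicator", "removal_status"),
    ],
    "Splunk": [
        Capability("IdentifyMalware", "scan_report", "malware_indicator"),
        Capability("CorrelateLog", "alert", "incident"),
    ],
    "Snort": [Capability("DetectIntrusion", "packet_capture", "alert")],
    "WinPcap": [Capability("CapturePacket", "interface", "packet_capture")],
    "Wireshark": [Capability("AnalyzePacket", "packet_capture", "flow_summary")],
}


def candidates(activity):
    """All (tool, capability) pairs that implement an ontology activity class."""
    return [(tool, cap) for tool, caps in TOOLS.items()
            for cap in caps if cap.activity == activity]


def select_tools(irp, incident_data):
    """Pick one tool per IRP activity so that data flows between the steps.

    Depth-first search over the candidate tools of each activity; a branch is
    pruned as soon as a capability's input type is not yet available. Among
    feasible plans the one using the fewest distinct tools (fewest
    integrations) wins. Returns (plan, None) or (None, reason), where reason
    names the first activity that blocked automation.
    """
    best = {"plan": None, "n_tools": None}
    deepest = {"step": -1, "reason": None}

    def note_failure(step, reason):
        if step > deepest["step"]:
            deepest.update(step=step, reason=reason)

    def dfs(step, available, chosen):
        if step == len(irp):
            n_tools = len({tool for _, tool in chosen})
            if best["n_tools"] is None or n_tools < best["n_tools"]:
                best.update(plan=list(chosen), n_tools=n_tools)
            return
        activity = irp[step]
        cands = candidates(activity)
        if not cands:
            note_failure(step, f"no tool provides {activity}")
            return
        for tool, cap in cands:
            if cap.consumes not in available:
                note_failure(step, f"{tool} needs '{cap.consumes}' for {activity}, "
                                   "which no earlier step produces")
                continue
            chosen.append((activity, tool))
            dfs(step + 1, available | {cap.produces}, chosen)
            chosen.pop()

    dfs(0, set(incident_data), [])
    if best["plan"] is None:
        return None, deepest["reason"]
    return best["plan"], None


if __name__ == "__main__":
    # Phishing IRP from the slides, mapped to ontology classes; the incident
    # record carries the suspicious email's indicators and the affected host.
    phishing_irp = ["ValidatePhishingEmail", "ScanEndpointMalware",
                    "IdentifyMalware", "RemoveMalware"]
    print(select_tools(phishing_irp, {"email_indicator", "host"}))
    # ac4 "Wipe and reimage" has no tool capability: the IRP cannot be fully automated.
    print(select_tools(phishing_irp + ["WipeAndReimage"], {"email_indicator", "host"}))
```

The failure path matters in practice: an orchestration platform that silently skips an activity it cannot execute leaves a gap in the response, so the selector names the blocking step instead of returning a partial plan.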
Evaluation
How feasible is the proposed
prediction module and
interoperability model?
Experiments and Results (1/3)
Preparing the Dataset for the Prediction Module
Dataset: 1080 activity descriptions crawled from https://docs.servicenow.com/
Activity Description                             Level 1   Level 2           Level 3
Scan endpoint to see whether malware was found   Scan      ScanEndpoint      ScanEndpointMalware
Is this a phishing email                         Validate  ValidatePhishing  ValidatePhishingEmail
Isolate the malicious node from the network      Isolate   IsolateMalicious  IsolateMaliciousNode
• 34 categories under Level 1
• 67 categories under Level 2
• 74 categories under Level 3
Experiments and Results (2/3)
Implementing the Prediction Module
Validated weighted-average F1-score for the optimal configuration of each classifier: SVM (Support Vector Machine), RF (Random Forest), NB (Naïve Bayes), LR (Logistic Regression)
Classifier  Level 1  Level 2  Level 3
SVM         0.926    0.909    0.865
RF          0.93     0.911    0.869
NB          0.833    0.817    0.792
LR          0.918    0.905    0.864
Testing results of Random Forest for the three levels of classes
Metric      Level 1  Level 2  Level 3
Accuracy    0.96     0.94     0.9
Precision   0.97     0.93     0.87
Recall      0.96     0.94     0.9
F1-score    0.96     0.93     0.88
Experiments and Results (3/3)
Developing the Interoperability Model
• Seven security solutions: Snort, Splunk, LimaCharlie, Wireshark, WinPcap, Microsoft Security Essentials, MISP
• 21 different capabilities
• Nine incident response plans with 17 activities
• Success rate around 90%
Limitations
• The ontology is developed from the capabilities and activities of freely available and open-source security tools.
• The selected optimal classifiers may not deliver the highest performance when classifying new and updated activity descriptions.
Future Work
• Use the semantic definition of the tools' capabilities to auto-create the APIs when new security tools with new capabilities are integrated.
• Design a probabilistic model for selecting and integrating security tools.
Key Takeaways
• An ontological model that formalizes the security tools, their capabilities and the activities of an Incident Response Plan (IRP).
• A learning-based prediction module that automatically assigns classes to new activities according to the ontology.
• An interoperability model that selects the required, interoperable security tools for the automatic execution of an IRP.
References
• Chadni Islam, Muhammad Ali Babar and Surya Nepal. "Automated Interpretation and Integration of Security Tools Using Semantic Knowledge". 31st International Conference on Advanced Information Systems Engineering (CAiSE 2019), Rome, Italy, 3-7 June 2019.
• Chadni Islam, Muhammad Ali Babar and Surya Nepal. "A Multi-Vocal Review of Security Orchestration". ACM Computing Surveys, Vol. 52, Issue 2, Article 37 (April 2019), 45 pages. DOI: https://doi.org/10.1145/3305268
• Chadni Islam, Muhammad Ali Babar and Surya Nepal. "An Ontology-Driven Approach to Automate the Process of Integrating Security Software Systems". International Conference on Software and Systems Process (ICSSP 2019), Montreal, Canada, 2019.
• https://www.securityweek.com/cost-data-breach-uk-increases-more-41-two-years
• https://www.ibm.com/downloads/cas/861MNWN2
• https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
• https://bricata.com/blog/cybersecurity-alert-deluge
Questions?

Chadni Islam
CREST Centre, School of Computer Science, University of Adelaide, Australia
CSIRO's Data61, Australia
https://crest-centre.net/
https://research.csiro.au/distributed-systems-security/
Twitter: @_chadni_
Email: chadni19@gmail.com, chadni.islam@Adelaide.edu.au

M. Ali Babar
CREST Centre, School of Computer Science, University of Adelaide, Australia
https://crest-centre.net/
Twitter: @alibabar
Email: ali.babar@adelaide.edu.au

Surya Nepal
CSIRO's Data61, Australia
https://research.csiro.au/distributed-systems-security/
Email: surya.Nepal@data61.csrio.au
Machine learning in network security using knime analytics
 
Articles - International Journal of Network Security & Its Applications (IJNSA)
Articles - International Journal of Network Security & Its Applications (IJNSA)Articles - International Journal of Network Security & Its Applications (IJNSA)
Articles - International Journal of Network Security & Its Applications (IJNSA)
 
MACHINE LEARNING IN NETWORK SECURITY USING KNIME ANALYTICS
MACHINE LEARNING IN NETWORK SECURITY USING KNIME ANALYTICSMACHINE LEARNING IN NETWORK SECURITY USING KNIME ANALYTICS
MACHINE LEARNING IN NETWORK SECURITY USING KNIME ANALYTICS
 
Malware analysis on android using supervised machine learning techniques
Malware analysis on android using supervised machine learning techniquesMalware analysis on android using supervised machine learning techniques
Malware analysis on android using supervised machine learning techniques
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
 
IRJET- Improving Cyber Security using Artificial Intelligence
IRJET- Improving Cyber Security using Artificial IntelligenceIRJET- Improving Cyber Security using Artificial Intelligence
IRJET- Improving Cyber Security using Artificial Intelligence
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Automated Security Tool Integration

  • 1. Automated Interpretation and Integration of Security Tools Using Semantic Knowledge. Authors: Chadni Islam, M. Ali Babar, and Surya Nepal. CREST Research Centre, University of Adelaide, Adelaide, Australia; Data61, CSIRO, Australia. 31st International Conference on Advanced Information Systems Engineering. Citation: Islam C., Babar M.A., Nepal S. (2019) Automated Interpretation and Integration of Security Tools Using Semantic Knowledge. In: Giorgini P., Weber B. (eds) Advanced Information Systems Engineering. CAiSE 2019. Lecture Notes in Computer Science, vol 11483. Springer, Cham.
  • 2. Outline: Introduction; Challenges; Research Aim; Proposed Solution; Evaluation; Experiment and Results; Limitations; Future Work. CREST Centre | University of Adelaide 2
  • 3. Security Orchestration. “Security Orchestration is the planning, integration, cooperation, and coordination of the activities of security systems and experts to produce and automate required actions in response to any security incident across multiple technology paradigms.” Figure labels: Integration, Orchestration, Automation.
  • 4. Introduction. [Figure: an organization's assets (A) protected by security tools (S: Firewall, Intrusion Detection System (IDS), Endpoint Detection and Response (EDR)); security incidents I1 and I2; activities (AC); the Security Operation Centre detects and prevents, integrates, analyzes, validates, plans, and monitors and analyzes.] The Security Operation Centre (SOC) of an organization uses a variety of security tools, developed by different vendors, to protect the organization's information and communication technology and business applications. Automated Interpretation and Integration of Security Tools Using Semantic Knowledge | CAiSE 2019 4
  • 5. Introduction. [Same figure as slide 4.] The SOC is expected to monitor and analyse the activities of these security tools (validate alerts, correlate logs and remove malware) in order to respond to an incident. This continuous process of monitoring and analysing the security activities is time consuming, tedious and repetitive.
  • 6. Introduction. [Figure: the Security Orchestration Platform sits between the organization's assets (A), security tools (S: Firewall, IDS, EDR, Search), activities (AC), incidents (I1, I2), tasks (t) and the incident response plan (IRP).] In recent years most SOCs use a security orchestration platform to orchestrate the activities of security tools and to automate the repetitive tasks that human experts used to perform manually.
  • 7. Introduction. [Same figure as slide 6.] Emerging threat behaviours and variation in organization infrastructure cause experts to change the deployment and execution environment of a security orchestration platform, for example by integrating new tools, updating tool capabilities or modifying the IRP.
  • 8. Organization's Plan to Respond to a Security Incident. Example of an Incident Response Plan (IRP) for a phishing attack:
    # | Response Task | Activity
    ac1 | Is this a phishing attack? | Determine if this is a phishing attack. In the task, select yes or no in the outcome.
    ac2 | Scan endpoint – malware found? | After running a scan, determine whether malware was found. In the task, select yes or no in the outcome.
    ac3 | Remove malware – success? | Determine whether the malware was successfully removed. In the task, select yes or no in the outcome.
    ac4 | Wipe and reimage | If you did not successfully remove the malware found, this task instructs you to perform a wipe and reimage on the computers infected with the malware.
    ac5 | Update email protection software | If it was determined that this is a phishing attack, you are prompted to update your email protection software accordingly.
    ac6 | Remove unread phishing email in queue | Perform the steps necessary to remove the phishing email still in the queue for all of your users.
  • 9. Organization's Plan to Respond to a Security Incident. [Same IRP table as slide 8.] A SOC does not follow any specific structure when defining the activities of an IRP. To automate the execution of an IRP's activities, a security orchestration platform needs to deal with different tools that are not interoperable.
  • 10. Organization's Plan to Respond to a Security Incident. [Same IRP table as slide 8.] For example, execution of activity ac1 may require a threat intelligence platform such as MISP; a security orchestration platform uses MISP to validate an incident. The execution of ac2 may require an EDR tool to scan the endpoint and a SIEM to identify the malware from the EDR logs.
  • 11. Challenges. A security orchestration platform is not adaptable to changes in its execution environment. Integration of the security tools is one of the most challenging tasks of a SOC, because of: the diverse nature of the data generated and ingested by security tools; the lack of interpretability of the generated data; the lack of interoperability between tools.
  • 12. Research Aim: Automated Interpretation and Integration of Security Tools in a Security Orchestration Platform.
  • 13. Proposed Solution (1/4). • Formalize, in an ontology, the core concepts of a security orchestration platform that are required to automate the execution of an IRP. • Follow a systematic set of guidelines to define the classes of the ontology and the relationships among the classes. • A prediction module to automatically classify activities given in free-text descriptions according to the ontology. • An interoperability model to select the best-suited set of tools that have the capabilities required to execute an IRP.
  • 14–15. Proposed Solution (2/4): Ontological Model to enable Semantic Integration. The proposed ontology contains three main classes; these classes are defined to formally represent heterogeneous security tools.
  • 16. Proposed Solution (2/4): Ontological Model to enable Semantic Integration.
    # | Response Task | Action
    ac1 | Is this a phishing attack? | Determine if this is a phishing attack. In the task, select yes or no in the outcome.
    ac2 | Scan endpoint – malware found? | After running a scan, determine whether malware was found. In the task, select yes or no in the outcome.
    ac3 | Remove malware – success? | Determine whether the malware was successfully removed. In the task, select yes or no in the outcome.
    We define the categories of the activities as subclasses of the activity class. The activities are associated with the detection, prevention, recovery and remediation actions defined for a threat.
  • 17. Proposed Solution (2/4): Ontological Model to enable Semantic Integration. [Same table as slide 16.] Worked example for ac1: Is (Verb) this (Det) a (Det) phishing (Verb) Attack (Noun) ? (Punc) = Is (Validate) Phishing Attack. Subclass chain: Validate → Validate Phishing → Validate Phishing Email. We follow a systematic set of guidelines to define the subclasses of the activity class manually.
  • 18–21. Proposed Solution (3/4): Classification of Activities based on Text Similarity (Prediction Module). Pipeline built up over four slides:
    Dataset (activity description, activity class from ontology) → Text preprocessing → Data splitting → N-gram generation → Feature transformation → Model training and evaluation → Model selection based on K-fold cross validation → Optimal classifier and feature configuration.
    Model building (with the optimal classifier): Dataset → N-gram generation → Feature transformation → Model training → Trained model and feature model.
    Prediction: New activity description → Text preprocessing → Feature transformation (with the feature model) → Classification of the activity description (with the trained model).
    • Part-of-speech tagging
    • Remove null values, punctuation, stop words and meaningless words
    • Four classifiers
    • Evaluation metrics: accuracy, recall, precision, F1-score
    The prediction module reduces the manual analysis of activity descriptions by classifying each activity according to the ontology.
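As an added illustration (not code from the paper or the CREST project), the following Python builds a miniature version of the prediction module from slides 17–21: text preprocessing, word n-gram generation, a Naive Bayes classifier trained separately for each of the three ontology levels, k-fold model selection, and prediction for a new activity description. The training rows, the stop-word list and the CamelCase rule that derives levels 1 and 2 from a level-3 class (Validate → ValidatePhishing → ValidatePhishingEmail) are assumptions for this example; the paper's crawled dataset and feature configuration are not reproduced.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training rows shaped like the slide-29 dataset: an activity description
# and its level-3 ontology class. Levels 1 and 2 are its CamelCase prefixes (assumption).
TRAINING = [
    ("Scan endpoint to see whether malware was found", "ScanEndpointMalware"),
    ("Run a malware scan on the affected endpoint", "ScanEndpointMalware"),
    ("Scan the network for open ports", "ScanNetworkPorts"),
    ("Port scan the internal network segment", "ScanNetworkPorts"),
    ("Is this a phishing email", "ValidatePhishingEmail"),
    ("Validate whether the reported email is a phishing attempt", "ValidatePhishingEmail"),
    ("Validate the alert raised by the IDS", "ValidateAlertIds"),
    ("Confirm the intrusion detection alert is a true positive", "ValidateAlertIds"),
    ("Isolate the malicious node from the network", "IsolateMaliciousNode"),
    ("Quarantine the compromised host by isolating it from the network", "IsolateMaliciousNode"),
    ("Remove malware from the infected computer", "RemoveMalwareEndpoint"),
    ("Remove the detected malware and verify removal succeeded", "RemoveMalwareEndpoint"),
]

# The talk removes stop words and "meaningless words" but lists none; this set is a stand-in.
STOP_WORDS = {"a", "an", "the", "this", "is", "was", "to", "of", "in", "from", "by", "on",
              "for", "and", "whether", "if", "it", "see", "determine", "task", "select",
              "yes", "no", "outcome", "be", "any"}


def preprocess(text):
    """Text preprocessing: lower-case, keep alphabetic tokens, drop stop words."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOP_WORDS]


def ngrams(tokens, n_max=2):
    """N-gram generation: word unigrams plus bigrams (feature configuration n_max=2)."""
    feats = list(tokens)
    for n in range(2, n_max + 1):
        feats += ["_".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]
    return feats


def split_levels(level3):
    """'ValidatePhishingEmail' -> ('Validate', 'ValidatePhishing', 'ValidatePhishingEmail'),
    i.e. the subclass chain Validate -> Validate Phishing -> Validate Phishing Email."""
    parts = re.findall(r"[A-Z][a-z]*", level3)
    return tuple("".join(parts[:i]) for i in (1, 2, 3))


class NaiveBayes:
    """Multinomial Naive Bayes with add-one smoothing, one of the talk's four classifiers."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_docs = Counter()              # documents per class (prior)
        self.feat_counts = defaultdict(Counter)  # n-gram counts per class (likelihood)
        self.vocab = set()

    def fit(self, feature_lists, labels):
        for feats, label in zip(feature_lists, labels):
            self.class_docs[label] += 1
            self.feat_counts[label].update(feats)
            self.vocab.update(feats)
        return self

    def predict(self, feats):
        n_docs = sum(self.class_docs.values())
        known = [f for f in feats if f in self.vocab]  # unseen n-grams carry no evidence
        best, best_lp = None, -math.inf
        for label, docs in self.class_docs.items():
            denom = sum(self.feat_counts[label].values()) + self.alpha * len(self.vocab)
            lp = math.log(docs / n_docs)
            for f in known:
                lp += math.log((self.feat_counts[label][f] + self.alpha) / denom)
            if lp > best_lp:
                best, best_lp = label, lp
        return best


def train_prediction_module(rows):
    """Model building: one classifier per ontology level, all on the same n-gram features."""
    feats = [ngrams(preprocess(desc)) for desc, _ in rows]
    return {level + 1: NaiveBayes().fit(feats, [split_levels(cls)[level] for _, cls in rows])
            for level in range(3)}


def classify(models, description):
    """Prediction: map a new activity description onto the three ontology levels."""
    feats = ngrams(preprocess(description))
    return tuple(models[level].predict(feats) for level in (1, 2, 3))


def k_fold_accuracy(rows, level, k=3):
    """Model selection: k-fold accuracy of the level-n classifier (folds by row index)."""
    correct = 0
    for fold in range(k):
        model = train_prediction_module([r for i, r in enumerate(rows) if i % k != fold])[level]
        for i, (desc, cls) in enumerate(rows):
            if i % k == fold:
                correct += int(model.predict(ngrams(preprocess(desc))) == split_levels(cls)[level - 1])
    return correct / len(rows)


MODELS = train_prediction_module(TRAINING)

if __name__ == "__main__":
    for task in ("Is this a phishing attack?", "Scan endpoint - malware found?",
                 "Remove malware - success?"):
        print(f"{task!r} -> {' / '.join(classify(MODELS, task))}")
    print("level-1 3-fold accuracy:", k_fold_accuracy(TRAINING, 1))
```

Running the block classifies the three IRP tasks from slide 8 (ac1–ac3) onto the Validate, Scan and Remove branches of the constructed ontology.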
  • 22–27. Proposed Solution (4/4): An Interoperability Model to Select the Security Tools to Automate the Sequence of Activities in an Incident Response Plan. [Figure built up across six slides; the slides carry no further text.]
  • 28. Evaluation. How feasible are the proposed prediction module and interoperability model?
  • 29. Experiments and Results (1/3): Preparing the Dataset for the Prediction Module. 1080 activity descriptions crawled from https://docs.servicenow.com/
    Activity Description | Level 1 | Level 2 | Level 3
    Scan endpoint to see whether malware was found | Scan | ScanEndpoint | ScanEndpointMalware
    Is this a phishing email | Validate | ValidatePhishing | ValidatePhishingEmail
    Isolate the malicious node from the network | Isolate | IsolateMalicious | IsolateMaliciousNode
    • 34 categories under level 1
    • 67 categories under level 2
    • 74 categories under level 3
  • 30. Experiments and Results (2/3): Implementing the Prediction Module. Validated weighted average F1-score for the optimal configuration of each classifier, SVM (Support Vector Machine), RF (Random Forest), NB (Naïve Bayes), LR (Linear Regression):
    Classifier | Level 1 | Level 2 | Level 3
    SVM | 0.926 | 0.909 | 0.865
    RF | 0.93 | 0.911 | 0.869
    NB | 0.833 | 0.817 | 0.792
    LR | 0.918 | 0.905 | 0.864
    Testing results of Random Forest for the three levels of classes:
    Metric | Level 1 | Level 2 | Level 3
    Accuracy | 0.96 | 0.94 | 0.9
    Precision | 0.97 | 0.93 | 0.87
    Recall | 0.96 | 0.94 | 0.9
    F1-score | 0.96 | 0.93 | 0.88
  • 31. Experiments and Results (3/3): Developing the Interoperability Model. • Seven security solutions: Snort, Splunk, Limacharlie, Wireshark, WinPcap, Microsoft security essential, MISP. • 21 different capabilities. • Nine incident response plans with 17 activities. Success rate around 90%.
  • 32. Limitations. • The ontology is developed from the capabilities and activities of freely available and open source security tools. • The selected optimal classifiers may not guarantee the highest performance when classifying new and updated activity descriptions.
  • 33. Future Work. • Use the semantic definition of the tools' capabilities to auto-create the APIs when new security tools with new capabilities are integrated. • Design a probabilistic model for selecting and integrating security tools.
  • 34. Key Takeaways. • An ontological model to formalize the security tools, their capabilities and the activities of an Incident Response Plan (IRP). • A learning-based prediction module to automatically assign the ontology classes of a new activity. • An interoperability model to select the required, mutually interoperable security tools for auto-execution of an IRP.
  • 35. References.
    • Chadni Islam, Muhammad Ali Babar, and Surya Nepal, “Automated Interpretation and Integration of Security Tools Using Semantic Knowledge”, 31st International Conference on Advanced Information Systems Engineering, CAiSE 2019, Rome, Italy, 3–7 June 2019.
    • Chadni Islam, Muhammad Ali Babar, and Surya Nepal. 2019. A Multi-Vocal Review of Security Orchestration. ACM Computing Surveys, Vol. 52, Issue 2, Article 37 (April 2019), 45 pages. DOI: https://doi.org/10.1145/3305268
    • Chadni Islam, Muhammad Ali Babar, and Surya Nepal, “An Ontology-Driven Approach to Automate the Process of Integration Security Software Systems”, International Conference on Software and Systems Process, ICSSP 2019, Montreal, Canada, 2019.
    • https://www.securityweek.com/cost-data-breach-uk-increases-more-41-two-years
    • https://www.ibm.com/downloads/cas/861MNWN2
    • https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
    • https://bricata.com/blog/cybersecurity-alert-deluge
  • 36. Questions?
    Chadni Islam, CREST Centre (https://crest-centre.net/), School of Computer Science, University of Adelaide, Australia; CSIRO's Data61, Australia (https://research.csiro.au/distributed-systems-security/). Twitter: @_chadni_. Email: chadni19@gmail.com, chadni.islam@Adelaide.edu.au
    M. Ali Babar, CREST Centre (https://crest-centre.net/), School of Computer Science, University of Adelaide, Australia. Email: ali.babar@adelaide.edu.au. Twitter: @alibabar
    Surya Nepal, CSIRO's Data61, Australia (https://research.csiro.au/distributed-systems-security/). Email: surya.Nepal@data61.csiro.au