University of Twente Student Theses
Unboxing security analytics : towards effective data driven security operations
Slatman, H. (2016) Unboxing security analytics : towards effective data driven security operations.
PDF
1MB |
Abstract: | Security Operations Centers (SOCs) play a central role in protecting organizations from diverse threats targeting their primary business processes. It is their mission to detect, analyze, respond to, report on and prevent security incidents. Despite substantial investments in preventive and detective security controls, adversaries still manage to remain undetected for prolonged periods of time which can result in a security breach. SOCs face hard times when protecting their constituencies due to diverse causes. This thesis addresses these difficulties by introducing a holistic approach to security operations: Data Driven Security Operations. We first performed an investigation of the challenges SOCs face these days based on gray literature. We categorized the resulting challenges into four main categories: an increasingly complex IT environment, limited business alignment, ever - evolving adversaries and corresponding attacks, and finally, inadequate resources with respect to people and technology. A description of each of these categories and its associated elements are part of the problem analysis and formalization. We address the challenges by presenting a holistic approach to security operations: the conceptual model for Data Driven Security Operations. The model consists of the following six facets: Situational Awareness, Threat Intelligence, Detection Methods, Response & Investigation, SOC Staff and SOC Infrastructure. All six facets revolve around data and together they show how people, processes and technology are all crucial elements to perform security operations driven by data and analysis thereof. We also created an instantiation of the conceptual model for Data Driven Security Operations. SOCs can use it to assess their current status with respect to the six facets. Performing the assessment increases the tangibility of the model, lays the foundation for discussing the effectiveness of the SOC and provides recommendations for improvement. Both the model and the instantiation were evaluated with five professionals. Although the interviewees indicated that they liked the instantiation, several improvement points were identified. The conceptual model itself was received positively. |
Item Type: | Essay (Master) |
Faculty: | EEMCS: Electrical Engineering, Mathematics and Computer Science |
Subject: | 54 computer science |
Programme: | Computer Science MSc (60300) |
Link to this item: | https://purl.utwente.nl/essays/69788 |
Export this item as: | BibTeX EndNote HTML Citation Reference Manager |
Repository Staff Only: item control page