SecViz – Cyber Situational Awareness

Cybercrime is a growth industry where the “returns are great and the risks are low”, according to a McAfee report [Mcaf14] that estimates the cost of cybercrime to the world economy at over $400 billion annually. The opportunities available to its practitioners have created a thriving ‘threat ecosystem’ whose primary purpose is financial gain through the misuse of technology. Computer Security Incident Response Teams (CSIRTs) struggle to keep up. They need ways to distinguish the critical alerts that pose the greatest risk to their business from the background noise of low-level, low-priority alerts. Adopting a proactive security stance increases a CSIRT’s capability to discover malicious activity in its managed domain before its end-users are impacted. Jointly, these two capabilities, critical alert prioritisation and proactive incident detection, contribute towards an increased level of cyber situational awareness (CSA). A good level of CSA means that the CSIRT understands the security posture of its managed domain (its constituency), can identify the most important threats to that constituency and their key characteristics, and can, at least to some degree, predict likely developments in the near future.

SRI has teamed up with an industrial partner to develop SecViz, which provides enhanced situational awareness of the ongoing threat situation in the enterprise network and increases the company’s capability to proactively monitor, detect and counteract cyber attacks.

The company operates a multi-site, multi-national business in data analytics, and its cyber infrastructure is critical to its ongoing success. It has many security applications in operation but has difficulty extracting added value across these different toolsets. SecViz is intended to give the company an integrated, overall awareness of its security situation.

SecViz will develop a framework to integrate event data from existing security applications such as Lockpath (inventory), Nexpose (vulnerability), TippingPoint (IDS) and QRadar (SIEM). It will allow the company CSIRT to associate cyber infrastructure (hosts, servers, networks, etc.) with the company’s mission, business priorities and organisation via customisable rules. SecViz will combine this information with data from other sources to assess the risk to particular assets, and will aggregate risk information per organisational unit (section, division, site, country) to give the CSIRT a near-real-time, company-level view of the current threat situation. Team members can drill down to explore the situation at the level of an individual unit.
SRI is also applying machine learning techniques to automate the analysis of the data, making it possible for the large amount of information about the network to be processed, classified and abstracted efficiently, leading to targeted, independent analysis of the assets. This uses a multiclass perceptron to classify asset vulnerability as moderate, severe or critical, based on the vulnerability analysis performed by vulnerability assessment software. This eliminates the need for the company CSIRT to manually score and maintain attribute weights, while also abstracting the raw data to a readily understandable, single-integer representation of an asset’s vulnerability level.
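To make the approach concrete, the following is an added example (not SecViz or SRI code) of a multiclass perceptron that maps per-asset vulnerability finding counts to a single integer level (0 moderate, 1 severe, 2 critical) and then rolls the worst level up to each organisational unit; the features, labels, hostnames and unit hierarchy are constructed sample data, not the company’s.

```python
# Added example (not SecViz code): multiclass perceptron mapping per-asset
# vulnerability finding counts to one integer level, rolled up per unit.
LEVELS = ("moderate", "severe", "critical")  # integer levels 0, 1, 2

# Constructed training set: (medium, high, critical finding counts) per
# asset, labelled with a hypothetical analyst's severity judgement.
TRAIN = [
    ((1, 0, 0), 0), ((3, 0, 0), 0), ((0, 0, 0), 0),
    ((1, 2, 0), 1), ((0, 3, 0), 1), ((2, 2, 0), 1),
    ((0, 1, 2), 2), ((1, 0, 1), 2), ((0, 2, 3), 2),
]

def predict(w, x):
    """Highest linear score wins (bias input fixed at 1.0); ties resolve
    to the lower level, so ambiguous assets are not over-escalated."""
    xb = list(x) + [1.0]
    s = [sum(wi * v for wi, v in zip(wc, xb)) for wc in w]
    return s.index(max(s))

def train(samples, n_classes=3, epochs=100, lr=1.0):
    """Multiclass perceptron: on a mistake, add lr*x to the true class
    weights and subtract it from the wrongly predicted class."""
    w = [[0.0] * (len(samples[0][0]) + 1) for _ in range(n_classes)]
    for _ in range(epochs):
        mistakes = 0
        for x, y in samples:
            pred = predict(w, x)
            if pred != y:
                mistakes += 1
                for i, v in enumerate(list(x) + [1.0]):
                    w[y][i] += lr * v
                    w[pred][i] -= lr * v
        if mistakes == 0:  # separable data: stop once every asset fits
            break
    return w

def unit_risk(w, assets):
    """assets: {host: (org_path, counts)}. Returns the worst asset level
    at every prefix of org_path, e.g. country, then site, then section."""
    worst = {}
    for path, counts in assets.values():
        level = predict(w, counts)
        for depth in range(1, len(path) + 1):
            worst[path[:depth]] = max(worst.get(path[:depth], 0), level)
    return worst

W = train(TRAIN)
# Constructed inventory: hostname -> ((country, site, section), counts)
ASSETS = {
    "web-01": (("IE", "Dublin", "Sales"), (2, 0, 0)),
    "db-02": (("IE", "Dublin", "Sales"), (1, 4, 0)),
    "dc-01": (("FR", "Paris", "Finance"), (0, 0, 2)),
}
```

`unit_risk(W, ASSETS)` gives the country-level view a CSIRT would start from (IE at severe, FR at critical) and the same keys let an analyst drill down to site and section.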

This research work is described in a paper submitted to the ITT Conference, “CAVIAR – Classification of Asset Vulnerability for Information Abstraction and Risk Analysis”.