SecViz – Cyber Situational Awareness
SRI has teamed up with an industrial partner to develop SecViz, which provides enhanced situational awareness of the ongoing threat situation in the enterprise network, increasing the company’s capability to proactively monitor, detect and counteract cyber attacks.
Objective
The company operates a multi-site, multi-national business. It is in the business of data analytics and its cyberinfrastructure is critical to its ongoing success. It has many security applications in operation but has difficulty extracting added value across these different toolsets. SecViz is intended to give the company an integrated overall awareness of its security situation.
Approach
SecViz will develop a framework to integrate event data from existing security applications such as Lockpath (inventory), Nexpose (vulnerability), TippingPoint (IDS) and QRadar (SIEM). It will allow the company CSIRT to associate cyber infrastructure (hosts, servers, networks, etc.) with the company mission, business priorities and organisation via customizable rules. SecViz will combine this information with data from other sources to assess the risk to particular assets and will aggregate risk information per organisation unit (section, division, site, country) to give the CSIRT a near-real-time, company-level view of the current threat situation. Team members can drill down to explore the situation in detail at the level of an individual unit.
SRI is also applying machine learning techniques to automate the analysis of the data, making it possible for the large amount of information about the network to be processed, classified and abstracted efficiently, leading to targeted, independent analysis of the assets. SecViz implements a multiclass perceptron to classify asset vulnerability as moderate, severe or critical, based on the output of vulnerability assessment software. This eliminates the need for the company CSIRT to manually score and maintain attribute weights, while also abstracting the raw data to a readily understandable, single-integer representation of an asset's vulnerability level.
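As an added example (not SRI's SecViz code), the following Python sketches the two mechanisms described above: a multiclass perceptron trained on constructed, analyst-labelled scan features to predict moderate/severe/critical, and a roll-up of the worst predicted level per organisation unit at each depth of a country/site/division hierarchy. The feature choice (CVSS threshold, exploit availability, internet exposure), the unit paths and all data values are assumptions.

```python
# Added example, not SecViz code: multiclass perceptron plus per-unit roll-up.
LEVELS = ["moderate", "severe", "critical"]

def features(max_cvss, exploit_available, internet_exposed):
    """Bias term plus three binary indicators assumed to come from a scan."""
    return [1, int(max_cvss >= 7.0), int(exploit_available), int(internet_exposed)]

def predict(weights, x):
    scores = [sum(w * xi for w, xi in zip(wc, x)) for wc in weights]
    return scores.index(max(scores))  # lowest class index wins a tie

def train(rows, n_classes=3, max_epochs=1000):
    """Returns (weights, converged); False means the labels were not linearly separable."""
    weights = [[0] * len(rows[0][0]) for _ in range(n_classes)]
    for _ in range(max_epochs):
        mistakes = 0
        for x, y in rows:
            y_hat = predict(weights, x)
            if y_hat != y:  # reward the true class, penalise the predicted one
                mistakes += 1
                weights[y] = [w + xi for w, xi in zip(weights[y], x)]
                weights[y_hat] = [w - xi for w, xi in zip(weights[y_hat], x)]
        if mistakes == 0:
            return weights, True
    return weights, False

# Constructed stand-ins for analyst-triaged assets: (max_cvss, exploit, exposed, level)
TRAINING_ROWS = [(features(c, e, x), lvl) for c, e, x, lvl in [
    (4.3, 0, 0, 0), (6.5, 1, 0, 0), (5.0, 0, 1, 0), (9.8, 0, 0, 0),
    (9.1, 1, 0, 1), (7.5, 0, 1, 1), (5.3, 1, 1, 1), (9.8, 1, 1, 2), (7.2, 1, 1, 2)]]

def rollup(assets, weights):
    """Worst predicted level per unit at every depth (country, site, division)."""
    worst = {}
    for a in assets:
        level = predict(weights, features(a["max_cvss"], a["exploit"], a["exposed"]))
        for depth in range(1, len(a["unit"]) + 1):
            key = "/".join(a["unit"][:depth])
            worst[key] = max(worst.get(key, 0), level)
    return {k: LEVELS[v] for k, v in worst.items()}

def secviz_demo():
    weights, converged = train(TRAINING_ROWS)
    if not converged:  # fall back to manual weight scoring rather than trust the model
        raise RuntimeError("labels not linearly separable; review the triage labels")
    assets = [  # constructed inventory records: unit path plus scan attributes
        {"unit": ("UK", "London", "Analytics"), "max_cvss": 9.8, "exploit": 1, "exposed": 1},
        {"unit": ("UK", "London", "Finance"), "max_cvss": 4.3, "exploit": 0, "exposed": 0},
        {"unit": ("DE", "Berlin", "Analytics"), "max_cvss": 9.1, "exploit": 1, "exposed": 0}]
    return rollup(assets, weights)
```

The perceptron only converges when the labelled examples are linearly separable in the chosen features, so `train` reports that explicitly instead of silently returning a partially fitted model.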
This research work is described in a paper submitted to the ITT Conference, “CAVIAR – Classification of Asset Vulnerability for Information Abstraction and Risk Analysis”.