Final Report Summary - SAWSOC (Situation AWare Security Operations Center)
Executive Summary:
Security monitoring is a number one priority, since it is the pre-requisite for allowing system operation to continue also in the presence of attacks. A security monitoring facility produces three categories of outputs: 1) Alarms – Notifications to the personnel / machinery in charge of operating the monitored system/application of attacks that must be handled; 2) Remediation and Reaction triggers – Events that are sent to the personnel/machinery in charge of performing actions/procedures aiming at countering and/or mitigating the effects of attacks; 3) Actionable Evidence – Unforgeable electronic evidence of attacks (to be used in court). In order for security monitoring to be really useful, the aforementioned outputs must be made available in a timely fashion, i.e. in (near) real-time. A plethora of technologies exists, that individually represent a (potentially) effective building block of a real-time security monitoring facility, but – regrettably – they very much lack integration. While recently some achievements have been made, much is yet to be done, and a further advancements in the convergence of physical and logical security technologies are very much needed. SAWSOC proposes a novel approach – and a conceptual architecture – for real-time security monitoring of complex networked systems. The approach is to collect information at several architectural levels (namely: Physical, Network, Operating System and/or Virtual Machine, Data Base, Application, and Business Process) and to implement, and validate techniques for achieving effective correlation of the diverse information flows.
Project Context and Objectives:
Security has become one of the major topics in contemporary societies. While facing new security risks and challenges like e.g. international terrorism, crime, climate change and economic crises, an increased concern for security can generally be observed among many European populations. Increasingly, attempts are made to ‘produce’ security in a primarily technological way.
Technologies for implementing security services in the physical and in the electronic domain are both stable and mature, but they have been developed independently of each other.
Security Operations Center (SOC) technology has improved significantly, but SOC solutions have typically been developed using vertical approaches, i.e. based on custom specific needs. Other key security technologies (such as: Video Surveillance, Forensic support and Building Automation) have also made dramatic improvements, but there is still a limited capability of performing complex correlation on security relevant data.
The fragmentation of security approaches is perceived by citizens with confusion, disorientation, and fear. This discomfort is also amplified by the still too high rate of false alarms.
SAWSOC aims at bringing a significant advancement in the convergence of physical and logical security.
SAWSOC enhanced awareness capabilities allow accurate, timely and trustworthy detection and diagnosis of attacks, which ultimately results in the achievement of two goals of paramount importance and precisely:
1. guaranteeing the protection of citizens and assets;
2. reducing the perception of fragmentation of security approaches, thus improving citizen's perception of security.
SAWSOC objective is to identify, implement, and validate techniques for achieving the convergence of physical and cyber security solutions. More in detail, the project aims at:
- Advancing the state of the art of some of the key physical and logical security technologies;
- Developing techniques for correlating physical and logical security services, to achieve a consistent view and to be able to produce an irrefutable record of who did what, where, and when;
- Implementing those techniques in a Situation AWare Security Operations Center (SAWSOC) i.e. an integrated platform for providing sophisticated security services combining in a modular way diverse information from multiple data sources;
- Demonstrating and validating the proposed techniques and the framework by performing a thorough experimental campaign with respect to three substantial case studies.
Project Results:
SAWSOC Platform
The overall architecture of SAWSOC platform was created through a collaborative process, during which both general and use case specific requirements as well as the target of the platform were all taken into account. SAWSOC platform has the capability to combine event information from multiple event sources and to make sophisticated diagnosis based on the received information.SAWSOC platform consists of the following main components:
VIDEO CONTENT ANALYIS
receives the inputs from video surveillance and fuses the lower level results from video surveillance into higher level concepts and events.
CORRELATION ENGINE
The Correlation Engine is the component in charge of the event diagnosis process. It consists of two main parts:
- the data collection framework in charge to manage the high heterogeneity of formats and data sources.
- the centralized processing element. consisting of real time distributed Complex Event Processing (CEP) to ensure high performance with huge data volumes.
RULE ENGINE
The Rule Engine, including the Signature Based Support (SBS) and the Anomaly Based Support (ABS), provides the logical rules to be followed for the Correlation Engine.
FORENSIC MODULE
The Forensic Module, provides a set of services that enables the end user (SOC operator) to trace from an event to the log data from which it was identified. The module will ensure that the events and their associated logs are stored in a forensically sound manner. It will support processes that ensure, to the greatest extent possible, that the event data will be acceptable as evidence.
IDENTITY & CREDENTIAL MANAGEMENT SYSTEM
The Identity & Credential Management system, manages trusted, secure credentials for user and device authentication as well as (digital) event signing within the SAWSOC platform.
VISUALIZATION MODULE
The Visualization Module, implements the User Interfaces of the SAWSOC platform offering functionalities like e.g.: alarm notifications, alarm details presentation, actions list presentation, alarm statistics, 3D modelling of protected area etc.
Potential Impact:
BENEFITS DERIVING BY SAWSOC's OUTCOME
SAWSOC holistic approach and enhanced awareness technology will allow dependable detection and diagnosis of attacks. In this context, dependable means:
- Accurate - The detection rate will be high (i.e. a very high percentage - higher than what is currently achieved by SOTA products - of real attacks will be detected) and the false positives rate will be low (i.e. a very low percentage - lower than what is currently achieved by SOTA products - of innocuous events will be reported as attacks). It is worth emphasizing that in contexts such as highly available systems and applications (e.g. Critical Infrastructures) and crowded places (e.g. a stadium or an airport), false alarms can be as dangerous and harmful as false negatives. Accuracy is achieved by performing sophisticated correlations on the multitude of diverse events collected in the two domains (namely: logical and physical).
- Timely - The aforementioned sophisticated correlations is done in near real-time. This is a challenging task, since the amount of data that the system will have to process is massive and highly heterogeneous (both from the format and from the semantics point of view). The key enabling technologies which have been used are: Complex Event Processing, compiler generator tools, and ontology’s. Since for all the three aforementioned technologies there are already solutions available which allow the implementation of a proof of concept platform, the SAWSOC platform has been implemented using the "best of breed" of such solutions.
- Trustworthy - A largely overlooked issue in the design and development of security products is "who defends the defender”. The SAWSOC platform has been designed and implemented using fault- and intrusion-tolerant techniques. The platform is thus resilient to fault and attacks, i.e. it is able to perform its tasks correctly even in the presence of faults and/or if it will be under (successful) attack.
DISSEMINATION ACTIVITIES
In order to ensure that SAWSOC results have a lasting impact on European society, the project partners have undertaken significant efforts to make project results known and accessible to the public. SAWSOC dissemination activities included:
- Participation in workshops, conferences, and similar events.
- Local dissemination activities including initiatives carried out at national level by SAWSOC partners, according with the specificity of their organisation and the communities they are able to reach.
- Internal dissemination aims at developing solid links between consortium partners and the SAWSOC project itself.
- Cross-fertilization activities devoted to identify other European and National research projects which research topics of interested to the SAWSOC project.
Dissemination results include Poster, Leaflet, Project presentation, SAWSOC Website, five project newsletters, participation to more than thirty events and more than fifteen publications. Furthermore, the project has organized two workshops to present intermediate and final progress results and discuss them with the invited stakeholders.
Exploitation plans have been prepared by each partner highlighting an introduction to the business idea, the analysis of the market and an overview of the exploitation strategy. The consortium sees joint exploitation as an evolution out of individual exploitation, where the partner triggering its individual exploitation identifies an opportunity for joint exploitation.
List of Websites:
SAWSOC WebSite: http://www.sawsoc.eu/
Project Coordinator: Giuseppe La Posta (FINMECCANICA): giuseppe.laposta@finmeccanica.com
Technical Coordinator: Luigi Romano (CINI): luigi.romano@uniparthenope.it
Security monitoring is a number one priority, since it is the pre-requisite for allowing system operation to continue also in the presence of attacks. A security monitoring facility produces three categories of outputs: 1) Alarms – Notifications to the personnel / machinery in charge of operating the monitored system/application of attacks that must be handled; 2) Remediation and Reaction triggers – Events that are sent to the personnel/machinery in charge of performing actions/procedures aiming at countering and/or mitigating the effects of attacks; 3) Actionable Evidence – Unforgeable electronic evidence of attacks (to be used in court). In order for security monitoring to be really useful, the aforementioned outputs must be made available in a timely fashion, i.e. in (near) real-time. A plethora of technologies exists, that individually represent a (potentially) effective building block of a real-time security monitoring facility, but – regrettably – they very much lack integration. While recently some achievements have been made, much is yet to be done, and a further advancements in the convergence of physical and logical security technologies are very much needed. SAWSOC proposes a novel approach – and a conceptual architecture – for real-time security monitoring of complex networked systems. The approach is to collect information at several architectural levels (namely: Physical, Network, Operating System and/or Virtual Machine, Data Base, Application, and Business Process) and to implement, and validate techniques for achieving effective correlation of the diverse information flows.
Project Context and Objectives:
Security has become one of the major topics in contemporary societies. While facing new security risks and challenges like e.g. international terrorism, crime, climate change and economic crises, an increased concern for security can generally be observed among many European populations. Increasingly, attempts are made to ‘produce’ security in a primarily technological way.
Technologies for implementing security services in the physical and in the electronic domain are both stable and mature, but they have been developed independently of each other.
Security Operations Center (SOC) technology has improved significantly, but SOC solutions have typically been developed using vertical approaches, i.e. based on custom specific needs. Other key security technologies (such as: Video Surveillance, Forensic support and Building Automation) have also made dramatic improvements, but there is still a limited capability of performing complex correlation on security relevant data.
The fragmentation of security approaches is perceived by citizens with confusion, disorientation, and fear. This discomfort is also amplified by the still too high rate of false alarms.
SAWSOC aims at bringing a significant advancement in the convergence of physical and logical security.
SAWSOC enhanced awareness capabilities allow accurate, timely and trustworthy detection and diagnosis of attacks, which ultimately results in the achievement of two goals of paramount importance and precisely:
1. guaranteeing the protection of citizens and assets;
2. reducing the perception of fragmentation of security approaches, thus improving citizen's perception of security.
SAWSOC objective is to identify, implement, and validate techniques for achieving the convergence of physical and cyber security solutions. More in detail, the project aims at:
- Advancing the state of the art of some of the key physical and logical security technologies;
- Developing techniques for correlating physical and logical security services, to achieve a consistent view and to be able to produce an irrefutable record of who did what, where, and when;
- Implementing those techniques in a Situation AWare Security Operations Center (SAWSOC) i.e. an integrated platform for providing sophisticated security services combining in a modular way diverse information from multiple data sources;
- Demonstrating and validating the proposed techniques and the framework by performing a thorough experimental campaign with respect to three substantial case studies.
Project Results:
SAWSOC Platform
The overall architecture of SAWSOC platform was created through a collaborative process, during which both general and use case specific requirements as well as the target of the platform were all taken into account. SAWSOC platform has the capability to combine event information from multiple event sources and to make sophisticated diagnosis based on the received information.SAWSOC platform consists of the following main components:
VIDEO CONTENT ANALYIS
receives the inputs from video surveillance and fuses the lower level results from video surveillance into higher level concepts and events.
CORRELATION ENGINE
The Correlation Engine is the component in charge of the event diagnosis process. It consists of two main parts:
- the data collection framework in charge to manage the high heterogeneity of formats and data sources.
- the centralized processing element. consisting of real time distributed Complex Event Processing (CEP) to ensure high performance with huge data volumes.
RULE ENGINE
The Rule Engine, including the Signature Based Support (SBS) and the Anomaly Based Support (ABS), provides the logical rules to be followed for the Correlation Engine.
FORENSIC MODULE
The Forensic Module, provides a set of services that enables the end user (SOC operator) to trace from an event to the log data from which it was identified. The module will ensure that the events and their associated logs are stored in a forensically sound manner. It will support processes that ensure, to the greatest extent possible, that the event data will be acceptable as evidence.
IDENTITY & CREDENTIAL MANAGEMENT SYSTEM
The Identity & Credential Management system, manages trusted, secure credentials for user and device authentication as well as (digital) event signing within the SAWSOC platform.
VISUALIZATION MODULE
The Visualization Module, implements the User Interfaces of the SAWSOC platform offering functionalities like e.g.: alarm notifications, alarm details presentation, actions list presentation, alarm statistics, 3D modelling of protected area etc.
Potential Impact:
BENEFITS DERIVING BY SAWSOC's OUTCOME
SAWSOC holistic approach and enhanced awareness technology will allow dependable detection and diagnosis of attacks. In this context, dependable means:
- Accurate - The detection rate will be high (i.e. a very high percentage - higher than what is currently achieved by SOTA products - of real attacks will be detected) and the false positives rate will be low (i.e. a very low percentage - lower than what is currently achieved by SOTA products - of innocuous events will be reported as attacks). It is worth emphasizing that in contexts such as highly available systems and applications (e.g. Critical Infrastructures) and crowded places (e.g. a stadium or an airport), false alarms can be as dangerous and harmful as false negatives. Accuracy is achieved by performing sophisticated correlations on the multitude of diverse events collected in the two domains (namely: logical and physical).
- Timely - The aforementioned sophisticated correlations is done in near real-time. This is a challenging task, since the amount of data that the system will have to process is massive and highly heterogeneous (both from the format and from the semantics point of view). The key enabling technologies which have been used are: Complex Event Processing, compiler generator tools, and ontology’s. Since for all the three aforementioned technologies there are already solutions available which allow the implementation of a proof of concept platform, the SAWSOC platform has been implemented using the "best of breed" of such solutions.
- Trustworthy - A largely overlooked issue in the design and development of security products is "who defends the defender”. The SAWSOC platform has been designed and implemented using fault- and intrusion-tolerant techniques. The platform is thus resilient to fault and attacks, i.e. it is able to perform its tasks correctly even in the presence of faults and/or if it will be under (successful) attack.
DISSEMINATION ACTIVITIES
In order to ensure that SAWSOC results have a lasting impact on European society, the project partners have undertaken significant efforts to make project results known and accessible to the public. SAWSOC dissemination activities included:
- Participation in workshops, conferences, and similar events.
- Local dissemination activities including initiatives carried out at national level by SAWSOC partners, according with the specificity of their organisation and the communities they are able to reach.
- Internal dissemination aims at developing solid links between consortium partners and the SAWSOC project itself.
- Cross-fertilization activities devoted to identify other European and National research projects which research topics of interested to the SAWSOC project.
Dissemination results include Poster, Leaflet, Project presentation, SAWSOC Website, five project newsletters, participation to more than thirty events and more than fifteen publications. Furthermore, the project has organized two workshops to present intermediate and final progress results and discuss them with the invited stakeholders.
Exploitation plans have been prepared by each partner highlighting an introduction to the business idea, the analysis of the market and an overview of the exploitation strategy. The consortium sees joint exploitation as an evolution out of individual exploitation, where the partner triggering its individual exploitation identifies an opportunity for joint exploitation.
List of Websites:
SAWSOC WebSite: http://www.sawsoc.eu/
Project Coordinator: Giuseppe La Posta (FINMECCANICA): giuseppe.laposta@finmeccanica.com
Technical Coordinator: Luigi Romano (CINI): luigi.romano@uniparthenope.it
