Security Information and Event Management (SIEM) systems are a fundamental component of the ubiquitous ICT infrastructures that form the backbone of our digital society. These systems are used to monitor large-scale complex environments by collecting, normalising, correlating, and reporting events generated by security-related sensors (e.g. intrusion detection systems), protection devices (e.g. firewalls), and applications deployed in such environments. It is only through these systems that large organizations can hope to have a global understanding of the pervasive cybersecurity threats and related incidents affecting them.
The DiSIEM project aims to enhance existing SIEM systems with diversity-related technology, addressing many limitations that the solutions available in the market have. More specifically, the project wants to (1) enhance the quality of collected events by using a diverse set of sensors and novel application-based anomaly detectors, (2) collect and process relevant cybersecurity-related information from open-source intelligence data available on diverse sources from the internet (e.g. social networks, security feeds, forums, blogs, dark web) to increase the capacity of SIEMs to correlate internal events with external threat information, (3) create new ways for visualising the information collected in the SIEM and provide high-level security metrics and models for improving security-related decision processes, and (4) allow the use of multiple storage clouds for secure GDPR-compliant long-term archival of the events collected by the SIEM.
Given the high costs involved in the deployment of SIEM infrastructures, all these enhancements will be developed in a SIEM-independent way, as extensions to currently available systems, and will be validated through pilot deployments in three large-scale test and production environments provided by members of the consortium.