Periodic Reporting for period 2 - DiSIEM (Diversity Enhancements for SIEMs)
Reporting period: 2018-03-01 to 2019-08-31
The DiSIEM project aims to enhance existing SIEM systems with diversity-related technology, addressing many of the limitations of the solutions currently available on the market. More specifically, the project will (1) enhance the quality of collected events by using a diverse set of sensors and novel application-based anomaly detectors, (2) collect and process relevant cybersecurity-related information from open-source intelligence data available on diverse sources from the internet (e.g. social networks, security feeds, forums, blogs, dark web) to increase the capacity of SIEMs to correlate internal events with external threat information, (3) create new ways of visualising the information collected in the SIEM and provide high-level security metrics and models for improving security-related decision processes, and (4) allow the use of multiple storage clouds for secure, GDPR-compliant long-term archival of the events collected by the SIEM.
Given the high costs involved in the deployment of SIEM infrastructures, all these enhancements will be developed in a SIEM-independent way, as extensions to currently available systems, and will be validated through pilot deployments in three large-scale test and production environments provided by members of the consortium.
(1) An in-depth analysis of the state of the art in SIEM technology and on topics related to the project (e.g. machine learning and OSINT processing for security, diversity and security metrics, visual analytics for multi-dimensional data). This analysis led to the selection of four initial target SIEMs for integrating the components devised in the project: ArcSight, Splunk, XL-SIEM, Elastic Stack;
(2) The definition of a reference architecture for the project, which organises the work into nine components to be integrated in four different SIEMs. These components are aligned with all objectives of the project and are expected to represent significant innovations when compared with the state of the art in SIEMs and related technology;
(3) The design, implementation, and preliminary evaluation of the components. These results were reported in the technical deliverables produced during this period and in several papers (published, under submission or under preparation).
These results can be applied transversally in any area of society for which security monitoring is an important task, from the public sector to SMEs. Nonetheless, they are particularly relevant to large organizations controlling complex ICT infrastructures that are appealing high-value targets for cybersecurity attacks (e.g. critical infrastructure operators such as EDP, large service providers such as Amadeus). Such organizations are already SIEM users in an unending race with potential attackers to keep up to date with the threats and vulnerabilities affecting their infrastructures. The DiSIEM components can help them in this effort.