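@techreport{CIMprimer,
  key         = {EPRI-3002001040},
  title       = {{IntelliGrid} {Common Information Model} Primer: Second Edition},
  institution = {EPRI},
  number      = {3002001040},
  address     = {Palo Alto, CA},
  month       = oct,
  year        = {2013},
  url         = {http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=000000003002001040},
  keywords    = {Common Information Model (CIM), International Electrotechnical Commission (IEC), International standards, Semantic model, Unified Modeling Language (UML)},
  abstract    = {The Common Information Model (CIM) Primer explains the basics of the CIM (IEC 61970, IEC 61968, and IEC 62325). Starting with a historical perspective, it describes how the CIM originated and grew through the years. The functions of various working groups of Technical Committee 57 of the International Electrotechnical Commission (IEC) are described. The process of how an IEC standard is created is also outlined.\par The basics of the Unified Modeling Language (UML) are detailed to introduce the reader to the language of the CIM. Then, building on commonly understood objects (basic shapes), the concepts that underline the CIM are carefully built step by step. The reader is then transported into the world of power systems where the concepts that were developed previously are applied to the complexities of the electric grid.\par The Second Edition is updated with a case study that follows a utility through its journey of discovery, learning, and then, utilizing the CIM for grid modeling and integration. Additionally, questions have been added to the end of each section for the reader to reinforce their learning.}
}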
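@techreport{ISOCreport,
  key         = {EPRI-3002000374},
  title       = {Guidelines for Planning an Integrated Security Operations Center},
  institution = {EPRI},
  number      = {3002000374},
  address     = {Palo Alto, CA},
  month       = dec,
  year        = {2013},
  url         = {http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=000000003002000374},
  keywords    = {Cyber Incident Management, Incident Detection System, Security Event Monitoring, Security Status Monitoring, Security and Information Event Management, Security Operations Center},
  abstract    = {This report describes strategies and guidelines for utilities to plan and implement an Integrated Security Operations Center (ISOC) that includes corporate systems, control systems, and physical security. Currently, multiple groups and operators independently gather and analyze information from a datacenter, workstation networks, physical security, supervisory control and data acquisition (SCADA) systems, energy management systems (EMS), historians, and field equipment. Data is also collected and analyzed from Computer Emergency Readiness Teams (CERTs) and Information Sharing and Analysis Centers (ISACs). Correlating this data to find suspicious activity can be extremely challenging and often only occurs long after an incident happens.\par An ISOC is designed to collect, integrate, and analyze alarms and logs from these traditionally siloed organizations, providing much greater situational awareness to the utility's security team. Additionally, an ISOC allows utilities to transition to an intelligence-driven approach to incident management, which is much more effective for handling advanced threats. Because of these advantages, creating an ISOC may provide significant value to utilities. However, building an ISOC requires significant technical resources, staff, and time.\par This research focuses on the initial steps in the process of setting up an ISOC: developing the business case, potential organizational challenges, tradeoffs for different ISOC architectures, and planning the implementation process. These results are based on current research, engagement with utilities, and an examination of ISOC implementations outside of the electric sector.}
}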
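@article{6003813,
  author   = {Wei, Dong and Lu, Yan and Jafari, M. and Skare, P. M. and Rohde, K.},
  title    = {Protecting Smart Grid Automation Systems Against Cyberattacks},
  journal  = {{IEEE} Transactions on Smart Grid},
  year     = {2011},
  month    = dec,
  volume   = {2},
  number   = {4},
  pages    = {782--795},
  doi      = {10.1109/TSG.2011.2159999},
  keywords = {SCADA systems;information technology;power system protection;power system security;risk analysis;smart power grids;IT;SCADA cyberattack process;bump-in-the-wire approach;conceptual layered framework;cybersecurity;information technology;interconnected automation platforms;on-site system test;power grid automation network;power grid automation systems;prototype security system;security risks;signal data;smart grid automation system protection;Computer crime;Computer security;Network security;Quality of service;Substations;Quality-of-Service (QoS);Smart grid;cyberattacks;network security;vulnerability},
  abstract = {The smart grid moves new power grid automation systems from being proprietary and closed to the current state of information technology (IT) which is highly interconnected and open. But open and interconnected automation platforms bring about major security challenges. The power grid automation network has inherent security risks due to the fact that the systems and applications for the power grid were originally designed without much consideration of cybersecurity. This paper first introduces scope and functionalities of power grid, its automation and control system, and communications. Potential cyberattacks and their adverse impacts on power grid operation are discussed, a general SCADA cyberattack process is presented. This paper discusses the major challenges and strategies to protect smart grid against cyberattacks and finally proposes a conceptual layered framework for protecting power grid automation systems against cyberattacks without compromising timely availability of control and signal data. The proposed ``bump-in-the-wire'' approach also provides security protection for legacy systems which do not have enough computational power or memory space to perform security functionalities. The on-site system test of the developed prototype security system is briefly presented as well.}
}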
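@inproceedings{6459894,
  author    = {Kowtha, S. and Nolan, L. A. and Daley, R. A.},
  title     = {Cyber Security Operations Center Characterization Model and Analysis},
  booktitle = {{IEEE} Conference on Technologies for Homeland Security ({HST})},
  year      = {2012},
  month     = nov,
  pages     = {470--475},
  doi       = {10.1109/THS.2012.6459894},
  keywords  = {groupware;security of data;system monitoring;trusted computing;collaboration discussion;collaborative cyber security operation;commercial interest;coordinated operation;cyber security operations center characterization model;cyberspace availability assurance;cyberspace dependability assurance;cyberspace trust assurance;data collection;effectiveness improvement;efficiency improvement;external interaction;incident analysis;information sharing;international interest;organizational dynamics;proactive incident management;regional interest;threat analysis;threat monitoring;visual analysis;Analytical models;Collaboration;Communities;Computer security;Cyberspace;Data models;Organizations;collaborative cyber security operations;coordinated incident response;cyber security activities;cyber security information sharing;operations center characterization model},
  abstract  = {While cyberspace knows no borders, there are commercial, regional, national and international interests that seek to assure the trust, availability and dependability of cyberspace for their specific needs. Cyber Security Operations is the term used to describe activities that span (a) securing a portion of cyberspace, (b) monitoring and analyzing threats and incidents, and (c) responsively and proactively managing incidents. These operations centers stand a better chance at securing and defending their portion of cyberspace if they adopt a collaborative and coordinated operations approach. In order to establish a strong analytical foundation required for developing collaborative cyber security operations tradecraft, an operations center characterization model is necessary to provide the common underlying framework for collaboration discussions. We have developed an analytical model to capture common and significant aspects of cyber security operations centers. The model addresses seven foundational areas or dimensions: scope, activities, process management, facilities, organizational dynamics, external interactions, and environment. We developed a simple, yet effective, operations center questionnaire based on the model, and used it to collect actual operations center data from a dozen diverse cyber security operations centers. In this paper we describe the operations center characterization model and discuss information gleaned from four of the cyber security centers. We demonstrate that the operations center characterization model's rapid data collection and visual analysis lends itself to aiding the cyber security community to (a) identify areas of collaboration, (b) customize information sharing, and (c) improve efficiency and effectiveness of a center's operations by learning from similar centers in the community}
}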
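@inproceedings{5590215,
  author    = {Sommestad, T. and Ericsson, G. N. and Nordlander, J.},
  title     = {{SCADA} System Cyber Security --- A Comparison of Standards},
  booktitle = {{IEEE} Power and Energy Society General Meeting},
  year      = {2010},
  month     = jul,
  pages     = {1--8},
  doi       = {10.1109/PES.2010.5590215},
  keywords  = {IEC standards;ISO standards;SCADA systems;security of data;Cyber security;ISO/IEC 17799;SCADA system;electrical power system;international standard;supervisory control and data acquisition system;technical countermeasure;Control systems;Cyber Security;SCADA systems;Smart Grids;Standards},
  abstract  = {Cyber security of Supervisory Control And Data Acquisition (SCADA) systems has become very important. SCADA systems are vital for operation and control of critical infrastructures, such as the electrical power system. Therefore, a number of standards and guidelines have been developed to support electric power utilities in their Cyber security efforts. This paper compares different SCADA Cyber security standards and guidelines with respect to threats and countermeasures they describe. Also, a comparison with the international standard ISO/IEC 17799 (now ISO/IEC 27002) is made. The method used is based on a comparison of use of certain key issues in the standards, after being grouped into different categories. The occurrences of the key issues are counted and comparisons are made. It is concluded that SCADA specific standards are more focused on technical countermeasures, such as firewalls and intrusion detection, whereas ISO/IEC 17799 is more focused on organizational countermeasures.}
}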
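@article{Grimaila01072012,
  author   = {Grimaila, Michael R. and Myers, Justin and Mills, Robert F. and Peterson, Gilbert},
  title    = {Design and Analysis of a Dynamically Configured Log-based Distributed Security Event Detection Methodology},
  journal  = {The Journal of Defense Modeling and Simulation: Applications, Methodology, Technology},
  year     = {2012},
  volume   = {9},
  number   = {3},
  pages    = {219--241},
  doi      = {10.1177/1548512911399303},
  abstract = {Military and defense organizations rely upon the security of data stored in, and communicated through, their cyber infrastructure to fulfill their mission objectives. It is essential to identify threats to the cyber infrastructure in a timely manner, so that mission risks can be recognized and mitigated. Centralized event logging and correlation is a proven method for identifying threats to cyber resources. However, centralized event logging is inflexible and does not scale well, because it consumes excessive network bandwidth and imposes significant storage and processing requirements on the central event log server. In this paper, we present a flexible, distributed event correlation system designed to overcome these limitations by distributing the event correlation workload across the network of event-producing systems. To demonstrate the utility of the methodology, we model and simulate centralized, decentralized, and hybrid log analysis environments over three accountability levels and compare their performance in terms of detection capability, network bandwidth utilization, database query efficiency, and configurability. The results show that when compared to centralized event correlation, dynamically configured distributed event correlation provides increased flexibility, a significant reduction in network traffic in low and medium accountability environments, and a decrease in database query execution time in the high-accountability case.}
}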
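@techreport{stouffer2007guide,
  author        = {Stouffer, Keith and Falco, Joe and Scarfone, Karen},
  title         = {Guide to Industrial Control Systems ({ICS}) Security},
  institution   = {National Institute of Standards and Technology (NIST)},
  type          = {{NIST} Special Publication},
  number        = {800-82},
  year          = {2007},
  month         = sep,
  internal-note = {Was exported as an @article with journal/volume/pages holding the report series; restructured as a NIST SP report. Year/month kept as given -- SP 800-82 has been revised since, so confirm which revision the text actually relies on}
}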
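@inproceedings{reissmann,
  author    = {Rei{\ss}mann, Sven and Frisch, Dustin and Rieger, Sebastian},
  title     = {Automatisierte Korrelation und Aggregation von {Syslog}-Nachrichten in {NoSQL}-basierten Datenbanken},
  booktitle = {6.~{DFN}-Forum Kommunikationstechnologien, Beitr{\"a}ge der Fachtagung},
  editor    = {M{\"u}ller, Paul and Neumair, Bernhard and Reiser, Helmut and Dreo Rodosek, Gabi},
  series    = {Lecture Notes in Informatics (LNI)},
  volume    = {217},
  pages     = {21--30},
  publisher = {German Informatics Society (GI)},
  year      = {2013},
  month     = jun,
  url       = {https://www.dfn.de/fileadmin/3Beratung/DFN-Forum6/3_Automatisierte_Korrelation_und_Aggregation_von_Syslog-Nachrichten_in_NoSQL-basierten_Datenbanken.pdf}
}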
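@mastersthesis{ludovice2012thesis,
  author        = {Ludovice, Smile T.},
  title         = {Analysis of the Impact of Data Normalization on Cyber Event Correlation Query Performance},
  school        = {Air Force Institute of Technology, Graduate School of Engineering and Management},
  address       = {Wright-Patterson Air Force Base, OH},
  year          = {2012},
  month         = mar,
  note          = {{DTIC} accession number ADA557999},
  url           = {http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA557999},
  internal-note = {URL is the legacy dtic.mil CGI endpoint; the accession number in note is the stable identifier to resolve if the link rots},
  abstract      = {A critical capability required in the operation of cyberspace is the ability to maintain situational awareness of the status of the infrastructure elements that constitute cyberspace. Event logs from cyber devices can yield significant information, and when properly utilized they can provide timely situational awareness about the state of the cyber infrastructure. In addition, proper Information Assurance requires the validation and verification of the integrity of results generated by a commercial log analysis tool. Event log analysis can be performed using relational databases. To enhance database query performance, previous literatures affirm denormalization of databases. Yet database normalization can also increase query performance. Database normalization improved the majority of the queries performed using very large data sets of router events. In addition, queries performed faster on normalized tables when all the necessary data were contained in the normalized tables. Database normalization improves table organization and maintains better data consistency than a lack of normalization. Nonetheless, there are some tradeoffs when normalizing a database, such as additional preprocessing time and extra storage requirements. But overall, normalization improved query performance and must be considered an option when analyzing event logs using relational databases. There are three primary research questions addressed in this thesis: (1) What standards exist for the generation, transport, storage, and analysis of event log data for security analysis?; (2) How does database normalization impact query performance when using very large data sets (over 30 million) of router events?; and (3) What are the tradeoffs between using a normalized versus non-normalized database in terms of preprocessing time, query performance, storage requirements, and database consistency?}
}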
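@article{Stroeh+2013,
  author    = {Stroeh, Kleber and Mauro Madeira, Edmundo Roberto and Goldenstein, Siome Klein},
  title     = {An Approach to the Correlation of Security Events Based on Machine Learning Techniques},
  journal   = {Journal of Internet Services and Applications},
  year      = {2013},
  volume    = {4},
  number    = {1},
  pages     = {1--16},
  publisher = {Springer-Verlag},
  doi       = {10.1186/1869-0238-4-7},
  keywords  = {IDS; Security; Correlation; Machine learning},
  abstract  = {Organizations face the ever growing challenge of providing security within their IT infrastructures. Static approaches to security, such as perimetral defense, have proven less than effective --- and, therefore, more vulnerable --- in a new scenario characterized by increasingly complex systems and by the evolution and automation of cyber attacks. Moreover, dynamic detection of attacks through IDSs (Instrusion Detection Systems) presents too many false positives to be effective. This work presents an approach on how to collect and normalize, as well as how to fuse and classify, security alerts. This approach involves collecting alerts from different sources and normalizes them according to standardized structures --- IDMEF (Intrusion Detection Message Exchange Format). The normalized alerts are grouped into meta-alerts (fusion, or clustering), which are later classified using machine learning techniques into attacks or false alarms. We validate and report an implementation of this approach against the DARPA Challenge and the Scan of the Month, using three different classifications --- SVMs, Bayesian Networks and Decision Trees --- having achieved high levels of attack detection with little false positives. Our results also indicate that our approach outperforms other works when it comes to detecting new kinds of attacks, making it more suitable to a world of evolving attacks.}
}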
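@inproceedings{5478473,
  author    = {Hui, P. and Bruce, J. and Fink, G. and Gregory, M. and Best, D. and McGrath, L. and Endert, A.},
  title     = {Towards Efficient Collaboration in Cyber Security},
  booktitle = {International Symposium on Collaborative Technologies and Systems ({CTS})},
  year      = {2010},
  month     = may,
  pages     = {489--498},
  doi       = {10.1109/CTS.2010.5478473},
  keywords  = {groupware;security of data;collaboration;cyber security analysts;security bulletins;Collaboration;Collaborative software;Collaborative work;Computer security;Data security;Information analysis;Laboratories;Linux;Performance analysis;Software performance;Cyber-security systems;collaborative security frameworks;collaborative software frameworks;computer security},
  abstract  = {Cyber security analysts in different geographical and organizational domains are often largely tasked with similar duties, albeit with domain-specific variations. These analysts necessarily perform much of the same work independently- for instance, analyzing the same list of security bulletins released by largely the same set of software vendors. As such, communication and collaboration between such analysts would be mutually beneficial to the analysts involved, potentially reducing redundancy and offering the opportunity to preemptively alert each other to high-severity security alerts in a more timely fashion. However, several barriers to practical and efficient collaboration exist, and consequently, no such framework exists to support these efforts. In this paper, we discuss the inherent difficulties which make efficient collaboration between cyber security analysts a difficult goal to achieve. We discuss preliminary ideas and concepts towards a collaborative cyber-security framework currently under development, whose goal is to facilitate analyst collaboration across these boundaries. While still in its early stages, we describe work-in-progress towards achieving this goal, including motivation, functionality, concepts, and a high-level description of the proposed system architecture.}
}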
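@incollection{Coppolino+2011,
  author    = {Coppolino, Luigi and D'Antonio, Salvatore and Formicola, Valerio and Romano, Luigi},
  title     = {Integration of a System for Critical Infrastructure Protection with the {OSSIM} {SIEM} Platform: A Dam Case Study},
  booktitle = {Computer Safety, Reliability, and Security},
  editor    = {Flammini, Francesco and Bologna, Sandro and Vittorini, Valeria},
  series    = {Lecture Notes in Computer Science},
  volume    = {6894},
  pages     = {199--212},
  publisher = {Springer},
  address   = {Berlin, Heidelberg},
  year      = {2011},
  doi       = {10.1007/978-3-642-24270-0_15},
  keywords  = {Critical Infrastructure Protection; SIEM; dam; OSSIM},
  abstract  = {In recent years the monitoring and control devices in charge of supervising the critical processes of Critical Infrastructures have been victims of cyber attacks. To face such threat, organizations providing critical services are increasingly focusing on protecting their network infrastructures. Security Information and Event Management (SIEM) frameworks support network protection by performing centralized correlation of network asset reports. In this work we propose an extension of a commercial SIEM framework, namely OSSIM by AlienVault, to perform the analysis of the reports (events) generated by monitoring, control and security devices of the dam infrastructure. Our objective is to obtain evidences of misuses and malicious activities occurring at the dam monitoring and control system, since they can result in issuing hazardous commands to control devices. We present examples of misuses and malicious activities and procedures to extend OSSIM for analyzing new event types.}
}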
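@article{SuleimanSvetinovic2012,
  author    = {Suleiman, Husam and Svetinovic, Davor},
  title     = {Evaluating the Effectiveness of the Security Quality Requirements Engineering ({SQUARE}) Method: A Case Study Using Smart Grid Advanced Metering Infrastructure},
  journal   = {Requirements Engineering},
  year      = {2013},
  volume    = {18},
  number    = {3},
  pages     = {251--279},
  publisher = {Springer},
  doi       = {10.1007/s00766-012-0153-4},
  keywords  = {Security requirements engineering method evaluation; Advanced metering infrastructure (AMI) security; Smart grid security; Security quality requirements engineering (SQUARE) method; Qualitative research evaluation},
  abstract  = {This paper presents an evaluation of the security quality requirements engineering (SQUARE) method. The evaluation of SQUARE was conducted by its application on the advanced metering infrastructure of smart grid as a case study. We evaluated the effectiveness of SQUARE with respect to its ability to elicit a set of artifacts, threats, and vulnerabilities; to perform likelihood, impact analysis, and risk level determination; and to elicit, categorize, and prioritize the security requirements. The main contribution of this work is the evaluation of the effectiveness of SQUARE using qualitative security requirements engineering method evaluation criteria.}
}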
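@misc{CEE-site,
  key          = {CEE web site},
  title        = {About {Common Event Expression} --- Archive},
  howpublished = {Web page, {MITRE} Corporation},
  url          = {http://cee.mitre.org/about/},
  urldate      = {2014-03-04},
  note         = {Retrieved March 4, 2014. The site is an archive of a discontinued effort; treat it as historical reference, not a maintained standard}
}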
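@misc{securosis-site,
  key          = {Securosis web site},
  title        = {Understanding and Selecting {SIEM/LM}: Aggregation, Normalization, and Enrichment},
  howpublished = {Securosis blog},
  url          = {https://securosis.com/blog/understanding-and-selecting-siem-lm-aggregation-normalization-and-enrichmen},
  urldate      = {2014-03-04},
  note         = {Retrieved March 4, 2014}
}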
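@unpublished{Pantola+2010,
  author        = {Pantola, Alexis V. and Encarnacion, Justin P. and Pineda, Justin David G. and Yatco, Jr., Roberto F.},
  title         = {Normalization of Logs for Networked Devices in a Security Information Event Management System},
  year          = {2010},
  note          = {Unpublished manuscript; PDF self-hosted on a personal site},
  url           = {http://justinspeaks.files.wordpress.com/2010/10/device-normalizer-paper.pdf},
  internal-note = {Original entry gave the URL without a scheme; http:// added. Hosted on a personal blog rather than a publisher or repository, so authorship and venue are unverified -- confirm before citing as authoritative}
}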
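@phdthesis{el2012verification,
  author   = {El Maarabani, Mazen},
  title    = {Verification and Test of Interoperability Security Policies},
  school   = {Institut National des T{\'e}l{\'e}communications},
  address  = {{\'E}vry, France},
  year     = {2012},
  abstract = {Nowadays, there is an increasing need for interaction in business community. In such context, organizations collaborate with each other in order to achieve a common goal. In such environment, each organization has to design and implement an interoperability security policy. This policy has two objectives: (i) it specifies the information or the resources to be shared during the collaboration and (ii) it define the privileges of the organizations' users. To guarantee a certain level of security, it is mandatory to check whether the organizations' information systems behave as required by the interoperability security policy. In this thesis we propose a method to test the behavior of a system with respect to its interoperability security policies. Our methodology is based on two approaches: active testing approach and passive testing approach. We found that these two approaches are complementary when checking contextual interoperability security policies. Let us mention that a security policy is said to be contextual if the activation of each security rule is constrained with conditions. The active testing consists in generating a set of test cases from a formal model. Thus, we first propose a method to integrate the interoperability security policies in a formal model. This model specifies the functional behavior of an organization. The functional model is represented using the Extended Finite Automata formalism, whereas the interoperability security policies are specified using OrBAC model and its extension O2O. In addition, we propose a model checking based method to check whether the behavior of a model respects some interoperability security policies. To generate the test cases, we used a dedicated tool developed in our department. The tool allows generating abstract test cases expressed in the TTCN notation to facilitate its portability. In passive testing approach, we specify the interoperability policy, that the system under test has to respect, with Linear Temporal logics. We analyze then the collected traces of the system execution in order to deduce a verdict on their conformity with respect to the interoperability policy. Finally, we show the applicability of our methods though a hospital network case study. This application allows to demonstrate the effectiveness and reliability of the proposed approaches}
}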
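@article{montesino2012siem,
  author    = {Montesino, Raydel and Fenz, Stefan and Baluja, Walter},
  title     = {{SIEM}-Based Framework for Security Controls Automation},
  journal   = {Information Management \& Computer Security},
  year      = {2012},
  volume    = {20},
  number    = {4},
  pages     = {248--263},
  publisher = {Emerald Group Publishing Limited},
  doi       = {10.1108/09685221211267639},
  keywords  = {Computer security, Data security, Information management, Information security management, Security automation, Security information and event management},
  abstract  = {Purpose---The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security management. \par Design/methodology/approach---This research reviewed the controls recommended by well known standards such as ISO/IEC 27001 and NIST SP 800-53; and identified security controls that can be automated by existing hard-and software tools. The research also analyzed the Security Information and Event Management (SIEM) technology and proposed a SIEM-based framework for security controls automation, taking into account the automation potential of SIEM systems and their integration possibilities with several security tools. \par Findings---About 30 percent of information security controls can be automated and they were grouped in a list of ten automatable security controls. A SIEM-based framework can be used for centralized and integrated management of the ten automatable security controls. \par Practical implications---By implementing the proposed framework and therefore automating as many security controls as possible, organizations will achieve more efficiency in information security management, reducing also the complexity of this process. This research may also be useful for SIEM vendors, in order to include more functionality to their products and provide a maximum of security controls automation within SIEM platforms. \par Originality/value---This paper delimits the boundaries of information security automation and defines what automation means for each security control. A novel framework for security controls automation is proposed. This research provides an automation concept that goes beyond what it is normally described in previous works and SIEM solutions.}
}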
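@inproceedings{5305052,
  author    = {Madrid, J. M. and Munera, L. E. and Montoya, C. A. and Osorio, J. D. and Cardenas, L. E. and Bedoya, R. and Latorre, C.},
  title     = {Functionality, Reliability and Adaptability Improvements to the {OSSIM} Information Security Console},
  booktitle = {{IEEE} Latin-American Conference on Communications ({LATINCOM})},
  year      = {2009},
  month     = sep,
  pages     = {1--6},
  doi       = {10.1109/LATINCOM.2009.5305052},
  keywords  = {security of data;OSSIM;high-traffic networks;information capture reliability;information security console;information security management;physical security control devices;Automatic control;Computer architecture;Detectors;Engines;Force measurement;Information management;Information security;Intrusion detection;Pattern analysis;Software tools;Information security;OSSIM;alert correlation;physical security;security consoles},
  abstract  = {Security consoles are among the most widely deployed tools for information security management in today's organizations. This article summarizes the work of our research team, in order to incorporate several enhancements to the OSSIM information security console. Such enhancements include integration with physical security control devices, automatic creation of correlation directives for OSSIM's correlation engine, and a significant improvement in information capture reliability on high-traffic networks.}
}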
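@mastersthesis{Mercer2013,
  author   = {Mercer, Alan},
  title    = {Security Information and Event Management for Small and Medium-Sized Enterprises},
  school   = {Lule{\aa} University of Technology, Department of Computer Science, Electrical and Space Engineering},
  year     = {2013},
  keywords = {Security Information Event Management (SIEM), Small and Medium Enterprise (SME), Action Design Research (ADR), Design Principles (DP)},
  abstract = {Purpose---This research project sets out to identify the security event management problems perceived in the SME context, prioritise these problems and then seek to solve them through the design and implementation of a prototype Security Information and Event Management (SIEM) system. \par Design/Methodology/Approach---Action Design Research (ADR) is the research methodology used in this research project. ADR combines Action Research (AR) and Design Science (DS) research to solve a problem situation in a specific organisational setting through intervention and evaluation as well as the construction and evaluation of a novel IT artefact. A prototype SIEM was successfully designed and implemented in the case organisation over the course of a ten week intervention. \par Findings---A number of findings emerged related to the testing of Design Principles (DPs) extracted from earlier SIEM research, the testing of ADR in the context of an SME as well as the presentation of nine new DPs for SIEM design and implementation in similar future projects. \par Practical Implications---Apart from a working prototype SIEM in the SME context one output from the research project is a planning and implementation checklist for practitioners for future SIEM design and implementation projects, generalizable to all contexts and not just that of the SME. \par Originality/Value---This research provides a short state-of-the-art summary of current SIEM research, validates two DPs extracted from earlier SIEM research, proposes nine new DPs relevant to future SIEM design and implementation and tests the effectiveness of ADR in the context of an SME research project.}
}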
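@incollection{coppolino+2013b,
  author    = {Coppolino, Luigi and D'Antonio, Salvatore and Formicola, Valerio and Romano, Luigi},
  title     = {Enhancing {SIEM} Technology to Protect Critical Infrastructures},
  booktitle = {Critical Information Infrastructures Security},
  editor    = {H{\"a}mmerli, Bernhard M. and Kalstad Svendsen, Nils and Lopez, Javier},
  series    = {Lecture Notes in Computer Science},
  volume    = {7722},
  publisher = {Springer},
  address   = {Berlin, Heidelberg},
  pages     = {10--21},
  year      = {2013},
  doi       = {10.1007/978-3-642-41485-5_2},
  keywords  = {Security Information and Event Management (SIEM); Supervisory Control and Data Acquisition (SCADA); dam},
  abstract  = {Coordinated and targeted cyber-attacks on Critical Infrastructures (CIs) and Supervisory Control And Data Acquisition (SCADA) systems are increasing and becoming more sophisticated. Typically, SCADA has been designed without having security in mind, which is indeed approached by reusing solutions to protect solely Information Technology (IT) based infrastructures, such as the Security Information and Events Management (SIEM) systems. According to the National Institute of Standards and Technology (NIST), these systems are often ineffective for CIs protection. In this paper we analyze limits of current SIEMs and propose a framework developed in the MASSIF Project to enhance services for data treatment. Particularly, the Generic Event Translation (GET) module collects security data from heterogeneous sources, by providing intelligence at the edge of the SIEM; the Resilient Storage (RS), reliably stores data related to relevant security breaches. We illustrate a prototypal deployment for the dam monitoring and control case study.},
}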
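@incollection{Rieke+2012,
  author        = {Rieke, Roland and Coppolino, Luigi and Hutchison, Andrew and Prieto, Elsa and Gaber, Chrystel},
  title         = {Security and Reliability Requirements for Advanced Security Event Management},
  booktitle     = {Computer Network Security},
  editor        = {Kotenko, Igor and Skormin, Victor},
  series        = {Lecture Notes in Computer Science},
  volume        = {7531},
  publisher     = {Springer},
  address       = {Berlin, Heidelberg},
  pages         = {171--180},
  year          = {2012},
  doi           = {10.1007/978-3-642-33704-8_15},
  keywords      = {security requirements; security information and event management; SIEM; architecting trustworthy systems},
  internal-note = {abstract is byte-identical to the one on Schuette+2012 (10.1007/978-3-642-33704-8_16); its wording (a "comprehensive semantic model") reads like the model-based paper, so this copy is probably the misplaced one -- verify against the publisher record before citing},
  abstract      = {With the growing size and complexity of current ICT infrastructures, it becomes increasingly challenging to gain an overview of potential security breaches. Security Information and Event Management systems which aim at collecting, aggregating and processing security-relevant information are therefore on the rise. However, the event model of current systems mostly describes network events and their correlation, but is not linked to a comprehensive security model, including system state, security and compliance requirements, countermeasures, and affected assets. In this paper we introduce a comprehensive semantic model for security event management. Besides the description of security incidents, the model further allows to add conditions over the system state, define countermeasures, and link to external security models.},
}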
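@incollection{Schuette+2012,
  author        = {Sch{\"u}tte, Julian and Rieke, Roland and Winkelvos, Timo},
  title         = {Model-Based Security Event Management},
  booktitle     = {Computer Network Security},
  editor        = {Kotenko, Igor and Skormin, Victor},
  series        = {Lecture Notes in Computer Science},
  volume        = {7531},
  publisher     = {Springer},
  address       = {Berlin, Heidelberg},
  pages         = {181--190},
  year          = {2012},
  doi           = {10.1007/978-3-642-33704-8_16},
  keywords      = {security strategy meta model; security information and event management; complex event processing},
  internal-note = {abstract is byte-identical to the one on Rieke+2012 (10.1007/978-3-642-33704-8_15); one of the two entries carries the wrong abstract -- verify against the publisher record before citing},
  abstract      = {With the growing size and complexity of current ICT infrastructures, it becomes increasingly challenging to gain an overview of potential security breaches. Security Information and Event Management systems which aim at collecting, aggregating and processing security-relevant information are therefore on the rise. However, the event model of current systems mostly describes network events and their correlation, but is not linked to a comprehensive security model, including system state, security and compliance requirements, countermeasures, and affected assets. In this paper we introduce a comprehensive semantic model for security event management. Besides the description of security incidents, the model further allows to add conditions over the system state, define countermeasures, and link to external security models.},
}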
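@incollection{Boesch2013,
  author    = {B{\"o}sch, Bj{\"o}rn-C.},
  title     = {Approach to Enhance the Efficiency of Security Operation Centers to Heterogeneous {IDS} Landscapes},
  booktitle = {Critical Information Infrastructures Security},
  editor    = {H{\"a}mmerli, Bernhard M. and Kalstad Svendsen, Nils and Lopez, Javier},
  series    = {Lecture Notes in Computer Science},
  volume    = {7722},
  publisher = {Springer},
  address   = {Berlin, Heidelberg},
  pages     = {1--9},
  year      = {2013},
  doi       = {10.1007/978-3-642-41485-5_1},
  keywords  = {IDXP; Intrusion Detection; Standardization; Parameterization; IDS Management},
  abstract  = {Critical infrastructures include large scale environments with different platforms and / or platform generations. The maintenance interval of such large scaled, distributed systems to patch vulnerabilities increases with the amount of entities. IDS are necessary to protect the vulnerable system / entity until the patch will be applied to the distributed entity. This paper presents an approach to separate the IDS manager from the rest of an IDS by a standardized IDS parameterization independent of its scope (host based or network based IDS) and vendor. The exchange of the parameterization was integrated via communication modules in three open source IDS to demonstrate the common applicability of the format. An enhanced IDS model of the IETF will be illustrated.},
}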
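@incollection{AlcarazTuran2013,
  author    = {Alcaraz, Cristina and S{\"o}nmez Turan, Meltem},
  title     = {{PDR}: A Prevention, Detection and Response Mechanism for Anomalies in Energy Control Systems},
  booktitle = {Critical Information Infrastructures Security},
  editor    = {H{\"a}mmerli, Bernhard M. and Kalstad Svendsen, Nils and Lopez, Javier},
  series    = {Lecture Notes in Computer Science},
  volume    = {7722},
  publisher = {Springer},
  address   = {Berlin, Heidelberg},
  pages     = {22--33},
  year      = {2013},
  doi       = {10.1007/978-3-642-41485-5_3},
  keywords  = {Detection; Energy Control Systems; Industrial Wireless Sensor Networks; MANET; Prevention; Response; The Internet; Wide-Area Situational Awareness},
  abstract  = {Prevention, detection and response are nowadays considered to be three priority topics for protecting critical infrastructures, such as energy control systems. Despite attempts to address these current issues, there is still a particular lack of investigation in these areas, and in particular in dynamic and automatic proactive solutions. In this paper we propose a mechanism, which is called PDR, with the capability of anticipating anomalies, detecting anomalous behaviours and responding to them in a timely manner. PDR is based on a conglomeration of technologies and on a set of essential components with the purpose of offering situational awareness irrespective of where the system is located. In addition, the mechanism can also compute its functional capacities by evaluating its efficacy and precision in the prediction and detection of disturbances. With this, the entire system is able to know the real reliability of its services and its activity in remote substations at all times.},
}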
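@article{bosch2012standardized,
  author  = {B{\"o}sch, Bj{\"o}rn-C.},
  title   = {Standardized Parameterization of Intrusion Detection Systems},
  journal = {International Journal of Advanced Research in Computer Engineering \& Technology ({IJARCET})},
  volume  = {1},
  number  = {3},
  pages   = {1--5},
  month   = may,
  year    = {2012},
  url     = {http://ijarcet.org/wp-content/uploads/IJARCET-VOL-1-ISSUE-3-1-5.pdf},
}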
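@article{boscheconomical,
  author   = {B{\"o}sch, Bj{\"o}rn-C.},
  title    = {Economical Benefits of Standardized Intrusion Detection Parametrization},
  journal  = {International Journal of Scientific \& Technology Research},
  volume   = {1},
  number   = {10},
  pages    = {18--23},
  month    = nov,
  year     = {2012},
  url      = {http://www.ijstr.org/final-print/nov2012/Economical-Benefits-of-Standardized-Intrusion-Detection-Parametrization.pdf},
  keywords = {IDPEF; IDXP; Intrusion Detection; Network Management; System Management},
  abstract = {Intrusion Detection Systems (IDS) are very important to protect important services against malicious actions. Detailed knowledge of information processing and protocols are necessary to protect the services and systems sufficient against attacks. IDS are currently independent and coexisting solutions. Each single IDS requires its individual administration access, administration handling and management infrastructure. Possible savings of a standardized parameterization infrastructure over all IDS will be analyzed. In every part of the solution life cycle process, design, infrastructure and additional expenses were analyzed. Based on the Return-on-Security-Investments model the benefit of a standardized parameterization was pointed out.},
}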
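@article{alcaraz2014wasam,
  author    = {Alcaraz, Cristina and Lopez, Javier},
  title     = {{WASAM}: A Dynamic Wide-Area Situational Awareness Model for Critical Domains in {Smart Grids}},
  journal   = {Future Generation Computer Systems},
  volume    = {30},
  pages     = {146--154},
  month     = jan,
  year      = {2014},
  publisher = {North-Holland},
  doi       = {10.1016/j.future.2013.06.030},
  abstract  = {Control from anywhere and at anytime is nowadays a matter of paramount importance in critical systems. This is the case of the Smart Grid and its domains which should be monitored through intelligent and dynamic mechanisms able to anticipate, detect and respond before disruptions arise within the system. Given this fact and its importance for social welfare and the economy, a model for wide-area situational awareness is proposed in this paper. The model is based on a set of current technologies such as the wireless sensor networks, the ISA100.11a standard and cloud-computing together with a set of high-level functional services. These services include global and local support for prevention through a simple forecast scheme, detection of anomalies in the observation tasks, response to incidents, tests of accuracy and maintenance, as well as recovery of states and control in crisis situations.},
}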
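@techreport{Kent:2006:SGC:2206303,
  author      = {Kent, Karen and Souppaya, Murugiah P.},
  title       = {Guide to Computer Security Log Management},
  institution = {Computer Security Division, Information Technology Laboratory, National Institute of Standards \& Technology},
  type        = {{NIST} Special Publication},
  number      = {800-92},
  address     = {Gaithersburg, MD, United States},
  month       = sep,
  year        = {2006},
  doi         = {10.6028/NIST.SP.800-92},
  url         = {http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.zip},
}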
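@misc{IDMEF,
  author       = {Debar, Herv{\'e} and Curry, David A. and Feinstein, Benjamin S.},
  title        = {The Intrusion Detection Message Exchange Format ({IDMEF})},
  howpublished = {RFC 4765 (Experimental)},
  series       = {Request for Comments},
  number       = {4765},
  organization = {Internet Engineering Task Force},
  publisher    = {IETF},
  month        = mar,
  year         = {2007},
  doi          = {10.17487/RFC4765},
  url          = {http://tools.ietf.org/html/rfc4765},
  abstract     = {The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. \par This document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided.},
}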
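@article{6200255,
  author   = {Kufel, L.},
  title    = {Security Event Monitoring in a Distributed Systems Environment},
  journal  = {IEEE Security \& Privacy},
  volume   = {11},
  number   = {1},
  pages    = {36--43},
  month    = jan,
  year     = {2013},
  doi      = {10.1109/MSP.2012.61},
  keywords = {distributed processing;security of data;HR systems;IT security event management;distributed systems environment;email communication;internal portals;operational environment;security event monitoring;Computer security;Distributed processing;Event detection;Information technology;Monitoring;Servers;Software engineering;distributed systems;events monitoring;monitoring on demand;security events},
  abstract = {Today, organizations depend much more on IT than they did in the past. Services such as internal portals, email communication, and financial and HR systems rely on computers to move businesses forward. These systems are under pressure to be securer than ever to protect organizations' operational environment. One aspect to consider in this situation is IT security event management. This article presents the design and implementation of two security event monitoring approaches in a distributed systems environment.},
}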

This file was generated by bibtex2html 1.96.