Socio-technical Security Value Chain
1. A Framework and Prototype for a Socio-Technical Security Information and Event Management System (ST-SIEM)
Bilal AlSabbagh
Department of Computer and Systems Science
Stockholm University
Stockholm, Sweden
bilal@dsv.su.se
Stewart Kowalski
Norwegian Information Security Lab
Center for Cyber and Information Security
Norwegian University of Science and Technology
Gjøvik, Norway
stewart.kowalski@ntnu.no
2. Outline (19 slides, 15 minutes!)
• Personal Introductions
  – Industrial Doctoral Student (1 slide)
  – A very old jaded Cyber Security (Knowledge) Worker (3 slides)
• Meta Goal and Goal ($)
  – (5 minutes – 6 slides)
• Problem(s) and Background(s)
  – (5 minutes – 3 slides)
• Contributions
  – (5 minutes – 4 slides)
• Questions and Next Steps
  – (5 minutes – 2 slides)
3. Bilal Al Sabbagh
• Academic Credentials:
  – PhD Candidate, DSV, Stockholm University
  – Research Interests:
    • Social aspects of information security, security culture
  – Academic Degrees:
    • MSc Information and Communication Systems Security, KTH, 2006
    • BSc Computer Engineering, 2002
• Industrial Credentials:
  – Information and Network Security Consultant at
  – Works full time with the security of the .sa top-level domain (Saudi Arabia)
  – Professional certifications: CISSP, CISA, CCSP, CCNA
10/2/2016
Bilal Al Sabbagh, DSV
4. JAG = A CUP THAT RUNNETH OVER
My research work and industrial work in security stretch over 30 years and include both theoretical and empirical research in security, as well as products and services.
5. INDUSTRIAL VS UNIVERSITY WORK
Industrial work: deal with complex problems. Must give simple solutions.
University work: deal with simple problems. Must give complex solutions.
As a Professor "Swedish rumpnisse" in Norway I have earned the right to ask simple questions and give complex answers!
6–14. IT/IS SECURITY VALUE CHAIN
Stages of the chain: Researching – Teaching – Standardizing + Regulation – Product Management – Development – Sales – Support – Operations & Services

Career positions mapped onto the chain:
1988          Crypto Key Management Systems Designer, Philips Financial Business System
1989          Assistant Professor, Computer & Telecom Security and Business: Stockholm University, Royal Institute of Technology, University College Gävle, Stockholm School of Economics
1998          Manager Research, Business + Security, Telia
1999          Senior Security Management Consultant, Ericsson
2002          Strategic Product Manager, Security and Fraud Prevention, Core Networks, Ericsson
2003          Manager, Ericsson Security Evaluations Competence Center
2006–2009     Manager Risk & Security, Business Unit Global Services, Global Network Operations Center
2009–2011     Senior Security Architect and Product Manager, Huawei Technologies
17 May 2010   Associate Professor
1 April 2011  Full-time academic
15. Meta Goal of the Research
• 7-year industrial doctoral research plan to investigate how best to add value ($) to the socio-technical global cyber security value chain.
• In system X
16. Concrete Goal
Open Source Security Event Management Systems: how to make them socio-technically more efficient and/or cheaper?
17. A Value Chain is
• the interconnected group of industry participants that collectively create value for the end user.
• If technologies or services are to succeed, they must deliver financial or operational value at every stage of the chain.
• For any technology or service to be adopted, each element on the chain must add value for the next element.
Ref: The Strategic Implications of Computing and the Internet on Wireless: The Competitive Blur Through 2008, Herschel Schoteck Associates.
Meta-Goal
18. Security Spending Mental Models
IT workers as individuals (Saudi Arabia)
[Figure: spending/priority grouped by Personal, Organizational and National level across the phases Deter, Prevent, Detect, Correct, Recover]
Bilal Al Sabbagh, Stewart Kowalski - DSV
20. Concrete Value Chain
Hardware – Software – Systems – Services
"the primary defining concept in a value chain is what the customer is willing to pay for"
Porter 1985, Competitive Advantage
21. Security Value Chain: Concrete $ View
Hardware – Software – System – Services – Buyers

Total global market size for e-business security products in $ millions (2000–2005)

Segment                    2000     2001     2002     2003     2004     2005
Access security             940    2,160    4,830    7,850   12,690   16,120
Communication security      810    1,610    2,970    4,680    7,340    9,040
Content security            660    1,300    2,390    3,700    5,660    6,910
Security management         700    1,520    2,790    4,460    9,490   11,820
Services                    410    1,020    2,390    4,610    9,050   14,780
Total                     3,520    7,610   15,370   25,300   44,230   58,670

$ Security Incident Event Management Systems and Services $
22. Outline
• Goal and Meta Goal ($)
  – (5 minutes – 6 slides)
• Concrete Problem and Background
  – (5 minutes – 3 slides)
• Contributions
  – (5 minutes – 4 slides)
• Questions and Next Steps
  – (5 minutes – 2 slides)
23. National Computer Emergency Response Teams' (CERTs') Role
• Support organizations with security incident response capabilities
• Provide actionable security information
• Utilize several tools (SIEMs and others) for effectiveness and efficiency
• Collect, prepare, process, enrich and disseminate security information
Background
24. Problems with Security Event Management
Reduce false positives by ABC = Always Be Contextualizing
Ref: https://www.linkedin.com/pulse/contextualization-security-analytics-niranjan-mayya
25. ENISA HIGHLIGHTS
• Actionable information disseminated by CERTs is not equally relevant (or even actionable) to all constituents
• Security managers face the challenge of how to respond to this information using their information security management systems (ISMS)
Problem
[Figure: information flow from CERT.SE to Company X SIEM and Company X ISMS]
26. Outline
• Goal and Meta Goal ($)
  – (5 minutes – 2 slides)
• Problem and Background
  – (5 minutes – 5 slides)
• Contributions
  – (5 minutes – 6 slides)
• Questions and Next Steps
  – (5 minutes – 2 slides)
27. Paper contribution
1. Framework for a socio-technical SIEM to improve security response at organizations
2. Correlating technical security events with the risk escalation maturity levels of constituents (socio-technical)
3. The risk factor is not generic but directed, based on the organization's security culture and technological security posture
28. Paper contribution 1
• Framework for a socio-technical SIEM to improve security response at organizations
29. Paper contribution 2
• Correlating technical security events with the risk escalation maturity levels of constituents (socio-technical)
30. Framework for information security risk management and escalation
Combination of the NIST and ISO frameworks
32. Paper contribution 3
• The risk factor is not generic but directed, based on the organization's security culture and technological security posture
33. Security Event: the managed organization firewall has rejected a connection from a source host to the destination organization asset because the configured per-client connection limit was exceeded.
Priority: 1 of 5    Reliability: 1 of 10
Targeted asset value: 4 of 5 (the asset in this case was the DNS server)
Risk factor: (asset value × priority × reliability) / 25 = 4 × 1 × 1 / 25 = 0.16 on a scale of 0 to 10
Contribution 3
Page 73 of the AlienVault USM v5 user guide: https://www.alienvault.com/doc-repo/usm/v5/USM-v5-User-Guide.pdf
34. Outline
• Goal and Meta Goal ($)
  – (5 minutes – 2 slides)
• Problem and Background
  – (5 minutes – 5 slides)
• Contributions
  – (5 minutes – 4 slides)
• Next Steps and Your Suggestions/Questions
  – (5 minutes – 2 slides)
35. Next Step
Desk-top / ex-post risk scenario test of the socio-technical correlation engine
Risk factor = f(security event technical attributes, organization risk escalation maturity level)
[Figure: ex-ante and ex-post risk scenarios flowing from CERT.X to organizations at maturity levels ML3 ... MLN]
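As an added example that is not part of the paper, the slides or the AlienVault product, the following Python reproduces the vendor-style risk factor used on slide 33 (asset value × priority × reliability / 25) and then makes it "directed" in the sense of contribution 3 and the next-step formula on slide 35: the same technical event is weighted by the constituent's risk escalation maturity level before an escalation decision is taken. The maturity weights, the escalation threshold, the event fields and the sample events are all constructed assumptions for illustration; only the 4 × 1 × 1 / 25 = 0.16 DNS case comes from the slide.

```python
"""Added example (not the ST-SIEM paper's code, not AlienVault's):
vendor-style event risk factor, then a maturity-weighted variant so the
same technical event escalates differently per constituent.

Assumptions, all constructed for illustration: the MATURITY_WEIGHT table,
the escalation threshold of 1.0, and the sample events in EVENTS.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityEvent:
    description: str
    priority: int      # 1..5  (event priority, as on slide 33)
    reliability: int   # 1..10 (event reliability, as on slide 33)
    asset_value: int   # 1..5  (value of the targeted asset)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs: a mis-scaled field silently distorts the score.
        _check("priority", self.priority, 1, 5)
        _check("reliability", self.reliability, 1, 10)
        _check("asset_value", self.asset_value, 1, 5)


def _check(name: str, value: int, low: int, high: int) -> None:
    if not low <= value <= high:
        raise ValueError(f"{name}={value} is outside {low}..{high}")


def technical_risk(event: SecurityEvent) -> float:
    """Generic risk factor on a 0..10 scale: asset value x priority x reliability / 25."""
    return event.asset_value * event.priority * event.reliability / 25


# Assumed weights for risk escalation maturity levels 1 (lowest) to 5 (highest).
# A less mature constituent has the same event scored higher so it is pushed to
# escalate; a mature one is trusted to handle low-risk events locally.
MATURITY_WEIGHT = {1: 1.5, 2: 1.25, 3: 1.0, 4: 0.85, 5: 0.7}


def socio_technical_risk(event: SecurityEvent, maturity_level: int) -> float:
    """Risk factor = f(technical attributes, maturity level), clamped to the 0..10 scale."""
    if maturity_level not in MATURITY_WEIGHT:
        raise ValueError(f"unknown maturity level {maturity_level}")
    return min(10.0, technical_risk(event) * MATURITY_WEIGHT[maturity_level])


def escalation_queue(events, maturity_level: int, threshold: float = 1.0):
    """Events a constituent at this maturity level should escalate, highest risk first."""
    scored = [(socio_technical_risk(e, maturity_level), e) for e in events]
    ranked = sorted(scored, key=lambda pair: pair[0], reverse=True)
    return [e for risk, e in ranked if risk >= threshold]


# Constructed sample events. EVENTS[0] is the firewall/DNS example from slide 33.
EVENTS = [
    SecurityEvent("firewall rejected connection to DNS server: per-client limit exceeded",
                  priority=1, reliability=1, asset_value=4),
    SecurityEvent("repeated failed logins against mail gateway",
                  priority=2, reliability=3, asset_value=4),
    SecurityEvent("known malware callback from domain controller",
                  priority=4, reliability=8, asset_value=5),
]

if __name__ == "__main__":
    for level in (1, 3, 5):
        queue = [e.description for e in escalation_queue(EVENTS, level)]
        print(f"maturity level {level}: escalate {queue}")
```

Running it shows the point of the slide: the DNS event scores 0.16 whatever the weight, because a priority and reliability of 1 swamp the asset value of 4, while the mail-gateway event (0.96 generically) is escalated only for the least mature constituent. In a real deployment the weight table would be derived from the organization's measured maturity level and security culture, and the inputs would be validated at ingestion, as the range checks above do, before any score is trusted.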