Functional model of cybersecurity situation center
DOI: https://doi.org/10.20535/2411-1031.2018.6.2.153490
Keywords: Diamond Model, Q Model, Cyber Kill Chain, Adaptive Cybersecurity Model, Cybersecurity Situation Center, indicators of compromise, cyber incident, functional model, IDEF.
Abstract
In general, building a cybersecurity center is understood as building a SOC whose main function is to monitor and analyse cyber threats and to respond to cyber incidents in real time. This approach pays insufficient attention to the stages of intrusion prevention and of eliminating the consequences of cyber attacks. Published studies show that SOC functions can be expanded, but they are not formalized or described in terms of the functions on which such a Cybersecurity Situation Center (hereinafter the CSSC) relies. The aim of this work is to analyse the existing cybersecurity models and to build a functional model of a modern cyber protection center. To achieve this goal, the article reviews models for analysing cyber attacks from the researcher's position (the Diamond Model and the Q Model), a model of how cyber attacks are carried out from the attacker's position (the Cyber Kill Chain) and models with a wider range of analytical approaches (the Adaptive Security Model). The cyber protection functions before, during and after a cyber attack are determined, taking into account the data needed to analyse a cyber attack, the stages in which an attack is carried out and the architecture of an adaptive security system. The analysis of the selected models leads to a proposed organizational model of a modern cyber protection center, defines its components and formulates its main functions. The CSSC is proposed to be implemented as a Cybercrime Intelligence Unit, a Monitoring and Incident Security Control Unit and a Cyber Incident Response Team. The model represents the logical links between these structures and the information flows that circulate between them. The functional model at the A-0 and A0 levels is presented in accordance with the IDEF0 notation.
The main function of the cyber protection center, its input and output data, the resources used while the center operates and the main restrictions under which a modern center works are determined. The presented diagrams visualise the results of the functional analysis of the cyber protection center. In subsequent decomposition they also make it possible to define requirements for the center's components, to form the organizational structure of each unit and to establish the functional responsibilities of each employee.
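As an added illustration of the A-0/A0 decomposition described above (this is example code written for this page, not a model or tool from the article), the following Python sketch encodes the parent box A-0 and the three units as IDEF0 boxes with their ICOM arrows (Inputs, Controls, Outputs, Mechanisms) and then checks the two properties an IDEF0 reviewer looks for: every box has at least one control and one output, and the child diagram's boundary arrows agree with the parent box (no arrow enters from nowhere, no parent arrow is unused, no child output dangles). The unit names and the before/during/after assignment follow the abstract; every arrow label ("security telemetry", "indicators of compromise", "SIEM/TIP tooling" and so on) is an assumption made for illustration and is not taken from the article.

```python
"""IDEF0-style sketch of a cybersecurity situation center (CSSC) with ICOM
consistency checks. Added example: unit names follow the abstract; all arrow
labels are assumed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    """One IDEF0 box: node number, name, attack phase and the four ICOM arrow sets."""
    node: str
    name: str
    phase: str                 # "before", "during" or "after" the cyber attack
    inputs: frozenset
    controls: frozenset
    outputs: frozenset
    mechanisms: frozenset


def cssc_model():
    """Return (A-0 parent box, [A1, A2, A3] child boxes). Arrow labels are assumed."""
    parent = Activity(
        "A-0", "Provide cyber protection", "all",
        inputs=frozenset({"security telemetry", "threat reports"}),
        controls=frozenset({"legislation", "security policy"}),
        outputs=frozenset({"incident reports", "countermeasures"}),
        mechanisms=frozenset({"analysts", "SIEM/TIP tooling"}),
    )
    children = [
        Activity("A1", "Cybercrime Intelligence Unit", "before",
                 inputs=frozenset({"threat reports"}),
                 controls=frozenset({"security policy"}),
                 outputs=frozenset({"indicators of compromise"}),
                 mechanisms=frozenset({"analysts", "SIEM/TIP tooling"})),
        Activity("A2", "Monitoring and Incident Security Control Unit", "during",
                 inputs=frozenset({"security telemetry"}),
                 # IoCs from A1 steer monitoring, so they arrive as a control, not an input
                 controls=frozenset({"security policy", "indicators of compromise"}),
                 outputs=frozenset({"detected incidents"}),
                 mechanisms=frozenset({"analysts", "SIEM/TIP tooling"})),
        Activity("A3", "Cyber Incident Response Team", "after",
                 inputs=frozenset({"detected incidents"}),
                 controls=frozenset({"legislation", "security policy"}),
                 outputs=frozenset({"incident reports", "countermeasures"}),
                 mechanisms=frozenset({"analysts"})),
    ]
    return parent, children


def validate_box(box):
    """IDEF0 rule: every box needs at least one control and one output arrow."""
    errors = []
    if not box.controls:
        errors.append(f"{box.node}: no control arrow")
    if not box.outputs:
        errors.append(f"{box.node}: no output arrow")
    return errors


def validate_decomposition(parent, children):
    """Check that the child diagram is consistent with the parent box it decomposes."""
    errors = []
    for box in children:
        errors += validate_box(box)
        for m in sorted(box.mechanisms - parent.mechanisms):
            errors.append(f"{box.node}: mechanism '{m}' is not on the parent box")
    produced = {o for c in children for o in c.outputs}
    consumed = {a for c in children for a in c.inputs | c.controls}
    boundary_in = parent.inputs | parent.controls
    # An arrow consumed by a child but produced by no sibling must come from the parent.
    for a in sorted((consumed - produced) - boundary_in):
        errors.append(f"{parent.node}: '{a}' enters the diagram but is not a parent input/control")
    # Every parent input/control must be used by at least one child.
    for a in sorted(boundary_in - consumed):
        errors.append(f"{parent.node}: parent arrow '{a}' is unused by any child")
    # Every parent output must be produced by some child.
    for o in sorted(parent.outputs - produced):
        errors.append(f"{parent.node}: parent output '{o}' is produced by no child")
    # A child output that neither feeds a sibling nor leaves the diagram is dangling.
    for o in sorted(produced - consumed - parent.outputs):
        errors.append(f"{parent.node}: output '{o}' is dangling (not consumed, not a parent output)")
    return errors


def validate(parent, children):
    """All IDEF0 checks for one level of decomposition; an empty list means consistent."""
    return validate_box(parent) + validate_decomposition(parent, children)


if __name__ == "__main__":
    parent, children = cssc_model()
    for line in validate(parent, children) or ["model is ICOM-consistent"]:
        print(line)
```

The value of the check shows up when the model is edited: dropping "indicators of compromise" from the controls of A2 makes the A1 output dangle, which is exactly the "intelligence produced but never consumed by monitoring" gap the abstract argues a plain SOC leaves open. Further decomposition of A1, A2 and A3 into their own diagrams can reuse `validate_decomposition` with each unit as the parent.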
References
Cisco, Annual Cybersecurity Report 2018. [Online]. Available: www.cisco.com/c/dam/global/ru_ru/assets/offers/assets/cisco_2018_acr_ru.pdf.
C. Zimmerman, Ten Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation, 2014.
J. Muniz, G. McIntyre, and N. AlFardan, Security Operations Center. Cisco Press, 2016.
M. Sanders, "How to Get the Most Value out of Your MSSP and Security Operations". [Online]. Available: https://securityintelligence.com/how-to-get-the-most-value-out-of-your-mssp-and-security-operations.
Adaptive cybersecurity model for the protection of industrial facilities. [Online]. Available: https://www.kaspersky.ru/blog/ics-asa/4455.
S. Caltagirone, A. Pendergast, and C. Betz, "The Diamond Model of Intrusion Analysis", Center for Cyber Intelligence Analysis and Threat Research, Hanover, MD, Technical Report ADA586960, 05 July 2013.
T. Rid, and B. Buchanan, "Attributing Cyber Attacks", The Journal of Strategic Studies, vol. 38, no. 1-2, pp. 4-37, 2015. doi: 10.1080/01402390.2014.977382.
E. M. Hutchins, M. J. Cloppert, and R. M. Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, 2010.
I. Tarnowski, "How to use cyber kill chain model to build cybersecurity?", European Journal of Higher Education IT. [Online]. Available: http://www.eunis.org/download/TNC2017/TNC17-IreneuszTarnowski-cybersecurity.pdf.
N. MacDonald, and P. Firstbrook, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. Gartner, 2014.
National Institute of Standards and Technology, NIST SP 800-150, Guide to Cyber Threat Information Sharing, Oct. 2016. doi: 10.6028/NIST.SP.800-150.
H. Bronk, M. Thorbruegge, and M. Hakkaja, CSIRT Setting up Guide. ENISA, 2006.
Nippon CSIRT Association, CSIRT Starter Kit, 2016.
C. Feldmann, The Practical Guide to Business Process Reengineering Using IDEF0. Dorset House Publishing, New York, 1998.
License
Copyright (c) 2020 Collection "Information technology and security"
This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors published in this collection agree to the following terms:
- The authors retain the rights of authorship of their work and grant the collection the right of first publication; the work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with the obligatory reference to the authors of the original work and to its first publication in this collection.
- The authors have the right to conclude separate agreements on the non-exclusive distribution of the work in the form in which it was published in this collection (for example, to place the work in an institutional digital repository or to publish it as part of a monograph), provided that reference is made to the first publication of the work in this collection.
- The journal's policy allows and encourages authors to post the manuscript of the work on the Internet (for example, in repositories or on personal websites) both before its submission to the editor and during its editorial processing, as this contributes to productive scientific discussion and has a positive effect on the speed and number of citations of the published work (see The Effect of Open Access).