Functional model of cybersecurity situation center
Keywords:Diamond Model, Q Model, Cyber Kill-Chain, Adaptive Cybersecurity Model, Cybersecurity Situation Center, Compromise Indicators, cyber incident, functional model, IDEF.
In general, the issue of building cybersecurity centers mainly stands for building a SOC which main function is monitoring and analyzing cybercrime questions and responding to cyber incidents online. The approach, mentioned above, implies insufficient attention to the stages of intrusions` prevention and the elimination of cyber attacks` outcomes. Conducted investigations represent the possibility of SOCs` functions expanding , but they are not formalized and described in terms of functions, which rely on such Cybersecurity Situation Center (hereinafter referred to as the CSSC). The aim of this work is to analyze the existing cybersecurity models and build a functional model of modern cyberprotection center. The article reviews cyberattacks` analyzing models from the position of a researcher (Diamond Model and Q Model), the implementation of cyberattacks from the position of an attacker (Model Cyber Kill-Chain) and models with a wider range of analytical approaches (Adaptive Safety Model) to achieve this goal. The functions of cyberprotection before, during and after cyberattacks have been determined taking into consideration data needs for cyberattack analysis, understanding of cyberattacks` realization stages and the Adaptive Security System`s architecture. The results of the selected models` analysis allow to suggest a new organizational model of a modern cyberprotection center as well as define it`s components and formulate main functions. The implementation of the CSSC is proposed to be realized through the construction of Cybercrime Intelligence Unit, Monitoring and Incident Security Control Unit and Cyber Incident Response Team. The mentioned model represents logical links between structures and information streams which circulate between them. The presented functional model of A-0 and A0 levels is based on the IDEF notations` requirements. The main cyberprotection center`s function, input and output data as well as the resources used in the process of center functioning , main restrictions under which the modern center operates are determined. The presented notations display the visualisations which demonstrate the results of the cyberprotection center`s functional analysis. They also give an opportunity to determine requirements for the center`s components, form the organizational structure of each unit and establish each employee`s functional responsibilities in subsequent decomposition.
Annual report on information security. Cisco 2018. [Online]. Available: www.cisco.com/c/dam/global/ru_ru/assets/offers/assets/cisco_2018_acr_ru.pdf.
C. Zimmerman. Ten Strategies of a World-Class Cybersecurity Operations Center. The MITRE Corporation, 2014.
J. Muniz, G. McIntyre, and N. AlFardan. Security Operations Center. Cisco Press, 2016.
M. Sanders, “How to Get the Most Value out of Your MSSP and Security Operations” [Online]. Available: https://securityintelligence.com/how-to-get-the-most-value-out-of-your-mssp-and-security-operations.
Модель адаптивної кібербезпеки для захисту промислових об’єктів [Електронний ресурс]. Доступно: https://www.kaspersky.ru/blog/ics-asa/4455.
S. Caltagirone, A. Pendergast, and C. Betz, “Diamond Model of Intrusion Analysis”, Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, Technical Report ADA586960, 05 July 2013.
T. Rid, and B. Buchanan, “Attributing Cyber Attacks”, The Journal of Strategic Studies, vol. 38, no. 1-2, pp. 4-37, 2015.
E. M. Hutchins, M. J. Clopperty, and R. M. Amin, Ph.D. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation, 2010.
I. Tarnowski, “How to use cyber kill chain model to build cybersecurity?”, European Journal of Higher Education IT [Online]. Available: http://www.eunis.org/download/TNC2017/ TNC17-IreneuszTarnowski-cybersecurity.pdf.
N. MacDonald, and P. Firstbrook, Designing an Adaptive Security Architecture for Protection From Advanced Attacks. Gartner, 2014.
National Institute of Standards and Technology. (Okt. 31, 2016). NIST SP 800-150. Guide to Cyber Threat Information Sharing, 2014. doi: 10.6028/NIST.SP.800-150.
H. Bronk, M. Thorbruegge, and M. Hakkaja. CSIRT Setting up Guide, 2006.
Nippon CSIRT Association. CSIRT Starter Kit, 2016.
C. Feldmann. The Practical Guide to Business Process Reengineering Using IDEF0. Dorset House Publishing, New York, 1998.
How to Cite
Copyright (c) 2020 Collection "Information technology and security"
This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors that are published in this collection, agree to the following terms:
- The authors reserve the right to authorship of their work and pass the collection right of first publication this work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with the obligatory reference to the authors of the original work and the first publication of the work in this collection.
- The authors have the right to conclude an agreement on exclusive distribution of the work in the form in which it was published this anthology (for example, to place the work in a digital repository institution or to publish in the structure of the monograph), provided that references to the first publication of the work in this collection.
- Policy of the journal allows and encourages the placement of authors on the Internet (for example, in storage facilities or on personal web sites) the manuscript of the work, prior to the submission of the manuscript to the editor, and during its editorial processing, as it contributes to productive scientific discussion and positive effect on the efficiency and dynamics of citations of published work (see The Effect of Open Access).