METHODOLOGY

DiSIEM will bring together research in several technologies, including machine learning, probabilistic models for security assessment, application behaviour monitoring, novel methods for data visualisation, cloud storage and security key performance metrics. These techniques will be used to enhance existing SIEMs. The project will be executed in five phases (see figure below).

To achieve the DiSIEM objectives, the first step of the project will be to study the most prominent SIEMs in detail and assess their extensibility features. We already know that all of these systems can create new custom connectors and allow queries on their event database. However, we will study and clearly identify how these features should be used, and compare how the extensibility capabilities differ between the SIEMs. As an initial goal, we aim to survey and clearly identify the extension capabilities of the three full-fledged SIEM systems that we will use in the project: HP ArcSight, IBM QRadar and AlienVault OSSIM. Alternative SIEMs that we are considering for DiSIEM enhancements include Splunk App for Enterprise Security, OpenSOC and ELK-based platforms.

Knowing how to extend these systems, we will define a reference architecture to guide the integration of the novel components into a SIEM. This architecture will define the key components and responsibilities of the developed enhancements, ensuring that they can easily work together.

In parallel with this activity, an in-depth analysis of the state of the art will be conducted in all technical areas of the DiSIEM project. We will produce detailed reports summarising the findings and defining the requirements for the new components. After this stage, each component will be developed, mostly independently, starting with detailed design documents agreed on by all involved partners. We will then implement the enhanced tools and mechanisms outlined above and integrate the contributions into the existing SIEMs. These reports and components will constitute the deliverables of the project, detailed in Section 3 of this proposal.

All developed components will be internally tested and validated by each partner, following standard testing and quality assurance methodologies employed in software development. After this phase, all components will be made available to the partners that operate SIEMs. These partners will define a validation plan for the components and will integrate them into their SIEMs through a two-stage deployment:

  • First, they will deploy the components in the controlled (non-production) environments that they maintain for testing new configurations and components of their SIEMs (all partners that operate a SIEM already have such environments). This will enable a safe first phase of validation of the components and the identification of any integration or performance problems. The partners responsible for developing the components will be readily available to correct any problems or concerns and to perform enhancements based on the operators' feedback;
  • The second phase of the validation will be done through a controlled deployment in the industrial partners' production environments.