The DiSIEM project aims to address the limitations of SIEMs already deployed in production. Instead of proposing novel architectures for future SIEMs or modifications to existing ones, the project will address these limitations by extending current systems, leveraging their built-in capacity for extension and customisation. The core idea of the project is to enhance existing SIEM systems with several diversity mechanisms, representing five main advances in the state of the art:
- Integrate diverse OSINT (Open Source Intelligence) data sources available on the web, such as NIST's National Vulnerability Database and the vulnerability and patch databases offered by vendors; threat intelligence data that organisations share with each other (e.g., Internet address, URL and file reputation databases such as SANS ISC, VirusTotal, ThreatExpert, SpamHaus, OpenBL, EmergingThreats); security blogs and data streams from social networks (e.g., Twitter, Facebook, LinkedIn); paste sites and similar platforms also used by underground communities (e.g., Pastebin); search engines and online repositories (e.g., Google Hacking Database, Shodan, RIPE/ARIN, Whois); standards-based Indicators of Compromise, or IOCs (e.g., STIX and OpenIOC); and many others. This data needs to be fetched, analysed, normalised into a common schema and fused so that relationships, trends and anomalies across sources become visible, helping SOCs react to new vulnerabilities affecting the monitored infrastructure, or even predict emerging threats against it. Because each source has its own format, coverage and false-positive rate, fusion should record which sources report an indicator rather than simply merging them, so that corroboration between independent sources can be used as a confidence signal.
- Develop novel probabilistic security models and risk-based metrics that help security analysts decide which infrastructure configurations offer better security guarantees, and that increase the capacity of SOCs to communicate the security status of the organisation to C-level managers.
- Design novel visualisation methods for the diverse live and archival data sets, so that the security analysts working in the SOCs that operate the SIEM can extract high-level security insight from the data and make better-supported decisions.
- Increase the value of the events fed to the SIEM by integrating diverse, redundant and enhanced monitoring capabilities into its ecosystem, i.e., sensors and protection tools built from a set of diverse products. For example, if three different intrusion detection systems monitor the same critical part of the network, an alarm that two or three of them raise for the same traffic deserves considerably more confidence than an alarm raised by only one, provided the systems do not fail in the same way on the same inputs. Implementing such mechanisms therefore requires probabilistic modelling of diversity for security, to determine which combinations of tools are more effective and how much improvement can realistically be expected from them. Likewise, we propose to deploy and integrate novel behavioural anomaly detectors for business-critical applications, improving the SIEM's visibility into the functional security status of these monitored applications.
- Add support for long-term archival of events in public cloud storage services. Because archived events contain a great deal of sensitive information, they will be stored across diverse cloud providers (e.g., Amazon, Windows Azure, Google) using techniques such as secret sharing and information dispersal, so that no single provider holds enough to reconstruct an event, while any sufficiently large subset of providers still allows recovery if one of them is unavailable or compromised.
These contributions will be materialised as a set of tools and components, in the form of plugins, that can be integrated into existing SIEM systems. For example, redundant diverse analyses and trends obtained from OSINT sources can be fed into the SIEM as events, while new visualisation and analysis tools can be integrated by fetching data from the SIEM event database. The envisioned architecture of a SIEM deployment enhanced with the DiSIEM contributions appears in the figure below.