Proposal of Security Information and Event Management System For University

This document proposes implementing a Security Information and Event Management (SIEM) system at a university to help manage security information and react quickly to security incidents. It describes the basic functions of a SIEM system, including collecting logs from various systems, analyzing the data to correlate and identify threats, and presenting security information and recommended actions to users. The document also discusses using the STIX protocol to enable sharing cyber threat information between organizations to improve situational awareness. Finally, it provides examples of how STIX can be used to summarize and exchange information about a security incident.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/332704667

PROPOSAL OF SECURITY INFORMATION AND EVENT MANAGEMENT SYSTEM FOR UNIVERSITY

Conference Paper · October 2014

CITATIONS: 0   READS: 1,530

1 author:

Július Baráth
General Milan Rastislav Štefánik Armed Forces Academy
15 PUBLICATIONS   12 CITATIONS   



All content following this page was uploaded by Július Baráth on 27 April 2019.



PROPOSAL OF SECURITY INFORMATION AND EVENT
MANAGEMENT SYSTEM FOR UNIVERSITY
Július BARÁTH 1

Abstract: The paper deals with the management of security information using SIEM in a university environment. We
start by explaining the role and structure of SIEM with reference to market leaders in the area.
The next part of the paper is dedicated to a communication protocol for the exchange of security-related
information, and then we propose a scenario for implementing SIEM at a university. The selection of the
system is described and the design of a human interface for data insertion is presented.

Keywords: SIEM, STIX, SPLUNK

1. INTRODUCTION
University information infrastructure is commonly described as a relatively open collection of
loosely coupled high-speed networks interconnecting student and research labs, administrative
computers, libraries and more, using wired and wireless connections with both authenticated and
anonymous users (free wifi zones). Such an environment, with a huge number of students, employees and
visitors, is open to internal and external attackers focusing on local and remote targets. Quick reaction
to security incidents requires the collection and automated processing of huge volumes of log data and taking
the relevant steps to mitigate security threats.

2. SIEM
Security Information and Event Management (SIEM) technology was introduced in the 1990s and
evolved into a usable approach for collecting, analyzing, prioritizing, grouping, visualizing and reporting
security-related data, used to find, understand and react to security threats. SIEM can be
realized as a software-only product, a hardware appliance, or a (cloud) service. Reference [1] provides a
comparison of SIEM vs. log management based on log collection, log retention, reporting, analysis,
alerting and notification, and other features.
[Figure 1 (diagram, not reproduced): three stages. Data collection (inputs: logs, external sources, identity and access management, vulnerability DB) feeds Data analysis (correlation, grouping, escalation), which feeds Presentation (alerts, list of actions, reporting, sharing, actions).]
Figure 1 Logical SIEM diagram

The functionality of SIEM can be explained using Figure 1. The data collection part is responsible for
receiving data logs from managed devices (computers, network devices, security devices, etc.) in
different formats and with different accuracy and trust levels. The logs include both security-related and
operational events generated automatically by devices, and external security notifications exchanged with trusted
organizations using standard formats for the exchange of security information. The data collection part
may also include a human (web-based) interface for reporting security incidents – observations detected by
users of the system.

1 Ing., PhD.; [email protected], Armed Forces Academy, Department of Informatics, Demänová 393, Liptovský Mikuláš 03106, +421 960 423145
The data analysis part of the system implements the mechanism for processing big data. The
main task of this part is to automatically correlate, identify and group events, reliably recognize known
threats and identify potentially malicious actions in the protected network. The most common analyses
used in SIEM are general, time-based, statistical, behavioural, and topX analyses.
The presentation part provides online information about active threats in prioritized order
associated with recommended courses of actions (with capability of automatic actions), overall
situation in the protected network, and tools for reporting and sharing of security related information
with trusted organizations.
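The data-analysis part of Figure 1 in miniature, as an added example that is not part of the paper: correlation groups constructed sshd log lines by source, a sliding time window finds bursts of failed logins, topX ranks sources, and each finding carries the priority and recommended course of action that the presentation part would show. The log lines, window, threshold and action texts are all constructed sample values.

```python
# Added example, not the paper's code: the data-analysis part of Figure 1 in miniature over
# constructed sshd lines: correlation groups events by source, a sliding window finds bursts,
# topX ranks sources, and each finding carries a priority and a recommended action.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG = """\
2014-10-02T09:15:01 lab-gw sshd: Failed password for root from 10.20.30.40
2014-10-02T09:15:03 lab-gw sshd: Failed password for admin from 10.20.30.40
2014-10-02T09:15:04 lab-gw sshd: Failed password for root from 10.20.30.40
2014-10-02T09:15:07 lab-gw sshd: Accepted password for student from 10.20.30.40
2014-10-02T09:20:00 wifi-ap sshd: Failed password for root from 192.0.2.9
2014-10-02T10:05:00 lab-gw sshd: Failed password for root from 10.20.30.40
"""
LINE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(text):
    """Collection: normalise raw lines into events; lines that do not fit are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "result": result, "user": user, "src": src})
    return events

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Flag >= threshold failures from one source inside a window; 'high' if a login then succeeds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i, t in enumerate(fails):
            burst = [f for f in fails[i:] if f - t <= window]
            if len(burst) >= threshold:
                hit = any(e["result"] == "Accepted" and e["ts"] >= burst[-1] for e in evs)
                findings[src] = {"failures": len(burst), "priority": "high" if hit else "medium",
                                 "action": "reset account, isolate host" if hit else "block source"}
                break
    return findings

def top_x(events, x=3):
    """topX analysis: sources with the most failed logins, most first."""
    return Counter(e["src"] for e in events if e["result"] == "Failed").most_common(x)
```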
According to [2] the majority of responding organizations are leveraging security logs and event
data for the following reasons:
• detecting and tracking suspicious behavior,
• supporting forensic analysis and correlation,
• preventing incidents,
• achieving/proving compliance with regulatory requirements.
The total SIEM market is expected to grow from $2.57 billion in 2014 to $4.54 billion in
2019, at a CAGR of 12.0% over the forecast period. The overall size of the Security Information and
Event Management (SIEM) market is the sum of the market sizes of SIEM solutions and services [3].
Based on the 2014 Gartner Magic Quadrant for Security Information and Event Management 2, the
leaders quadrant consists of IBM Security, HP, SPLUNK, McAfee and LogRhythm products; however,
open-source alternatives also exist [4].

3. PROTOCOLS FOR SECURITY INFORMATION EXCHANGE

Currently, automated management and exchange of cyber threat information is typically tied to
specific security product lines, service offerings, or community-specific solutions. STIX (currently in
draft version 1.1) will enable the sharing of comprehensive, rich, “high-fidelity” cyber threat
information across organizational, community, and product/service boundaries.
STIX, however, aims to extend indicator sharing to enable the management and exchange of
significantly more expressive sets of indicators, as well as the full spectrum of other cyber threat
information, for use in SIEM.
STIX is a language being developed in collaboration with any and all concerned parties for the
specification, capture, characterization, and communication of standardized cyber threat information.
It does so in a structured fashion to support more effective cyber threat management processes and
the application of automation [5].
STIX addresses structured cyber threat information across and among full range of use cases
improving consistency, efficiency, interoperability, and overall situational awareness. In addition,
STIX provides a unifying architecture tying together a diverse set of cyber threat information:
• Cyber Observables,
• Indicators,
• Incidents,
• Adversary Tactics, Techniques, and Procedures (including attack patterns, malware,
exploits, kill chains, tools, infrastructure, targeting, etc.),
• Exploit Targets (e.g., vulnerabilities and weaknesses),
• Courses of Action (e.g., incident response or vulnerability/weakness remedies),
• Cyber Attack Campaigns,
• Cyber Threat Actors [5].
To achieve efficiency of the proposed STIX structure, the language leverages XML definitions from
existing standardized languages and uses Common Weakness Enumeration (CWE), Cyber
Observations (CybOX), Attack Patterns (CAPEC), etc., together with Trusted Automated eXchange of Indicator
Information (TAXII) for sharing information. If we look at the proposed STIX schema, almost every
element is optional, which allows simple messages to be created using only the relevant portions of STIX.

2 www.gartner.com
To demonstrate some of the STIX capabilities, see Figure 2, where we summarize information
about a security incident.

Figure 2 Global view of incident

The example can be used as a form of report about a past security incident, where we can
see a group of observables seen during the incident, an expanded list of Indicators, a group of Tactics,
Techniques and Procedures (TTP), an expanded list of Actors, Courses of Action, and a group of
Campaigns. The detailed information included in each element gives a security expert the necessary information
about the sequence of steps taken during an attack (TTP), how the attack was identified (Observables and
Indicators), who the attackers are, how the attack was mitigated, and the relationship with other attacks
(Campaign).

Figure 3 Fragment of incident

Another example, Figure 3, shows the infiltration of Zeus malware, for documentation and
information exchange purposes. Because the source of the attack and the broader attack
scenario are unknown, the example does not provide a Threat Actor, Campaign or other optional
elements.
Using STIX can open rich and consistent information exchange between SIEM implementations
from different vendors in an automated way and reduce the reaction time to future cyber threats.

4. SIEM FOR A UNIVERSITY

A university network provides services for mission-critical research and educational applications
utilizing a variety of technologies. Such technologies need investment, which can be difficult in times of
recession, and professional supervision from the IT department. To process the huge amount of log data, a
technology providing timely and cost-effective insight into institutional data is needed.
The most common mistakes in managing the security of a university network are:
- not logging at all,
- collecting, but not reviewing, logs,
- storing logs only for a short time,
- inability to prioritize logs,
- ignoring the logs from applications by focusing only on the perimeter and internal network
devices [1].
To avoid these mistakes it is recommended to deploy some form of log management and SIEM
interconnected with other critical components such as the access control and rights management system, other
cooperating SIEMs, security databases, etc. One candidate for a university SIEM is the well-recognized
product SPLUNK, listed in the leaders quadrant of the 2014 Gartner Magic Quadrant for Security
Information and Event Management. Key SPLUNK features are: indexing data from any format or
source; conducting root cause analysis, monitoring or reporting across IT silos; creating highly flexible
dashboards for IT and administrative users alike; adapting to change with a schema-less approach that doesn’t
drop or ignore new or unexpected data; and scaling as needed, indexing terabytes of data per day [6].
4.1 Proposed solution
The solution for the university is based on SPLUNK with an open interface to other (trusted) SIEMs
using an open, community-driven standard for the exchange of security information – STIX. Currently
SPLUNK does not support STIX, so such an interface has to be created.
In addition to machine-generated logs, a human interface for inserting events is defined. The purpose
of the interface is to allow network users to report abuse of resources or to report unexpected or
unusual behavior in the system.

Figure 4 Web based entry form

Figure 5 Valid STIX XML format for observable


Figure 4 shows an example of the human interface: a form to report a security incident. The name of the
authenticated user (listed in the field Information source) is retrieved from Identity and access
management, and the Reference number is generated automatically. The user then provides input in the green
boxes defining what, where, and when it happened. After the information is submitted, a validation and
formatting process starts, and a valid STIX XML formatted message for the element observable (Figure 5)
is generated. Such information is then imported into the SIEM and processed, or can be exchanged with
other participating SIEMs supporting STIX.
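The validation and formatting step behind the entry form, as an added example that is not part of the paper and not SPLUNK's code: it takes the form fields (Information source, Reference number, what, where, when), validates them, and emits a STIX 1.1 package carrying a single CybOX Observable, using only the few elements needed, which is the point made in Section 3 that almost every STIX element is optional. The namespace URIs and element names are my reading of the STIX 1.1 / CybOX 2.1 schemas, the "univ" id prefix and the REPORT values are constructed, and the "where" field is assumed to hold an IP address.

```python
# Added example, not the paper's or SPLUNK's code: validation and formatting behind the
# web entry form, emitting a minimal STIX 1.1 package with one CybOX Observable. Namespace
# URIs follow the STIX 1.1 / CybOX 2.1 schemas (assumed); "univ" and REPORT are constructed.
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"stix": "http://stix.mitre.org/stix-1", "stixCommon": "http://stix.mitre.org/common-1",
      "cybox": "http://cybox.mitre.org/cybox-2", "cyboxCommon": "http://cybox.mitre.org/common-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for p, u in NS.items():
    ET.register_namespace(p, u)

def q(prefix, name):                         # Clark-notation tag: {uri}name
    return "{%s}%s" % (NS[prefix], name)

def validate(r):
    """Every green box filled, 'where' is an IP address, 'when' is ISO 8601."""
    for k in ("source", "ref", "what", "where", "when"):
        if not str(r.get(k, "")).strip():
            raise ValueError("missing field: " + k)
    ip = ipaddress.ip_address(r["where"])    # ValueError on anything but an address
    datetime.fromisoformat(r["when"])        # ValueError on a malformed timestamp
    return "ipv%d-addr" % ip.version         # CybOX address category

def build_observable_package(r):
    """Return the STIX XML bytes for one user-reported observable."""
    category = validate(r)
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": "univ:package-" + r["ref"], "version": "1.1"})
    hdr = ET.SubElement(pkg, q("stix", "STIX_Header"))
    ET.SubElement(hdr, q("stix", "Title")).text = r["what"]                   # what
    src = ET.SubElement(hdr, q("stix", "Information_Source"))
    ident = ET.SubElement(src, q("stixCommon", "Identity"))
    ET.SubElement(ident, q("stixCommon", "Name")).text = r["source"]          # authenticated user
    t = ET.SubElement(src, q("stixCommon", "Time"))
    ET.SubElement(t, q("cyboxCommon", "Produced_Time")).text = r["when"]      # when
    obs_list = ET.SubElement(pkg, q("stix", "Observables"),
                             {"cybox_major_version": "2", "cybox_minor_version": "1"})
    obs = ET.SubElement(obs_list, q("cybox", "Observable"), {"id": "univ:observable-" + r["ref"]})
    props = ET.SubElement(ET.SubElement(obs, q("cybox", "Object")), q("cybox", "Properties"),
                          {q("xsi", "type"): "AddressObj:AddressObjectType", "category": category})
    ET.SubElement(props, q("AddressObj", "Address_Value")).text = r["where"]  # where
    return ET.tostring(pkg, encoding="utf-8", xml_declaration=True)

def read_address(xml_bytes):                 # import side: the value a SIEM would index
    return ET.fromstring(xml_bytes).findtext(".//" + q("AddressObj", "Address_Value"))

REPORT = {"source": "jane.doe", "ref": "2014-0042", "what": "Port scan from lab host",
          "where": "10.20.30.40", "when": "2014-10-02T09:15:00"}  # constructed input
```

A production deployment would additionally validate the output against the STIX and CybOX XSD files before importing it or forwarding it to another SIEM.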

5. CONCLUSION
In the paper we described the capabilities of SIEM and languages for the exchange of security information.
After that we selected SPLUNK as a candidate for the university SIEM.
The paper concludes with the design and implementation of a human web interface for reporting security
incidents and its transformation into a valid STIX XML document suitable for storage, processing, and
exchange of information. Future work will focus on the implementation and production phase of the
solution to achieve the full power of SIEM in the university environment.
Acknowledgments: This work has been supported by the Ministry of Defence of the Slovak Republic
grant No. VV3-2011 "Kybernetické ohrozenia a obrana vojenských informačných systémov" (Cyber threats and defense of military information systems).

REFERENCES
1. Chuvakin, A. The Complete Guide to Log and Event Management. 2012, p. 19 [cited June 10, 2014]. Available from Internet: <https://www.netiq.com/>.
2. Shenk, J. SANS Eighth Annual 2012 Log and Event Management Survey Results: Sorting Through the Noise. 2012 [cited June 10, 2014]. Available from Internet: <www.sans.org/reading_room/analysts_program/SortingThruNoise.pdf>.
3. Research and Markets: Security Information and Event Management Market by Solutions (Log and Event Management, Firewall Security Management, Patch Management, Others) - Market Forecasts and Analysis (2014-2019). In Business Wire. New York, 2014.
4. Kerner, S. M. How AlienVault Is Building With Open-Source for Unified Security Management. eWeek, 2014, 3-3.
5. Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX) [online]. 2014 [cited June 10, 2014]. Available from: <http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf>.
6. Splunk for Higher Education and Universities [online]. [cited June 10, 2014]. Available from: <http://www.splunk.com/web_assets/pdfs/secure/Splunk_for_Higher_Education.pdf>.
