Cyberattacks have attracted interest because of both the frequency with which successful attacks occur and the severe impact they can have on organisations. In response, the security industry has developed a variety of products and solutions for security event management and incident response. These products rely on gathering and analysing a broad variety of data, including logs and events from network security controls such as firewalls and intrusion detection and prevention systems, artefacts related to malware, e-mail headers and messages, and so on. However, organisations still struggle to analyse the explosion of security data, and the failure to collect appropriate operational and security-related data from which associations can be drawn remains one of the main impediments to threat detection and response. This barrier can be overcome by establishing a systematic and effective exchange of actionable security information between organisations, and especially between Computer Emergency Response Teams (CERTs). Although such information exchanges already exist, they have not yet reached the desired level of maturity.
Security vendors, Computer Security Incident Response Teams (CSIRTs) and other stakeholders, such as large organisations, SMEs and government agencies, can benefit from exchanging cybersecurity information among themselves: it spares them precious time when dealing with the same recurring threats and vulnerabilities, and therefore increases their effectiveness and efficiency in confronting or shielding against cyberthreats. Processing such data efficiently to identify vulnerabilities and threats requires robust analytics platforms capable of handling and correlating data of this volume and complexity. Big data analytics has been employed successfully to extract knowledge from large volumes of information-security-related data (e.g. log files, IP addresses) in order to identify attacks, either in near real time or off-line. Alternatively, such data can be converted into semantically enhanced information (by normalisation into a structured form) and attacks can then be identified more efficiently and more effectively by applying appropriate information retrieval techniques.
Stakeholders would benefit from an advanced early-warning system that provides timely notifications about current and emerging cyberthreats. Furthermore, a suitable communication system linking security vendors, CSIRTs, SMEs and public organisations would be very useful, especially where only limited resources can be allocated to cybersecurity-related tasks. However, appropriate measures have to be taken to ensure that any cybersecurity-related data is shared on a need-to-know basis and adequately protected, so as to prevent potential misuse of sensitive data and to safeguard the competitive advantage of the organisations whose information is being shared.
Alexandros Papanikolaou
InnoSec, Greece.