When aiming to monitor an organisation's security 24/7, IT security specialists are interested not only in the breaches and attacks that existing tools detect, but also in potential anomalies that appear transitory within IT systems. Sometimes such anomalies are just a random coincidence of several factors arising from the technical set-up; other times they have low significance, such as improper use of internal IT resources or lax observance of rules by employees. In other situations, however, they may represent a subtle breach or attack that has evaded the monitoring tools installed within the organisation.
In order to capture such anomalies, IT cybersecurity monitoring systems need to be designed to identify and monitor the elements that could form them, bearing in mind that the number of possible combinations is theoretically infinite. In practice, we need to tell a cybersecurity system what to look for and how to define 'anomalies' that are meaningful to humans in a given IT set-up, remembering that while many odd events may appear in logs, not all of them are significant from a cybersecurity perspective.
In this respect, there are two philosophies that can theoretically be applied: supervised and unsupervised anomaly definition. 'Supervised' anomaly definition requires input from human specialists, who oversee how such anomalies are defined and what they are made of. In the 'unsupervised' approach, automated, off-the-shelf tools look for them; however, these tools still require a very specialised design, and highly technical skills are then needed to interpret their output and use it within a meaningful set-up.
While both approaches are valid and, in some ways, complementary, in the CS-AWARE platform we have opted to start with 'supervised' anomaly definition, expressed through 'cybersecurity patterns' that we want to monitor. We chose this approach, firstly, because we want full transparency and auditability of what is 'targeted' by our tool; secondly, because we want such patterns to be easy to use, alter, design and create; and finally, because it is easier for on-site technicians to understand and does not require the advanced training or statistical knowledge that the other approach would demand.
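To make the idea of a 'supervised' cybersecurity pattern concrete, here is an added example (illustrative code written for this article, not code from the CS-AWARE platform). Each pattern is a small, human-authored record that carries a plain-language description and an author, so that what the detector 'targets' is transparent and auditable; the detector evaluates the patterns over log events and returns alerts that cite the pattern and the evidence. The log format, field names, account list, business hours and sample events are all constructed assumptions for the example.

```python
"""Added example: explicit, human-authored 'cybersecurity patterns' evaluated over
log events. Not CS-AWARE code; pattern format, field names and sample data are
constructed assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Callable

# Constructed sample log lines for this example (not real data).
SAMPLE_LOG = """\
2024-03-11T09:00:05 auth user=alice src=10.0.5.21 result=fail
2024-03-11T09:00:20 auth user=alice src=10.0.5.21 result=ok
2024-03-11T09:10:00 auth user=bob src=10.0.9.40 result=fail
2024-03-11T09:10:15 auth user=bob src=10.0.9.40 result=fail
2024-03-11T09:10:30 auth user=bob src=10.0.9.40 result=fail
2024-03-11T09:10:45 auth user=bob src=10.0.9.40 result=fail
2024-03-11T09:11:00 auth user=bob src=10.0.9.40 result=fail
2024-03-11T12:00:00 access user=carol resource=payroll-db
2024-03-11T23:15:00 access user=carol resource=payroll-db
2024-03-11T23:20:00 access user=dave resource=wiki
"""

ADMIN_ACCOUNTS = {"carol"}                    # assumed set of privileged accounts
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumed working hours


@dataclass(frozen=True)
class Pattern:
    name: str
    description: str                  # plain-language rationale for the on-site technician
    author: str                       # who defined the pattern (audit trail)
    matches: Callable[[dict], bool]   # which events the pattern is about
    group_by: str                     # event field whose repeated value is counted
    threshold: int                    # this many matching events ...
    window: timedelta                 # ... within this time span raise an alert


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


# The pattern catalogue: readable, versionable, and reviewable by non-statisticians.
PATTERNS = [
    Pattern(
        name="repeated_auth_failure",
        description="4 or more failed logins from one source within 2 minutes",
        author="soc-team",
        matches=lambda e: e["category"] == "auth" and e.get("result") == "fail",
        group_by="src", threshold=4, window=timedelta(minutes=2),
    ),
    Pattern(
        name="off_hours_admin_access",
        description="privileged account accessing a resource outside business hours",
        author="soc-team",
        matches=lambda e: (e["category"] == "access"
                           and e.get("user") in ADMIN_ACCOUNTS
                           and is_off_hours(e["ts"])),
        group_by="user", threshold=1, window=timedelta(minutes=1),
    ),
]


def parse_event(line):
    """Parse '<iso timestamp> <category> k=v k=v ...' into a dict."""
    ts_str, category, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts_str), "category": category}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines, patterns=PATTERNS):
    """Evaluate every pattern over the events. Each alert names the pattern, its
    author and the evidence, so a technician can see exactly why it fired."""
    recent = defaultdict(deque)   # (pattern name, grouped value) -> timestamps in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for p in patterns:
            if not p.matches(event):
                continue
            key = (p.name, event.get(p.group_by, "?"))
            seen = recent[key]
            seen.append(event["ts"])
            while seen and seen[0] < event["ts"] - p.window:   # drop events outside window
                seen.popleft()
            if len(seen) >= p.threshold:
                alerts.append({
                    "pattern": p.name,
                    "author": p.author,
                    "why": p.description,
                    p.group_by: key[1],
                    "first_seen": seen[0].isoformat(),
                    "last_seen": event["ts"].isoformat(),
                    "count": len(seen),
                })
                seen.clear()      # one alert per burst, not one per extra event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the detector raises two alerts: the burst of four failed logins from 10.0.9.40 (the fifth failure, arriving after the alert, starts a new count rather than repeating the alert) and carol's access to payroll-db at 23:15. Alice's single typo and dave's non-privileged off-hours access match no pattern, which is the point of the supervised approach: the tool only reports what a human has explicitly defined as worth reporting.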
So far, we have built a set of cybersecurity patterns to detect anomalies in the local public administrations where our project runs pilots; these patterns are now being consolidated and tested.