In October this year we concluded the third round of a series of three one week long systems and dependency analysis workshops. A one week long workshop was held in Larissa and in Rome, with the purpose of identifying potentially malicious behaviour within the services we are monitoring within the CS-AWARE pilot, and how this behaviour may be reflected in the data sources we are collecting on the database, the service, the network and the security appliance level.

But before we go into more detail, a quick recap of the previous workshops: The first workshop focused on gaining a systems overview by identifying the critical assets/services within the LPA systems in order to identify the services CS-AWARE intends to monitor. This included an identification of potential information sources to monitor at key points in the systems, on the database, the service, the network and the security appliance level. The second round of workshops focused on the identification of the business processes that are run on the services monitored by CS-AWARE on a daily basis, as well as the information flows that those business processes cause through the previously identified systems, and how those information flows may be reflected in potential information sources on the database, service, network and security appliance level.

As you can already guess, the only remaining piece of the puzzle that enables the results of the analysis to interface with the CS-AWARE technology is to understand how malicious behaviour – which may be very specific to the individual monitored service – is reflected in log files that record data operations of services and business processes related to those services. This is what we achieved during this last round of workshops, in which we encouraged the users and administrators of the system to identify any abnormal behaviour in the context of their daily operations, and how such behaviour would be reflected in data. While there will be a separate blog post for describing the differences to expect when analyzing a mid-sized municipality like Larissa and a large metropolitan area like Rome, it can be said that the results that our soft systems based analysis approach produced, were equally satisfying in both in both piloting scenarios.

One of the main findings aside from the results of the analysis (that will allow us to provide appropriate monitoring and awareness was that in the context of CS-AWARE), was a core novel contribution that we can provide; that of the service-specific monitoring of data on the service and database level, that standard security systems do not provide to this level of customization. While on the network and security appliance level we expect to be able to provide additional contextual information to incidents that are detected by other systems, on the database and service level, as a result of  the comprehensive and individual analysis provided by CS-AWARE which enables  the provision a level of awareness that is not currently available to the municipalities.

Thomas Schaberreiter,
University of Vienna