CoCoa: An Ontology for Cybersecurity Operations Centre Analysis Process

Onwubiko, Cyril

doi:10.1109/cybersa.2018.8551486

Cited by 23 publications

(20 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To a lesser extent, the use of languages such as SPARQL, SWRL, XML and OWL 2 is observed (Baesso Moreira et al, 2019;Onwubiko et al, 2018;Albalushi et al, 2018;Tseng et al, 2017;Bergner and Lechner, 2017;Fontenele and Sun, 2016;Maines et al, 2015;Geller et al, 2014).…”

Section: Table 5 Ontology Classification By Used Toolsmentioning

confidence: 99%

Cybersecurity Ontologies: A Systematic LiteratureReview

Rivadeneira¹,

Gómez

de³

2021

recibe

View full text Add to dashboard Cite

Cybersecurity is a young discipline that has gained relevance in our modern society.Thisresearchreportsthefindingsofasystematicreviewoftheliteratureonontologiesinthefieldofcybersecurity. From an initial set of 214 papers on the subject, 50 relevant papers were selected forthis SLR. With these documents we answered research questions related to the domains in whichontologies are reported, the methodologies, tools and languages used, and the verification andvalidation mechanisms reported. As results, we observed that the largest number of ontologies areclassified in the domains of infrastructure and networking, software and human factor. Regardingthe papers that report the use of a methodology for developing the ontologies (12%), Methontologyis the commonly used one. Protégé, in conjunction with the OWL language, are the preferred toolsfor ontology development. Regarding verification and validation (V&V) mechanisms, we observethat morethanhalf(62%) reporttheapplicationofV&Vmechanisms totheir ontologies.

show abstract

Section: Table 5 Ontology Classification By Used Toolsmentioning

confidence: 99%

Cybersecurity Ontologies: A Systematic LiteratureReview

Rivadeneira¹,

Gómez

de³

2021

recibe

View full text Add to dashboard Cite

show abstract

“…However, it is not designed to represents all possible network events but only those that are already identified as related to an attack. Note that Onwubiko proposed an ontology [22] for analysis in Security Operations Centre based on the same principles.…”

Section: Handling Security Related Informationmentioning

confidence: 99%

Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs

Leichtnam

Totel

Prigent

et al. 2020

2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

When analyzing the security of activities in a highly distributed system, an analyst faces a huge number of events, mainly coming from network supervision mechanisms. To analyze this huge amount of information, the analyst often starts from an indicator of compromise (IoC), an observable that suggests that a compromise may have occurred, and looks for the information related to this IoC as it could help to explain the related security incident. This approach is referred to as forensic analysis.In this paper, we propose an approach to treat automatically network events to provide the analyst with a new way to determine the subset of information related to a given IoC. This approach relies firstly on the generation of graphs between so-called "Security Objects" that are built from the logged network events, and secondly on the automatic processing of these graphs based on graphs communities analysis.

show abstract

“…firewall, routers, applications, intrusion detection systems (IDS) etc. and also, the ability to ingest network-wide information such as flow events and threat intelligence information to detect emerging and inflight incidents [3,4,5].…”

Section: C: Technologymentioning

confidence: 99%

“…a) The supplier organisation is tasked to do "the heavy lifting and shifting"a perception that the expertise to run a functional SOC is readily available in the supplier organisation, hence it is believed that the supplier organisation is by far better to run and maintain a SOC service, while the client organisation becomes responsible for security incident management, escalation and decision making as the overarching risk owner. b) Most client organisations work 9am to 5pm, therefore, client organisations prefer to leverage the 24x7 3 SOC service operated by the supplier organisations, a preference many client organisations believe to offer cost saving and value for money.…”

Section: C: Technologymentioning

confidence: 99%

Cyber Onboarding is ‘Broken’

Onwubiko

Ouazzane

2019

2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

Self Cite

View full text Add to dashboard Cite

Cyber security operations centre (CSOC) is a horizontal business function responsible primarily for managing cyber incidents, in addition to cyber-attack detection, security monitoring, security incident triage, analysis and coordination. To monitor systems, networks, applications and services the CSOC must first on-board the systems and services onto their security monitoring and incident management platforms. Cyber Onboarding (a.k.a. Onboarding) is a specialist technical process of setting up and configuring systems and services to produce appropriate events, logs and metrics which are monitored through the CSOC security monitoring and incident management platform. First, logging must be enabled on the systems and applications, second, they must produce the right set of computing and security logs, events, traps and messages which are analysed by the detection controls, security analytics systems and security event monitoring systems such as SIEM, and sensors etc.; and further, network-wide information e.g. flow data, heartbeats and network traffic information are collected and analysed, and finally, threat intelligence data are ingested in real-time to detect, or be informed of threats which are out in the wild. While setting up a CSOC could be straightforward, unfortunately, the 'people' and 'process' aspects that underpin the CSOC are often challenging, complicated and occasionally unworkable. In this paper, CSOC and Cyber Onboarding are thoroughly discussed, and the differences between SOC vs SIEM are explained. Key challenges to Cyber Onboarding are identified through the reframing matrix methodology, obtained from four notable perspectives -Cyber Onboarding Perspective, CSOC Perspective, Client Perspective and Senior Management Team Perspective. Each of the views and interests are discussed, and finally, recommendations are provided based on lessons learned implementing CSOCs for many organisationse.g. government departments, financial institutions and private sectors.

show abstract

CoCoa: An Ontology for Cybersecurity Operations Centre Analysis Process

Cited by 23 publications

References 4 publications

Cybersecurity Ontologies: A Systematic LiteratureReview

Cybersecurity Ontologies: A Systematic LiteratureReview

Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs

Cyber Onboarding is ‘Broken’

Contact Info

Product

Resources

About