Motivation

German companies are increasingly affected by cyber attacks. Currently, ransomware in particular targets companies, incapacitates their IT infrastructure and extorts the operators. The impact of such attacks can often be greatly reduced through early detection and a structured response. Detection of and response to IT security incidents can be implemented by a dedicated team, a so-called Security Operations Center (SOC), using tools that make system and network behavior visible. In the SOC, comprehensive log data from endpoints, servers and network devices, as well as from control units of industrial plants (Operational Technology, OT), are collected in Security Information and Event Management (SIEM) systems to detect and correlate security-relevant events. Concrete incident response measures are initiated and monitored centrally through Security Orchestration, Automation and Response (SOAR) systems. While large companies often implement this, many SMEs fail at this point, primarily because of the considerable resources in qualified personnel that a SOC in 24/7 operation, or with on-call duty, requires.

Goals and Approach

The project “Cyber Security Incident Response for SMEs (CySIRK)” addresses this issue and consists of two components: CySIRK Live and CySIRK Labs. CySIRK Live aims to offer intrusion detection and incident response for SMEs through a Managed SOC concept (MSOC), in which the industrial partner nicos AG acts as a Managed Security Service Provider (MSSP). SMEs integrate this MSOC platform into their IT infrastructure and connect endpoints, servers and network devices, even when these are at remote sites with limited bandwidth. The MSOC collects and aggregates events through an integrated SIEM system and forwards alerts to the central managing SOC of nicos AG. In the nicos SOC, alerts are reviewed 24/7 and, if necessary, initial incident response measures are initiated through the MSOC. CySIRK Labs is operated by the Institute for Society and Digital (GUD) at FH Münster and the Institute for Internet Security (if(is)) at Westphalian University of Applied Sciences, combining expertise in cybersecurity, intrusion detection and incident response with expertise in data science and machine learning. CySIRK Labs addresses research questions whose answers are necessary for the success of the services offered by CySIRK Live, or which improve those services significantly.

Innovations and Perspectives

Through CySIRK, SMEs can continue to focus on their core expertise and outsource the detection of cyber attacks to experts. The CySIRK approach with its hierarchical SOC architecture, in which data sovereignty remains with the SMEs and incident response policies, including those for OT, are tailored to each company, is novel in both academia and the market.

At the core of the project is, on the one hand, the primary technical goal and central innovation: building a multi-tenant SIEM and SOAR system that allows SMEs to aggregate events and alerts in an MSOC provided by an IT security provider. On the other hand, the following scientific objectives are pursued, which represent the second central CySIRK innovation. Using data science and machine learning techniques, malicious behavior is to be identified in SIEM mass data. Likewise, analysts are to be supported in intrusion detection and attacker tracking by automatically comparing indicators and Tactics, Techniques and Procedures (TTPs) against SIEM events. Finally, adaptive filtering and compression strategies are to be developed so that events from remote systems can be transmitted confidentially, in compliance with data protection law, completely and unaltered, while respecting bandwidth restrictions.
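The following is an added example, not code from the CySIRK project, of what "automatically comparing indicators and TTPs against SIEM events" looks like in a multi-tenant pipeline. The indicator set, the two TTP rules and the JSON events are constructed for illustration (the IP addresses come from documentation ranges); the only things carried over from the page are the ideas of tenant separation and of matching both atomic indicators and behavioral patterns against the same event stream.

```python
import json
from dataclasses import dataclass

# Constructed indicator set; not real threat intelligence. Values are normalized
# (lower-case hashes, lower-case domains without trailing dot) at load time.
INDICATORS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Process-based TTP rule material (hypothetical, minimal lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed SIEM events, one JSON object per line, from two tenants. The third
# line deliberately carries a mixed-case hash and the second a trailing-dot,
# mixed-case DNS name so that the normalization step is exercised.
SAMPLE_EVENTS = """\
{"tenant":"sme-a","host":"ws01","type":"netconn","dst_ip":"203.0.113.45","dst_port":443}
{"tenant":"sme-a","host":"ws01","type":"dns","query":"Update-Check.EXAMPLE.net."}
{"tenant":"sme-b","host":"srv02","type":"proc","parent":"WINWORD.EXE","image":"powershell.exe","cmdline":"powershell -enc SQBFAFgA"}
{"tenant":"sme-b","host":"srv02","type":"proc","parent":"explorer.exe","image":"notepad.exe","cmdline":"notepad.exe"}
{"tenant":"sme-b","host":"plc-gw","type":"file","sha256":"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}
not json at all
{"host":"orphan","type":"netconn","dst_ip":"198.51.100.7"}
"""


@dataclass
class Alert:
    tenant: str
    host: str
    kind: str        # "ioc" for indicator hits, "ttp" for behavioral rule hits
    detail: str
    ttp: str = ""    # ATT&CK technique id for TTP hits, empty for IOC hits


def normalize_domain(name: str) -> str:
    return name.rstrip(".").lower()


def match_indicators(ev: dict) -> list:
    """Atomic indicator matching: exact lookups after normalization."""
    alerts = []
    tenant, host = ev.get("tenant", "?"), ev.get("host", "?")
    ip = ev.get("dst_ip")
    if ip in INDICATORS["ipv4"]:
        alerts.append(Alert(tenant, host, "ioc", f"connection to listed IP {ip}"))
    query = ev.get("query")
    if query and normalize_domain(query) in INDICATORS["domain"]:
        alerts.append(Alert(tenant, host, "ioc", f"DNS query for listed domain {normalize_domain(query)}"))
    digest = ev.get("sha256")
    if digest and digest.lower() in INDICATORS["sha256"]:
        alerts.append(Alert(tenant, host, "ioc", f"file with listed SHA-256 {digest.lower()}"))
    return alerts


def match_ttps(ev: dict) -> list:
    """Behavioral matching on process-creation events (two hypothetical rules)."""
    alerts = []
    if ev.get("type") != "proc":
        return alerts
    tenant, host = ev.get("tenant", "?"), ev.get("host", "?")
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    tokens = ev.get("cmdline", "").lower().split()
    # Rule 1: an Office application spawning a script/command interpreter.
    if parent in OFFICE_PARENTS and image in SHELL_IMAGES:
        alerts.append(Alert(tenant, host, "ttp", f"{parent} spawned {image}", "T1204.002"))
    # Rule 2: encoded PowerShell command line. powershell.exe accepts any unambiguous
    # prefix of -EncodedCommand (-e, -ec, -enc, ...), so test the prefix, not one spelling.
    if image in {"powershell.exe", "pwsh.exe"} and any(
        t.startswith("-e") and "encodedcommand".startswith(t[1:]) for t in tokens
    ):
        alerts.append(Alert(tenant, host, "ttp", "encoded PowerShell command line", "T1059.001"))
    return alerts


def run_detection(lines: str) -> dict:
    """Return alerts keyed by tenant; events without a tenant are never attributed."""
    per_tenant: dict = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input is dropped here; a real pipeline should count it
        tenant = ev.get("tenant")
        if not tenant:
            continue  # an untagged event must not land in another customer's view
        for alert in match_indicators(ev) + match_ttps(ev):
            per_tenant.setdefault(tenant, []).append(alert)
    return per_tenant


if __name__ == "__main__":
    for tenant, alerts in run_detection(SAMPLE_EVENTS).items():
        for a in alerts:
            print(f"[{tenant}] {a.host}: {a.kind} {a.ttp} {a.detail}".rstrip())
```

Two details matter more than the rule logic itself: every lookup happens on normalized values (a trailing dot or mixed case must not defeat an exact-match indicator), and the tenant key is taken only from the event, so an alert can never be shown to the wrong SME. The last two sample lines show the failure modes the loop is written to survive: a malformed line and an event with no tenant, both of which are dropped rather than guessed.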

The 4-year collaborative project CySIRK is a partnership between the research group led by Prof. Dietrich at the Institute for Internet Security at Westphalian University of Applied Sciences, FH Münster, and nicos AG. The sub-project at Westphalian University of Applied Sciences is funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 13FH101KB1 with a total of approximately 330,000 EUR, and is supported by nicos AG with approximately 50,000 EUR.


Raphael Springer

Researcher

My research interests include cyber threat intelligence, machine learning in computer security, and reverse engineering.

Prof. Dr. Christian Dietrich

Professor of Computer Security

My research interests include machine learning, computer security and threat hunting. In particular, I use machine learning methods for detection systems based on virtual machine introspection.