Basic terminology of security incident management

Security operations and incident management is a process that applies to cybersecurity, and automates, a more abstract feedback loop (MAPE-K) consisting of the phases monitor–analyse–plan–execute–share knowledge. The goal is to understand the effect of security incidents, to minimise their impact, to develop and implement a plan for remediation, and to use this understanding to improve defences against future attacks. The loop is closely related to risk management and its feedback loop.

In the context of security incident management, the loop aims to adapt ICT systems to changing operating conditions. The loop is driven by events that provide information about the current behaviour of the system. Successive phases of the loop analyse the event stream (trace) and provide feedback to the system, changing its behaviour according to observations and policies. This enables automatic adaptation and the provision of optimal service to users.

Workflow and terminology

This box collects abbreviations used later.

  • SOIM = security operations and incident management. Note. The abbreviation SOIM is used only in this module.
  • MAPE-K = monitor–analyze–plan–execute–knowledge, where the last term more precisely stands for a shared knowledge base. Unlike SOIM, this is an established model. It nevertheless appears only in this module.
  • SIEM = security information and event management. Note: SIEM = "M of SI + M of SE", whereas SOIM = "SO + IM".
  • SOC = security operations center
  • SOAR = security orchestration, analytics and reporting. (SOAR="SO+SA+SR")
  • IDS | IPS = intrusion detection | prevention system, combined as IDPS.

The figure below presents the MAPE-K loop as applied in the SOIM context. In addition to protecting and monitoring an ICT system in order to detect attacks, the loop is influenced by two significant actors: the Internet as a whole and the regulatory environment in which the ICT system provides services. The Internet is a source of both service requests and threats, but also a source of information about threats. Regulatory bodies, such as national authorities and industry organisations, provide additional information about threats and observations and request information sharing.

The MAPE-K loop in the context of security operations and incident management (SOIM)

The figure illustrates the locations of components performing SOIM workflows by using three partial loops. The innermost consists of IDS and IPS and thus covers monitoring and detection. The second, SIEM, extends detection and covers planning and execution of responses. IDS/IPS and SIEM platforms are nowadays integrated in security operations centers (SOC), which provide both technical and human resources. More recently, SOAR platforms (the third ring) have added analytics and enabled more advanced and more global responses to cyber threats. The knowledge base used in SOIM has gradually expanded over the years as a larger variety of data has become necessary for detecting and mitigating attacks. A key difference between knowledge and events is time: events are produced and consumed, whereas knowledge is more persistent.

The phases monitor, analyse, and plan are nowadays automated. This is necessary in order to handle the vast volumes of event data produced by modern ICT systems. Automation is also required to deal with the enormous amount of information related to cyber attacks. All three phases rely on knowledge that includes, for example, the configuration of the monitored system or signatures of many types and formats of attacks. The execute phase has largely been performed on SIEM platforms by manual processes. Security orchestration or dedicated components now enable partial automation of feedback into the ICT infrastructure, although this functionality is not yet as mature as the others.

Architectural principles

Cybersecurity does not operate in a vacuum. Deploying SOIM requires the protected system to satisfy certain general architectural principles that form the basis for the use of tools and processes. These are described below.

SOIM technologies in an ICT infrastructure

An information system that is (potentially) connected to the Internet is exposed to attacks. Not all attacks can be prevented by protection mechanisms such as firewalls. Best practices recommend defining different (network) zones in order to control the exchange of sensitive information. This is often implemented using a demilitarised zone (DMZ), which is located between the internal private network and the external Internet, acting as a communication endpoint, exchange point, and area of enhanced monitoring. To detect threats that may slip past other security mechanisms, system operators deploy IDS and IPS. An IDPS sensor is a device that observes system and network events. It may use data sources such as system or application log files (the "page" icons in the figure). Sensors can also be deployed at the network level (the two servers with magnifying glasses in the figure).

The SOIM infrastructure is shown in the lower part of the figure on a blue background. IDPS sensors often have at least two network interfaces: one hidden within the monitored information system’s network for data collection and analysis, and another standard interface connected to the protected SOIM network infrastructure, where the SIEM that receives alerts is also located. Analysts (people) receive alerts, assess their impact, and deploy appropriate mitigating measures. Management of IDPS sensors may use this secondary interface as a maintenance channel for software and signature updates, or employ another mechanism, such as a virtual private network (VPN), for sensor maintenance and upkeep.

The SOIM domain also includes processes defined by the Chief Information Security Officer and followed by analysts. The first process concerns alert handling, in which the operator decides—using decision-support techniques provided by the SIEM—whether to 1) ignore the alert, 2) respond with some measures, or 3) forward the alert to analysts for further analysis, diagnosis, and decisions. The second process is the deployment and maintenance of IDPS sensors, in which decisions are made about sensor placement, what they record, and how continuity of monitoring is maintained. The third process is reporting, which is particularly important for management services, where the operation of the SIEM and SOC is analysed in order to improve them.
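As an added illustration (not part of the original module, and not code from any SIEM or SOAR product), the following Python script runs the automated monitor, analyse and plan phases described earlier, together with the three-way alert-handling decision (ignore, respond, forward) from the first process above, over a handful of constructed log lines. The knowledge base holds the monitored system's configuration, attack signatures and a CTI indicator list, and the execute phase writes back into it, which is the share-knowledge feedback. The hosts, IP addresses (taken from documentation ranges), log format, signatures, indicator list, scoring weights and thresholds are all constructed assumptions for the example.

```python
"""Toy MAPE-K loop for SOIM (added example). Events are produced by monitor()
and consumed once; the knowledge base (K) persists across runs, is read by
analyse() and updated by execute(). All data below is constructed."""
import re
from dataclasses import dataclass, field


def fresh_knowledge():
    """Constructed knowledge base: configuration, signatures, CTI, state."""
    return {
        # hypothetical monitored hosts and their criticality (configuration)
        "assets": {"10.0.1.5": "low", "10.0.1.20": "high"},
        # attack signatures as regexes over the event message
        "signatures": {
            "ssh_bruteforce": re.compile(r"Failed password for \S+ from (\S+)"),
            "web_scan": re.compile(r'"GET /(?:\.env|wp-login\.php)'),
        },
        # constructed CTI feed: sources already reported as hostile
        "cti_indicators": {"203.0.113.7"},
        # state written by the execute phase
        "blocked": set(),
    }


@dataclass
class Event:
    host: str      # monitored host that emitted the record
    src: str       # remote source address
    message: str   # raw message text


@dataclass
class Alert:
    event: Event
    signature: str
    score: int
    reasons: list = field(default_factory=list)


# Constructed log format: "<timestamp> <host> src=<ip> <message>"
LOG_RE = re.compile(r"^(\S+) (\S+) src=(\S+) (.*)$")

LOG_LINES = [  # constructed sample input
    "2024-05-01T10:00:01Z 10.0.1.5 src=198.51.100.4 Failed password for root from 198.51.100.4 port 50222 ssh2",
    '2024-05-01T10:00:02Z 10.0.1.20 src=198.51.100.9 "GET /.env HTTP/1.1" 404 162',
    "2024-05-01T10:00:03Z 10.0.1.20 src=203.0.113.7 Failed password for admin from 203.0.113.7 port 4422 ssh2",
    "2024-05-01T10:00:04Z 10.0.1.20 src=10.0.1.3 cron: nightly backup finished",
]


def monitor(lines):
    """Monitor: parse raw log lines into events; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            _ts, host, src, msg = m.groups()
            events.append(Event(host, src, msg))
    return events


def analyse(events, kb):
    """Analyse: match signatures, then enrich with CTI and asset knowledge."""
    alerts = []
    for ev in events:
        for name, pattern in kb["signatures"].items():
            if not pattern.search(ev.message):
                continue
            score, reasons = 1, [f"signature:{name}"]
            if ev.src in kb["cti_indicators"]:       # assumed weight: +2
                score += 2
                reasons.append("cti:known-hostile-source")
            if kb["assets"].get(ev.host) == "high":  # assumed weight: +1
                score += 1
                reasons.append("asset:high-criticality")
            alerts.append(Alert(ev, name, score, reasons))
    return alerts


def plan(alerts):
    """Plan: the operator's three-way decision (thresholds are assumptions)."""
    decisions = []
    for a in alerts:
        if a.score <= 1:
            decisions.append(("ignore", a))     # signature match only
        elif a.score <= 3:
            decisions.append(("respond", a))    # automated measure
        else:
            decisions.append(("forward", a))    # analyst diagnosis
    return decisions


def execute(decisions, kb):
    """Execute: apply the decision and feed what was learned back into K."""
    actions = []
    for decision, a in decisions:
        if decision == "respond":
            kb["blocked"].add(a.event.src)       # simulated firewall block
            actions.append(f"block {a.event.src}")
        elif decision == "forward":
            actions.append(f"escalate {a.signature} on {a.event.host} to analyst")
        if decision != "ignore":
            kb["cti_indicators"].add(a.event.src)  # share knowledge
    return actions


def run_loop(lines, kb):
    """One pass of the loop over a batch of log lines; returns actions taken."""
    return execute(plan(analyse(monitor(lines), kb)), kb)


if __name__ == "__main__":
    kb = fresh_knowledge()
    for action in run_loop(LOG_LINES, kb):
        print(action)
```

Running the loop a second time on a later batch from a source that was blocked in the first pass scores that source higher, because execute() has added it to the CTI set: that difference is the persistent knowledge the text contrasts with transient events.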

SOAR components come into play through Cyber-Threat Intelligence (CTI, red in the figure) and Information Sharing and Analysis Centers (ISAC, green). These benefit the SOIM infrastructure by acquiring information from external, trusted sources and using it to enhance threat detection efficiency and impact assessment. The two interfaces provide different kinds of information to the SOC. CERTs and ISACs are trusted organisations that enable sector-specific information sharing and are often regulated. CTI is a much fuzzier area, which also includes open-source sources and specialised feeds offered by commercial companies.

Bank account

The MAPE-K loop can also be applied to an everyday situation, such as unusual activity on a bank account. This ensures rapid reaction and continuous improvement of the security level.

You receive an email notification or a text message from your bank informing you of unusual activity on your account, such as large withdrawals or payments. This corresponds to the monitoring (Monitor) phase of the MAPE-K loop, in which your system (the bank) actively monitors transactions on your account.

You log in to your online banking service and review your account transactions. You notice that several withdrawals have been made in different locations that you do not recognise, possibly even in currencies you do not normally use. This corresponds to the analysis (Analyze) phase of the MAPE-K loop, in which you investigate the causes of unusual events.

You immediately decide to block your bank card and contact the bank’s customer service to report the suspicious activity. The bank may also perform additional checks and possibly block further actions on your account. This corresponds to the planning and execution (Plan and Execute) phases of the MAPE-K loop, in which a plan is developed and actions are carried out to remediate the damage.

Once the bank has handled the situation and strengthened the protection mechanisms, you receive confirmation of your account’s security. In addition, the bank may give recommendations on how to improve your account security in the future, such as enabling two-factor authentication or performing regular account reviews. This corresponds to the feedback loop phase of the MAPE-K loop, in which you learn from past events and improve your system’s security in the future.

Answer the questions.

Security incident management refers to
In the context of security incident management, the monitor–analyse–plan–execute loop is influenced by
The purpose of IDPS sensors is to
In security incident management, cyber-threat intelligence is used in particular for