Why Is Cyber Ontology? Deliver Context For Orchestration

The modern Security Operations Center (SOC) is a highly complex system of point tools, all designed to keep sensitive corporate data secure. Each of these tools creates disparate data points and incidents. Security analysts investigate the barrage of incidents and alerts, looking for clues while asking themselves: is this alert stemming from an actual event? What is the source of this alert? Has this been through our system before?
Out of context, these cyber security events are all just data points living in their own silos. The signs are easily misinterpreted, potentially leading to security disasters. But when viewed in context, these individual clues can tell a lot about the organization’s security. With context, analysts can understand relationships, see the entire story, and keep their organizations secure.
How can organizations create that context?
Legacy Approach
Each cyber security event involves several entities, such as IPs, hosts, users, processes, etc. When creating Siemplify, we asked ourselves, how should analysts see cyber security events? Legacy methods are failing them.
Traditional security solutions are built atop a tabular data structure, which creates an inherently flawed approach to cyber investigation and response. The challenges with this approach are well documented: analysts must rely on slow and cumbersome queries; they cannot see all relevant relationships; and difficulty adding data sources and manipulating relationships greatly reduces efficiency. Most importantly, as the data sources feeding the security environment continue to expand, these constraints become more pronounced and detrimental. In between the layers and silos of traditional approaches, events fall through the gaping cracks.

Creating Context with Siemplify Cyber Ontology

Cyber security ontology defines a common vocabulary for security analysts who need to analyze and share information. It includes human-interpretable definitions of basic concepts in the cyber security domain and relationships among them.
Siemplify Cybersecurity Ontology (SCO) is intended to support information integration and cyber situational awareness across the security ecosystem. This ontology helps to incorporate, integrate and fuse large amounts of heterogeneous security data from disparate cybersecurity systems and organizational data silos into a unified language.
Cyber ontology is used to map cyber security data (events, incidents/cases, STIX, correlations, etc.) into a representation of entities (IP, user, removable device, etc.) and their relationships (event names, properties of events, internal relations, etc.).
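As an added illustration (not Siemplify's code or schema), the sketch below maps constructed events from three hypothetical tools into entities and relationships, then follows shared entities to pull related events together. The field names, entity type names and sample events are all assumptions.

```python
from collections import defaultdict

# Constructed sample events from hypothetical tools; field names are assumptions.
EVENTS = [
    {"id": "fw-1", "source": "firewall", "name": "Outbound connection blocked",
     "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    {"id": "edr-1", "source": "edr", "name": "Suspicious process started",
     "host": "WS-042", "user": "jdoe", "process": "powershell.exe", "ip": "10.0.0.5"},
    {"id": "usb-1", "source": "dlp", "name": "Removable device mounted",
     "host": "WS-042", "user": "jdoe", "device": "USB-1234"},
    {"id": "fw-2", "source": "firewall", "name": "Outbound connection allowed",
     "src_ip": "10.0.0.9", "dst_ip": "198.51.100.20"},
]

# Hypothetical mapping from each tool's raw field names to shared entity types.
FIELD_TO_ENTITY = {"src_ip": "IP", "dst_ip": "IP", "ip": "IP", "host": "Host",
                   "user": "User", "process": "Process", "device": "RemovableDevice"}

def extract_entities(event):
    """Return the set of (entity_type, value) pairs mentioned by one event."""
    return {(FIELD_TO_ENTITY[k], v) for k, v in event.items() if k in FIELD_TO_ENTITY}

def build_graph(events):
    """Index events by entity and link entities that co-occur in an event."""
    by_entity = defaultdict(set)   # entity -> ids of events that mention it
    edges = defaultdict(set)       # entity -> {(other entity, event name)}
    for ev in events:
        ents = extract_entities(ev)
        for e in ents:
            by_entity[e].add(ev["id"])
            edges[e].update((o, ev["name"]) for o in ents if o != e)
    return by_entity, edges

def related_events(events, start_id):
    """Events reachable from start_id by repeatedly following shared entities."""
    by_entity, _ = build_graph(events)
    ents_of = {ev["id"]: extract_entities(ev) for ev in events}
    seen, queue = {start_id}, [start_id]
    while queue:
        for ent in ents_of[queue.pop()]:
            for other in by_entity[ent] - seen:
                seen.add(other)
                queue.append(other)
    return seen

if __name__ == "__main__":
    # The firewall alert pulls in the EDR and removable-device events via shared IP and host.
    print(sorted(related_events(EVENTS, "fw-1")))
```

In a flat table these three events share no single join key; the link from the firewall alert to the removable device only appears by traversing IP to host to user.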
Different entities and relationships are shown as different icons, creating an easier and more meaningful understanding of these entities and relationships. The following 2 examples show how we present events, using Siemplify Cyber Ontology, in our system:
