Risk Management Enabled Security Incident and Event Management Solution
Risk management is the ability to identify, analyze, assess and then mitigate possible risks to an organization’s data. Risks or threats refer to an event or incident that could potentially harm a system/network or possibly the entire organization. To simplify the above statement, risk management simply tells us about the potential risks in the system and how we could potentially deal with them. It is made up of four main components: risk identification, risk analysis, risk assessment and risk mitigation. Our project aims to integrate a SIEM system with a risk manager to ensure an effective solution to cyber threats.
SIEM, or Security Information and Event Management, is a set of tools that combines SEM (security event management) and SIM (security information management). Both of these systems are essential components and are very closely related to each other.
SIM refers to the way that a company collects data. In most cases, data is combined into a specific format, such as the log file. That format is then placed in a centralized location. Once you have a format and location for your data, it can be analyzed quickly.
SIM does not refer to a complete enterprise security solution, though it is often mistaken for one. SIM relates only to the data collection techniques used to discover problems within a system. SEM provides real-time system monitoring and notifies network administrators about potential issues. It can also establish correlations between security events.
The management of any organization, whether in the public or the private sector, aims to monitor and reduce risks in order to achieve its objectives. Risk control is achieved by managing risks effectively, namely by implementing an adequate risk management system.
The main principle behind a SIEM system is to provide a log management entity that monitors relevant data throughout the system and gathers logs so that any abnormalities (threats) can be detected and an appropriate response can be generated. Risk assessment is the process of identifying possible threats (risks) to an information system, determining the probability of the threat actually occurring and identifying any vulnerabilities in the system that could potentially be exploited by the aforementioned threat. There are multiple SIEM systems deployed across the globe; however, most of them are extremely costly and are also entirely third-party owned systems. Our project aims to provide a cheaper and locally assembled alternative, which would be answerable to local laws and regulations, something that the former are not.
SIEM helps organizations with the following functions:

For all IT professionals, SIEM makes your work easier by collecting log data and security incidents from various parts of the system. A log is a record left behind by each activity performed by the application or the operating system. For instance, open the browser—log 1; create a folder—log 2; create a new file—log 3, and so on.
With various security devices and technologies (such as firewalls, intrusion detection systems (IDS)/intrusion prevention systems (IPS), antivirus, and many others) working simultaneously and producing thousands of logs per second, stored in different locations, it is practically impossible to monitor and analyze these logs manually. So, the solution is to have a centrally organized system that can collect logs from several different security systems, perform real-time monitoring and analyze them. Its ability to correlate security events from various defense systems is what makes it different from a mere log aggregation system. After connecting events, it looks for abnormal changes in the system that can give a clear picture of potential cybersecurity issues across the entire network.
Why is Risk Analysis needed?

In today’s digital world, security is a very important aspect for any organization, as there are numerous exploits that can be used against an organization if it is not careful. It is almost a must-have for an organization to deploy some sort of security measures to ensure the sanctity of its data and its network. SIEM offers multiple features and capabilities to ensure that an organization can handle any possible threats that it might witness.

In the figure, we can see the list of key features offered by a renowned SIEM system as compared to what our project aims to offer. We hope to be able to compete with renowned systems so that our deployment can be utilized as a cheaper alternative to what is available in the market, and to provide risk analysis along with the solution, something these vendors do not provide.
Our project's aim is to detect and recognize unusual activities in the environment. Our project comprises the following features:
a) User and Entity Behavior Analysis
b) Automatic lateral movement tracking
Lateral movement is when cyber attackers progressively move through a network following the initial breach by changing some combination of credentials, IP addresses, or machines. Sometimes this is called east-west movement. The goal of lateral movement is to find the high-value data or assets that motivated the attack. Lateral movement is identified by a modern SIEM that includes the capability to automatically catalog and analyze changes in credential, IP address or device type and follow an attack no matter where it spreads in an environment.
Clearly, it’s important for a SIEM to have this capability. Reliance on legacy SIEM technology elevates the risk of completely missing lateral attacks.
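To make the lateral movement tracking described above concrete, here is an added example (not code from the project) that correlates normalised logon events per account and links each logon whose source IP is a host that account reached earlier, so that a multi-hop path stands out where a plain log aggregator would see only separate successful logons. All event fields, host names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised logon events (not real data). Each record is
# what a SIEM collector would hold after parsing an authentication log: time,
# account, source IP of the logon, destination host and that host's own IP.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "user": "alice", "src_ip": "10.0.5.20",
     "dst_host": "ws-01", "dst_ip": "10.0.1.10"},
    {"ts": "2024-03-01T09:04:30", "user": "alice", "src_ip": "10.0.1.10",
     "dst_host": "file-srv", "dst_ip": "10.0.2.15"},
    {"ts": "2024-03-01T09:07:12", "user": "alice", "src_ip": "10.0.2.15",
     "dst_host": "db-01", "dst_ip": "10.0.3.40"},
    {"ts": "2024-03-01T09:10:00", "user": "bob", "src_ip": "10.0.5.21",
     "dst_host": "ws-02", "dst_ip": "10.0.1.11"},
    # bob's second logon also comes from a host he used, but 2.5 h later,
    # outside the correlation window, so it is treated as a fresh session.
    {"ts": "2024-03-01T11:40:00", "user": "bob", "src_ip": "10.0.1.11",
     "dst_host": "file-srv", "dst_ip": "10.0.2.15"},
]


def find_lateral_chains(events, window_minutes=30, min_hops=2):
    """Correlate logons per account. A logon whose source IP is the IP of a
    host the same account logged on to earlier (within the window) extends
    that account's chain by one hop. Returns {user: longest host chain} for
    every account whose chain reached at least `min_hops` hops."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort
    # per user: dst_ip -> (host chain ending on that host, time of last hop)
    open_chains = defaultdict(dict)
    alerts = {}
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        chains = open_chains[e["user"]]
        prev = chains.get(e["src_ip"])
        if prev is not None and t - prev[1] <= window:
            hosts = prev[0] + [e["dst_host"]]   # hop from a host already seen
        else:
            hosts = [e["dst_host"]]             # start of a new chain
        chains[e["dst_ip"]] = (hosts, t)
        hops = len(hosts) - 1
        if hops >= min_hops and len(hosts) > len(alerts.get(e["user"], [])):
            alerts[e["user"]] = hosts
    return alerts


if __name__ == "__main__":
    for user, chain in find_lateral_chains(SAMPLE_EVENTS).items():
        print(f"{user}: {' -> '.join(chain)}")
```

In a real deployment the same linking would also key on credential and device-type changes, as the text above describes, rather than on source IP alone.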
Risk Management
Risk management is an important concept related to the safety and financial integrity of an organization, and risk assessment is an important part of its strategic development. The strategy of an organization on risk management should be that all the risks it faces are identified, assessed, monitored and managed so that they are kept within a certain limit accepted by the entity’s management.
a) Firewall Security and Configuration Management (Firewall Analyzer)
| Item Name | Type | No. of Units | Per Unit Cost (in Rs) | Total (in Rs) |
|---|---|---|---|---|
| Xenon Server Machine | Equipment | 1 | 40000 | 40000 |
| Source intelligence and forensic analysis tool | Equipment | 1 | 30000 | 30000 |
| Documentation and Logistics | Miscellaneous | 0 | 10000 | 0 |
| Total (in Rs) | | | | 70000 |