
Next Generation SOC: Automations and Machine Learning in Cybersecurity

Riccardo Gracis

Next Generation SOC: Automations and Machine Learning in Cybersecurity.

Supervisor: Antonio Lioy. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

License: Creative Commons Attribution Non-commercial No Derivatives.


SOCs are becoming an important reality, able to support organizations whose operational core is not ICT in dealing with cybersecurity operations. This thesis presents a detailed overview of how automated solutions and design aspects can enhance the security posture of an organization according to specific risk policies and impact tolerance. The entire solution is designed according to the principles set out in important standards such as the ISO 27001 Annex and the PDCA model, which are regarded as fundamental requirements for a compliant and resilient ISMS. Starting from those assumptions, the operative approaches are based on those proposed by the NIST Cybersecurity Framework, which frequently references the ISO Annex, and then focus on the NIST Incident Response Framework. Machine learning model principles are also considered in order to implement a detection system for malware detection, UEBA and email security, as required by the frameworks reported above. After this basic introduction, the thesis focuses on Response operations, describing their operative modules as Playbooks. These semi-formal models can be involved in different scenarios, such as Incident Response and Recovery operations within the Blue Teaming scope, as well as proven mitigations for classical VAPT. To reduce the effort required to respond to those security events, the mitigation process is supported by leading technological solutions and by automations provided through APIs. All the operative processes followed in NAIS' SOC are discussed, starting from playbook drafting through Incident Response management and recovery automations; playbooks are then also involved in designing automated mitigation operations that address VAPT risk evidence in order to achieve compliance. The system designed operates following a Purple Team oriented approach: starting from an assessment, the system automates mitigations, boosting cooperation among all parties.
Red teaming also extends its scope to testing the modelled playbooks, as well as testing the regular IR team against new threats. All the processes also take Threat Intelligence providers such as CERTs and CSIRTs into consideration when planning their internal procedures for assessment and the definition of new IoCs. All evidence gathered is compared with the classical human approach to discuss response time, false positives and playbook operational support in that context. Starting from the playbook, the solution is then integrated by means of Python snippets to cover basic aspects of both Machine Learning models and basic API interaction. The results collected thanks to my experience in the NAIS' Security Operation Centre show that models like the one exposed can be involved to improve the security posture of an organization, thanks to automations and cooperation among the SOC's managed services, in terms of the frequency and the duration between a risk identification and its complete mitigation; in addition, many controls provided in major standards are covered. Customers will be able to acquire those models to satisfy their security requirements even if they are not operating in the cybersecurity field. Furthermore, from the SOC's point of view, a process like the one explained can significantly reduce the effort required from a human operator after a tuning period, which can be considered a huge step for productivity and, more importantly, earnings. In conclusion, these types of considerations consolidate the reasons why a system like this should be adopted to satisfy today's security requirements.

Supervisor: Antonio Lioy
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 129
Degree course: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master of Science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Partner companies: Nais ICT Services & Consulting
URI: http://webthesis.biblio.polito.it/id/eprint/25397