
SDN Security: Developing an organic escalation framework for operational automation on security incidents

  • Special Issue on SDN
  • CSI Transactions on ICT

Abstract

The number of actions at a user's disposal in the digital arena is on the rise; the number of technologies available to track users' activities in an organisation is on the rise; and the volume of information logged by such technologies is on the increase. Yet the number of security incidents recorded per unit time is also on the rise. While there is greater awareness in the community and a plethora of passionate analysts to triage and analyse incidents, an ever-widening gap has developed between the number of such analysts and the growth in incident volumes, particularly in the last decade. In fact, operational response remains largely in the realm of manual remediation. Taking an objective view of the sequence of actions that transpire between the time a detection is observed and the time it is remediated, there is a broad spectrum from completely objective tasks (which can be automated) to purely subjective evaluation tasks (largely manual). This can be regarded as the automation scale. During a response scenario, it is conceivable that an analyst conducts a series of tasks, some of which are common across all incidents, some constrained to the technology pertaining to the alert that instigated the response, and the rest involving manual evaluation and context establishment. If one were to magnify that period of observation for a granular view of the tasks conducted over that time, we hypothesise that one can generate a calibration scale to uniquely identify the tasks that warrant automation. In this work, we develop a cognitive model called SAI, reinforced with a machine learning framework, to organically escalate tasks into operational automation. While the cognitive model discerns tasks from the sample space {objective, technology-dependent, subjective}, the organic escalation is achieved through a reward-penalty model over the possible response spectrum, evaluated in a finite n-tuple context.
Finding: In the absence of external business factors, if the number of parameters influencing an alert is bounded by C and the total number of alerts in a given period is bounded by K, then it is sufficient for any task involved in the remediation of that alert to receive at least 10·C·K endorsements during the same period in order to be escalated into automation. We demonstrate how the framework can seamlessly accommodate the false positives that arise in any operational environment, while providing savings in expenditure by serving as a measuring scale for alarms in an organisation.
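The following is an added illustration of the escalation rule stated in the finding above; it is not the paper's SAI model, its machine learning framework or its reward-penalty model, none of which are described on this page. Only the threshold of 10·C·K endorsements per period is taken from the abstract. Everything else is an assumption made for the example: C is taken as the largest parameter count seen on any alert in the period, K as the number of alerts registered, each analyst action on a task counts as one endorsement, a false positive retracts a fixed number of endorsements, and the task names, alert parameters and the sample period are constructed.

```python
"""Endorsement-gated escalation of remediation tasks into automation.

Added example, not the paper's code. Only the 10 * C * K threshold comes
from the abstract; task classes, the false-positive penalty weight, the
per-action endorsement counting and the sample period are assumptions.
"""
from collections import defaultdict
from enum import Enum

ESCALATION_FACTOR = 10        # the "10" in 10.C.K (from the abstract)
FALSE_POSITIVE_PENALTY = 4    # assumption: endorsements retracted per FP


class TaskClass(Enum):
    """The abstract's sample space {objective, technology-dependent, subjective}."""
    OBJECTIVE = "objective"
    TECH_DEPENDENT = "technology-dependent"
    SUBJECTIVE = "subjective"


class EscalationLedger:
    """Tracks one observation period: alerts (K), the parameter bound (C),
    endorsements per task, and which tasks are currently automated."""

    def __init__(self):
        self.alert_count = 0                 # K
        self.param_bound = 0                 # C: max parameters on any alert
        self.endorsements = defaultdict(int)
        self.task_class = {}
        self.automated = set()

    def threshold(self):
        """Endorsements a task needs this period: 10 * C * K."""
        return ESCALATION_FACTOR * self.param_bound * self.alert_count

    def register_alert(self, params):
        """Record an alert and the parameters that influence it."""
        self.alert_count += 1
        self.param_bound = max(self.param_bound, len(params))

    def endorse(self, task, task_class):
        """An analyst performed `task` by hand and endorsed it for automation.
        Returns whether the task is automated after this endorsement."""
        if task_class is TaskClass.SUBJECTIVE:
            return False  # subjective tasks stay manual whatever the count
        self.task_class[task] = task_class
        self.endorsements[task] += 1
        return self._refresh(task)

    def penalise(self, task):
        """Penalty step: the task ran on an alert later judged a false
        positive. The penalty weight is an assumption, not the paper's."""
        self.endorsements[task] = max(
            0, self.endorsements[task] - FALSE_POSITIVE_PENALTY)
        return self._refresh(task)

    def _refresh(self, task):
        """Escalate or de-escalate `task` against the current threshold.
        A zero threshold (no alerts yet) never escalates anything."""
        limit = self.threshold()
        if limit > 0 and self.endorsements[task] >= limit:
            self.automated.add(task)
        else:
            self.automated.discard(task)
        return task in self.automated


def simulate_period():
    """Constructed period: two alerts, each influenced by two parameters,
    so C = 2, K = 2 and the threshold is 10 * 2 * 2 = 40 endorsements."""
    ledger = EscalationLedger()
    ledger.register_alert({"src_ip": "10.0.0.5", "user": "alice"})
    ledger.register_alert({"src_ip": "10.0.0.9", "user": "bob"})
    # Objective task: enrich the source IP from the asset inventory.
    for _ in range(40):
        ledger.endorse("enrich_src_ip", TaskClass.OBJECTIVE)
    # Subjective task: decide whether the login was really the named user.
    for _ in range(40):
        ledger.endorse("judge_user_intent", TaskClass.SUBJECTIVE)
    # One false positive retracts endorsements and pulls the task back out.
    ledger.penalise("enrich_src_ip")
    automated_after_fp = sorted(ledger.automated)
    # Further endorsements restore it to the threshold.
    for _ in range(4):
        ledger.endorse("enrich_src_ip", TaskClass.OBJECTIVE)
    return ledger, automated_after_fp


if __name__ == "__main__":
    ledger, after_fp = simulate_period()
    print("threshold:", ledger.threshold())
    print("automated after false positive:", after_fp)
    print("automated at end of period:", sorted(ledger.automated))
```

The point of the penalty path is that automation is reversible: a task that crosses the threshold can fall back to manual handling when it misfires on a false positive, which is how a gate like this can absorb the false positives the abstract mentions without a human re-tuning it.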


Figures 1–3 (figure captions are not included on this page)

Notes

  1. Muscle memory is used synonymously with motor learning, which is a form of procedural memory that involves consolidating a specific motor task into memory through repetition. When a movement is repeated over time, a long-term muscle memory is created for that task, eventually allowing it to be performed without conscious effort. This process decreases the need for attention and creates maximum efficiency within the motor and memory systems.

  2. In probability theory, the multi-armed bandit problem (sometimes called the K- or N-armed bandit problem) is a problem in which a gambler at a row of slot machines (sometimes known as "one-armed bandits") has to decide which machines to play, how many times to play each machine and in which order to play them. When played, each machine provides a random reward from a probability distribution specific to that machine. The objective of the gambler is to maximize the sum of rewards earned through a sequence of lever pulls.

  3. In abstract algebra, a congruence relation is an equivalence relation on an algebraic structure (such as a group, ring, or vector space) that is compatible with the structure. Every congruence relation has a corresponding quotient structure, whose elements are the equivalence classes for the relation.


Author information

Corresponding author: S. V. Raghavan.


About this article


Cite this article

Raghavan, S., Raghavan, S.V. SDN Security: Developing an organic escalation framework for operational automation on security incidents. CSIT 8, 93–99 (2020). https://doi.org/10.1007/s40012-020-00266-8


  • DOI: https://doi.org/10.1007/s40012-020-00266-8
