Data Fusion of Security Logs to Measure Critical Security Controls to Increase Situation Awareness
Open Access
- Author:
- Kennedy, Matthew
- Graduate Program:
- Information Sciences and Technology
- Degree:
- Master of Science
- Document Type:
- Master Thesis
- Date of Defense:
- April 02, 2018
- Committee Members:
- Nicklaus A Giacobe, Thesis Advisor/Co-Advisor
- Peter Kent Forster, Committee Member
- Donald Richard Shemanski, Committee Member
- Keywords:
- metrics, security metrics, data fusion, situation awareness, jdl, security logs, cybersecurity
- Abstract:
- In January 2018, a NIST draft of the Cybersecurity Framework called for the development of cybersecurity metrics, saying such work would be a “major advancement and contribution to the cybersecurity community” (National Institute of Standards and Technology, 2017b). Unfortunately, organizations and researchers continue to make little progress in measuring security, and research on measuring security rarely presents detailed guidance on how to implement security-metrics collection and reporting in an organization. This research explores how measuring the CIS (formerly SANS) Critical Security Controls through data fusion of security logs has the potential to increase the situation awareness of strategic decision makers and systems administrators. Metrics are built for each of the sub-controls of Critical Security Control 8: Malware Defenses. Alongside these metrics, a proof of concept is implemented in a computer network designed to mimic a small business that uses Symantec Endpoint Protection and Splunk. A Splunk dashboard is created to monitor, in real time, the status of Critical Security Controls 8.1 and 8.2, and the actionable information and value these dashboards provide are discussed. This work contributes to the industry’s need for cybersecurity metrics through the development of six metrics, and it provides a detailed implementation guide for security practitioners looking to implement metrics for Critical Security Controls 8.1 and 8.2 in an organization.