Alarm Rationalization for Cybersecurity Monitoring
Tue 14 Nov, 17:00
Presenter:
One of the most important aspects of managing cybersecurity risk is threat monitoring. Unfortunately, threat monitoring is often undermined by alarm flooding, a frequent problem in Security Information and Event Management (SIEM) solutions, where large volumes of logs and event data from many sources (applications, network devices, firewall logs, and others) are raised to operators as alarms without being needed. For security operators to monitor threats effectively and consistently, alarm management and rationalization are essential.
This study proposes prioritizing cybersecurity alerts based on penetration testing findings, reducing the number of less critical alerts presented to security operators, and benchmarking the result against well-established industrial alarm management standards. First, a novel and efficient technique that uses Natural Language Processing (NLP) models to automatically map penetration testing findings to MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) relationships will be developed, so that the findings can be linked to the monitoring system. Second, the performance improvement will be verified using alarm management industrial standards.
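The prioritization step described above, as an added illustration that is not the study's own code: penetration-test findings are mapped to ATT&CK technique IDs, and SIEM alerts whose technique was confirmed exploitable in the test are ranked ahead of the rest, while low-severity alerts for unvalidated techniques are deferred from the operator queue. The keyword table stands in for the NLP mapping model the study proposes, and the findings, alerts, severities and technique IDs are constructed sample data, not results from the study.

```python
"""Added example (not from the study): rank SIEM alerts using ATT&CK techniques
confirmed by penetration-test findings, and measure the reduction in the
operator queue. All data below is constructed for illustration."""
from dataclasses import dataclass

# Stand-in for the NLP mapping step (assumption): keyword -> ATT&CK technique ID.
KEYWORD_TO_TECHNIQUE = {
    "phishing": "T1566",
    "password spray": "T1110",
    "brute force": "T1110",
    "powershell": "T1059",
    "kerberoast": "T1558",
    "scheduled task": "T1053",
}


def map_finding_to_techniques(finding_text):
    """Return the set of ATT&CK technique IDs a finding's text refers to."""
    text = finding_text.lower()
    return {tid for kw, tid in KEYWORD_TO_TECHNIQUE.items() if kw in text}


@dataclass
class Alert:
    alert_id: str
    technique: str      # ATT&CK technique ID attached to the SIEM rule
    base_severity: int  # 1 (low) .. 4 (critical), as assigned by the rule


def prioritize(alerts, validated_techniques, floor=3):
    """Split alerts into (queue, deferred).

    Alerts whose technique was validated by the pentest always enter the
    queue and are ranked first; other alerts enter only if their severity
    reaches `floor`, and are ranked by severity below the validated ones.
    Deferred alerts are retained (e.g. for daily review), not discarded."""
    queue, deferred = [], []
    for alert in alerts:
        if alert.technique in validated_techniques or alert.base_severity >= floor:
            queue.append(alert)
        else:
            deferred.append(alert)
    # False sorts before True, so validated techniques come first.
    queue.sort(key=lambda a: (a.technique not in validated_techniques, -a.base_severity))
    return queue, deferred


def run_demo():
    """Run the pipeline on constructed data; returns (queue_ids, deferred_ids, reduction)."""
    findings = [  # constructed pentest findings
        "Phishing email with a macro document led to initial access (confirmed).",
        "Kerberoasting of service accounts returned crackable TGS tickets.",
    ]
    validated = set()
    for finding in findings:
        validated |= map_finding_to_techniques(finding)

    alerts = [  # constructed SIEM alert stream
        Alert("A1", "T1566", 2),
        Alert("A2", "T1110", 1),
        Alert("A3", "T1558", 2),
        Alert("A4", "T1059", 4),
        Alert("A5", "T1053", 2),
        Alert("A6", "T1110", 3),
    ]
    queue, deferred = prioritize(alerts, validated)
    reduction = len(deferred) / len(alerts)  # share removed from the live queue
    return [a.alert_id for a in queue], [a.alert_id for a in deferred], reduction


if __name__ == "__main__":
    queue_ids, deferred_ids, reduction = run_demo()
    print("operator queue:", queue_ids)
    print("deferred:", deferred_ids)
    print(f"queue reduced by {reduction:.0%}")
```

The floor and the ranking rule are the tunable part: a benchmark against an alarm management standard would compare the resulting alert rate per operator before and after prioritization, which is what `reduction` approximates on this constructed stream.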