Taxonomy for Unsecure Big Data Processing in Security Operations Centers

Natalia Miloslavskaya, Alexander Tolstoy and Sergey Zapechnikov
National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Moscow, Russia
{NGMiloslavskaya, AITolstoj, SVZapechnikov}@mephi.ru

Abstract—While the media constantly describe new attacks, organizations seriously concerned about protecting their business need to be prepared for such sophisticated attacks against their IT infrastructures. Hence a properly designed and formalized information security (IS) management system, with a Security Operations Center (SOC) as its central part, is required as never before. Among the most important documents for a SOC are two policies: the IS policy and the IS incident management policy. In order to create a truly effective policy it is vital to adequately describe the SOC's operational environment from the IS viewpoint. The paper presents the classifications (taxonomy) most in demand for these purposes: of IS threats, vulnerabilities, attacks and IS incidents, as the negative elements that should be avoided.

Keywords—big data processing; security operations center; taxonomy; information security; information security incidents; information security threats; vulnerabilities; attacks
I. INTRODUCTION

Modern organizations face many challenges in their heterogeneous, highly distributed IT infrastructures (ITIs) with connect-from-anywhere-and-anytime users. ITIs are implemented as so-called elastic networks, whose perimeters carry high information security (IS) risks caused by the inclusion of clouds, virtualization, wireless networks with home offices, roaming users, consumerization and the "bring your own device" (BYOD) approach. These dramatic changes are driving current IS trends and require adequate specialized structures to manage IS.

The wide range of sophisticated IS threats, especially those related to new network technologies, services and devices, is constantly growing. Handling the increasing complexity with the existing head-count is a challenge that will continue into the foreseeable future. Two important sources of complexity are the vast quantity and variety of security alarms detected and reported by security information and event management (SIEM), Unified Threat Management (UTM), intrusion detection and prevention systems (IDPSs), firewalls (FWs), operating systems (OSs), security appliances (SAPP) and anti-viruses (AVs), and the diversity of tasks performed by the IS department, including management of assets, risks, information protection tools (IPTs), patching, IS incidents, encryption, etc. A single FW alone can produce gigabytes of log data daily, and an IDPS can produce millions of messages over the same period. A part of the information generated by the IPTs is dominated by false positives (an indication of hostile activity when there is none). Most of the messages are simply artifacts of normal and legitimate use of the ITI's resources. The problem is to isolate and prioritize the few messages that do indeed indicate real IS threats and events. The need to isolate significant IS incidents from the white noise of IDPS, FW, OS, SAPP and AV messages is a part of the larger economic reality requiring organizations to utilize their existing security measures more effectively. Automation of the security operations workload and prioritization of the tasks are critical.

The key to a more effective automation of IS maintenance (ISM), including defense against known or emerging IS threats before the ITI may be compromised, lies in creating a Security Operations Center (SOC). At present a heightened level of IS is required for SOCs, which brings security intelligence and knowledge management to the forefront. For the informed and competent formulation of IS requirements for secure big data processing (BDP) in SOCs it is vital to precisely and fully describe the internal and external environment of their functioning.

Continuing the research specified in [1], the paper presents the main results worked out by the authors for the development of a taxonomy of unsecure BDP (including information transfer and storage). Here "unsecure" means that only the negative elements influencing secure BDP are considered: vulnerabilities exploited by IS threats, implemented as particular attacks and assessed by an organization as IS incidents. The right choice of an adequate IS strategy, policies, system, methods, tools and controls will depend on the completeness and quality of their classifications.

Thus, the paper is organized as follows. The main IS terms used are introduced in Section 2.
A section with related works is intentionally omitted because of the limited paper size, as such an analysis has already been done in [1]. Section 3 is devoted to a brief description of SOCs as a security object. The proposed basic classifications of IS threats, vulnerabilities, attacks and IS incidents for BDP in a SOC are shown one after another in Sections 4-7 correspondingly. Finally, the main results and the area of their application are outlined.

II. INFORMATION SECURITY TERMINOLOGY

Many IS terms and their definitions (even those listed in [2]), while acceptable in practice, do not reflect the specifics of the present stage of the information society and require refinement with modern scientific views. From the viewpoint of the general scientific categories and the recent changes in the approaches to the creation of new IT, let IS be a quality (property) of information to maintain its integrity, confidentiality, availability, authenticity, accountability, non-repudiation and reliability. Herewith IS is seen not as an add-on but as the initial basis of IT, i.e. its indispensable quality [3]. IS of a system (the system's IS) is its quality characterized, on the one hand, by its ability to resist the destabilizing effects of external and internal threats and, on the other hand, by the level of threats posed by its operation to the elements of the system and its external environment [3].

IS maintenance (ISM) is a complicated process, divided into many sub-processes, of maintaining the secure (protected) state of information, characterized by its confidentiality, integrity, availability, etc. [3]. "IS maintenance" is a broader term than IS management, as it contains management supplemented by information protection tools/systems. ISM can be presented as two parallel processes: information protection and protection against information (for example, information with harmful content, misinformation or malicious software). In many cases it is more correct to say "IS maintenance", but "IS" is used for brevity. Information protection, implying "protection of information", involves all the activities aimed at maintaining IS, namely preventing diversion of the protected information and unauthorized or unintended impacts on it [3]. Information protection tools/systems (IPTs) are the tools/systems that implement information protection in a particular environment, such as a separate computer, a network or the whole organization's ITI [3]. An IPT is an organized collection of all tools, methods and activities allocated (provided) to solve selected protection tasks.
An IS threat (short for "a threat of IS violation") is a set of conditions and factors that create an actual or potential opportunity for violation of IT assets' IS. An IS threat source/actor/agent is a person, a material object or a physical event realizing an IS threat. Vulnerabilities in an organization's ITI are the properties of IT assets (including IPTs themselves) exploited by an IS threat source for IS threat realization. An attack is any intruder's action leading to IS threat implementation via vulnerability exploitation. It is the actual violation of IS with the aim to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an IT asset. An intruder is an entity or a subject that implements IS threats to IT assets, using their vulnerabilities and violating the authority given to him to access or control them. An IS incident is a single or a series of unwanted or unexpected IS events that have a significant probability of compromising business operations and threatening IS [4]. In turn, an IS event is an identified occurrence of a system, service or network state indicating a possible breach of IS, policy or failure of controls, or a previously unknown situation that may be security relevant [4]. Any attack on a system, service or network can be classified as an IS event or incident (depending on the organization's viewpoint).

III. SECURITY OPERATIONS CENTERS

A SOC is a centralized unit of an organization's ITI that deals with IS issues for all types of sensitive data [5]. The SOC is the nucleus of the ITI's protection, providing continuous prevention, detection, visibility, alerting, investigation and response capabilities against IS threats, remotely exploitable vulnerabilities and real-time IS incidents. Any organization expects its SOC to be a productive, real-time analytical and predictive center whose output gives a logical picture of the IS health of the organization's ITI, in order to make informed decisions that minimize IS risks and to instantly respond to critical IS events as they happen. In general, a SOC performs the following functions: asset tracking and recovery, IS risk management, vulnerability scanning, security information management, sniffing, data forensics, command console, AV/FW/IDPS centralized management, patch management, reporting and response. Thereby an ITI-wide data collection, aggregation, detection, analytics and management solution is the core technology of a successful SOC.

A huge amount of data about the current state of the ITI and the at first glance unrelated (scattered) events taking place in it needs to be processed correctly and promptly to identify IS incidents and to highlight the ITI areas at high risk for their rapid elimination. The data are generated from information considered in a particular context and coming not just from the separate domain controllers, proxy servers, DNS servers and IPTs, but also describing the current configuration of network devices, the characteristics of network traffic, the functioning of application and network services, the activity and specific actions of individual end-users, as well as containing e-mails, phone records, web-based content, metadata, digitized audio and video, GPS locations, the data of business processes, the enterprise's internal documents and analytical data for many years of its existence.
All these data should be evaluated from the viewpoint of any attack, to find its source, consider its type, weigh its consequences, visualize its vector, associate all target systems, prioritize countermeasures and offer mitigation solutions with weighted impact relevance. The volumes and heterogeneity of data, and the related activity of further scrupulous monitoring and consolidated analysis in the SOC, are very high. Ever-increasing volumes of data on IS events, the ITI's assets, their vulnerabilities, users, IS threats and related information, as well as the need to obtain systematized and analyzed "raw" heterogeneous information more rapidly for a faster understanding of the current IS situation in the ITI, are typical problems of BDP. The urgency of ISM for BDP in a SOC is defined by the contradiction between the increasing need for comprehensive, real-time and reliable processing of IS-related data and the lack of capacity to ensure the confidentiality, integrity and availability of the data to be processed and of their processing facilities allocated in the SOC. The need for securing BDP has already been shown in [1], as today's attacks are no longer a matter of "if" but "when".

IV. CLASSIFICATION OF IS THREATS FOR SOC

IS threats have always been a big part of the security picture. Their implementation in real-world attacks, such as highly targeted and selective APT, phishing e-mails and spear-phishing messages from mobile platforms and social networks, pharming, the never-dying Nigerian spam, Denial-of-Service (DoS) attacks, Cross-Site Scripting (XSS), SQL injections, watering hole attacks, ransomware and scareware, the 2014 Heartbleed, ShellShock, Poodle, Gotofail and BadUSB, etc., and their wide spread brought the topic front and center. The PricewaterhouseCoopers Global State of Information Security® Online Survey shows that the top IS threats to organizations are mobile devices, modern malware, browsers with their vulnerabilities, phishing, employee use of social networking sites, insider abuse of privileged access, employee use of consumer cloud services, social engineering (non-email) and distributed DoS. The Ernst & Young global audit firm characterized the rapidly expanding IS threats (including cyber threats) as increasing external and internal threats emerging for the following reasons: the disappearing organization's network perimeter; the growing attacking power of criminals; the multiplying of threats; the lack of skills, agility and budget in organizations.

We listed the following typical main IS threats to a separate SOC staff workstation using different intranet connections: computer viruses; masquerade; establishing full control through unauthorized remote access to information on a computer and collection of the user's information (through completed questionnaires, cookies, Java scripts, etc.); computer hang (nukes); active and passive information interception (distortion or destruction of data and programs on a computer; theft of information, including the interception of unencrypted e-mail messages, etc.); spam, phishing and so on. All the IS threats to servers, databases, operating platforms and other SOC components should be defined similarly. While analyzing the modern IS threat landscape and the international standard ISO/IEC 27035:2011 on IS incident management [4], we distinguished their different verbal descriptions.
To justify the structure and content of the system of IS indicators, to investigate the influence of different parameters on these indicators and to develop a set of models and methodologies for IS assessment, we categorized the IS threats for a SOC using mainly heuristics (Table 1) [3]. The main classification parameters are IS threat types (according to the violation of physical integrity, logical structure, content, confidentiality, property rights, availability, privacy, etc.), IS threat origin nature, IS threat sources and prerequisites. Of course, the given classification does not pretend to completeness, as new IS threats are detected almost every day. It should be borne in mind that the classification parameters shown in Table 1 are interrelated in a complex manner. For example, the IS threat sources and the form of their implementation determine the possible set of IS threat origin natures, and vice versa.

TABLE 1. CLASSIFICATION OF IS THREATS (FRAGMENT)
Classification parameter | Parameter content | Description or destructive actions
Types (violation of ...) | physical integrity | Destruction (distortion).
Types (violation of ...) | logical structure | Distortion of the structure.
Types (violation of ...) | content | Unauthorized modification.
Types (violation of ...) | confidentiality | Unauthorized obtaining.
Types (violation of ...) | property rights | Misappropriation of rights.
Types (violation of ...) | availability | Disconnection, destruction.
Types (violation of ...) | privacy | Personal data theft.
Types (violation of ...) | etc. |
Origin nature | Accidental | Failures, crashes, errors, disasters, adverse impact.
Origin nature | Malicious | Improper actions of people.
IS threat sources | Anthropogenic | Internal: main staff (programmers, administrators, technicians, users, developers); IS department officers (administrators); supporting staff (cleaners, guards); technical staff; management, etc. External: criminals and hackers; unscrupulous partners; technical staff of telecommunications service providers, etc. Combined: collusion of internal and external.
IS threat sources | Technogenic | Internal: bad-quality general-purpose/applied/auxiliary, hand/interactive, intra-machine/network, technical/technological, hardware/software tools (including models and algorithms) for registration, transmission, storage, processing and delivery; supporting tools (guard, signalling, phones); other technical tools, etc. External: communications; utilities (water supply, sewerage); transport, etc.
IS threat sources | Environmental | Natural/technological/anthropogenic disaster; thunderbolt; dust, pollution; unacceptable temperature/humidity; magnetic fields; adverse noise and stray fields; fire; flood; radiation exposure; bomb/terrorism attack; accident of capital facilities/engineering systems (electricity, plumbing, heating, air conditioning and sanitation); etc.
Prerequisites | Objective (natural) | Quantitative or qualitative paucity of the SOC's system elements.
Prerequisites | Subjective (artificial) | Criminals, disgruntled employees, etc.

V. CLASSIFICATION OF VULNERABILITIES

Thousands of attacks are launched against different targets every day. However, only a few of them prove to be successful. This happens primarily because the absolute prerequisite for an attack to succeed is its ability to exploit an existing vulnerability (one not eliminated in a timely manner). To understand the possibilities of IS threat implementation against a SOC's elements it is necessary to know the various vulnerabilities exploited by these threats. Thousands of vulnerabilities are stored in the biggest vulnerability metabase (nvd.nist.gov), together with the vulnerability risk scoring system called the Common Vulnerability Scoring System.
On the basis of this analysis we identified the following typical vulnerabilities of a SOC's hosts: the presence of uncorrected errors in the operating system (OS), software, etc., widely discussed on the Internet; computer hardware or software failures; heterogeneity of the hardware, software and OS versions used in the same network; the complexity of implementing protection for interworking; errors in IPT configurations and improper or erroneous system management; untimely monitoring and implementation of experts' recommendations on IS incident response to eliminate back doors and errors; "savings" on IPTs or ignoring them; concealment of host or network security breaches; system openness, i.e. free access to information on networking, protocols and the implementation of security mechanisms; tampering with user computer equipment, etc.

Symantec in its 2015 Internet Security Threat Report [6] singled out three so-called zero-day vulnerabilities of 2014: 81 % of the attacks detected were associated with the specific vulnerabilities in Microsoft ActiveX Control, 10 % of attacks were caused by vulnerabilities in Microsoft Internet Explorer and 7 % by those in Adobe Flash Player. Again summarizing the different verbal descriptions of vulnerabilities as properties of a SOC's elements that make IS threat implementation possible, and using mainly heuristics, they can be classified from different points of view as shown in Table 2 [3]. The main classification parameters are the vulnerability's origin source, its risk level (criticality, severity), the SOC layer of the vulnerability, its classification according to the probability/likelihood of a threat being realized on its basis, and the vulnerability's prerequisites. This classification does not pretend to completeness, as new vulnerabilities are detected every day.
TABLE 2. CLASSIFICATION OF VULNERABILITIES (FRAGMENT)
Classification parameter | Parameter content | Description or examples
Origin sources | Design (technologies, protocols, services) | Telnet, with the user's login and password transferred via the Internet as plain text.
Origin sources | Implementation (programming) | Mistakes in TCP/IP protocol stack programming, leading to DoS attacks; mistakes in application implementation, leading to buffer overflow, etc.
Origin sources | Operation | OS, protocol and service misconfiguration, non-persistent passwords, default accounts.
Origin sources | Decommissioning | In-memory information.
Risk level (criticality, severity) | High | Vulnerabilities allowing an attacker to access a host with superuser rights and/or to bypass firewalls or another security tool.
Risk level (criticality, severity) | Intermediate | Vulnerabilities allowing an attacker to get information which with high probability will allow him to access a host (e.g. after password hash interception) and vulnerabilities leading to high system resource consumption (DoS attacks).
Risk level (criticality, severity) | Low | Vulnerabilities allowing an attacker to collect sensitive information about a system (e.g. unused services, the current time on a computer, usable for attacks against crypto algorithms).
SOC layer | Infrastructure | Vulnerabilities in channel equipment, protocols, etc.
SOC layer | Platform | Vulnerabilities in hardware, platforms, OSs, etc.
SOC layer | Software | Vulnerabilities in client and server software, applications and software that support a business activity (e.g. CRM), DBMS, etc.
SOC layer | Service Delivery | Vulnerabilities in service application software and the SOC ITI.
SOC layer | Operations | Vulnerabilities in service management and operational processes carried out by IT operations and support staff.
SOC layer | Management | Vulnerabilities in management and protection tools and services for the Infrastructure, Platform and Software layers.
SOC layer | Personnel | "Holes in users' heads" are a more serious problem than back doors in software!
Probability/likelihood of a threat realization | Highly probable or probable | The vulnerability is easy to use; protection is absent or very weak.
Probability/likelihood of a threat realization | Possible | The vulnerability can be used, but protection exists.
Probability/likelihood of a threat realization | Unlikely/impossible | The vulnerability is hard to use; good protection exists.
Prerequisites | Objective | Dependence on design features and specifications of the hardware and software used in the SOC ITI.
Prerequisites | Subjective | Dependence on personnel actions.
Prerequisites | Spontaneous | Dependence on environmental features and contingencies.

While analyzing numerous publications on the topic we can conclude that attacks in 2015 exhibited a massive increase in volume, velocity and variation. In 2016 hackers can launch increasingly sophisticated attacks on everything from critical infrastructures (including SOCs) to medical devices. The research company Gartner predicts there will be 6.8 billion connected devices in use, a 30 % increase over 2015 [9]. Fortinet's global security strategist Derek Manky says that every minute they are seeing about half a million attack attempts happening in cyberspace. 2016 will likely bring entirely new worms and viruses able to propagate from device to device (such as smartwatches, smartphones and medical devices), the rise of attacks against cloud infrastructures, machine-to-machine and even machine-to-people attacks, as well as detection evading techniques.

VI. CLASSIFICATION OF ATTACKS

According to the PricewaterhouseCoopers "2015 Information Security Breaches Survey" [7], 90 % of the large organizations responding reported in 2015 that they had suffered IS breaches, which is very close to the 2014 figures. Small organizations recorded a similar picture, with nearly 3/4 reporting a security breach; this is an increase on the 2014 and 2013 figures. All types of organizations continue to experience external attacks: they appear to be subject to greater targeting by outsiders using more sophisticated methods, with malicious software impacting nearly 3/4 of large organizations and 3/5 of small organizations (up from 36 % in 2014), while DoS attacks continue the decreasing trend since 2013 (30 % of large organizations and 16 % of small organizations). The respondents identified the following common types of unauthorized outsider attacks: actual penetration into the organization's network, DoS attacks, attacks on Internet or telecommunications traffic, phishing attacks and identity theft. As for malicious software infections, 38 % of the affected organizations suffered them a few times, 13 % once only, 8 % monthly, 7 % weekly, 5 % several times a day, 4 % daily and 1 % hundreds of times every day. The McAfee Labs Threats Report of May 2015 shows the most common network attacks detected as follows: DoS 37 %, brute force 25 %, browser 9 %, Shellshock 7 %, SSL 6 %, backdoor 2 % and botnet 2 % [8].
Attacks against SOCs can be categorized in many ways (Table 3). We proposed the following main attack characteristics: influence type, attack aim, condition of influence beginning, allocation of a victim and an attacker relative to each other, number of victims and attackers, with or without feedback, implementation level according to the seven-layer ISO/OSI model, implementation tools, motivation and so on [10, 11]. Again, the given classification does not pretend to completeness, as many new attacks are predicted for the coming years. It can be used as a framework for significant extension in the future.

VII. CLASSIFICATION OF IS INCIDENTS

Even the most advanced safeguards that decrease IS risks, for example comprehensive IS policies, Next Generation Firewalls (NGFWs), IDPSs, SIEM systems, UTM systems, etc., cannot completely prevent the occurrence of IS-related events (IS events) in an organization's SOC. After all the appropriate controls have been implemented, residual vulnerabilities are likely to remain. That fact makes IS incidents possible. Therefore, according to the special international standard ISO/IEC 27035:2011 [4], it is essential for any organization serious about its SOC's IS to have an effective IS incident management system, with all the necessary documents and processes in place, as a basic part of the organization's general IS management system (ISMS). Additionally it should have structured and planned approaches: to detect, report and assess IS events and IS incidents; to respond to IS incidents, including the activation of appropriate controls for the prevention and reduction of, and recovery from, impacts; to report vulnerabilities that have not yet been exploited to cause IS events and possibly IS incidents, and to assess and deal with them appropriately; and to learn from IS incidents and vulnerabilities, institute preventive controls and, over time, make improvements to the overall approach to IS incident management.

According to the PricewaterhouseCoopers "2015 Information Security Breaches Survey" [7], the worst IS incidents faced by respondents were incidents caused by staff (43 %), attacks by unauthorized outsiders (excluding hacking) (23 %), system failure or data corruption (11 %), infection by viruses or malicious software (11 %) and theft or fraud involving computers (2 %). In turn, the types of staff-related IS incidents reported by large organizations included loss or leakage of confidential information (66 % in 2015, up from 55 % in 2014), unauthorized access to systems or data (e.g. using someone else's ID) (65 % in 2015, 57 % in 2014), breach of data protection laws or regulations (57 % in 2015, 45 % in 2014) and misuse of confidential information (23 % in 2015).
TABLE 3. CLASSIFICATION OF ATTACKS (FRAGMENT)
Classification parameter | Parameter content | Description or destructive actions
Influence type | Passive | E.g. sniffing.
Influence type | Active | DoS attack, spoofing, "Man-in-the-Middle" (MiTM), flooding.
Aim (violation of ...) | physical integrity | Destruction (distortion).
Aim (violation of ...) | logical structure | Distortion of the structure.
Aim (violation of ...) | content | Unauthorized modification.
Aim (violation of ...) | confidentiality | Unauthorized obtaining.
Aim (violation of ...) | property rights | Misappropriation of rights.
Aim (violation of ...) | availability | Disconnection, destruction.
Aim (violation of ...) | privacy | Personal data theft.
Aim (violation of ...) | etc. |
Start conditions | On request from a victim | E.g. MiTM.
Start conditions | On a particular event occurrence | E.g. replay attack, spoofing.
Start conditions | Unconditionally | E.g. sniffing, phishing, MiTM, flooding.
Allocation of a victim and an attacker | In one network segment | E.g. sniffing, spoofing, flooding.
Allocation of a victim and an attacker | In different network segments | E.g. DoS attack, spoofing, MiTM, flooding.
Number of victims and attackers | Traditional | One attacker to one/many victims.
Number of victims and attackers | Distributed | Many attackers to one/many victims.
Feedback with a victim | With feedback | E.g. spoofing, MiTM.
Feedback with a victim | Without feedback | E.g. sniffing, spoofing, MiTM.
ISO/OSI implementation level | Physical | E.g. lock picking, hardware modification, wiretapping.
ISO/OSI implementation level | Data link | E.g. MiTM, MAC modification, sniffing, ARP cache poisoning, de-authentication of wireless clients, DHCP starvation.
ISO/OSI implementation level | Network | E.g. spoofing, ICMP flooding, Wormhole and Blackhole attacks, route cache poisoning, DHCP attack.
ISO/OSI implementation level | Transport | E.g. spoofing, Smurf attack, session hijacking, TCP port scan, TCP host sweeps, UDP flooding.
ISO/OSI implementation level | Session, Presentation & Application | E.g. Telnet DDoS, flooding, sniffing, viruses, MiTM, repudiation, buffer overflow.
ISO/OSI implementation level | Combined | E.g. DDoS attack, jamming, SYN flooding.
Method | | Scanning & probing, sniffing, flooding, spoofing, hijacking, MiTM, masquerade, APT, etc.
Tools | | Information interchange, user's commands, software (including scripts), toolkits/rootkits, viruses, worms, social engineering, etc.
Attack from ... | | Internet, Intranet, Extranet, Cloud (public/private), Workstation, Mobile device, etc.
Anonymizing proxies usage | | Yes or no.
Motivation | | Enrichment, hacktivism, vengeance, self-assertion, sabotage, espionage, vandalism, etc.

IS incidents for SOCs can be described as in Table 4. Their main characteristics are type, priority, malefactors, aims to be achieved, methods and tools used, actions and the targeted objects at which these actions were directed, affected objects and particular information assets, damage and its severity, detection and response complexity, etc. [12]. The given classification does not pretend to completeness, as any organization can choose its own set of IS incident attributes that are important for responding to them in a timely manner. The list can be used as a framework for its extension.
TABLE 4. CLASSIFICATION OF IS INCIDENTS (FRAGMENT)
Classification parameter | Parameter content
Type | Accomplished (duration), in progress, attempt, suspected. Origin nature: malicious or accidental.
Priority | 0 (highest), 1 (high), 2 (above average), 3 (average), 4 (low) or 5 (minimum).
Malefactors | Employee (user, administrator, manager, developer), criminal, etc.
TABLE (row headings not recovered on this page): attribute values of the taxonomy classifications
- People, software, hardware, processes, data, etc.
- Internet, Intranet, Extranet, Cloud (public/private), Workstation, Mobile device, etc.
- Financial profit, Violation of availability (including business continuity violation), Violation of integrity (physical or logical structure, files, databases, content, …), Violation of confidentiality, property rights, etc.
- Social engineering, Physical attack, Hardware, Software (including scripts), Information interchange, User’s commands, Toolkits/rootkits, Virus, etc.
- Copying, Reading, Modification, Deleting, Scanning & Probing, Sniffing, Flooding, Spoofing, Hijacking, MiTM, Phishing/spear phishing, Pharming, Masquerade, Spamming, etc.
- Business/management/technological process, IPT, Service delivery, SOC’s infrastructure and its elements, Computer-aided system, Network/subnetwork, Device, Channels, Workstations, Database and database management system, OS, Server, Client, Media, Files, Information, Accounts, etc.
- General and special purpose control and management information, billing information, personal data, financial and analytical information, service information, reference information, operating and telecommunication environment information, etc.
- Software and hardware failures, DoS, Disclosure, Resource theft, Assets damage, IS policies breach, etc.
- Minimum, medium, high or critical.
- Lack of IS knowledge, poor IS policies, IS policies violation, lack of IPTs, etc.
- None, failure, unavailability of critical information to perform functions, violation of IPT’s software/hardware integrity, IPT’s settings change, etc.
- Normal or high.
- Registered, assigned to, being processed or closed.
- Minimum, medium, high or critical.
VIII. CONCLUSION
The proposed taxonomy can be used by any organization when designing its SOC and writing the internal documentation that supports its ISM system and processes, as a framework for further expansion and refinement. The first three classifications are ready to be used for developing IS threat and intruder models for BDP in SOCs. The IS threat model includes a formalized description of IS threat sources, the vulnerabilities they exploit, the objects against which threats can be realized, implementation techniques, types of possible loss, the extent of the potential damage, and additional information such as likelihood of implementation, destructive impact (including interconnected impacts), damage elimination or limitation, frequency and duration, etc. The IS intruder model contains a formalized classification of intruders and a description of their experience, knowledge, the resources available to them for implementing IS threats, the possible motivation for their actions, and the IS threat implementation techniques they use. These models are described either in separate documents or in high-level documents (IS strategies, concepts, policies). The fourth classification is the basis for elaborating the IS incident management policy and program. These classifications are discussed together here for the first time.
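As an added illustration (not code from the paper) of how the attribute values in the table above can be turned into a checkable SOC incident record: the Python below encodes the action, unauthorized-result, severity, priority and status value lists from the table as enumerations, derives an incident's taxonomy fields from a constructed alert line with keyword rules, and enforces a status lifecycle. The keyword rules, the registered-to-closed lifecycle and the severity-to-priority rule are assumptions made for this example; the paper does not specify them.

```python
"""Incident records keyed to the taxonomy attribute values listed above.
Added illustration, not code from the paper: the enumerations copy value
lists from the table; the keyword rules, the status lifecycle and the
severity-to-priority rule are assumptions made for this example."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Action(Enum):                     # "Copying, Reading, ... Spamming"
    COPYING = "Copying"
    READING = "Reading"
    MODIFICATION = "Modification"
    DELETING = "Deleting"
    SCANNING_PROBING = "Scanning & Probing"
    SNIFFING = "Sniffing"
    FLOODING = "Flooding"
    SPOOFING = "Spoofing"
    HIJACKING = "Hijacking"
    MITM = "MiTM"
    PHISHING = "Phishing/spear phishing"
    PHARMING = "Pharming"
    MASQUERADE = "Masquerade"
    SPAMMING = "Spamming"

class Result(Enum):                     # "Software and hardware failures, DoS, ..."
    FAILURES = "Software and hardware failures"
    DOS = "DoS"
    DISCLOSURE = "Disclosure"
    RESOURCE_THEFT = "Resource theft"
    ASSETS_DAMAGE = "Assets damage"
    POLICY_BREACH = "IS policies breach"

class Severity(Enum):                   # "Minimum, medium, high or critical"
    MINIMUM = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

class Priority(Enum):                   # "Normal or high"
    NORMAL = "Normal"
    HIGH = "High"

class Status(Enum):                     # "Registered, assigned to, being processed or closed"
    REGISTERED = "Registered"
    ASSIGNED = "Assigned to"
    PROCESSING = "Being processed"
    CLOSED = "Closed"

# Assumed lifecycle: registered -> assigned -> being processed -> closed, no reopening.
TRANSITIONS = {
    Status.REGISTERED: {Status.ASSIGNED},
    Status.ASSIGNED: {Status.PROCESSING},
    Status.PROCESSING: {Status.CLOSED},
    Status.CLOSED: set(),
}

# Constructed keyword rules (assumption) mapping alert text to an action and a result.
RULES = [
    (re.compile(r"syn flood|udp flood|request rate exceeded", re.I), Action.FLOODING, Result.DOS),
    (re.compile(r"port ?scan|nmap|host sweep", re.I), Action.SCANNING_PROBING, None),
    (re.compile(r"phish|credential harvest", re.I), Action.PHISHING, Result.DISCLOSURE),
    (re.compile(r"arp spoof|man-in-the-middle|mitm", re.I), Action.MITM, Result.DISCLOSURE),
    (re.compile(r"table dropped|mass delete|rm -rf", re.I), Action.DELETING, Result.ASSETS_DAMAGE),
]

def classify_alert(text: str) -> Tuple[Optional[Action], Optional[Result]]:
    """Return (action, result) from the first matching rule, or (None, None) for unknown text."""
    for pattern, action, result in RULES:
        if pattern.search(text):
            return action, result
    return None, None

def priority_for(severity: Severity) -> Priority:
    """Assumed rule: high and critical severity incidents are worked at high priority."""
    return Priority.HIGH if severity.value >= Severity.HIGH.value else Priority.NORMAL

@dataclass
class Incident:
    incident_id: str
    source_alert: str
    severity: Severity
    action: Optional[Action]
    result: Optional[Result]
    priority: Priority
    status: Status = Status.REGISTERED

    def advance(self, new_status: Status) -> "Incident":
        """Move along the lifecycle; reject any transition TRANSITIONS does not allow."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status.value} -> {new_status.value} is not allowed")
        self.status = new_status
        return self

def register_incident(incident_id: str, alert: str, severity: Severity) -> Incident:
    """Build a record whose action/result/priority fields are derived from the alert."""
    action, result = classify_alert(alert)
    return Incident(incident_id, alert, severity, action, result, priority_for(severity))
```

Calling register_incident with an alert string such as "IDPS: SYN flood from 203.0.113.7 to 10.0.0.5:443" (a constructed line, not a real log) yields a record tagged Flooding/DoS; an alert that matches no rule leaves action and result empty for an analyst to fill in, which is the case the SOC's incident management process has to handle explicitly. Keeping the value lists as enumerations means a record with a severity, priority or status outside the taxonomy is rejected at construction time rather than discovered later in reporting.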
IX. ACKNOWLEDGEMENT This work was supported by Competitiveness Growth Program of the Federal Autonomous Educational Institution of Higher Education National Research Nuclear University MEPhI (Moscow Engineering Physics Institute).