Publication

Autonomous Incident Response


Bibliographic details
Abstract: Information security is a must-have for any organization willing to stay relevant and grow; it plays an important role as a business enabler, be it from a regulatory perspective or a reputation perspective. Having the people, process, and technology to solve the ever-growing number of security incidents as fast as possible and with the least amount of impact is a challenge for small and big companies alike. To address this challenge, companies started investing in Security Orchestration, Automation, and Response (SOAR) [39, 68, 70]. Security orchestration is the planning, integration, cooperation, and coordination of the activities of security tools and experts to produce and automate the required actions in response to any security incident across multiple technology paradigms [40]. In other words, SOAR is a way to translate the manual procedures followed by security analysts into automated actions, making the process faster and more scalable while saving on the human resources budget. This project proposes a low-cost, cloud-native SOAR platform based on serverless computing and presents the underlying details of its design. The performance of the proposed solution was evaluated on 364 real-world incidents related to 11 use cases in a large multinational enterprise. The results show that the solution is able to decrease the duration of the tasks by an average of 98.81% while having an operating expense of less than $65/month. Prior to the SOAR, it took the analyst 75.84 hours to perform the manual tasks related to the 11 use cases. Additionally, an estimated 450 hours of the analyst's time would have been needed to run the Update threat intelligence database use case. After the SOAR, the same tasks were run automatically in 31.2 minutes, and the Update threat intelligence database use case ran 9.000 times in 5.3 hours.
Main authors: Siqueira, Juan Christian da Silva
Subjects: SOAR; Cloud computing; Security; Orchestration; Automation; Master's theses - 2023
Year: 2023
Country: Portugal
Document type: master's dissertation
Access type: open access
Associated institution: Universidade de Lisboa
Language: English
Source: Repositório da Universidade de Lisboa
Contributor: Sá, Alan Oliveira de
Date accepted: 2023-01-01
Date available: 2023-04-24
Identifier: http://hdl.handle.net/10451/57250
Full text: https://repositorio.ulisboa.pt/bitstreams/b3d46e3d-f5d2-4f67-8d16-b1e171b326eb/download