Reinforcement Learning for Cybersecurity
Published in Chong Li, Meikang Qiu, Reinforcement Learning for Cyber-Physical Systems, 2019
The task of a cybersecurity analyst includes examining the alerts generated by an Intrusion Detection System (IDS), such as Snort, or a Security Information and Event Management (SIEM) tool, and then identifying those alerts that are considered significant. In this domain, dynamic scheduling to manage cybersecurity analysts to minimize risk is a critical infrastructure problem that poses several operational challenges and garners importance at the level of national security [48]. The cybersecurity analysts can be viewed as a resource that must be allocated to the process of examining alerts in an optimal way to minimize risk while satisfying the resource constraints. Such resource constraints include the number of sensors on which an analyst can be trained or assigned, the expertise mix that the cybersecurity defense organization wishes to own, the expected utilization of the analysts, the time taken by an analyst to investigate an alert (which translates to analyst workload), and preferences such as shift hours and days off in a week for the analysts. Given such a highly dynamic environment and conditions, the existing static or adaptive scheduling solutions in manufacturing and service applications cannot be directly applied to the problem of scheduling cybersecurity analysts. However, if the problem is modeled as a dynamic programming problem and then solved using reinforcement learning with the objective of minimizing the number of analysts and optimizing the sensor-to-analyst allocation, it is proven that the overall risk can be minimized or reduced below a threshold.
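The scheduling problem sketched above, reduced to a toy Markov decision process and solved by value iteration (the dynamic-programming step the excerpt refers to). This is an added illustration, not the chapter's model: the state and action definitions, the cost function, the alert-arrival distribution, the per-analyst throughput and every constant are assumptions chosen to keep the example small.

```python
"""Toy dynamic-programming model of rostering analysts against alert risk.

Added illustration, not the chapter's model.  The MDP is deliberately small:
  state  = backlog of unexamined alerts at the start of a shift (0..B_MAX)
  action = number of analysts rostered for the shift (0..A_MAX, a resource cap)
  cost   = ANALYST_COST per rostered analyst plus RISK_WEIGHT per alert still
           unexamined at the end of the shift
Value iteration yields the roster policy that minimises expected discounted
cost.  All numbers below are constructed.
"""

B_MAX = 8                     # largest backlog the model tracks
A_MAX = 3                     # analysts available per shift (resource constraint)
PER_ANALYST = 2               # alerts one analyst can examine in a shift (workload)
ARRIVALS = {2: 0.5, 4: 0.3, 6: 0.2}   # alerts raised by the sensors per shift -> probability
ANALYST_COST = 1.0
RISK_WEIGHT = 1.0
GAMMA = 0.9                   # discount applied to future shifts


def transitions(backlog, analysts):
    """Yield (next_backlog, probability, immediate_cost) for one shift."""
    for arrivals, prob in ARRIVALS.items():
        unexamined = max(0, backlog + arrivals - analysts * PER_ANALYST)
        cost = ANALYST_COST * analysts + RISK_WEIGHT * unexamined
        yield min(B_MAX, unexamined), prob, cost


def expected_cost(backlog, analysts, values):
    """Bellman backup: immediate cost plus discounted value of the next state."""
    return sum(prob * (cost + GAMMA * values[nxt])
               for nxt, prob, cost in transitions(backlog, analysts))


def value_iteration(tol=1e-6, max_iter=10_000):
    """Return (values, policy): optimal expected cost per backlog level and the
    number of analysts to roster at that level."""
    values = {b: 0.0 for b in range(B_MAX + 1)}
    for _ in range(max_iter):
        updated = {b: min(expected_cost(b, a, values) for a in range(A_MAX + 1))
                   for b in values}
        delta = max(abs(updated[b] - values[b]) for b in values)
        values = updated
        if delta < tol:
            break
    policy = {b: min(range(A_MAX + 1), key=lambda a: expected_cost(b, a, values))
              for b in values}
    return values, policy


if __name__ == "__main__":
    values, policy = value_iteration()
    for backlog in range(B_MAX + 1):
        print(f"backlog {backlog}: roster {policy[backlog]} analyst(s), "
              f"expected cost {values[backlog]:.2f}")
```

Raising RISK_WEIGHT relative to ANALYST_COST pushes the policy toward rostering the full complement at every backlog level; lowering it lets the solver leave small backlogs for the next shift. Expertise mix, sensor assignments and shift preferences would enter as further dimensions of the state and as restrictions on the action set.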
Lubricant Blending Issues
Published in R. David Whitby, Lubricant Blending and Quality Assurance, 2018
Effective cyber security is not achieved by simply installing and relying on technology. Protection requires a combination of people, procedures and technology, and everyone in the blending plant must be involved. The main programmes required for industrial cyber security are listed in Table 8.1. A demilitarised zone (DMZ) on a router refers to a DMZ host, which is a host on the internal network that has all user datagram protocol (UDP) and transmission control protocol (TCP) ports open and exposed, except those ports otherwise forwarded. It is often used as a simple method to forward all ports to another firewall. In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Continuous industrial control system (ICS) security monitoring technologies provide defenders with the visibility they need. While some companies may not be aware of these solutions, others are already integrating them into their cyber security management programmes.
Assessing smart light enabled cyber-physical attack paths on urban infrastructures and services
Published in Connection Science, 2022
Ioannis Stellios, Kostas Mokos, Panayiotis Kotzanikolaou
Addressing risks due to logical access cyber interaction types (C2/3, C5/6) in diverse domains of an urban environment is a much more daunting task to begin with. Remote management of critical systems, which has been on the rise due to the COVID-19 pandemic, must be subjected to exhaustive security evaluation, and proper security controls must always be in place. Security countermeasures may include, among others, remote system access via VPN services, full system audits on remote endpoints, log analysis with centralised Security Information and Event Management (SIEM) systems, multi-factor authentication schemes and strict endpoint security rules. On the other hand, application auditing, database firewalling and anomaly detection/prevention systems can also be used to mitigate risks from insider threats such as executive staff and software developers.
Data Loss Prevention from a Malicious Insider
Published in Journal of Computer Information Systems, 2022
Edson Machado de Sousa, Abid Shahzad
More than half of CSPs use Security Information and Event Management (SIEM) and Log Management Systems to detect and analyze insider attacks. Logs are a critical resource for detecting malicious behavior and protecting the CSP's environment. They must be well configured to ensure the integrity of the logs and to keep them secure and stored for a certain period based on the CSP's obligations and requirements. Kajiyama et al. [2] recommended that customers ensure their CSPs have systems that guarantee that all access and procedures performed in their system are being logged and monitored. SIEM systems have better capabilities to manage logs, and their coverage and functions are broader than those of Log Management Systems. SIEM combines three main capabilities: Security Event Management, which includes functionality to aggregate and analyze log files from IDS/IPS, network devices, vulnerability scanners, and asset inventory tools; Security Information Management, which can be employed to collect, monitor, and analyze data from computer event logs with automated features and alerts that are activated when pre-set conditions are met, indicating suspicious behavior; and Security Event Correlation, which correlates behaviors collected from event logs, which are then analyzed to discover patterns that could indicate a security issue.
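The three capabilities listed above, shown end to end on a handful of constructed log lines: aggregation of IDS, authentication and vulnerability-scanner feeds into one event schema, an alert that fires when a pre-set condition is met, and correlation across feeds by attacking source. This is an added example, not code from the article or from any SIEM product; the Snort fast-format and sshd syslog lines, the host names, IP addresses, finding identifiers, the two rules and their thresholds are all assumptions constructed for the demonstration.

```python
"""SIEM-style aggregation, pre-set-condition alerting and cross-source correlation
over constructed sample logs.  Added illustration, not code from the article;
every log line, host name, IP address and finding ID below is made up.
Feeds: IDS alerts (Snort fast format), sshd syslog, vulnerability scan, asset inventory."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2022  # syslog and Snort fast-alert lines carry no year; assumed for parsing
SNORT_FAST = [
    "10/05-09:14:02.120000  [**] [1:1000001:1] CONSTRUCTED SMB overflow attempt [**] "
    "[Priority: 1] {TCP} 203.0.113.7:51234 -> 10.0.0.5:445",
    "10/05-09:20:11.000000  [**] [1:1000002:1] CONSTRUCTED web scanner user-agent [**] "
    "[Priority: 3] {TCP} 198.51.100.9:40000 -> 10.0.0.8:80",
]
SSHD_SYSLOG = [
    "Oct  5 09:13:40 file01 sshd[2231]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Oct  5 09:13:42 file01 sshd[2233]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "Oct  5 09:13:44 file01 sshd[2235]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "Oct  5 09:13:50 file01 sshd[2237]: Accepted password for root from 203.0.113.7 port 51004 ssh2",
    "Oct  5 09:30:01 web01 sshd[3001]: Failed password for admin from 192.0.2.4 port 6000 ssh2",
]
VULN_SCAN_CSV = "host,port,finding\nfile01,445,CONSTRUCTED-SMB-001\nweb01,443,CONSTRUCTED-TLS-002\n"
ASSETS = {"file01": "10.0.0.5", "web01": "10.0.0.8"}   # asset inventory: host -> IP

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\[Priority: (\d+)\]\s+\{(\w+)\}\s+([\d.]+):\d+ -> ([\d.]+):(\d+)$")
SSHD_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password "
    r"for (\S+) from ([\d.]+) port \d+")
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)   # pre-set alerting condition

def parse_snort(line):
    """Normalise a Snort fast-format alert into the common event schema (or None)."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    mon, day, clock, sid, msg, prio, _proto, src, dst, dport = m.groups()
    ts = datetime.strptime(f"{YEAR}-{mon}-{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "sid": sid, "msg": msg, "priority": int(prio),
            "src_ip": src, "dst_ip": dst, "dst_port": int(dport)}

def parse_sshd(line):
    """Normalise an sshd syslog line into the common event schema (or None)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, outcome, user, src = m.groups()
    ts = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "outcome": outcome.lower(), "user": user, "src_ip": src}

def parse_vuln_csv(text):
    """Scanner output -> {(host, port): {finding ids}}."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        findings[(row["host"], int(row["port"]))].add(row["finding"])
    return findings

def rule_bruteforce_then_success(auth_events):
    """Fire when >= FAIL_THRESHOLD failures from one source against one host inside
    WINDOW are followed by a successful login from the same source."""
    by_pair = defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        by_pair[(e["src_ip"], e["host"])].append(e)
    incidents = []
    for (src, host), events in by_pair.items():
        fails = []
        for e in events:
            fails = [t for t in fails if e["ts"] - t <= WINDOW]   # drop failures outside WINDOW
            if e["outcome"] == "failed":
                fails.append(e["ts"])
            elif len(fails) >= FAIL_THRESHOLD:                  # outcome is "accepted"
                incidents.append({"type": "brute_force_success", "host": host, "src_ip": src,
                                  "user": e["user"], "ts": e["ts"], "severity": "high"})
                fails = []
    return incidents

def rule_exploit_vs_vulnerable(ids_events, findings, assets):
    """Escalate an IDS alert whose target host:port has an open scanner finding."""
    ip_to_host = {ip: host for host, ip in assets.items()}
    incidents = []
    for a in ids_events:
        host = ip_to_host.get(a["dst_ip"])
        if host and (host, a["dst_port"]) in findings:
            incidents.append({"type": "exploit_vs_vulnerable_service", "host": host,
                              "src_ip": a["src_ip"], "port": a["dst_port"], "ts": a["ts"],
                              "findings": sorted(findings[(host, a["dst_port"])]), "severity": "critical"})
    return incidents

def correlate(incidents):
    """Event correlation: group incidents sharing an attacking source IP, oldest first."""
    cases = defaultdict(list)
    for inc in incidents:
        cases[inc["src_ip"]].append(inc)
    return {src: sorted(incs, key=lambda i: i["ts"]) for src, incs in cases.items()}

def run_pipeline():
    """Collect from all feeds, apply both rules, return {source_ip: [incidents]}."""
    ids = [e for e in map(parse_snort, SNORT_FAST) if e]
    auth = [e for e in map(parse_sshd, SSHD_SYSLOG) if e]
    findings = parse_vuln_csv(VULN_SCAN_CSV)
    return correlate(rule_bruteforce_then_success(auth)
                     + rule_exploit_vs_vulnerable(ids, findings, ASSETS))
```

Calling `run_pipeline()` yields one case, keyed by 203.0.113.7: the password-guessing run against file01 that ends in an accepted login, followed twelve seconds later by the IDS alert against the SMB port the scanner had already flagged on that host. The single failure from 192.0.2.4 never reaches the threshold, and the priority-3 scanner alert against web01 port 80 matches no finding, so neither produces an incident; this is the difference between raw log volume and the correlated output an analyst is asked to act on.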