Alessandro Palma , Andrea Sorrentino , Silvia Bonomi
Title: How to assess measurement capabilities of a security monitoring infrastructure and plan investment through a graph-based approach
Authors: Alessandro Palma, Andrea Sorrentino, Silvia Bonomi
DOI: 10.1016/j.eswa.2024.125623
Journal: Expert Systems with Applications, volume 262, Article 125623
Publication date: 2024-10-30
Publication type: Journal article
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0957417424024904
Journal metrics: impact factor 7.5; JCR Q1 (Computer Science, Artificial Intelligence)
Citations: 0
Abstract
Security monitoring is a crucial activity in managing cybersecurity for any organization, as it plays a foundational role in various security processes and systems, such as risk identification and threat detection. To be effective, security monitoring is currently implemented by orchestrating multiple data sources so that corrective actions can be taken promptly. Poor monitoring management can compromise an organization's cybersecurity posture and waste resources. This issue is further exacerbated by the fact that monitoring infrastructures are typically managed with a limited resource budget. This paper addresses the problem of supporting security experts in managing security infrastructures efficiently and effectively by considering the cost-benefit trade-off between deploying specific monitoring tools and the benefit of including them in the organization's infrastructure. To this aim, we introduce a graph-based model named Metric Graph Model (MGM) to represent dependencies between security metrics and the monitoring infrastructure. It is used to solve a set of security monitoring problems: (i) Metrics Computability, to assess the measurement capabilities of the monitoring infrastructure, (ii) Instrument Redundancy, to assess the utility of the instruments used for the monitoring, and (iii) Cost-Bounded Constraint, to identify the optimal monitoring infrastructure in terms of the cost-benefit trade-off. We prove the NP-hardness of some of these problems, propose heuristics for solving them based on the Metric Graph Model, and provide an experimental evaluation showing that they outperform existing solutions. Finally, we present a usage scenario based on an instance of the Metric Graph Model derived from a state-of-the-art security metric taxonomy currently employed by organizations. It demonstrates how the proposed approach supports an administrator in optimizing the security monitoring infrastructure in terms of saving resources and speeding up the decision-making process.
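The three problems named in the abstract can be made concrete on a small metric-dependency graph. The code below is an added illustration written for this page, not the authors' implementation and not the paper's formal definition of the Metric Graph Model, which is not reproduced here. It assumes a simplified semantics: instruments are leaf nodes with a cost, each metric lists one or more alternative sets of nodes that suffice to compute it (any one complete alternative makes the metric computable), and the instance itself (instrument names, costs and dependencies) is constructed for the example.

```python
from itertools import combinations

# Constructed toy instance (not from the paper). Instruments are the leaves
# of the graph and carry a deployment/operation cost.
INSTRUMENT_COST = {"ids": 3, "fw_log": 2, "edr": 4, "vuln_scanner": 3, "auth_log": 1}

# Each metric lists the alternative dependency sets that suffice to compute it:
# a metric is computable if all members of at least one alternative are
# available (OR of ANDs). This semantics is an assumption of this example.
DEPENDS_ON = {
    "alerts_per_host":     [{"ids"}],
    "blocked_conns":       [{"fw_log"}],
    "endpoint_detections": [{"edr"}],
    "open_vulns":          [{"vuln_scanner"}],
    "failed_logins":       [{"auth_log"}, {"edr"}],   # EDR telemetry can substitute for the auth log
    "intrusion_rate":      [{"alerts_per_host", "blocked_conns"}],
    "exposure_score":      [{"open_vulns", "intrusion_rate"}],
    "account_abuse":       [{"failed_logins", "endpoint_detections"}],
}


def computable_metrics(instruments):
    """Metrics Computability: propagate availability from the deployed
    instruments up the dependency graph until a fixpoint is reached, and
    return the set of metrics the infrastructure can actually measure."""
    available = set(instruments)
    changed = True
    while changed:
        changed = False
        for metric, alternatives in DEPENDS_ON.items():
            if metric not in available and any(alt <= available for alt in alternatives):
                available.add(metric)
                changed = True
    return {m for m in DEPENDS_ON if m in available}


def redundant_instruments(instruments, targets):
    """Instrument Redundancy: an instrument is redundant (for the metrics the
    organization cares about) if removing it alone still leaves every target
    metric computable."""
    instruments = set(instruments)
    targets = set(targets)
    return {i for i in instruments if targets <= computable_metrics(instruments - {i})}


def best_infrastructure(budget, targets):
    """Cost-Bounded Constraint: among instrument subsets within budget, pick
    one that computes the most target metrics, breaking ties by lower cost.
    Exhaustive search is fine for a handful of instruments but exponential in
    general; the paper reports NP-hardness for some of these problems and
    proposes heuristics, which this toy does not reproduce."""
    targets = set(targets)
    best = (set(), 0, 0)  # (instruments, number of targets covered, total cost)
    names = sorted(INSTRUMENT_COST)
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(INSTRUMENT_COST[i] for i in subset)
            if cost > budget:
                continue
            covered = len(targets & computable_metrics(subset))
            if covered > best[1] or (covered == best[1] and cost < best[2]):
                best = (set(subset), covered, cost)
    return best


if __name__ == "__main__":
    wanted = {"exposure_score", "account_abuse"}
    full = set(INSTRUMENT_COST)
    print("computable with everything deployed:", sorted(computable_metrics(full)))
    print("redundant for the wanted metrics:", redundant_instruments(full, wanted))
    print("best within budget 12:", best_infrastructure(12, wanted))
    print("best within budget 8:", best_infrastructure(8, wanted))
```

With every instrument deployed, `auth_log` is redundant for the two target metrics because `failed_logins` can also be derived from EDR telemetry; dropping it brings the infrastructure to cost 12, which is also what the budget-12 search returns. Under a budget of 8 only one of the two targets is reachable, and the cheapest way to get it is EDR alone. Real instances differ from this toy in that metrics may be weighted, instruments may be partially substitutable, and the search has to be heuristic rather than exhaustive.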
Journal description:
Expert Systems With Applications is an international journal dedicated to the exchange of information on expert and intelligent systems used globally in industry, government, and universities. The journal emphasizes original papers covering the design, development, testing, implementation, and management of these systems, offering practical guidelines. It spans various sectors such as finance, engineering, marketing, law, project management, information management, medicine, and more. The journal also welcomes papers on multi-agent systems, knowledge management, neural networks, knowledge discovery, data mining, and other related areas, excluding applications to military/defense systems.