Publication:
Autosoc: A low budget flexible security operations platform for enterprises and organizations

dc.contributor.author: Chamiekara, G. W. P
dc.contributor.author: Cooray, M. I. M
dc.contributor.author: Wickramasinghe, L. S. A. M
dc.contributor.author: Koshila, Y. M. S
dc.contributor.author: Abeywardhana, K. Y
dc.contributor.author: Senarathna, A. N
dc.date.accessioned: 2022-04-26T10:20:27Z
dc.date.available: 2022-04-26T10:20:27Z
dc.date.issued: 2017-09-14
dc.description.abstract: Most of today's existing Security Operations Center (SOC) platforms follow a hybrid methodology for executing security operations. However, these systems have a number of drawbacks. Because there is a human component, false positives may be identified as true threat alerts, which adversely affects the overall system. Some automated SOCs also exist today, but their cost is considerably high for most small and medium scale companies. That is why we propose AutoSOC, a fully automated security operations center platform, except for the forensic investigation system, which requires a ticket to be generated with the approval of the user. This low budget enterprise solution comprises an Intelligent Intrusion Detection and Prevention System (IIDPS), a Security Incident and Event Management System (SIEM), a Malware Analysis System and a Simple Forensic Investigation System. The IIDPS contains an Intelligent Intrusion Detection System (IIDS) and an Intelligent Intrusion Prevention System (IIPS). The IIDS is an alert system comprising components that notify and communicate between the integrated components when an attack or a breach occurs. The IIPS will understand the behavior of applications and whether protocols behave according to their published standards. The SIEM is responsible for analyzing security event data: it collects, stores, analyzes and reports on log data for incident response, forensics and regulatory compliance. The malware analysis process runs in parallel with a forensic toolkit in order to accurately predict possible root causes of a given incident. The forensic toolkit targets the key components of analysis, including running processes, captured packets, etc.
Therefore, the suggested solution will be able to reduce the cost of security implementations and increase the efficiency and accuracy of analysis results by eliminating false positives and the reporting of incorrect vulnerabilities, through learning about the SOC network and environment.
dc.identifier.citation: G. W. P. Chamiekara, M. I. M. Cooray, L. S. A. M. Wickramasinghe, Y. M. S. Koshila, K. Y. Abeywardhana and A. N. Senarathna, "AutoSOC: A low budget flexible security operations platform for enterprises and organizations," 2017 National Information Technology Conference (NITC), 2017, pp. 100-105, doi: 10.1109/NITC.2017.8285644.
dc.identifier.doi: 10.1109/NITC.2017.8285644
dc.identifier.isbn: 978-1-5386-2425-8
dc.identifier.uri: https://rda.sliit.lk/handle/123456789/2076
dc.language.iso: en
dc.publisher: IEEE
dc.relation.ispartofseries: 2017 National Information Technology Conference (NITC); Pages 100-105
dc.subject: AutoSOC
dc.subject: low budget
dc.subject: flexible security
dc.subject: operations platform
dc.subject: enterprises
dc.subject: organizations
dc.title: Autosoc: A low budget flexible security operations platform for enterprises and organizations
dc.type: Article
dspace.entity.type: Publication

Files

Original bundle (1 file)
Name: AutoSOC_A_low_budget_flexible_security_operations_platform_for_enterprises_and_organizations.pdf
Size: 381.23 KB
Format: Adobe Portable Document Format

License bundle (1 file)
Name: license.txt
Size: 1.71 KB
Format: Item-specific license agreed upon to submission