This chapter concerns the implementation of privacy within SIEMs. An introduction is provided to the fundamental concerns in ensuring privacy and the position of this concept in the current information age. The need for data privacy is highlighted, and techniques such as anonymisation, employed to provide these attributes, are discussed. The failure of anonymisation is explained, identifying the flaws of the technique when it is incorrectly applied.
A privacy model based on EU legislation, providing a legal guideline to which SIEM technologies need to adhere, is given. Compliance with privacy by technologies like SIEM, which hold metadata about masses of information, can be facilitated through this guideline.
The position of geolocation in privacy is assessed, along with the implications for privacy of its inclusion. Anonymisation is discussed in its application to geolocation, proving to be a useful privacy technique for this data type, albeit not a good approach for other forms of personal data.
Finally, the various spatial cloaking approaches are discussed, including the method of generalisation to be used in the prototype implementation.
In conclusion, the SIEM solution we aim towards is to provide anonymisation techniques which can ensure privacy as far as technology boundaries can facilitate. This can be encompassed in regulations that provide an optimal privacy solution using both law and technology. Anonymisation will be applied to geolocation; the characteristic of geolocation that it can be adjusted in ranges allows it to remain sufficiently useful even after procedures of anonymisation, thus in fact advancing our SIEMs in privacy and utility through geolocation.
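As an added illustration of the generalisation approach to spatial cloaking summarised above (this is not code from the thesis or its prototype): coordinates are snapped to a grid cell, and the cell size is coarsened until every occupied cell covers at least k distinct users, which is the point at which a published location can no longer be tied to fewer than k people. The sample records, the candidate grid sizes and the use of a k-user criterion are assumptions made for the example.

```python
"""Generalisation-based spatial cloaking for geolocation records (added example)."""
import math
from collections import defaultdict

# Constructed sample records: (user, latitude, longitude) in decimal degrees.
SAMPLE_RECORDS = [
    ("alice", 51.5074, -0.1278),
    ("bob",   51.5080, -0.1290),
    ("carol", 51.5090, -0.1270),
    ("dave",  51.4545, -2.5879),
    ("erin",  51.4550, -2.5870),
    ("frank", 48.8566,  2.3522),
    ("grace", 48.8570,  2.3530),
]

# Candidate cell sizes in degrees, finest first (assumed ladder for the example).
CELL_SIZES = (0.001, 0.01, 0.1, 1.0, 10.0)


def generalise(lat, lon, cell_deg):
    """Snap a coordinate to the south-west corner of a square cell of cell_deg degrees.
    Rounding removes floating-point noise so equal cells compare equal."""
    return (round(math.floor(lat / cell_deg) * cell_deg, 6),
            round(math.floor(lon / cell_deg) * cell_deg, 6))


def anonymity_sets(records, cell_deg):
    """Map each occupied cell to the set of users whose location falls in it."""
    cells = defaultdict(set)
    for user, lat, lon in records:
        cells[generalise(lat, lon, cell_deg)].add(user)
    return cells


def cloak(records, k, cell_sizes=CELL_SIZES):
    """Return (cell_size, generalised_records) for the finest grid at which every
    occupied cell holds at least k distinct users, or None if even the coarsest
    grid cannot satisfy k. Utility is preserved by stopping at the first grid
    that meets the privacy criterion rather than always using the coarsest one."""
    for cell in cell_sizes:
        if all(len(users) >= k for users in anonymity_sets(records, cell).values()):
            return cell, [(user, *generalise(lat, lon, cell)) for user, lat, lon in records]
    return None


if __name__ == "__main__":
    result = cloak(SAMPLE_RECORDS, k=2)
    print("cell size:", result[0])
    for row in result[1]:
        print(row)
```

With these records, k=2 is satisfied at a 0.01 degree grid (roughly a city-block scale), while k=3 cannot be met even at the 10 degree grid because the two Paris records stay alone in their cell, so the function reports that the data cannot be released under that criterion rather than silently publishing a cell with too few users.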
Design and Architecture
This chapter concerns the method and approach used to validate the research discussions surrounding geolocation in SIEM technology and the concerns of data exploitation within boundaries that encapsulate privacy concerns. The opening section discusses the experimental objectives in terms of the aims that need to be demonstrated to support this study. These objectives are then applied to the available tools, addressing tool feasibility and the overall approach. The conceptual testbed accommodates the tools and framework, each justified with an individually determined purpose, combining them into a process flow.
Finally, the integration and application strategies are determined for carrying these justified choices through the collective processes. The experimental design leads into the next chapter, which focuses on the complete implementation of a simulated testbed.
5.0.1 Misuse Cases of Managed Enterprise
The misuse cases (discussed in section 3.2) in the managed enterprise environment, concerning common issues faced in such a scenario, have been examined as current security challenges of the enterprise. Each identified case and its applicability to the research investigations is considered in Table 5.1 to Table 5.4.
MC-5.5.1: Brute-Force Attack
Description: Multiple attempts to log into a user account with all possible combinations until the correct combination is guessed, by sheer brute-force password testing.
Geolocation Applicability: The use of geolocation in such an attack can narrow down large analysis sets to physical areas of concern. This applies to the case of physical buildings that allow administrative use only within the building, making an outside location an immediate trigger factor.
Possible Solutions: For this attack, location-based identification or authentication confirmation is considered a viable solution in efforts to re-affirm a genuine user or quickly identify a malicious one.
Table 5.1: MC-5.5.1 Brute-force solution using location-based authentication
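The following is an added example of how a SIEM correlation rule could apply Table 5.1 (it is not code from the thesis). Administrative login attempts whose source geolocates outside the building geofence are raised immediately, as the table describes, while other accounts are raised only after a burst of failures inside a time window. The log line format, the IP-to-coordinate table, the bounding-box geofence and the threshold values are all constructed for the example.

```python
"""Brute-force detection with a building geofence (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-to-coordinate lookup; a real SIEM would consult a geolocation database.
GEO = {
    "10.0.1.15": (51.5075, -0.1280),    # inside the building
    "10.0.1.22": (51.5076, -0.1279),    # inside the building
    "203.0.113.9": (48.8566, 2.3522),   # outside (documentation address range)
}

# Building geofence as a bounding box: (min_lat, min_lon, max_lat, max_lon). Assumed.
BUILDING = (51.5070, -0.1285, 51.5080, -0.1275)

FAIL_THRESHOLD = 5            # failures per account before alerting (assumed)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 LOGIN user=admin result=FAIL src=203.0.113.9",
    "2024-03-01T09:00:05 LOGIN user=bob result=FAIL src=10.0.1.15",
    "2024-03-01T09:00:20 LOGIN user=bob result=FAIL src=10.0.1.15",
    "2024-03-01T09:00:40 LOGIN user=bob result=FAIL src=10.0.1.15",
    "2024-03-01T09:01:00 LOGIN user=bob result=FAIL src=10.0.1.15",
    "2024-03-01T09:01:30 LOGIN user=bob result=FAIL src=10.0.1.15",
    "2024-03-01T09:02:00 LOGIN user=carol result=FAIL src=10.0.1.22",
    "2024-03-01T09:02:10 LOGIN user=carol result=OK src=10.0.1.22",
]


def inside_fence(ip):
    """True when the IP geolocates inside the building; unknown IPs count as outside."""
    coords = GEO.get(ip)
    if coords is None:
        return False
    lat, lon = coords
    min_lat, min_lon, max_lat, max_lon = BUILDING
    return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon


def parse(line):
    """Parse the constructed 'timestamp LOGIN key=value ...' format."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["result"], fields["src"]


def detect(lines, admin_users=frozenset({"admin"})):
    """Return alerts as (user, src, reason) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    fence_alerted = set()          # (user, src) pairs already raised for geofence
    for line in lines:
        ts, user, result, src = parse(line)
        # Rule 1: any administrative attempt from outside the building is an immediate trigger.
        if user in admin_users and not inside_fence(src):
            if (user, src) not in fence_alerted:
                fence_alerted.add((user, src))
                alerts.append((user, src, "admin login attempt from outside geofence"))
            continue
        # Rule 2: repeated failures for one account inside the sliding window.
        if result == "FAIL":
            recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
            failures[user] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append((user, src, f"{len(recent)} failed logins within {WINDOW}"))
                failures[user] = []
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the administrative attempt fires at once on its first line, the five failures for bob fire on the fifth line, and carol's single failure followed by a success produces nothing.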
MC-5.5.2: Unauthorised Login
Description: A malicious user gains access and privileges to a system through the compromise of an authentication procedure of an account belonging to a valid user.
Geolocation Applicability: A scenario pattern to consider is login attempts from different locations: if a user has been verified as logged in from a certain location, and a successful login is then made from a different location whilst the account is still logged in at location 'workstation', this identifies the anomaly that more than one person is using the account and alerts the admin to the double usage, hinting at possible account compromise.
Possible Solutions: Using geolocation as the second factor in a 'two-factor' authentication approach: should a user successfully log in but their source location not be an expected location, a flag is raised for additional security checks to be made of the user, e.g. answering security questions.
Table 5.2: MC-5.5.2 Unauthorised login solutions using geo-fencing
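An added example (not code from the thesis) of the two checks in Table 5.2 run over a constructed login event stream: a successful login from a second location while a session is still open elsewhere is reported as double usage of the account, and a successful login from a location outside the user's expected set is flagged for a step-up check, which is geolocation acting as the second factor. The IP-to-location names, the per-user expected locations and the event format are assumptions for the example.

```python
"""Unauthorised-login checks using geolocation (added example)."""
from collections import defaultdict

# Constructed IP-to-location lookup; a real deployment would use a geolocation database.
GEO = {
    "10.0.1.15": "workstation",
    "198.51.100.7": "home",
    "203.0.113.9": "remote",
}

# Assumed expected locations per user, e.g. learned from login history.
EXPECTED = {
    "alice": {"workstation", "home"},
    "bob": {"workstation"},
}

# Constructed events: (user, action, source IP), action is LOGIN (successful) or LOGOUT.
SAMPLE_EVENTS = [
    ("alice", "LOGIN", "10.0.1.15"),    # alice logs in at the workstation
    ("alice", "LOGIN", "203.0.113.9"),  # second login from 'remote' while still at workstation
    ("alice", "LOGOUT", "203.0.113.9"),
    ("bob", "LOGIN", "10.0.1.15"),
    ("bob", "LOGOUT", "10.0.1.15"),
    ("bob", "LOGIN", "198.51.100.7"),   # bob from home: no open session, but not expected
]


def location_of(ip):
    return GEO.get(ip, "unknown")


def evaluate(events):
    """Return (double_usage_alerts, step_up_flags).

    double_usage_alerts: (user, new_location, [locations with sessions still open])
    step_up_flags:       (user, location) where the login needs a second check
    """
    sessions = defaultdict(set)  # user -> locations with an open session
    double_usage, step_up = [], []
    for user, action, ip in events:
        loc = location_of(ip)
        if action == "LOGOUT":
            sessions[user].discard(loc)
            continue
        # Rule 1: the account is already in use from a different location.
        elsewhere = sessions[user] - {loc}
        if elsewhere:
            double_usage.append((user, loc, sorted(elsewhere)))
        # Rule 2: location is not one the user is expected to log in from.
        if loc not in EXPECTED.get(user, set()):
            step_up.append((user, loc))
        sessions[user].add(loc)
    return double_usage, step_up


if __name__ == "__main__":
    alerts, flags = evaluate(SAMPLE_EVENTS)
    print("double usage:", alerts)
    print("step-up required:", flags)
```

Both rules are kept separate on purpose: alice's remote login trips both (a session is open at the workstation and 'remote' is not expected), whereas bob's login from home trips only the step-up rule, since his earlier session was closed before it.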
MC-5.5.3: SQL Injection & MC-5.5.4: Cross Site Scripting (XSS)
Description: SQL injection is commonly used to extract information from a vulnerable website by getting SQL queries to execute through it. XSS is the case of an attacker attempting to get a valid user to execute malicious code, giving the attacker rights to a website she does not own.
Geolocation Applicability: IP reputation is used to circumvent attempts at these kinds of attacks, where the intent is obvious and cannot be done in error; geolocation can enforce IP reputation by facilitating geolocation-based blocking in certain areas from which attacks habitually originate, in a sense a form of geo-reputation.
Possible Solutions: Geo-reputation used as a consideration for user authentication procedures, as well as for flagging suspect users that have a high chance of performing malicious activities in the system network.
Table 5.3: MC-5.5.3/4: SQL injection and cross site scripting solutions using location restrictions
MC-5.5.5: Worm Propagation
Description: A malicious user creates the spread of a self-propagating virus that infects computers in the network; such code can eat up resources and cause many other kinds of damage.
Geolocation Applicability: Worm propagation gives messy results. We can encourage its circumvention through a broader security technique that restricts the possibility of receiving such traffic in our network. When connected to the internet, an enterprise is exposed to incoming connections from all over the world. Enforcing policies that allow incoming connections to employee networks or customer portals depending on geographic location is a start in that direction. This can greatly reduce the exposure of an enterprise to dangerous zones that are key in producing such attacks, reducing overall unwanted traffic in the process.
Possible Solutions: Location-based policies can be implemented to flag traffic from areas that have a reputation for illicit behaviour, e.g. areas of China consistently demonstrating malicious intentions.
Table 5.4: MC-5.5.5: Worm propagation solution using location-based policies
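The following added example (not code from the thesis) covers the geo-reputation idea of Table 5.3 and the location-based connection policy of Table 5.4 together, since both reduce to the same two pieces: a reputation score per region derived from already-classified attack events, and a per-service policy that decides whether an incoming connection from a region is allowed, flagged for extra checks, or denied. The attack events, the connection attempts, the per-service policy and the threshold are constructed; the country codes XX, YY and ZZ are placeholders rather than real regions.

```python
"""Geo-reputation scoring and location-based connection policy (added example)."""
from collections import Counter

# Constructed events already classified by upstream detection: (country, attack type).
ATTACK_EVENTS = [
    ("ZZ", "sqli"), ("ZZ", "xss"), ("ZZ", "sqli"), ("ZZ", "worm"),
    ("YY", "xss"),
    ("XX", "worm"),
]

# Assumed location-based policy: which regions may connect to each service at all.
POLICY = {
    "employee-vpn": {"XX"},                  # staff network: home region only
    "customer-portal": {"XX", "YY", "ZZ"},   # public-facing: broader set of regions
}

SUSPECT_THRESHOLD = 3  # attack events before a region is marked suspect (assumed)

# Constructed incoming connections: (service, source country).
SAMPLE_CONNECTIONS = [
    ("employee-vpn", "XX"),
    ("employee-vpn", "YY"),
    ("customer-portal", "ZZ"),
    ("customer-portal", "YY"),
    ("unknown-service", "XX"),
]


def geo_reputation(events, threshold=SUSPECT_THRESHOLD):
    """Return {country: 'suspect' | 'ok'} from the count of attack events per country."""
    counts = Counter(country for country, _ in events)
    return {c: ("suspect" if n >= threshold else "ok") for c, n in counts.items()}


def decide(service, country, reputation):
    """Apply the location policy first, then the reputation score.

    deny  - region is not permitted for this service (or the service is unknown)
    flag  - region is permitted but has a suspect reputation: route to extra checks
    allow - region is permitted and has no adverse reputation
    """
    if country not in POLICY.get(service, set()):
        return "deny"
    if reputation.get(country) == "suspect":
        return "flag"
    return "allow"


def evaluate_connections(connections, events=ATTACK_EVENTS):
    """Return a list of (service, country, decision) for every connection attempt."""
    reputation = geo_reputation(events)
    return [(svc, country, decide(svc, country, reputation)) for svc, country in connections]


if __name__ == "__main__":
    for row in evaluate_connections(SAMPLE_CONNECTIONS):
        print(row)
```

Unknown services fall through to deny rather than allow, so a service that has not been given a policy entry is closed by default; the reputation score only downgrades an allowed region to "flag", never upgrades a denied one, which keeps the two controls independent.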
To simulate the attack formation within a SIEM context, the source environment and the data collected for the test experiments need to be examined. The events can emulate one or more of the misuse cases depending on the source from which logs are retrieved, for example Windows/Linux servers, intrusion detection systems or anti-virus solutions.