A novel kill-chain framework for remote security log analysis with SIEM software

Abstract

Network security investigations pose many challenges to security analysts attempting to identify the root cause of security alarms or incidents. Analysts are often presented with cases where either incomplete information is present, or an overwhelming amount of information is presented in a disorganized manner. Either scenario greatly impacts the ability for incident responders to properly identify and react to security incidents when they occur. The framework presented in this paper draws upon previous research pertaining to cyber threat modeling with kill-chains, as well as the practical application of threat modeling to forensic. Modifications were made to conventional kill-chain models to facilitate logical data aggregation within a relational database collecting data across disparate remote sensors resulting in more detailed alarms to security analysts. The framework developed in this paper proved effective in identifying the relationship of security alarms along a continuum of expected behaviors conducive to executing security investigations in a methodical manner. This framework effectively addressed incomplete or inadequate alarm information through aggregation, and provided a methodology for organizing related data and conducting standard investigations. Both improvements proved instrumental in the effective identification of security threats in a more expeditious manner.