Functional model of cybersecurity situation center

Abstract

In general, the issue of building cybersecurity centers mainly stands for building a SOC which main function is monitoring and analyzing cybercrime questions and responding to cyber incidents online. The approach, mentioned above, implies insufficient attention to the stages of intrusions` prevention and the elimination of cyber attacks` outcomes. Conducted investigations represent the possibility of SOCs` functions expanding , but they are not formalized and described in terms of functions, which rely on such Cybersecurity Situation Center (hereinafter referred to as the CSSC). The aim of this work is to analyze the existing cybersecurity models and build a functional model of modern cyberprotection center. The article reviews cyberattacks` analyzing models from the position of a researcher (Diamond Model and Q Model), the implementation of cyberattacks from the position of an attacker (Model Cyber Kill-Chain) and models with a wider range of analytical approaches (Adaptive Safety Model) to achieve this goal. The functions of cyberprotection before, during and after cyberattacks have been determined taking into consideration data needs for cyberattack analysis, understanding of cyberattacks` realization stages and the Adaptive Security System`s architecture. The results of the selected models` analysis allow to suggest a new organizational model of a modern cyberprotection center as well as define it`s components and formulate main functions. The implementation of the CSSC is proposed to be realized through the construction of Cybercrime Intelligence Unit, Monitoring and Incident Security Control Unit and Cyber Incident Response Team. The mentioned model represents logical links between structures and information streams which circulate between them. The presented functional model of A-0 and A0 levels is based on the IDEF notations` requirements. The main cyberprotection center`s function, input and output data as well as the resources used in the process of center functioning , main restrictions under which the modern center operates are determined. The presented notations display the visualisations which demonstrate the results of the cyberprotection center`s functional analysis. They also give an opportunity to determine requirements for the center`s components, form the organizational structure of each unit and establish each employee`s functional responsibilities in subsequent decomposition.