Abstract

The number of actions at a user’s disposal in the digital arena is on the rise; the number of technologies available to track users’ activities in an organisation is on the rise; and the volume of information logged using such technologies is on the increase. And yet, the number of security incidents recorded per unit time is also on the rise. While there is greater awareness in the community and a plethora of passionate analysts to triage and analyse incidents, an ever-widening gap seems to be developing between the number of such analysts and the growth of incident volumes, particularly in the last decade. In fact, operational response remains largely in the realm of manual remediation. If one takes an objective view of the sequence of actions that transpire between the time a detection is observed and the time it is remediated, there is a broad spectrum from completely objective tasks (which can be automated) to purely subjective evaluation tasks (which are largely manual). This can be regarded as the automation scale. During a response scenario, an analyst would conceivably conduct a series of tasks, some common across all incidents, some constrained to the technology pertaining to the alert that instigated the response, and the rest involving manual evaluation and context establishment. If one magnifies that period of observation for a granular view of the tasks conducted over that time, we hypothesise that a calibration scale can be generated to uniquely identify the tasks that warrant automation. In this work, we develop a cognitive model called SAI, reinforced with a machine learning framework, to organically escalate tasks into operational automation. While the cognitive model discerns tasks from the sample space {objective, technology-dependent, subjective}, the organic escalation is achieved through a reward-penalty model over the possible response spectrum, evaluated in a finite n-tuple context.
Finding: In the absence of external business factors, if the number of parameters influencing an alert is limited to C and the total number of alerts in a given period is limited to K, then it is sufficient, for any task involved in remediating that alert, that the task receives at least 10.C.K endorsements during the same period in order to be escalated into automation. We demonstrate how the framework can seamlessly accommodate the false positives that opportunistically arise in any operational environment, while saving expenditure by serving as a measuring scale for alarms in an organisation.
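To make the finding concrete, the following added example (not code from the paper or the SAI model) replays one period of analyst verdicts on remediation tasks and escalates only those that clear the 10·C·K bar. The task categories follow the abstract; the reward and penalty weights, the verdict labels and the sample period are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class TaskKind(Enum):
    OBJECTIVE = "objective"          # fully mechanical, e.g. enrich an alert with the asset owner
    TECH_DEPENDENT = "technology"    # bound to the tool that raised the alert, e.g. an EDR action
    SUBJECTIVE = "subjective"        # needs human judgement; never escalated

@dataclass
class Task:
    name: str
    kind: TaskKind
    score: int = 0   # net endorsements over the period (rewards minus penalties)

def escalation_threshold(c: int, k: int) -> int:
    """Endorsements a task needs within one period before it is escalated into
    automation: 10*C*K, with C = parameters influencing the alert and K = alerts
    observed in that period (the paper's stated sufficiency condition)."""
    return 10 * c * k

def record_outcome(task: Task, verdict: str, reward: int = 1, penalty: int = 2) -> None:
    """Assumed reward-penalty rule (the abstract does not fix the weights): an analyst
    endorsing the task's outcome earns +reward; a false positive, where the analyst
    had to reverse the task, costs -penalty so that noisy tasks stay manual."""
    if verdict == "true_positive":
        task.score += reward
    elif verdict == "false_positive":
        task.score -= penalty
    else:
        raise ValueError(f"unknown verdict: {verdict}")

def run_period(outcomes, c: int, k: int) -> list[str]:
    """Replay one period of (task name, kind, verdict) records and return the names of
    the tasks that clear the 10*C*K bar; subjective tasks are excluded outright."""
    tasks: dict[str, Task] = {}
    for name, kind, verdict in outcomes:
        record_outcome(tasks.setdefault(name, Task(name, kind)), verdict)
    bar = escalation_threshold(c, k)
    return sorted(t.name for t in tasks.values()
                  if t.kind is not TaskKind.SUBJECTIVE and t.score >= bar)

# Constructed sample period: C = 2 alert parameters, K = 3 alerts, so the bar is 60.
SAMPLE_OUTCOMES = (
    [("isolate_host", TaskKind.OBJECTIVE, "true_positive")] * 70
    + [("isolate_host", TaskKind.OBJECTIVE, "false_positive")] * 3            # net 70 - 6 = 64
    + [("block_hash_in_edr", TaskKind.TECH_DEPENDENT, "true_positive")] * 65
    + [("block_hash_in_edr", TaskKind.TECH_DEPENDENT, "false_positive")] * 5  # net 65 - 10 = 55
    + [("attribute_campaign", TaskKind.SUBJECTIVE, "true_positive")] * 80     # subjective: stays manual
)

if __name__ == "__main__":
    print(run_period(SAMPLE_OUTCOMES, c=2, k=3))  # ['isolate_host']
```

Only the objective task with enough net endorsements is escalated; the technology-dependent task falls short once its false positives are penalised, and the subjective task never qualifies regardless of score.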
