Abstract

“There are a thousand hacking at the branches of evil to one who is striking at the root.” (Henry David Thoreau)

Successful information security requires careful application of tools to goals. The tools must be well used and well configured, and their results require skillful interpretation. If problems occur in daily digital forensic workflows, they must be documented in a systematic manner that aids process improvement. This article is the third in a series of three; the connection between the articles is displayed in the “Intelligent Process Lifecycle of Active Cyber Defenders” poster [1]. The poster showcases the main cyber defence disciplines and shows how, if false-positive events are classified in a systematic manner for each service, this information can afterwards be used to identify areas for improvement. This article focuses on false positives, error states, and common operational problems that occur when identifying and assessing vulnerabilities, as well as problems that arise when the security operations centre (SOC) tries to add a log source for continuous monitoring. For all of these problems it also suggests how to solve them, or how to document them if they cannot be solved. We also demonstrate how to map these practical SOC outcome failures onto clear risk management categories. That mapping can be used to optimize workflows, improve strategic cyber risk management, and deliver valuable metrics.
