Supporting Cyber Intelligence Analysts with Enterprise Security Modeling
DOI:
https://doi.org/10.34190/eccws.24.1.3382
Keywords:
Cybersecurity, Threat Intelligence, Threat Modeling, Enterprise Architecture, Services
Abstract
To maximize the value of human defensive cybersecurity intelligence analysts, effective situational awareness and triage capabilities are critical success factors. We describe an approach to support analysts with developing and maintaining service-oriented models that describe the security-relevant aspects of an enterprise. We refer to these models as enterprise security models. Inspired by enterprise architecture approaches, our enterprise security models are described from three perspectives: a business perspective, an application perspective, and an implementation perspective. The business perspective provides the business context in which activities take place. The application perspective refines business processes and activities into services. The implementation perspective provides the technical implementation details. The enterprise security model can be combined, through automation, with cyber threat intelligence to prioritize threats facing the enterprise. Cyber threat intelligence is commonly viewed at three different levels: strategic, operational, and tactical intelligence. These levels of threat intelligence correspond to the three perspectives in our proposed enterprise security modeling approach. It is our assertion that the ability to organize the enterprise architecture with a security focus viewed from the business, application, and implementation perspectives allows an organization to process different levels of threat intelligence in their proper context and to respond appropriately. Human security analysts can focus on threats that are likely to manifest, in the way in which they have been observed to manifest. This paper presents work on the creation and maintenance of enterprise security models. By using a proof-of-concept scenario, we suggest that a service-based modeling approach is effective to describe cybersecurity-relevant data concerning enterprise information systems architecture. 
Given the complexity of current enterprise architectures and the rapidly changing threat landscape, it is necessary to build a well-developed situational awareness that spans the full enterprise. Our proposed modeling approach can provide the proper context for automation efforts to support human analysts in developing and maintaining such awareness.
License
Copyright (c) 2025 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.