
Advancing security information and event management frameworks in managed enterprises using geolocation

Advisor: Hutchison, Andrew
Author: Khan, Herah Anwar
Date accessioned: 2015-12-03T14:18:02Z; 2018-11-26T13:53:51Z
Date available: 2015-12-03T14:18:02Z; 2018-11-26T13:53:51Z
Date issued: 2015
URI: http://hdl.handle.net/11427/15561
URI: http://repository.aust.edu.ng/xmlui/handle/11427/15561
Description: Includes bibliographical references
Abstract:

Security Information and Event Management (SIEM) technology supports security threat detection and response through real-time and historical analysis of security events from a range of data sources. By collecting feedback from many components and security systems within a computing environment, SIEMs are able to correlate and analyse events with a view to incident detection. The hypothesis of this study is that existing Security Information and Event Management techniques and solutions can be complemented by location-based information provided by feeder systems. In addition, and associated with the introduction of location information, it is hypothesised that privacy-enforcing procedures on geolocation data in SIEMs and meta-systems alike are necessary and enforceable. The method for the study was to augment a SIEM, established for the collection of events in an enterprise service management environment, with geolocation data. By introducing the location dimension, it was possible to expand the correlation rules of the SIEM with location attributes and to observe how this improved security confidence. An important co-consideration is the effect on privacy when the location information of an individual or system is propagated to a SIEM. Following a theoretical consideration of the current privacy directives and regulations (specifically as promulgated in the European Union), privacy-supporting techniques are introduced to diminish the accuracy of the location information while still enabling enhanced security analysis. In the context of a European Union FP7 project relating to next-generation SIEMs, the results of this work have been implemented based on systems, data, techniques and resilience features of the MASSIF project.

In particular, AlienVault has been used as the platform for augmenting a SIEM, and an event set of several million events, collected over a three-month period, has formed the basis for the implementation and experimentation. A "brute-force attack" misuse case scenario was selected to highlight the benefits of geolocation information as an enhancement to SIEM detection (and false-positive prevention). With respect to privacy, a privacy model is introduced for SIEM frameworks. This model takes as its basis the existing privacy legislation that is most stringent in terms of privacy. An analysis of the implementation and testing is conducted, focusing equally on data security and privacy: that is, assessing location-based information in enhancing SIEM capability for advanced security detection, and determining whether privacy-enforcing procedures on geolocation in SIEMs and other meta-systems are achievable and enforceable. Opportunities for geolocation to enhance various security techniques are considered, specifically for solving misuse cases identified as existing problems in enterprise environments. In summary, the research shows that additional security confidence and insight can be achieved through the augmentation of SIEM event information with geolocation information. Through the use of spatial cloaking it is also possible to incorporate location information without compromising individual privacy. Overall, the research reveals that there are significant benefits for SIEMs in making use of geolocation in their analysis calculations, and that this can be conducted effectively in ways that are acceptable to privacy considerations when assessed against prevailing privacy legislation and guidelines.
Language: eng
Subject: Computer Science
Type: Thesis
Qualification level: Masters
Qualification name: MSc
Institution: University of Cape Town
Faculty: Faculty of Science
Department: Department of Computer Science


Files in this item

File: thesis_sci_2015_khan_herah_anwar.pdf (2.519 MB, application/pdf)
