Abstract
Security Operations Centers (SOCs) leverage a number of tools to detect, thwart and deal with security attacks. One of the key challenges for a SOC is to quickly integrate security tools and operational activities. To address this challenge, an increasing number of organizations are using Security Orchestration, Automation and Response (SOAR) platforms, whose design needs suitable architectural support. This paper presents our work on architecture-centric support for designing a SOAR platform. Our approach consists of a conceptual map of a SOAR platform and the key dimensions of an architecture design space. We have demonstrated the use of the approach in designing and implementing a Proof of Concept (PoC) SOAR platform for (i) automated integration of security tools and (ii) automated interpretation of activities to execute incident response processes. We also report a preliminary evaluation of the proposed architectural support for improving a SOAR platform's design.
Acknowledgement
This work is partially supported by CSIRO's Data61, Australia. We acknowledge the contribution of Faheem Ullah, Aufeef Chauhan and Triet Minh Le for their feedback in improving the work.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Islam, C., Babar, M.A., Nepal, S. (2020). Architecture-Centric Support for Integrating Security Tools in a Security Orchestration Platform. In: Jansen, A., Malavolta, I., Muccini, H., Ozkaya, I., Zimmermann, O. (eds) Software Architecture. ECSA 2020. Lecture Notes in Computer Science, vol 12292. Springer, Cham. https://doi.org/10.1007/978-3-030-58923-3_11
DOI: https://doi.org/10.1007/978-3-030-58923-3_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58922-6
Online ISBN: 978-3-030-58923-3
eBook Packages: Computer Science (R0)