Aggregation
Aggregation is the consolidation of similar events into a single event, for example:
- A server connection flapping repeatedly between up and down
- The same drone detected many times in the sensor capture zone
Alert
An alert is a notification/message that a particular event/incident (or series of events/incidents) has occurred. In IDMEFv2 the alert is represented by a JSON document sent from an analyzer to another analyzer or to a manager. An alert should be generated for “events of interest” only, not for all events.
Analyzer
The module/device that analyzes the data captured by the sensors, identifies an event of interest and decides to create an alert. An analyzer can also analyze alerts sent by other analyzers and enrich existing alerts or create new ones (e.g. by correlation or aggregation).
Analyst
The analyst is responsible for further analysis of an alert when the operator has not found a “known” solution. The analyst uses the IDMEFv2 information as well as other information. Analysts might contact an external organization for help; in that case they might send an IODEF message, possibly with the IDMEFv2 alert attached. Analysts are often called “Second Level Support”.
Attack
An attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of a cyber or physical asset. An attack is one or many kinds of incidents.
Correlation
The identification of relationships between two or more events, usually following a scenario.
CPS (Cyber-Physical Systems)
CPS are systems composed of physical systems (hardware), software systems and potentially other types of systems (e.g., human systems). These are closely integrated and networked to deliver some global behaviour.
CPSIEM (Cyber & Physical Security Information & Event Management)
A CPSIEM is a combination of a SIEM, a PSIM and an NMS.
CTI : Cyber Threat Intelligence
(Cyber) Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
Event
An event is something that triggered a notice. Any incident starts off as an event or a combination of events, but not all events result in an incident. An event need not be an indication of wrongdoing: someone successfully logging in or entering a building is an event.
Event of interest, suspicious event
These are events that are likely to become or to create incidents. They can also be necessary to help detect an incident. Which events are of interest depends heavily on the organization's security policy.
- A successful authentication might not be considered an incident but can be an event of interest. If this authentication happens in the middle of the night, and in particular if it is an authentication on a critical application, it might be necessary to verify that it is not a criminal intrusion. Thus operators need to be alerted.
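The two definitions above (aggregation of similar events, and an event of interest decided by security policy) as an added example that is not part of the IDMEFv2 documentation: the event records, the time window, the "critical application" list and the night hours are constructed assumptions standing in for an organization's own policy, not IDMEFv2 fields.

```python
from datetime import datetime

# Constructed sample events (not IDMEFv2 messages), in chronological order:
# a flapping server link, a drone seen twice, and two successful logins.
EVENTS = [
    {"category": "server.link", "subject": "srv-01", "state": "down", "time": "2024-03-01T02:10:00"},
    {"category": "server.link", "subject": "srv-01", "state": "up", "time": "2024-03-01T02:10:30"},
    {"category": "server.link", "subject": "srv-01", "state": "down", "time": "2024-03-01T02:11:00"},
    {"category": "server.link", "subject": "srv-01", "state": "up", "time": "2024-03-01T02:11:20"},
    {"category": "drone.detected", "subject": "zone-A", "time": "2024-03-01T02:12:00"},
    {"category": "drone.detected", "subject": "zone-A", "time": "2024-03-01T02:12:05"},
    {"category": "auth.success", "subject": "alice", "app": "billing", "time": "2024-03-01T02:13:00"},
    {"category": "auth.success", "subject": "bob", "app": "wiki", "time": "2024-03-01T09:00:00"},
]

def aggregate(events, window_s=60):
    """Consolidate events with the same category and subject that follow each
    other within window_s seconds into one event carrying a count and a span."""
    out, open_groups = [], {}
    for ev in events:
        key = (ev["category"], ev["subject"])
        t = datetime.fromisoformat(ev["time"])
        agg = open_groups.get(key)
        if agg is not None and (t - agg["_last"]).total_seconds() <= window_s:
            agg["count"] += 1          # same thing again: fold it in
            agg["last"] = ev["time"]
            agg["_last"] = t
        else:                          # new group (first seen, or window expired)
            agg = {"category": ev["category"], "subject": ev["subject"],
                   "count": 1, "first": ev["time"], "last": ev["time"], "_last": t}
            open_groups[key] = agg
            out.append(agg)
    for agg in out:
        del agg["_last"]               # drop the internal bookkeeping field
    return out

# Assumed policy: which applications are critical and what counts as night.
POLICY = {"critical_apps": {"billing"}, "night_start": 22, "night_end": 6}

def is_event_of_interest(event, policy=POLICY):
    """A successful login is not an incident, but it becomes an event of
    interest when it targets a critical application outside working hours."""
    if event["category"] != "auth.success":
        return False
    hour = datetime.fromisoformat(event["time"]).hour
    at_night = hour >= policy["night_start"] or hour < policy["night_end"]
    return at_night and event.get("app") in policy["critical_apps"]

if __name__ == "__main__":
    for agg in aggregate(EVENTS):
        print(agg)
    print([ev["subject"] for ev in EVENTS if is_event_of_interest(ev)])
```

Run on the sample, the four link transitions collapse into one event with count 4, the two drone detections into one with count 2, and only alice's night-time login to the billing application is flagged.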
Incident
An incident is an event that compromises or has a significant probability of compromising at least one of the organization’s security criteria, such as Confidentiality, Integrity or Availability. An incident may affect a production tool, personnel, etc. It may be logical, physical or organizational in nature. Last but not least, an incident may be caused on purpose or by accident.
Manager
The central console toward which all analyzers send their alerts. The manager stores the alerts and displays them to the operators. A manager can be, for example:
- A SIEM (Security Information & Event Management) or a Log Manager
- A PSIM (Physical Security Information Management)
NMS : Network Management System
Network Management System is a generic term for tools used to monitor and control IT systems. In the IDMEFv2 environment it designates essentially tools that monitor the availability and performance of hardware and software.
IODEF : Incident Object Definition Exchange Format
The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents.
IoT : Internet of Things
The Internet of things (IoT) describes physical objects (or groups of such objects) with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communications networks (e.g. LAN)
- camera, badge reader, drone, etc.
IIoT : Industrial Internet of Things
The industrial internet of things (IIoT) refers to the extension and use of the internet of things (IoT) in industrial sectors and applications. The IIoT encompasses industrial applications, including robotics, medical devices, and software-defined production processes.
Operator
The operator is the first person notified of an alert. Usually they work in front of the manager GUI but they can also receive the alert by mail or SMS. The role of the operator is to identify whether the alert needs an action, whether this action is already known and documented, or whether further analysis is needed through escalation toward the analyst team. Operators are often called “First Level Support”.
The operator is in direct contact with the IDMEFv2 alert and will mostly use the information contained in the alert to take their decision. But the operator also has access to other information, such as raw logs. Thus IDMEFv2 alerts should not try to include all the information available, but enough “pointers”/“indications” for the operator to go and get this additional information.
PTI : Physical Threat Intelligence
(Physical) Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
PTI can concern humans (e.g. activist, thief, intruder, …), human activities (e.g. attack, sabotage, bombing, pollution, …) as well as natural hazards (e.g. storm, heat wave, flood, wildfire, …).
PSIM : Physical Security Information Management
A category of software that provides a platform and applications designed to integrate multiple unconnected security applications and devices and control them through one comprehensive user interface. It collects and correlates events from existing disparate security devices and information systems (video, access control, sensors, analytics, networks, building systems, etc.) to empower personnel to identify and proactively resolve situations.
A PSIM, for short, is a solution that helps organizations detect, analyze, and respond to (physical) security threats before they harm business operations.
PSIMs are the “physical” equivalent of SIEMs.
SIEM : Security Information & Event Management
Security information and event management (SIEM) is a field within computer security where software products and services combine security information management (SIM) and security event management (SEM). A SIEM provides real-time analysis of security alerts generated by applications and network hardware; SIEMs are therefore cyber-security oriented. These products are also used to log security data and generate reports for compliance purposes and possibly for incident management.
A SIEM, for short, is a solution that helps organizations detect, analyze, and respond to (cyber) security threats before they harm business operations.
Security policy
A security policy is a document that states in writing how an organisation plans to protect its physical and information technology (IT) assets. Security policies are living documents that are continuously updated as technologies, vulnerabilities and security requirements change. The basic purpose of a security policy is to protect people and information, set the rules for expected behaviour by users, and define and authorize the consequences of violations.
Concerning Incident Detection, the security policy should define what should be considered as an incident for the organisation and what action should be taken to solve it.
Sensor
The Sensor class describes the module that captured the data before sending it to an analyzer. The Sensor may be a subpart of the Analyzer.
Example : A set of external IP CCTV cameras capturing pictures and sending them to a central management console, which analyses the pictures to recognise human activity, for example.
Threat : A threat is anything that has the potential to cause an incident. It can be a person, a server, an object, the weather, etc.