Novel Architecture of Security Orchestration,Automation and Response in Internet of Blended Environment

Minkyung Lee,Julian Jang-Jaccard and Jin Kwak

1ISAA Lab,Department of Cyber Security,Ajou University,Suwon,16499,Korea

2Department of Computer Science and Information Technology,Massey University,Auckland,0745,New Zealand

3Department of Cyber Security,Ajou University,Suwon,16499,Korea

Abstract:New technologies that take advantage of the emergence of massive Internet of Things (IoT) and a hyper-connected network environment have rapidly increased in recent years.These technologies are used in diverse environments,such as smart factories,digital healthcare,and smart grids,with increased security concerns.We intend to operate Security Orchestration,Automation and Response (SOAR) in various environments through new concept definitions as the need to detect and respond automatically to rapidly increasing security incidents without the intervention of security personnel has emerged.To facilitate the understanding of the security concern involved in this newly emerging area,we offer the definition of Internet of Blended Environment (IoBE) where various convergence environments are interconnected and the data analyzed in automation.We define Blended Threat(BT)as a security threat that exploits security vulnerabilities through various attack surfaces in the IoBE.We propose a novel SOAR-CUBE architecture to respond to security incidents with minimal human intervention by automating the BT response process.The Security Orchestration,Automation,and Response (SOAR) part of our architecture is used to link heterogeneous security technologies and the threat intelligence function that collects threat data and performs a correlation analysis of the data.SOAR is operated under Collaborative Units of Blended Environment(CUBE)which facilitates dynamic exchanges of data according to the environment applied to the IoBE by distributing and deploying security technologies for each BT type and dynamically combining them according to the cyber kill chain stage to minimize the damage and respond efficiently to BT.

Keywords:Blended threat (BT);collaborative units for blended environment(CUBE);internet of blended environment (IoBE);security orchestration,automation and response(SOAR)

1 Introduction

According to the World Economic Forum,Information and Communication Technology(ICT),such as artificial intelligence,big data,and Internet of Things(IoT)in the fourth industrial revolution has advanced to convergence technology of nanotechnology,biotechnology,information technology,and cognitive science,maximizing the connectivity between various technologies[1].For example,with the emergence of massive IoT,a hyper-connected network environment has emerged which connects millions of devices at a high density.An evolution to a hyper-connected society is underway,where data generation,collection,and sharing activities occur ceaselessly for people,objects,and spaces using the Internet as a medium[2].Furthermore,various convergence environments,such as smart factories,smart buildings,and cooperative intelligent transport systems(C-ITS)have emerged.Internet technology (IT) is combined and applied in these environments to connect each other producing complex services and data[3,4].New advanced security threats exploiting various security vulnerabilities in different architecture services used in these new environments have been found[5,6].A variety of response technologies cyberattacks utilizing conventional Instruction Prevention Systems(IPS)and Security Information and Events Management(SIEM)have been offered to respond to such advanced security threats[7-12].However,the need to detect and respond automatically to these new types of cyberattacks without the intervention of security personnel has emerged by integrating various existing security technologies cyberattacks.However,the concern over the management of the various types of log data produced from heterogeneous security technologies and the operations of effective security response mechanisms on different architectures has been raised[13].This research possesses various contributions in the future environment such as IoBE:

? First,it has prepared for the blended environment by analyzing massive IoT and various convergence environments.

? Second,the variety of attack surfaces has been explored in IoBE by analyzing attack surfaces in the environment.

? Third,future environment such as IoBE has been explored by defining and analyzing the environment where various convergence environments are connected.

? Finally,countermeasure has explored how to respond to numerous security incidents in IoBE including various convergence by analyzing SOAR and proposing SOAR-CUBE.

In this paper,we propose a security orchestration,automation and,response with collaborative units of blended environment (SOAR-CUBE) architecture to respond to newly emerging security threats rapidly and efficiently.In Section 2,we analyze massive IoT,a hyper-connected network environment,and analyze SOAR that automates the response process of various security threats.In Section 3,we define a number of terms used in the new environment,namely Internet of Blended Environment(IoBE)and Blended Threat(BT).Section 4 newly proposes a SOAR-CUBE architecture that can be applied to a complex environment by integrating heterogeneous security technologies to respond to BT efficiently in IoBE,and Section 5 provides the conclusion.

2 Basic Definitions

In this section,we describe the definitions of massive IoT as millions of devices are all connected at a high density and the definitions of SOAR as automation processes of various threats to counter security incidents with minimal human intervention.They have already been defined by Gartner.

2.1 Massive IoT

Massive IoT refers to a hyper-connected network environment,in which millions of devices are all connected at a high density.The emergency of the massive IoT has been brought through the development of low-power wide-area (LPWA) network technology (e.g.,Sigfox and LoRa) that facilitates broad communication with the devices using low-power consumption which enabled a largescale IoT connected within a specific range.Tab.1 shows the key requirements for the construction of massive IoT in terms of key requirements and descriptions[14].

Table 1:Key requirements for massive IoT

Tab.2 illustrates different environments where massive IoT applications are deployed and the descriptions of how the massive IoT applications are used in each environment.

Table 2:The environment of massive IoT applications

With the recent progress and advancement in the IT,various environments have been increasingly combined,for example,smart factories integrated within a smart building.With the increasing combination of different environments for massive IoT applications—call it a convergence environment,it is expected that the architecture and platform that house the combination of massive IoT-applied environments will become complex.In addition,the number of sensors and data-processing capacity have been growing with the continuous development of IoT devices and technology.They are evolving into intelligent smart sensors as the data processing and analysis functions are combined[15].However,malicious attacks or unintended information breaches can occur while collecting and processing the data produced in various convergence environments.This is due to an increase in the processing amount of data from massive IoT devices.There is also a concern that cyberattacks will become highly advanced because of an increase in the processing capacity of IoT devices and reduction in the processing costs[16].The advancement of new types of networks(e.g.,5G,LPWA,and wireless networks)which connect to the architectures and devices of massive IoT is becoming diverse.This new style of connection in the new convergence environments is expected to massively expand the attack surfaces where the security threats can occur.

2.2 Security Orchestration,Automation and Response

In recent years,many companies have been adopting various security technologies,such as antivirus software,firewalls,and intrusion detection systems[17],and implementing SIEM to detect security threats by managing and analyzing various produced logs.However,according to the 2020 Cyber Resilient Organization report from IBM,51%of companies had no computer security incident response plan across the organization,and 53% responded that the time required for detecting and responding to cyberattacks was increasing[18].Furthermore,according to Baker Hosteller,security experts required at least 104 days for detecting,analyzing,and notifying attacks in 2020,as opposed to 87 days before that year[19].The frequency of security incidents occurring in organizations and companies as well as the time required for detecting,analyzing,and responding to security incidents are on the rise because the manpower and time are required to perform integrated management and analysis of heterogeneous solutions[18].With the requirement for automation,Gartner introduced the concept of SOAR.According to Gartner,SOAR automates response processes of various threats to respond to security incidents with minimal human intervention.It is a security automation platform that helps employees to respond to advanced security threats according to the standardized work process when an incident that requires human intervention occurs.For such automated responses to security incidents,SOAR consists of Security Orchestration and Automation (SOA),Security Incident Response Platform(SIRP),and Threat Intelligence Platform(TIP)[20],which are described as follows:

? Security Orchestration and Automation (SOA):Data generated from heterogeneous security solutions are collected and the workflows between the security solutions are automated to identify monotonous and/or repetitive tasks of the security response team and reduce the time consumed on security incident response work.

? Security Incident Response Platform (SIRP):By automating the security threat response processes,tasks are assigned and managed according to the processes predetermined by the internal security incident response policy for each incident type when a security incident occurs.

? Threat Intelligence Platform(TIP):Information on threat elements is provided in association with the company’s existing security systems or response solutions by performing correlation analysis on threat data collected in real-time from various sources to support the analysis work of the security threats occurring in the organization.This increases the proactive responsiveness of the security personnel.

Studies are underway on the need for SOAR to receive threat element information and facilitate the automation of security threat response systems through correlation analyses of data between heterogeneous security tools.However,there is a lack of studies on the development of a model for practically applying and managing the SOAR in convergence environments.Islam et al.[21]proposed a hierarchical architecture model consisting of(i)security tools,(ii)integration,(iii)data processing,(iv)semantic,(v)orchestration,and(vi)user interface layer to design a SOAR platform.They verified an automated incident response process by automatically integrating security technologies.However,they did not offer a comprehensive study conducted on TIP for collecting threat data and performing correlation analysis.Zheng et al.proposed security automation and orchestration framework for continuous monitoring and automatic patches of security of heterogeneous devices for reasons such as the complexity of patch application caused by an increase in attack surfaces of massive IoT[22].Their study requires further research in various domains,such as authentication and network security focusing on IoT system security.In addition,many companies are developing security products,as listed in Tab.3[23-26].These SOAR technologies are insufficient in that they do not provide all the key functions for SOA,SIRP,and TIP,and studies on SOAR applicable to complex environments.To fill these research gaps,we propose an architecture that can efficiently apply SOAR in various environments connected with IT.

Table 3:Analysis of key functions of related works about SOAR

3 New Definitions

In this section,weprovide the definitions of Internet of Blended Environment (IoBE) as an environment where smart factories,digital healthcare,smart grids,etc.are interconnected for efficient analysis of the complexly connected convergence environment.Blended Threat(BT)is one in which various security threats are combined throughout the vulnerable surface where security attacks can occur in IoBE.We provide a comprehensive analysis of different attack surfaces raised from each environment in IoBE along with the types of security threats raised from BT.We also define Collaborative Units of Blended Environment(CUBE)to indicate a dynamic combination of possible BT and response technologies on IoBE.

3.1 Internet of Blended Environment(IoBE)

In a convergence environment a variety of ITs,such as sensing,networking,big data,artificial intelligence(AI),and cloud are fused[27].In such a convergence environment,the threat prone attack surfaces are on the rise because of the emergence of massive IoT.Various studies have been underway to find effective responses on these attack surfaces to prevent and respond to data corruption and forgery in the processes of the data life cycle,such as data collection,processing,and storage[28,29].However,convergence environments,such as digital healthcare and smart grid,can be connected to each other.For example,the energy waste can be tracked through an energy consumption pattern analysis of an entire city.This is perfomred by analyzing the data from the energy management system that monitors the energy consumption of the smart grids and the data from the power consumption monitoring system of smart buildings.In this case,various convergence environments can become very complex as each connected environment becomes more diverse.

The convergence environments,in which IoBE can be constructed,include smart factories,smart grids,and digital healthcare,as described in Tab.4.

Table 4:Applicable area in IoBE

Table 4:Continued

Consequently,the data communication in the convergence environment is expected to become more complex for collecting,processing,and storing data.Fig.1 illustrates how IoBE can interact with various convergence environments for the process of the data lifecycle.The flow of the data in IoBE is as follows:

1.Data acquisition:It refers to the process of collecting data generated from systems,such as digital healthcare,smart factory and smart grid.In data acquisition,various types of data are collected through different domains and paths,such as Digital Imaging and Communications in Medicine (DICOM) which communicates digital images of medical devices in digital healthcare.

2.Data storage:It is the process of storing the collected data at a data center.Note that data are stored in various formats.

3.Data processing:It involves processing the stored data and includes a process of converting raw data into high-level information required by services or systems.Through a process of forming and analyzing the relationships between different data,new data that can be used by the services or systems within the IoBE are created.

4.Data archive:It is the process that facilitates quick retrieval of data through the creation of metadata to consider the long-term retention of the collected and processed data.

5.Data dissemination:It is the process of disseminating or sending data to users through user interfaces.It can be used in application services,such as medical treatment and statistical analysis.

Figure 1:IoBE as an environment where a variety of IT such as sensing,networking,big data,AI,and cloud are blended

The IoBE can create a smart city environment.Furthermore,based on the technological advancement in the future,it is expected that the connections between smart cities in the IoBE will facilitate the creation of a broader smart society and smart nation.

3.2 Blended Threat(BT)

The addition of new environments to various convergence environments constiituting an IoBE is expected to cause complex security threats that exploit security vulnerabilities existing in the numerous components of the IoBE,such as device architectures,network protocols,and platforms[2,35].Therefore,an analysis is required for the attack surfaces where security threats can be found in IoBE.Tabs.5-9 below provide comprehensive analysis of the attack surfaces that can cause security vulnerabilities in each convergence environment of IoBE.

Table 5:Examples of attack surface in smart factory

Table 5:Continued

Table 6:Examples of attack surface in smart grid

Table 6:Continued

Table 7:Examples of attack surface in digital healthcare

Table 7:Continued

Table 8:Examples of attack surface in smart building

Table 8:Continued

Table 9:Examples of attack surface in C-ITS

Table 9:Continued

As attack surfaces in each convergence environment increase,additional attack surfaces may occur.As such,the complexity of security threats that currently threaten the society may also increase.The security threats are expected to increase because various components will become even more complex as new environments are added and connected to other environments in the IoBE.Furthermore,even for the same type of security threats,such as Distributed Denial of Service(DDoS)attacks and malware infection,attacks may occur through different attack surfaces and vulnerabilities depending on the environment[71].Therefore,the BT in our context refers to the security threats that occur as various security threats are converged and combined through attack surfaces in an IoBE,as shown in Fig.2.

Attack scenarios can be caused by blending security threats that may occur because of the connection relationship between each component in the IoBE,as shown in Tab.10.

Table 10:Attack scenario using BT in IoBE

To respond to BT,a response measure is required based on the vulnerability analysis of each component,and an analysis of the attack surfaces where cyberattacks may occur is required through the analysis of the connection relationship between the components.

Figure 2:Blended threat in IoBE

3.3 Collaborative Units of Blended Environment(CUBE)

The data in IoBE are generated in complex environments and transmitted through multiple domains through different paths.Therefore,security threats are different for different components,such as the wireless LAN and edge network sections,and the security level required to respond to these threats is also different[72-74].Furthermore,because new environments are combined in IoBE,the security technologies used in various environments are diverse.Therefore,automatic detection and response to cyberattacks is required to minimize the damage casued by a BT.We define a pair of security threat and response technology for each security threat as a unit to provide distributed deployment of existing security technologies for efficient responses.Although there is no security technology corresponding to the recent intelligent security threats,mitigation method has been designed to minimize damage in the event of a security threat.It can define a pair of security threat and response technology including mitigation methods for each security threats.In addition,several such units can be dynamically combined as collaborative units to respond flexibly to different BTs.In short,CUBE can be considered as a dynamic combination of possible security threats and response technologies in IoBE.The CUBE defined to respond to BT is shown in Fig.3.

? Unit:It is a pair of security threats and mitigation technology for each security threat.For example,the response technologies include malicious mail pattern-based spam-mail blocking and unidentified-sender blocking for a security threat that disseminates e-mails such as phishing e-mails containing malicious code,for example,a worm and virus to induce the execution by users[75].

? Collaborative Units:It refers to a dynamic combination of mitigation technologies according to the cyber kill chain,which is a stage where cyber-attack occurs.The cyber kill chain stage is an attack chain,which is a path that the attacker takes to infiltrate the system to incapacitate the attacking target[76].By modeling a BT,it is possible to appropriately mitigate appropriately to the security threat at each stage based on the hierarchical structure of the complex security threats.

Figure 3:Definition of CUBE

? Collaborative Units for Blended Environment:It refers to a dynamic combination of possible security threats and mitigation technologies in IoBE.It can change dynamically according to different security policies and response systems in the IoBE,which is the attack target of a blended attack.

3.4 Security Orchestration and Response with Collaborative Units of Blended Environment

In this paper,we define SOAR-CUBE as an architecture that applies CUBE to SOAR.SOARCUBE consists of the followings components.

? Threat Intelligence Platform with Collaborative Units of Blended Environment(TIP-CUBE):This platform collects threat data based on blended attacks occurring in the IoBE and analyzes the data correlations.Therefore,the attack information such as the origin can be identified by backtracking the occurrence path of the BT through the correlations between the data.Furthermore,the cyber-attack response time can be minimized through the BT by predicting vectors that may occur based on the linkage with existing security solutions that are used in the IoBE,i.e.,the environment in which SOAR-CUBE is operated.For example,it is possible to predict BT through system connectivity within the IoBE by analyzing the components constituting the IoBE and threat intelligence to analyze security vulnerabilities that may occur in these components.In addition,a unit which comprises a pair of security threats and a mitigation technology for each security threat can be built based on the predicted BT and mitigation technologies operated by organizations or companies.

? Security Orchestration and Automation with Collaborative Units of Blended Environment(SOA-CUBE):This is the security orchestration and automation technology in CUBE.Because various security technologies corresponding to BT are dynamically combined and used in the CUBE,collaboration and linkage between various tools are required.The linkage between heterogeneous security tools is facilitated through workflow modeling that links different inputs and outputs between security tools such as security solutions and response technologies and dynamic playbook creation that informs the human intervention point based on a response system composed with a series of logics for cyber-attack response[77,78].

? Security Incident Response Platform with Collaborative Units of Blended Environment(SIRPCUBE):This component is an automation technology of the response system in the event of cyberattacks and security incidents,such as blended attacks in an IoBE.In other words,this technology automates the mitigation technology in CUBE,which is defined as a dynamic combination of security threats and mitigation technologies.The automation of response systems can be achieved through the development of BT-type classification techniques and blended attack detection and response techniques for efficient responses through minimal human intervention in millions of security incidents occurring in various manners.

4 Conceptual Architecture

Fig.4 illustrates the architecture of the SOAR-CUBE and the terms and components used in the architecture is described in Tab.11.The illustration as to how SOAR-CUBE detects and responds to different BT follows.

Table 11:Components of SOAR-CUBE architecture

Figure 4:A conceptual architecture for SOAR-CUBE

4.1 Monitoring&Anomaly Detection(Step 1)

In this step,the attacker attempts to penetrate the SOAR-CUBE architecture-applied environment through various attack surfaces in the IoBE.The anomalies are detected using the security devices designed in advance through this process.The attack patterns mainly used in cyberattacks are defined in advance to block the attacker based on these patterns.If the attacker cannot be blocked in advance(e.g.,because the blended attack bypasses the pre-defined patterns),the anomaly is detected through the analysis of data,such as security events and logs generated by security technologies constructed in the IoBE.Existing IPS/IDS or SIEM can be used in this step.

4.2 Inspection Team(Step 2)

This step is performed by the inspection team if an anomaly is detected in Step 1.The attack data produced through TIP are collected,and the threat types are classified based on the collected data.Furthermore,the attack data can be comparatively analyzed with the open threat data of the Open Source Intelligence(OSINT)to define the intrusion indicators in advance or identify the attack patterns.If the attack pattern is difficult to be identified owing to an unknown or intelligent attack,the BT attack path can be deduced through correlation analysis of the log data in the IoBE system.In addition,no BT is detected or analyzed in the CUBE,the inspection team can generate a CUBE considering the BT based on the analysis performed by other companies or organizations through threat intelligence.

4.3 Response Team(Step 3)

This step is for protecting the assets in the IoBE via the response team after the BT analysis of Step 2 performed by the inspection team.It includes SOA-CUBE and SIRP-CUBE.The process of creating the security technology’s workflow and the dynamic playbook is undergone according to the cyber-kill chain stage and attack type of the BT detected through SOA-CUBE.In SOA-CUBE,the orchestration that connects each input/output of security technology for inter-operation is required before the occurrence of the BT.Afterward,the automated response is performed according to the cyber kill chain stage via SIRP-CUBE.It includes the process of automating the simple and repetitive response according to the response system based on the dynamic playbook.Because each component environment in the IoBE is operated based on different policies,the response system can change dynamically depending on the environment applied in SIRP-CUBE.

4.4 Management Team(Step 4)

This step is for performing the maintenance and repair of SOAR-CUBE.It includes the process of recovering the damaged system and data after responding to a blended attack.In the maintenanceand-repair step,the log data generated in the SOAR-CUBE architecture are analyzed and managed to identify similar types of BT in the future.Furthermore,if the response to a blended attack is managed,it will be possible to respond more efficiently when the same attack occurs again.In this step,refactoring and geometry management are performed,including performance improvement and error correction for the existing SOAR-CUBE architecture.

5 Conclusion

Recently,various devices such as control equipment and medical devices,have been connected to networks in convergence environments.Furthermore,new platforms have been developed;this has opened up large and new attack surfaces.Different convergence environments can be interconnected to provide new services and platforms.As various convergence environments have emerged and have been connected to each other,the complexity of the attack surfaces where security threats can occur has increased.To address this security issue,we first offered the definition of IoBE as an environment in which various convergence environments are interconnected.We also defined a BT as a security threat that uses multiple security vulnerabilities through various attack surfaces in the IoBE.As the surfaces exposed to BT in the IoBE have increased,the frequency of security incidents in organizations and companies has also increased.Furthermore,manpower and time are required for integrated management and analysis of heterogeneous security solutions,thus,increasing the time consumed in detecting,analyzing,and responding to the security incidents after their occurrence.Therefore,we proposed a new concept called CUBE,which facilitates dynamic changes according to the environment applied to the IoBE by distributing and deploying security technologies for each BT type and dynamically combining them according to the cyber kill chain stage to minimize the damage and respond efficiently to a BT.

We also proposed a SOAR-CUBE architecture to respond to security incidents with minimal human intervention by automating the BT response process.It can be used to perform modeling of a workflow that links heterogeneous security technologies and threat intelligence function that collects threat data and performs a correlation analysis of the data.Furthermore,it facilitates efficient responses to complex BTs through security orchestration,automation function,and response automation function based on the dynamic playbook creation.In the future,we plan to further study the prediction of complexly-connected data-communication paths through service and system predictions in the future environment and investigate complex attack surfaces,where cyberattacks such as data corruption and forgery,can occur in the data life cycle.Furthermore,we plan to incorporate and standardize the input-output data created or used in different security technologies(for example,firewall andIPS)to interlock them.In conclusion,we will simulate our proposed architecture in IoBE and verify that it will be efficient and accurate.

Funding Statement:This work was supported by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MSIT)(No.2021R1A2C2011391)and was supported by the Ajou University research fund.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.

Table 12:A list of abbreviations

Table 12:Continued