See you in Rennes – C&ESAR 2014
Detection and reaction to cyber-attacks
Nov. 24-26, 2014
This year, C&ESAR will focus on cyber-attacks, covering both the problems related to detection and those related to mitigation. Detection of cyber-attacks, known as “Intrusion Detection”, has been an active research domain since the early 80s, and intrusion detection sensors have been widely and operationally deployed in modern IT systems since the late 90s. Today they are a full part of the security practitioner's toolset. IDS sensors have led to the development of security information and event management (SIEM) platforms, followed by security operations centers (SOC) that externalize detection and reaction. A research activity has also developed around the automation of reaction and mitigation strategies. This operational experience leads to the following conclusions:
1. Intrusion detection sensors do indeed detect cyber-attacks, but there always remains a part of the cyber-attacks that is not detected, and these cyber-attacks are perceived as the most dangerous.
2. Even when these cyber-attacks are detected by sensors, they may result in compromised IT systems because alerts are not treated in a timely or appropriate manner.
3. Operation centers remain very reluctant to automate attack reaction and mitigation, while at the same time being overwhelmed by alerts.
It thus appears useful to survey the current state of the art of existing technologies and tools to detect and react to cyber-attacks, and to propose new uses and new developments to improve them.