Floragasse 7 – 5th floor, 1040 Vienna

CyberMonoLog

Cyber Security MONITORING and LOGGING Best Practice Guidance

CyberMonoLog develops best practices for cyber security monitoring and logging based on the known attack techniques (MITRE ATT&CK).

The research question is therefore, which data sources have to be analyzed with which methods in order to detect most relevant attack techniques with an economical use of resources. The results of the project should be best practice guidelines for the implementation of a monitoring strategy by SMEs and operators of critical infrastructures. The explanations will be based on the known state of the art and the applicability of the results will be ensured by cross-validation with external stakeholders as well as stakeholders and authorities and experts from CERT.at. Legal aspects (data protection, labor/service law issues) will be taken into account.

Motivation

Severe cyber attacks on companies and critical infrastructures dominate the weekly press reports.

Many recent incidents, such as the death of a German patient as a result of a ransomware attack on a university clinic in September 2020, or the extensive infiltration of infrastructures, as in the case of the SolarWinds hacks 2020, underline the serious situation.

Detecting attacks and reacting quickly to them are therefore essential skills for organizations – not only for large-scale industry, but especially for critical infrastructure providers (CI) as well as for the SME sector, which is so important in Austria.

It is impossible for an organization to detect all known attack techniques with economic means. The research question is therefore which data sources (or events emitted from them) must be analyzed with which methods (ranking) in order to detect the most relevant attack techniques with a predefined use of resources.

Therefore, the results of the project should be readily applicable best practice guidelines for the implementation of a monitoring strategy for SMEs and CIs. These guidelines will be based on the known state of the art and the applicability of the results is ensured by cross-validation with external stakeholders as well as authorities and experts from CERT.at.

Graph showing average time until detection or containment of cyber-attacks
Graph showing average time until detection or containment of cyber-attacks, sorted by sector

Further Information

CyberMonoLog has been funded by the Austrian security research programme KIRAS of the Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (bmk)