Title :
Fighting Botnets with Cyber-Security Analytics: Dealing with Heterogeneous Cyber-Security Information in New Generation SIEMs
Author :
Gallego-Nicasio Crespo, Beatriz ; Garwood, Alan
Author_Institution :
Atos Res. & Innovation, Madrid, Spain
Abstract :
One of the cyber-threats with the highest impact nowadays, in terms of the number of compromised systems and the effect they can have on the Internet at large, is commonly known as the botnet. In the ACDC (Advanced Cyber Defence Centre) project, partners from 14 European countries, including public administrations, private sector organizations and academia, are trying to achieve a sustainable victory over botnets. This paper presents how a new generation SIEM is being used in the ACDC project to leverage its scalability and enhanced analytic capabilities and produce advanced cyber-intelligence from the heterogeneous and massive streams of data continuously produced in the cyber-security context, in combination with traditional security events and system logs. The paper describes a case study where this approach is being tested. In the case study, the SIEM has been adapted to cope not only with traditional security events and system logs, but also with pre-analyzed information about cyber-threats and incidents reported by the tools of some of the ACDC partner organizations. The case study also tests the adoption of the standard XML-based format called STIX, developed by the MITRE Corporation in the USA, and its suitability as a common specification for exchanging cyber-security information between a subset of ACDC tools, the Atos SL SIEM and the ACDC's centralized data clearing house (CCH).
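The abstract describes two ingestion paths into the SIEM: pre-analyzed threat information exchanged as STIX XML, and traditional system logs, which the SIEM then correlates. The following example, added here and not code from the paper, the ACDC project or the Atos SL SIEM, shows the mechanics of that combination: it parses a constructed STIX 1.x package carrying two botnet C2 indicators (a domain and an IPv4 address), flattens each indicator into a SIEM-style record, and matches those records against a few constructed DNS and proxy log lines. The namespace URIs are the public STIX 1.x / CybOX 2.x ones; the identifiers, domain, IP address and log format are assumptions made up for the example.

```python
import re
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2.x namespace URIs as published by MITRE.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed STIX 1.1.1 package (not from ACDC): one C2 domain indicator with a
# confidence value and one C2 IPv4 indicator without one. Ids, domain and IP are
# made up and use reserved example ranges.
SAMPLE_STIX = """<stix:STIX_Package id="example:package-1" version="1.1.1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Botnet C2 domain</indicator:Title>
      <indicator:Type>Domain Watchlist</indicator:Type>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
            <DomainNameObj:Value>c2.example.invalid</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Botnet C2 address</indicator:Title>
      <indicator:Type>IP Watchlist</indicator:Type>
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def parse_stix_indicators(xml_text):
    """Flatten each STIX Indicator with a single domain/address observable into a dict."""
    root = ET.fromstring(xml_text)
    records = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        if props is None:  # composite or reference-only observables are out of scope here
            continue
        domain = props.findtext("DomainNameObj:Value", None, NS)
        addr = props.findtext("AddressObj:Address_Value", None, NS)
        if domain:
            ioc_type, value = "domain", domain.strip().lower()
        elif addr:
            ioc_type, value = props.get("category", "ipv4-addr"), addr.strip()
        else:
            continue  # object type this normaliser does not understand
        records.append({
            "indicator_id": ind.get("id"),
            "title": ind.findtext("indicator:Title", "", NS),
            "type": ind.findtext("indicator:Type", "", NS),
            # Confidence is optional in STIX 1.x; record its absence explicitly.
            "confidence": ind.findtext("indicator:Confidence/stixCommon:Value", "Unknown", NS),
            "ioc_type": ioc_type,
            "value": value,
        })
    return records


# Constructed log lines in an assumed "key=value" format; not real SIEM input.
LOG_LINES = [
    "2014-03-12T10:01:05Z dns-resolver query src=10.0.0.7 qname=c2.example.invalid",
    "2014-03-12T10:01:09Z proxy CONNECT src=10.0.0.7 dst=198.51.100.23:443",
    "2014-03-12T10:02:00Z dns-resolver query src=10.0.0.9 qname=www.example.org",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) .*?src=(?P<src>\S+) "
    r"(?:qname=(?P<qname>\S+)|dst=(?P<dst>[0-9.]+):\d+)"
)


def correlate(records, log_lines):
    """Raise one alert per log line whose queried name or destination is a known C2 IoC."""
    index = {r["value"]: r for r in records}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: a real SIEM would count these, not drop silently
        observed = (m.group("qname") or m.group("dst") or "").lower()
        hit = index.get(observed)
        if hit:
            alerts.append({"ts": m.group("ts"), "source": m.group("source"),
                           "src": m.group("src"), "observed": observed,
                           "indicator_id": hit["indicator_id"],
                           "confidence": hit["confidence"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_stix_indicators(SAMPLE_STIX), LOG_LINES):
        print(alert)
```

Both hits come from the same internal host, which is the kind of cross-source signal (DNS lookup followed by a TLS connection to the resolved C2 address) that the abstract's combination of threat information and system logs is meant to surface; the "Unknown" confidence on the second indicator is preserved rather than defaulted upward, so downstream scoring can treat partner-supplied indicators without a stated confidence differently.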
Keywords :
DP management; invasive software; ACDC project; ACDC tools; Advanced Cyber Defence Centre project; Atos SL SIEM; CCH; Internet; SIEMs; STIX; XML-based format; botnets; centralized data clearing house; cyber-intelligence; cyber-security analytics; cyber-threats; heterogeneous cyber-security information; private sector organizations; public administrations; security events; security information and event management; system logs; Computer security; Correlation; Monitoring; Organizations; Standards organizations; STIX; correlation; cyber-analytics; cyber-security; cyber-threats; cyberdefense;
Conference_Titel :
Availability, Reliability and Security (ARES), 2014 Ninth International Conference on
Conference_Location :
Fribourg
DOI :
10.1109/ARES.2014.33