Question
Background Context

Given recent attacks on the Healthcare sector, and some noted data breaches, FauxCura Health have engaged Quantum.LogiGuardian (Q.LG), a cyber security consultancy and analytics firm.

FauxCura believes they may have had undetected cyber security breaches within their systems. As a caring and respectable healthcare provider, they want to examine their historic network data to determine whether undetected breaches have occurred.

The security operations centre at FauxCura runs a Security Incident and Event Management (SIEM) platform called Splunk. This platform collects vast quantities of log data from servers, desktop computers, routers and other network equipment and aggregates it in the form of reports and alerts that can be viewed by security personnel to identify incidents that require investigation.

During an initial investigation of FauxCura's data, Q.LG were able to trawl through history data to produce an initial report that provides some top-level metrics on incidents based on certain triggers. Incident-specific data is also retained, but generally consists of extremely large data sets.

It is hoped that the report data contains sufficient information to be able to construct an ML model that can more accurately identify events of interest.
Data Overview

The data you are working with are records extracted from FauxCura's SIEM. The records have already been processed and reduced to a summary of individual event detections that were triggered by the SIEM.

The data have also been aggregated from multiple other sources and reports in the SIEM. This means some values may be inconsistent across systems, or there may be errors in the data that need to be identified and cleaned.

Descriptions of Features:

Below is a brief explanation of the features in the data set. It is not necessary to understand these features. It is also important to note that feature naming conventions are very subjective. Reliance on the meaning of a name may miss important data or detail.
Alert Category (Categorical):
This feature describes what type of alert was created by Splunk. It is largely subjective, as the alert creators can identify their own alert levels for different types of events. The levels present in the data can be approximately summarised as:

Informational:
An event that is being logged to the system for information purposes only. It is possible these could relate to malicious activity, but this is the lowest level of alert.

Warning:
This is a higher level of alert and is typically used to identify a situation that may not be typical.

Alert:
These are typically used for specific events that represent a security concern that requires action.

NetworkEventType (Categorical):
This is the type of event that the SIEM report believes has occurred. It can be used to differentiate between apparently normal network traffic and things like policy violations, and even threat detections and data exfiltration.

NormalOperation:
No specific anomalies occur in this logged event; there are many reasons this data may be logged.

PolicyViolation:
A security or business policy has been violated. This can range from attempts to run unauthorised software on the network, to using the wrong type of web browser to access a database.

ThreatDetected:
A specific condition has been detected that has previously been identified as a security threat. These could be normal operations mis-tagged, or they may include malicious software or techniques in use.

NetworkInteractionType (Categorical):
This is another computer metric that uses an unknown 3rd-party plugin to identify network interactions that are not typical.

Regular:
These appear to be normal network traffic requests.

Elevated:
Requests that are attempting to access resources that require specific permissions. For example, a computer trying to log in to an administrative console or a restricted device.

Suspicious:
Generally, these are elevated network events that are unexpected, have come from an unexpected source, or have unexpected patterns of usage.

Anomalous:
Network interactions that aren't typical but may not have any relation to security events.

Critical:
A network condition that should never occur. This could be an interaction that indicates an attack condition, or a severe equipment outage or malfunction.

Unknown:
The interaction status is unknown.

DataTransferVolume (out and in) (Numeric):
Quantifies the amount of data transferred over the network. Values are given whether they are into the network or out of the network.

TransactionsPerSession (Integer):
The number of transactions exchanged between devices and the service they are communicating with.

NetworkAccessFrequency (Integer):
Measures how frequently network ports are accessed, with abnormal frequencies potentially signalling unauthorized acce
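As an added example (not part of the assignment brief, nor FauxCura's or Q.LG's own code), the following Python sketch shows the cleaning step the Data Overview calls for before any model is trained: the field names and levels follow the feature descriptions above, the sample rows are constructed, and the fallback rules and the ordinal AlertSeverity feature are assumptions.

```python
# Added example, not from the assignment: validate and clean records shaped like the feature list above.
ALERT_LEVELS = ("Informational", "Warning", "Alert")  # documented ordering, lowest to highest
EVENT_TYPES = ("NormalOperation", "PolicyViolation", "ThreatDetected")
INTERACTION_TYPES = ("Regular", "Elevated", "Suspicious", "Anomalous", "Critical", "Unknown")
NUMERIC_FIELDS = ("DataTransferVolumeIn", "DataTransferVolumeOut",
                  "TransactionsPerSession", "NetworkAccessFrequency")
CATEGORICAL = {"AlertCategory": ALERT_LEVELS, "NetworkEventType": EVENT_TYPES,
               "NetworkInteractionType": INTERACTION_TYPES}
# Constructed sample rows showing the inconsistencies the brief warns about: case and
# whitespace drift between source systems, a negative volume, a numeric string, a missing level.
SAMPLE_RECORDS = [
    {"AlertCategory": "Informational", "NetworkEventType": "NormalOperation",
     "NetworkInteractionType": "Regular", "DataTransferVolumeIn": 1200,
     "DataTransferVolumeOut": 300, "TransactionsPerSession": 4, "NetworkAccessFrequency": 2},
    {"AlertCategory": " warning", "NetworkEventType": "PolicyViolation",
     "NetworkInteractionType": "Elevated", "DataTransferVolumeIn": 80,
     "DataTransferVolumeOut": -15, "TransactionsPerSession": 1, "NetworkAccessFrequency": 9},
    {"AlertCategory": "Alert", "NetworkEventType": "threatdetected",
     "NetworkInteractionType": None, "DataTransferVolumeIn": 5,
     "DataTransferVolumeOut": "90000", "TransactionsPerSession": 2, "NetworkAccessFrequency": 140},
]

def clean_record(rec, index):
    """Return (cleaned copy, issues). Unknown levels become None (NetworkInteractionType falls
    back to the documented 'Unknown'); negative/non-numeric counts become None for later imputation."""
    out, issues = dict(rec), []
    for fld, levels in CATEGORICAL.items():
        key = str(rec.get(fld)).strip().lower()  # a missing value becomes "none" and never matches
        lvl = next((level for level in levels if level.lower() == key), None)
        if lvl is None:
            issues.append(f"row {index}: {fld}={rec.get(fld)!r} is not a documented level")
            lvl = "Unknown" if fld == "NetworkInteractionType" else None
        out[fld] = lvl
    for fld in NUMERIC_FIELDS:
        try:
            val = float(rec.get(fld))
        except (TypeError, ValueError):
            val = -1.0  # sentinel so non-numeric values take the invalid path below
        if val < 0:
            issues.append(f"row {index}: {fld}={rec.get(fld)!r} is negative or non-numeric")
            val = None
        out[fld] = val
    sev = out["AlertCategory"]  # ordinal severity derived from the documented alert ordering
    out["AlertSeverity"] = ALERT_LEVELS.index(sev) if sev else None
    return out, issues

def clean_dataset(records):
    """Clean every record; return (cleaned rows, all issues) for review before modelling."""
    results = [clean_record(r, i) for i, r in enumerate(records)]
    return [row for row, _ in results], [msg for _, found in results for msg in found]
```

The issue list is meant to be reviewed by a person before the cleaned rows feed a model, since a systematic inconsistency between source systems is itself a finding worth reporting back to the SOC.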
