News

publications

SOCCRATES presented at 35th annual FIRST conference

Martin Eian (mnemonic) and Frank Fransen (TNO) presented SOCCRATES at the 35th Annual FIRST Conference, June 4-9, 2023 in Montréal, Canada. 

Recording of ETIS webinar with live demonstration of SOCCRATES Platform

On December 14th 2022, ETIS organised a webinar “Results of the SOCCRATES Project – Novel Approaches to Security Automation”. This webinar has been recorded and is now available on Vimeo.

Final event

We were proud to be part of Cyber Security Week Luxembourg and look back on a fantastic event. A big thank you to our participants, speakers and partners!

Future needs of next generation SOCs and CSIRTs

Most SOCs and CSIRTs have a good set of capabilities. But present-day SOC and CSIRT capabilities simply do not suffice to deal with the persistence and sophistication of professional threat actors, especially given the increasing complexity of ICT infrastructures and the shortage of skilled staff. Therefore, we need to increase the speed and effectiveness of detection of and response to ongoing attacks, and the scope, effectiveness and efficiency of proactive analysis of threats to the ICT infrastructure, in order to enhance its cyber resilience.

Read our latest blog post on the future needs of SOCs and CSIRTs, written by Reinder Wolthuis and Frank Fransen.

Automating the hunt for new DGAs and other malicious domains

Read our latest blog post on the hunt for new DGAs, written by Piotr Kijewski, CEO at The Shadowserver Foundation.

“The work in SOCCRATES has helped achieve real-world impact through the detection of new threats and large scale victim notification alerts to the Internet defender community.”
Piotr Kijewski

Go to blog post

Deep dive session on the SOCCRATES platform at the ONE Conference 2022

We are proud to be part of the ONE Conference 2022. Join the deep dive session on 18 October in The Hague.

In this session, we will present our experiences of designing, implementing and evaluating the SOCCRATES security automation platform for SOCs/CSIRTs. First, the vision, use cases, KPIs and the components of the platform will be introduced. Next, we will present the experiences of designing and implementing the SOCCRATES Platform, and elaborate on the results of the evaluation at three pilot sites. Finally, we will conclude with lessons learned and next steps.

In this deep dive session, a detailed overview of the SOCCRATES platform will be presented, accompanied by a step-by-step demonstration of how the SOCCRATES Platform provides situational and option awareness for SOC analysts and CSIRT teams during ongoing attacks. In addition, a detailed demonstration will be given of how the platform assesses the discovery of new vulnerable assets in an ICT infrastructure and how it can prepare recommendations to mitigate business risk.

Learn more

Open access paper

Wojciech Wideł, Preetam Mukherjee, and Mathias Ekstedt from our partner KTH published in IEEE Access about their work in the SOCCRATES project.

Mathias Ekstedt: ‘This paper covers the underlying algorithm that was developed for automatically suggesting courses of actions to the SOC operator. It analyzes the structure of attack graphs generated from models of the monitored ICT infrastructure and fits defense actions into a specified available budget.’

Open access
Go to the article: Security Countermeasures Selection Using the Meta Attack Language and Probabilistic Attack Graphs

Blog post: From Anomalies to Actions

Agron Bajraktari, Francesca Soro, David Allison and Paul Smith from our partner AIT wrote a blog post about their work in the SOCCRATES project: ‘From Anomalies to Actions: Reasoning About the Root Cause of Anomalies to Determine Actionable Insights for Cyber-Attack Mitigation’.
Learn more

SOCCRATES final event: ‘Innovation for Next Generation SOCs’

Defending against cyber-attacks has become a challenging task for most organisations. How can we innovate SOCs and CSIRTs and enhance them to be ready for current and future threats?

The SOCCRATES research project aims to take control of the growing cyberthreats by developing and implementing a security automation and decision support platform. At the SOCCRATES final event, you will get an insight into the world of security automation. We will demonstrate the SOCCRATES platform, share project learnings and explore future developments. Hands-on demos will provide you with insights into how SOCCRATES innovations improve the effectiveness of the cybersecurity workforce.

Programme highlights
• Keynote speech by Christine Bejerasco, CTO WithSecure: ‘Threat Landscape & A New Security Mindset’
• SOCCRATES vision & results
• Use case demos: SOCCRATES use cases and infrastructure, infrastructure modelling, the SOCCRATES platform
• Pilot learnings
• SOCCRATES results in commercial and Open Source products
• Presentation of the SOCCRATES vision paper
We will conclude the presentations with an informal networking reception.

‘Threat Landscape & A New Security Mindset’, keynote speech by Christine Bejerasco
From taking a peek at the most effective cyber threats and their evolution, to prioritizing areas to protect in a world of increasing technology sprawl, Bejerasco will show that threat actors adapt swiftly to changes in technologies and human behavior. Bejerasco also shares a method for prioritization based on the desired outcomes of the organization.

Vision Paper
The SOCCRATES Vision Paper provides a vision and concrete next steps on innovative security automation and answers questions such as ‘Why should we invest in automated security and how do you start?’, ‘What does the Next Generation SOC look like?’ and ‘How can we integrate automation into our way of working?’. After the event you will receive a copy of the SOCCRATES vision paper.

Practical information
Wednesday, 19 October 2022
13:30 - 17:30
Luxexpo The Box
10, Circuit de la Foire Internationale
L-1347 Luxembourg-Kirchberg

Registration
Your registration is free of charge, but mandatory.

Cybersecurity Week Luxembourg

The SOCCRATES final event is organised in collaboration with the Cybersecurity Week Luxembourg (CSWL) (18-20 October 2022). If you want to register for the programme of the CSWL, you can do so separately via the event website. On this page you only register for the SOCCRATES final event.

Download SOCCRATES Vision Paper

Vision, Roadmap & Guidance for SOC

Organisations face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing and there is a shortage of qualified cybersecurity experts. To deal with these challenges, many organisations have increased their efforts in security monitoring and incident response and established (internal) SOCs and CSIRTs (or outsourced these tasks to a MSSP). But even with these increased defence efforts, the levels of cyberthreat exposure cannot be sufficiently reduced.

Continuous innovation and investment in automation is needed in SOCs and CSIRTs to stay ahead of the threats. The SOCCRATES Vision Paper provides a vision and concrete next steps on innovative security automation and answers questions such as ‘Why should we invest in automated security and how do you start?’, ‘What does the Next Generation SOC look like?’ and ‘How can we integrate automation into our way of working?’.

Download SOCCRATES Vision Paper

To receive a printed copy of the SOCCRATES vision paper, please send an email including your email address and postal address to: info@soccrates.eu.

SOCCRATES final event
In autumn 2022 there will be the SOCCRATES final event, where we will demonstrate the SOCCRATES platform, share project learnings and explore future developments. You are cordially invited! Stay tuned to our website for details.

4th International Workshop on Next Generation Security Operations Centers (NG-SOC 2022)

We are proud to announce the 4th International Workshop on Next Generation Security Operations Centers (NG-SOC 2022), to be held in conjunction with the 17th International Conference on Availability, Reliability and Security (ARES). This workshop is jointly organised by the SOCCRATES, SAPPAN and CyberSEAS projects.

Promising solutions
The aim of this workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. Through cooperation among European projects, the workshop intends to provide a more comprehensive overview of the promising research-based solutions that enable timely response to emerging threats and support different aspects of the security analysis and recovery process.
Learn more

2nd Joint Workshop – Dynamic Countering of Cyber-attacks | Achievements and Standardisation

Following the success of the first edition of the workshop back in 2021, SOCCRATES announces its participation in the 2nd Joint Workshop – Dynamic countering of cyber-attacks, which will take place virtually between 9:00 and 16:00 CET on the 8th of February 2022.

Organised by the CyberSANE project, and this time supported by the FIWARE Foundation, the workshop aims at gathering the projects from the SU-ICT-01-2018 H2020 call, whose main topic is Dynamic countering of cyber-attacks, to share the main progress of the project, create synergies and set a common ground for standardisation activities. Moreover, experts representing each project will discuss the different approaches to the common problem of attack detection and situational awareness in different environments.

Attending this event
More information about the agenda and speakers can be found on the registration page. Attending this event is free of charge, however, registration is required.

The participating projects are: SOCCRATES, C4IIoT, CARAMEL, GUARD, SAPPAN and SIMARGL.

SOCCRATES
SOCCRATES aims to develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs) of individual organisations, and for those offered by Managed Security Service Providers (MSSPs). By using this platform, they will significantly improve their capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The platform contains innovative solutions for automated infrastructure modelling, improved attack detection, Cyber Threat Intelligence utilisation, AI and machine learning based threat trend prediction, and automation using Attack Defence Graphs (ADG) and business impact modelling to aid human analysis and decision making on the best course of action, enabling the execution of defensive actions at machine speed.
CyberSANE
CyberSANE enhances the security and resilience of Critical Information Infrastructures (CIIs) by providing a dynamic collaborative, warning and response system supporting and guiding security officers and operators to recognise, identify, dynamically analyse, forecast, treat and respond to advanced persistent threats (APTs) and handle their daily cyber incidents using structured and unstructured data such as logs, network traffic, or data coming from social networks.
CyberSANE introduces a holistic and privacy-aware approach to handling security incidents, addressing the complexity of these networks consisting of cyber assets hosted in cross-border, heterogeneous CIIs from the Energy, Maritime Transportation and Healthcare sectors. The CyberSANE System is an innovative, knowledge-based, collaborative security and response dynamic system, capable of implementing all phases of the cyber incident handling life cycle, increasing the agility of security professionals and encouraging continuous learning.
Follow CyberSANE on Twitter and LinkedIn
C4IIoT
C4IIoT will design, build and demonstrate a novel and unified Cybersecurity 4.0 framework that implements an innovative IoT architecture paradigm to provide an end-to-end holistic and disruptive security-enabling solution for minimising the attack surfaces in Industrial IoT systems. C4IIoT bridges cyber assurance and protection, machine (deep) learning (ML/DL), edge/cloud computing, blockchain and Big Data technologies to provide a viable scheme for enabling security and accountability, preserving privacy, enabling reliability and assuring trustworthiness within evolving IIoT applications and processes (e.g. automotive). C4IIoT's novel cybersecurity mechanisms are carefully orchestrated across all infrastructure elements involved in an IIoT system (e.g., IIoT devices, field gateways, cloud resources) and are based upon analysis of various data flows (e.g., IIoT device data, encrypted network flows).
CARAMEL
CARAMEL is a project that aims to introduce an innovative anti-hacking intrusion detection/prevention system for the European automotive industry. Their goal is to proactively address modern vehicle cybersecurity challenges applying advanced Artificial Intelligence (AI) and Machine Learning (ML) techniques and also to continuously seek methods to mitigate associated safety risks.
In order to address cybersecurity considerations for the autonomous and connected vehicles that are already here, well-established methodologies from the ICT sector will be adopted, allowing vulnerabilities and potential cyberattack impacts to be assessed. Although past initiatives and cybersecurity projects related to the automotive industry have produced security assurance frameworks for networked vehicles, several newly introduced technological dimensions, such as 5G, autopilots, and smart charging of Electric Vehicles (EVs), introduce cybersecurity gaps that are not yet addressed satisfactorily. Considering the entire supply chain of automotive operations, CARAMEL aims to deliver commercial anti-hacking IDS/IPS products for European automotive cybersecurity and to demonstrate their value through extensive attack and penetration scenarios.
GUARD
GUARD is a cybersecurity framework to Guarantee Reliability and trust for Digital service chains. They aim to design a holistic framework for advanced end-to-end assurance and protection of business service chains. GUARD also aims to improve the detection of attacks and identification of new threats as well as develop fine-grained, programmable and low-overhead monitoring, inspection and enforcement systems. Further to improving awareness and reactions to incidents, GUARD aims to elaborate new business models for commercial exploitation after the project lifetime.
SAPPAN
SAPPAN aims to develop a platform for sharing and automation to enable privacy preserving and efficient response and recovery utilizing advanced data analysis and machine learning. They will provide a cyber threat intelligence system that decreases the effort required by a security analyst to find optimal responses to and ways to recover from an attack. This will be enabled within a single organization as well as across organisations through novel models for privacy-preserving data processing and sharing. SAPPAN will also enable a European level perspective on advanced cyber security threats detection, response, and recovery making four key contributions that go beyond existing approaches: (1) privacy-preserving aggregation and data analytics including advanced client-side abstractions; (2) federated threat detection based on sharing of anonymised data and sharing of trained machine learning models; (3) standardisation of knowledge in the context of incident response and recovery to enable reuse and sharing; (4) visual, interactive support for Security Operation Center operators. SAPPAN aims to provide solutions for public international institutions and multinational companies who want to enrich their Situational Awareness by sharing cyber security intelligence as well as solutions for small and midsize companies enabling them to outsource intrusion detection.
SIMARGL
SIMARGL is a project co-funded by the European Commission under Horizon 2020 programme, to combat the pressing problem of malware. It aims to tackle the new challenges in the cybersecurity field, including information hiding methods, network anomalies, stegomalware, ransomware and mobile malware. SIMARGL will offer an integrated and validated toolkit improving European cybersecurity. The cutting-edge of the proposed solution stems from the development of a more general approach, one that has the ability to counteract the new, complex malware. SIMARGL will use breakthrough methods and algorithms to analyze the data from networks, such as: concept drift detectors, advanced signal processing and transformations, lifelong learning intelligent systems (LLIS) approach, hybrid classifiers, and deep learning, just to mention some techniques.

SOCCRATES is now listed as a contributor to MITRE ATT&CK

The SOCCRATES work by mnemonic on the Adversary Emulation Planner (AEP) has resulted in contributions to MITRE ATT&CK. As a result, SOCCRATES has been listed as a contributor to MITRE ATT&CK. The list of MITRE ATT&CK contributors can be found here.

SOCCRATES presentation ONE conference now online!

Martin Eian from mnemonic gave a presentation at the ONE conference, which took place on Tuesday 28 and Wednesday 29 September 2021 in the Netherlands. The presentation, titled SOCCRATES Project – Automating Threat Intelligence and Adversary Emulation, is now online and can be viewed here.

Second series of SOCCRATES webinars

SOCCRATES will organise a second series of webinars that will run until June 2022 and address the results achieved at the pilot sites (mnemonic, Vattenfall and Shadowserver). SOCCRATES webinars are free of charge but subject to registration. An overview of the planned webinars can be found here.

The second series of SOCCRATES webinars starts with a theme session (28 September 2021, 15.30-17.00 CET) on detecting DGA-related threats, in collaboration with the EU research project SAPPAN. More information on this webinar can be found here.

Best paper award at IEEE CSR 2021 conference!

The paper “Mapping cyber threat intelligence to probabilistic attack graphs” by A. Gylling, M. Ekstedt, Z. Afzal, and P. Eliasson, partly financed by SOCCRATES, received best research paper award at the 2021 IEEE International Conference on Cyber Security and Resilience (IEEE CSR), July 26th – 28th.

Agenda of the NG-SOC 2021 workshop, August 17th is now available

The agenda for the jointly organised NG-SOC 2021 workshop, to be held in conjunction with the 16th International Conference on Availability, Reliability and Security (https://www.ares-conference.eu/conference-2021/detailed-program/), is now available: https://www.ares-conference.eu/workshops-eu-symposium/ng-soc-2021/

To attend the workshop, a registration for the ARES conference is required, in the amount of 60€ + 20% VAT (Regular Attendee). Registration can be done here: https://www.ares-conference.eu/registration-all-digital-conference/

SOCCRATES submissions accepted for annual FIRST conference

We made two SOCCRATES submissions to the 33rd Annual FIRST Conference: “Crossing Uncertain Times,” to be held virtually on June 7-9, 2021.
And they were both accepted!
* Martin Eian (mnemonic) will present the topic: ‘Adversary Emulation – Generating MITRE ATT&CK Technique Sequences’, which will be a prerecorded session

* Erik Ringdahl (foreseeti) and Frank Fransen (TNO) will present the topic: ‘Attack Defense Graph Analysis for Supporting SOC and CSIRT Operations’, which will be a Live Presentation on Wednesday June 9th, 2021.

This acceptance by the prestigious FIRST annual conference is a great appreciation for the work we do in SOCCRATES!

https://www.first.org/conference/2021/

Deadline extended for Workshop on Next Generation Security Operations Centers (NG-SOC 2021)

The deadline for submissions for the NG-SOC workshop, jointly organised by SAPPAN and SOCCRATES in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021 – http://www.ares-conference.eu), has been extended to May 14th!

The important dates are:

– Submission Deadline May 14th, 2021
– Author Notification May 31, 2021
– Proceedings Version June 13, 2021
– ARES EU Symposium August 17, 2021
– Conference August 17 – August 20, 2021

The call for papers can also be found here: ARES Conference » NG-SOC 2021 (ares-conference.eu). The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found at https://www.ares-conference.eu/conference/submission/.

Positive SOCCRATES mid term review

SOCCRATES is already halfway through its project lifetime, so we had our mid-term review on Wednesday April 14th. We prepared for a day of presentations and demos and had very good questions from and discussions with our EU Project Officer (PO) and the three expert reviewers. They also provided us with some very useful suggestions. We received their first feedback at the end of the day (a formal feedback report will follow). Although there were some attention points, the overall feedback was that our PO and the reviewers were very happy with the progress we’ve made in the project. In particular the newly developed Adversary Emulation Plan tool, presented by Martin Eian (mnemonic), was considered to be really cool. It will be shared as Open Source soon. Our PO also requested us to share our vision on future SOC/CSIRT developments as early as possible, so this can serve as input to upcoming SOC/CSIRT initiatives at EU level. Of course we will gladly fulfil this honourable request.

3rd International Workshop on Next Generation Security Operations Centers (NG-SOC 2021)

Two H2020 projects: SOCCRATES (https://www.soccrates.eu/) and SAPPAN (https://sappan-project.eu/) jointly organize the NG-SOC 2021 workshop, to be held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021 – http://www.ares-conference.eu)
August 17 – August 20, 2021, Vienna, Austria

Important Dates
– Submission Deadline April 30, 2021
– Author Notification May 31, 2021
– Proceedings Version June 13, 2021
– ARES EU Symposium August 17, 2021
– Conference August 17 – August 20, 2021

Submission Guidelines
The call for papers can also be found here: ARES Conference » NG-SOC 2021 (ares-conference.eu). The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found at https://www.ares-conference.eu/conference/submission/.

Workshop Description
Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by the introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.
The aim of this workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. Through cooperation among H2020 European projects, the workshop intends to provide a more comprehensive overview of the promising research-based solutions that enable timely response to emerging threats and support different aspects of the security analysis and recovery process.

Topics of interest include, but are not limited to:
• Collaborative Incident Response and Recovery
• Machine Learning for Security and Privacy
• Intrusion Detection
• Network Security
• Standardization and Sharing of Cybersecurity Knowledge
• Endpoint Security
• Privacy Aspects of Sharing in Cybersecurity
• Cyber Threat Intelligence Utilization
• Situation Awareness and Decision Support Tools for SOC
• Novel Visualization Tools and Approaches for SOC
• Security of Machine Learning
• Attacks against Deep Learning (e.g. Adversarial Examples)
• Malware Identification and Analysis
• Vulnerability Discovery
• Digital Forensics and Attack Attribution
• Natural Language Processing (NLP) for Security
• Threat Trend Modelling and Prediction
• Attack and Defence Modelling
• Host Behaviour Profiling
• User Behaviour Analytics (UBA)
• Advanced Persistent Threat Detection and Analysis
• Security Event Fusion, Correlation and Severity Analysis

Workshop Chairs
Irina Chiscop, TNO, Netherlands
Tomas Jirsik, Masaryk University, Brno, Czech Republic
Avikarsha Mandal, Fraunhofer FIT, Aachen, Germany
Ewa Piatkowska, AIT Austrian Institute of Technology, Austria

Program Committee
Ville Alkkiomäki, F-Secure, Finland
Manos Athanatos, FORTH-ICS, Greece
Mathias Ekstedt, KTH, Sweden
Muriel Figueredo Franco, University of Zurich UZH, Switzerland
Frank Fransen, TNO, The Netherlands
Leandros Maglaras, De Montfort University, Leicester, UK
Preetam Mukherjee, KTH, Sweden
Dimitrios Serpanos, Industrial Systems Institute, Greece
Edward Staddon, INRIA, France
Daniel Tovarnak, Masaryk University, Czech Republic
Ruben Trapero, ATOS, Spain
Petr Velan, Masaryk University, Czech Republic
Daniel Weber, LRZ, Germany
Markus Wurzenberger, AIT Austrian Institute of Technology, Austria
Martin Zadnik, CESNET, Czech Republic

Joint Standardisation Workshop of Dynamic countering of cyber-attacks projects

On January 22nd 2021 all projects that are funded in the H2020 call SU-ICT-01-2018 will have a joint workshop to exchange knowledge and to develop plans for collaborative standardisation and dissemination activities. We intend to utilise intra-project synergies to increase the overall impact of the projects and consequently increase the resilience of the EU community against cyber-attacks.

SOCCRATES presented at Ericsson by Shadowserver

At the Ericsson Internal Network Security Seminar on September 22nd 2020, The Shadowserver Foundation was invited to give a presentation. The presentation was titled “Large Scale Internet Garbage Collection and Sharing”.

Abstract:

The Shadowserver Foundation has been collecting network threat information on a big-data scale for many years with a mission to make the Internet a more secure environment for all. The collected data is shared with 112+ National CSIRTs and 5900+ network owners worldwide via the Shadowserver free daily remediation feeds and used to support various law enforcement investigations. Data collection and management on such a scale is a big challenge – the talk will give an overview of how Shadowserver operates, what data it collects and what threat information can be inferred from it, how the information is being shared and how Shadowserver has supported various malware botnet takedowns and disruptions.

D4.2 Threat Identification and Threat Trend Prediction – Initial Prototype

This deliverable provides an overview of the initial threat identification and trend prediction toolset prototyping carried out as part of Task 4.2 in WP4: Threat Identification and Threat Trend Prediction. A set of Dockerized tools utilizing ML and string similarity algorithms has been developed for the purpose of identifying and classifying DGA-based domains in large domain datasets derived from The Shadowserver Foundation’s malware sandbox.

SOC Automation 101: Let’s Make the SOC Great (-er) Again!

Wednesday August 26, 2020 4:00 PM – 5:10 PM CEST

SOCCRATES and the SECO institute jointly organize a webinar on August 26th (4 PM-5.10 PM CEST) about SOC automation. During this webinar we’ll evaluate automation as one of the solutions to overcoming major challenges that Security Operations Centers face today. We’ll evaluate time consuming tasks that could be automated to increase the efficiency of a SOC and help the Security Analyst to evolve from a fire-fighter to a more proactive response expert.

Rob van Os (SOC Manager at de Volksbank and member of the SOCCRATES stakeholder group) explains why and how a SOC should embrace automation to deal with ‘alert overkill’; manage security tools that generate a lot of data; increase SOC efficiency and outputs; and make the Security Analyst job ‘Great Again’. Erik Ringdahl and Frank Fransen from SOCCRATES deliver a short presentation and a demo of the Attack Defence Graph Analyser, that automatically and continuously generates models of IT architectures in a SOC to perform automated attack simulations and threat modelling, predict how attacks might propagate and suggest mitigations.

Participation is free upon timely registration:
https://register.gotowebinar.com/register/6946483974829535502


SOCCRATES and SAPPAN organise International Workshop on NG SOC in conjunction with ARES, August 25, 2020

Overview

Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.

The aim of the NG-SOC 2020 workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. The workshop will draw on expertise from two EU-funded H2020 projects: SAPPAN (https://sappan-project.eu/) and SOCCRATES (https://www.soccrates.eu/). Selected members of the projects’ consortia will present their research activities. The workshop will include a panel session to foster discussion on the major operational challenges that enterprises and SOC operators face and to provide insights into promising research-based solutions.

Project abstract

The workshop is jointly organized by two H2020 projects that are funded by the European Commission:

SOCCRATES project (https://www.soccrates.eu/) will develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs), that will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The SOCCRATES Platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and enable the execution of defensive actions at machine-speed. The SOCCRATES Platform aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the SOC. The outcomes of the project will contribute to a more secure cyberspace and strengthen competitiveness in the EU digital single market.

The SAPPAN project (https://sappan-project.eu/) aims to enable efficient protection of modern ICT infrastructures via advanced data acquisition, threat analysis, and privacy-aware sharing and distribution of threat intelligence, aimed at dynamically supporting human operators in response and recovery actions. The SAPPAN project will develop collaborative, federated, and scalable attack detection to support response activities and allow for timely responses to newly emerging threats, supporting different privacy levels. We plan to identify a standard for the interoperable and machine-readable description of incident response reports and recovery solutions. Risk assessment, privacy, and security will be addressed in the standard's design. Results of both attack detection and recovery and response processes will be shared on a global level to achieve advanced response and recovery via knowledge sharing and federated learning. We are developing a mechanism for sharing threat intelligence information, which implements a combination of encryption and anonymisation to achieve GDPR compliance. Novel visualisation techniques will be developed to assist security and IT personnel, provide enhanced context for the response and recovery process, and improve its visual presentation.

Topics of interest include, but are not limited to:

  • Security Operation Center (SOC)
  • Anomaly Detection
  • Network Intrusion Detection Systems
  • Domain Generation Algorithms
  • Cyber Threat Intelligence Utilization
  • Privacy-aware Threat Intelligence Sharing
  • Business Impact Modelling
  • Attack Analysis with Attack Defence Graphs (ADGs)
  • Visual Presentation to Support Response and Recovery Actions

Workshop Agenda (Tuesday, 25th of August 2020 | 9:00 – 17:45)

Time | Talk | Duration [min]
 | Session 1 (Ewa Piatkowska) | 90
09:00 – 09:05 | Welcome – Ewa Piatkowska | 5
09:05 – 09:25 | The SOCCRATES Project: Overview and Objectives – Frank Fransen (TNO) | 20
09:25 – 09:45 | The SAPPAN Project: Overview and Objectives – Avikarsha Mandal (Fraunhofer FIT) | 20
09:45 – 10:30 | Keynote: Semi-Automated Cyber Threat Intelligence (ACT) – Martin Eian (Mnemonic) | 45
10:30 – 11:00 | Coffee break | 30
 | Session 2 (Tomas Jirsik) | 100
11:00 – 11:20 | Monitoring Malicious Infrastructures to Produce Threat Intelligence – Piotr Kijewski (Shadowserver) | 20
11:20 – 11:40 | Pipeline Development for Automatically Generated Domain Detection – Irina Chiscop (TNO) | 20
11:40 – 12:00 | Leveraging Machine Learning for DGA Detection – Arthur Drichel (RWTH Aachen University) | 20
12:00 – 12:20 | Knowledge Management and Anonymization Techniques in Cyber-Threat Intelligence – Lasse Nitz, Mehdi Akbari Gurabi (Fraunhofer FIT) | 20
12:20 – 12:40 | Reputation Management Techniques for IP Addresses, Domains, and Mail – Mischa Obrecht (DreamLab) | 20
12:40 – 13:45 | Lunch break | 65
 | Session 3 (Avikarsha Mandal) | 80
13:45 – 14:05 | Host and Application Behaviour Modelling – Tomas Jirsik (Masaryk University) and Sebastian Schaefer (RWTH Aachen University) | 20
14:05 – 14:25 | L-ADS: Live Anomaly Detection System – Alejandro Garcia Bedoya (ATOS) | 20
14:25 – 14:45 | Adversarial Examples against Intrusion Detection Systems – Ewa Piatkowska (AIT) | 20
14:45 – 15:05 | Fast and Scalable Cybersecurity Data Processing – Josef Niedermeier, Gabriela Aumayr (HPE) | 20
15:05 – 15:30 | Coffee break | 25
 | Session 4 (Irina Chiscop) | 80
15:30 – 15:50 | Attack Analysis with Attack Defence Graphs – Erik Ringdahl (Foreseeti) | 20
15:50 – 16:10 | Attack Graph-based Courses of Action for Defense – Wojciech Widel (KTH) | 20
16:10 – 16:30 | Visual Analytics for Cyber Security Data – Christoph Müller and Franziska Becker (University of Stuttgart) | 20
16:30 – 16:50 | Endpoint Protection – Paolo Palumbo (F-Secure) | 20
16:50 – 17:05 | Coffee break | 15
 | Panel Session | 45
17:05 – 17:35 | Discussion on Future Challenges for SOC – Speakers: Pavel Kacha (CESNET), Sarka Pekarova (DreamLab), Paul Smith (AIT); Panel chair: Tomas Jirsik (Masaryk University) | 30
17:35 – 17:45 | Wrap up – Ewa Piatkowska (AIT) | 10

Workshop Website

Venue and Registration

The NG-SOC 2020 workshop is organised in conjunction with the ARES 2020 conference, which this year will be held all-digital. Registration for the workshop is required and costs 40€ (Regular Attendee) or 20€ (Student Attendee). The registration fee includes entrance to all ARES & CD-MAKE conference and workshop sessions. If you want to attend, please register at https://www.ares-conference.eu/registration-all-digital-conference.

First SOCCRATES video released

We are very proud to release the first SOCCRATES video. It introduces the project and its goals and shows the underlying concepts in a way that is easily understandable.

Frank Fransen presents SOCCRATES on the market day cyber security at TNO

TNO organized a market day on cyber security on March 12th 2020 at the Hague Security Delta in The Hague. For this event, people from the cyber security industry and end users of cyber security solutions were invited. Maarten Tossings, member of the board of TNO, opened the day, on which results of recent TNO cyber security projects were highlighted with presentations, demos and posters. Frank Fransen, technical coordinator of SOCCRATES, presented the SOCCRATES project, its vision and first results. SOCCRATES was very well received by the visitors of the event. For more information on cybersecurity at TNO, visit the TNO cybersecurity page.

SOCCRATES presented at the Symposium on Power System Cyber Security at TU Delft, March 11th 2020

Frank Fransen, technical coordinator of SOCCRATES, will present SOCCRATES at the Symposium on Power System Cyber Security at TU Delft on March 11th 2020. In the program, Frank will replace Dr. Anurag K Srivastava, who is unable to attend. For more information, see: https://www.tudelft.nl/powerweb-institute/newsevents/symposium-power-system-cyber-security/

SOCCRATES second meeting in Helsinki

SOCCRATES team at F-Secure

On January 21st and 22nd, SOCCRATES had its second consortium meeting, hosted by F-Secure. It was a very fruitful meeting, in which, besides the overall progress discussion, each Work Package had its own meeting. Good progress was made on several relevant subjects. In particular, we had good discussions on the infrastructure modelling module, which resulted in a shared view.

We also had a joint session with the SAPPAN project (funded in the same call as SOCCRATES, H2020 SU-ICT-01-2018), in which F-Secure also participates. We agreed to jointly organize a workshop, look into forming a liaison between the projects and investigate potential synergies and areas of cooperation between the projects.

SOCCRATES delivers first results

On December 1st 2019, the first batch of SOCCRATES results was delivered on time. One of the results is the external website, which is now fully functional and on-line. Part of the deliverables are internal deliverables. These include cooperation tools for project members, an information platform for the stakeholder group and advisory board, and a project handbook. But there are also two important external deliverables that can be found under the results page of the website:

  • D2.1 – SOCCRATES use cases definition & pilot sites requirements
  • D8.2 – SOCCRATES dissemination plan

We are very happy that we are now up to speed and are very satisfied with these first deliverables. We look forward to the interesting activities and deliverables that will follow in the coming years.

SOCCRATES has started

In 2018, the SOCCRATES consortium submitted a proposal to work on security automation in H2020. This proposal was awarded in December 2018 and, after preparations had been completed, SOCCRATES started on September 1st, 2019. SOCCRATES had its kick-off meeting in The Hague on September 2nd and 3rd, where all partners assembled and the activities were started. The ‘vibe’ was already very good and all partners look forward to cooperating in this exciting venture, which will last three years until August 31st, 2022.

ARES conference Canterbury 2019

International Workshop on Next Generation Security Operations Centers (NG-SOC 2019)

in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES 2019)
August 26 – August 29, 2019, University of Kent, Canterbury, UK

Overview

The first SOCCRATES project workshop was organized within the ARES EU Project Symposium held in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES 2019). It took place on Monday, 26th of August 2019 at the University of Kent, Canterbury, UK.

The workshop introduced the newly-awarded SOCCRATES project, which aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at Security Operation Centres (SOCs). SOCCRATES will develop and implement a new security platform for SOCs, which will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks.

The goal of this workshop was to create a forum for researchers and practitioners to discuss the challenges associated with the operation of SOCs and to focus on research contributions that can be applied to address these challenges. Selected members of the SOCCRATES consortium presented their past and proposed project activities. The workshop concluded with an open discussion on the major operational challenges that enterprises and SOC operators face and insights into promising research-based solutions.

Workshop Programme

The following presentations were given at the workshop:

  • The SOCCRATES Project: Motivation and Aims – Reinder Wolthuis (TNO)
  • ACT: Cyber Threat Intelligence Platform – Siri Bromander (Mnemonic)
  • Threat modelling and attack simulations with MAL and securiCAD – Per Eliasson (Foreseeti)
  • Automated Response based on securiCAD recommendations – Frank Fransen (TNO)
  • Anomaly Detection (DNS Ninja & ABC tool) – Irina Chiscop (TNO)
  • Adversarial Machine Learning – Ewa Piatkowska (AIT)

We concluded with an open discussion about future challenges for SOCs, moderated by Frank Fransen (TNO).

Copyright 2023 Soccrates
Developed by Convident