SecDOAR: A Software Reference Architecture for Security Data Orchestration, Analysis and Reporting
Muhammad Aufeef Chauhan, Muhammad Ali Babar, Fethi Rabhi

TL;DR
This paper introduces SecDOAR, a standardized software reference architecture for security data orchestration, analysis, and reporting, facilitating integration and development of cybersecurity monitoring systems.
Contribution
It presents a comprehensive SRA for security data platforms, including design methodology, meta-models, and a prototype, advancing standardization in cybersecurity data management.
Findings
SecDOAR SRA effectively standardizes security data architecture.
Prototype demonstrates feasibility for security orchestration and analysis.
Comparison shows SecDOAR's completeness over existing solutions.
Abstract
A Software Reference Architecture (SRA) is a useful tool for standardising existing architectures in a specific domain and facilitating concrete architecture design, development and evaluation by instantiating SRA and using SRA as a benchmark for the development of new systems. In this paper, we have presented an SRA for Security Data Orchestration, Analysis and Reporting (SecDOAR) to provide standardisation of security data platforms that can facilitate the integration of security orchestration, analysis and reporting tools for security data. The SecDOAR SRA has been designed by leveraging existing scientific literature and security data standards. We have documented SecDOAR SRA in terms of design methodology, meta-models to relate to different concepts in the security data architecture, and details on different elements and components of the SRA. We have evaluated SecDOAR SRA for its…
Taxonomy
Topics: Service-Oriented Architecture and Web Services · Network Security and Intrusion Detection · Access Control and Trust
