System for monitoring and responding to security incidents
Downloads
10
Publisher
Vysoká škola báňská - Technická univerzita Ostrava
Abstract
The aim of this thesis is to design and implement centralized monitoring of antivirus alerts for the Tieto company, with automation support for incident response. The system is designed as a modular architecture with support for extensibility. Data export and import are implemented as Windows services that load the appropriate plugins for the target systems. The transport layer is interchangeable and implemented as plugins, primarily a custom MessageBus or SMTP. The GUI is written as a WPF desktop application on top of the PRISM framework and the Unity DI container. The first automation layer reduces duplicate or similar alerts by grouping or lossy compression. A machine-learning-based classifier separates out the alerts that require escalation. The second automation layer is built on top of a rule system with a custom grammar, a templating engine, and integration with external systems. It generates instructions on how to resolve the problem, looks up contacts, and escalates to the responsible persons. The system can be adjusted to align with actual business processes, external systems, and network infrastructure. It provides a very efficient, cost-saving solution while increasing the quality of the services provided.
Subject(s)
Antivirus monitoring, Automation, Machine Learning, WPF, WCF, PRISM, Unity, Dependency Injection, MEF, Windows Service, ANTLR, C#, R