
Gustavo Gonzalez GranadilloAtos S.A. | ATOS · Cybersecurity Laboratory
Gustavo Gonzalez Granadillo
PhD in Informatics
About
56
Publications
40,352
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
914
Citations
Introduction
Gustavo Gonzalez Granadillo currently works at the Cybersecurity Lab, Atos Spain. Gustavo does research in Risk Management and Insurance, Information Systems (Business Informatics) and Information Science. Their most recent publication is 'Selection of Pareto-efficient response plans based on financial and operational assessments.'
Skills and Expertise
Additional affiliations
October 2010 - February 2017
Publications
Publications (56)
Point-of-care systems are extensively used in healthcare to react quickly and prevent critical health issues. As a result, POC systems frequently process large amounts of personal health information. Therefore, their cybersecurity and privacy requirements are crucial, while evaluating those requirements is an important task. In this work, we aim at...
This paper presents an original Intelligent and Secure Asset Discovery Tool (ISADT) that uses artificial intelligence and TPM-based technologies to: (i) detect the network assets, and (ii) detect suspicious pattern in the use of the network. The architecture has specifically been designed to discover the assets of medium and large size companies an...
Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition,...
Point-of-care systems are generally used in healthcare to respond rapidly and prevent critical health conditions. Hence, POC systems often handle personal health information; and consequently, their cybersecurity and privacy requirements are of crucial importance. While, assessing these requirements is a significant task. In this work, we propose a...
Security Information and Event Management (SIEM) systems have been widely deployed as a powerful tool to prevent, detect, and react against cyber-attacks. SIEM solutions have evolved to become comprehensive systems that provide a wide visibility to identify areas of high risks and proactively focus on mitigation strategies aiming at reducing costs...
Water CIs are exposed to a wide number of IT challenges that go from the cooperation and alignment between physical and cyber security teams to the proliferation of new vulnerabilities and complex cyber-attacks with potential disastrous consequences. Although novel and powerful solutions are proposed in the literature, most of them lack appropriate...
Open Source Intelligence (OSINT) data is collected by publicly available sources to be used by intelligence contexts among which Threat Intelligence Platforms (TIPs) are the main consumers. These platforms help organizations aggregate, correlate, and analyze threat data from multiple sources in real-time to support defensive actions. However, consi...
Cost-sensitive metrics have been widely used during the past years as financial metrics that quantify the monetary costs and benefits of security investments, assess risks, and select countermeasures accordingly. However, due to the complexity of current attacks, and the level of dynamicity required in the estimation of the parameters composing the...
Cost-sensitive metrics have been widely used during the past years as financial metrics that quantify the monetary costs and benefits of security investments, assess risks, and select countermeasures accordingly. However, due to the complexity of current attacks, and the level of dynamicity required in the estimation of the parameters composing the...
As the confidentiality and integrity of modern health infrastructures is threatened by intrusions and real-time attacks related to privacy and cyber-security, there is a need for proposing novel methodologies to predict future incidents and identify new threat patterns. The main scope of this article is to propose an advanced extension to current I...
Network anomaly detection using NetFlow has been widely studied during the last decade. NetFlow provides the ability to collect network traffic attributes (e.g., IP source, IP destination, source port, destination port, protocol) and allows the use of association rule mining to extract the flows that have caused a malicious event.
Despite of all th...
One of the weakest points in actual security detection and monitoring systems is the data retrieval from Open Source Intelligence (OSINT), as well as how this kind of information should be processed and normalized, considering their unstructured nature. This cybersecurity related information (e.g., Indicator of Compromise -IoC) is obtained from div...
Health sector is becoming more and more dependent on digital information every day. This fact can be exploited by cyber criminals who may obtain very lucrative benefits from stolen data. Moreover, a breach of integrity of health data can have terrible consequences for the patients. CUREX project aims to protect the confidentiality of health data an...
ollecting and processing Open Source Intelligence (OSINT) data is becoming a fundamental approach for obtaining cybersecurity threat information and awareness. Different types of useful information and Indicators of Compromise (IoCs) are obtained from OSINT sources, which keep security analysts updated about new and possible threats against the IT...
This paper presents a geometrical model that projects malicious and benign events (e.g., attacks, security countermeasures) as pyramidal instances in a multidimensional coordinate system. The approach considers internal event data related to the target system (e.g., users, physical, and logical resources, IP addresses, port numbers, etc.),
and exte...
We present in this paper a Cross-Layer Security Information and Event Management tool (herein after denoted as XL-SIEM) as an enhanced security data analytics platform with added high-performance correlation engine able to raise alarms from a business perspective considering different events collected at different layers. The platform is composed o...
We extend a mitigation model that evaluates individual and combined countermeasures against multi-step cyber-attack scenarios. The goal is to anticipate the actions of an attacker that wants to disrupt a given system (e.g., an information system). The process is driven by a hypergraph formalism, enforced with a stateful return on response investmen...
We propose a mitigation model that evaluates individual and combined countermeasures against multi-step cyber-attack scenarios. The goal is to anticipate the actions of an attacker that wants to disrupt a given system (e.g., an information system). The process is driven by an attack graph formalism, enforced with a stateful return on response inves...
We propose a mitigation model that evaluates individual and
combined countermeasures against multi-step cyber-attack scenarios. The goal
is to anticipate the actions of an attacker that wants to disrupt a given
system (e.g., an information system). The process is driven by
an attack graph formalism, enforced with a stateful return on response
inve...
The information required to build appropriate impact models depends directly on the nature of the system. The information dealt by health care systems, for instance, is particularly different from the information obtained by energy, telecommunication, transportation, or water supply systems. It is therefore important to properly classify the data o...
This paper aims at finding an optimal visualization model for representation
and analysis of security related data, for example, security metrics, security
incidents and cyber attack countermeasures. The classification of the
most important security metrics and their characteristics that are important for
their visualization are considered. The pap...
Visualization and simulation models used for the evaluation and selection of security countermeasures need accurate data to compute the impact of cyber events (e.g., malicious and benign actions). The information required to build appropriate impact models depends directly on the nature of the system. The information dealt by water supply systems,...
This paper aims at finding optimal visualization models for representation and analysis of security related data, for example, security metrics, security incidents and cyber attack countermeasures. The classification of the most important security metrics and their characteristics that are important for their visualization are considered. The paper...
Finding adequate responses to ongoing attacks on ICT systems is a pertinacious problem and requires assessments from different perpendicular viewpoints. However, current research focuses on reducing the impact of an attack irregardless of side effects caused by responses. In order to achieve a comprehensive yet accurate response to possible and ong...
Appropriate response strategies against new and ongoing cyber attacks must be able to reduce risks down to acceptable levels, without sacrificing a mission for security. Existing approaches either evaluate impacts without considering missions' negative-side effects, or are manually based on traditional risk assessments, leaving aside technical diff...
Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operations centers. They gather events from multiple sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views of the alerts for threat handling and security reporting. Ho...
Achieving a fully automated and dynamic system in critical infrastructure scenarios is an open issue in ongoing research. Generally, decisions in SCADA systems require a manual intervention, that in most of the cases is performed by highly experienced operators. In this paper we propose a framework consisting of a proactive management software that...
This paper presents a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) in a polygonal systems of n-sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, communication protocols, physical and logical resources, etc.). Every axis is composed o...
Finding adequate responses to ongoing attacks on ICT systems is a pertinacious problem and requires assessments from different perpendicular viewpoints. However, current research focuses on reducing the impact of an attack irregardless of side-effects caused by responses. In order to achieve a comprehensive yet accurate response to possible and ong...
We propose a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) as a prismatic instance of n-sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, resources, etc.), as well as information about the attacker's knowledge, motivation and capabili...
This paper provides a method to calculate the impact of cyber attacks and security countermeasures in a multi-dimensional coordinate system. The method considers the simulation of services, attacks and countermeasures in at least one dimensional coordinate system, the projection of which originates geometrical instances (e.g., lines, squares, recta...
The selection of security countermeasures against current cyber attacks does not generally perform appropriate assessments of the attack and countermeasure impact over the system. In addition, the methodologies used to evaluate and select countermeasures are generally based on assumptions, estimations, and expert knowledge. A great level of subject...
The impact quantification of attacks and security countermeasures is an active research in the information and communications technology domain. Supporters of the Return on Investment (ROI), and all its variants, propose quantitative models that estimate their parameters based on expert knowledge, statistical data, simulation and risk assessment to...
The selection of security countermeasures against current cyber attacks does not generally perform appropriate assessments of the attack and countermeasure impact over the system. In addition, the methodologies used to evaluate and select countermeasures are generally based on assumptions, estimations, and expert knowledge. A great level of subject...
This paper presents a model to evaluate and select security countermeasures from a pool of candidates. The model performs industrial evaluation and simulations of the financial and technical impact associated to security countermeasures. The financial impact approach uses the Return On Response Investment (RORI) index to compare the expected impact...
The sophistication and e�fficiency of current attacks makes the detection and mitigation process a very di�fficult task for security analysts. Research in information security has always focused on the eff�ects of a given attack over a particular target and the methodologies to evaluate and select countermeasures accordingly. Multiple attack scenar...
Research in information security has generally focused on providing a
comprehensive interpretation of threats, vulnerabilities, and attacks, in
particular to evaluate their danger and prioritize responses accordingly. Most
of the current approaches propose advanced techniques to detect intrusions and
complex attacks but few of these approaches prop...
Attacks against information systems have grown in sophistication and complexity, making the detection and reaction process a challenging task for security administrators. In reaction to these attacks, the definition of security policies is an effective way to protect information systems from further damages, but it requires a great expertise and kn...
Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operating centers. They gather events from various sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views for threat handling and security reporting. Research in SIEM t...
As the number of attacks, and thus the number of alerts received by Security Information and Event Management Systems (SIEMs) increases, the need for appropriate treatment of these alerts has become essential. The new generation of SIEMs focuses on the response ability to automate the process of selecting and deploying countermeasures. However, cur...
As new and more sophisticated computer attacks appear across the Internet, sometimes with unknown dimensions and criticality, the implementation of individual security solutions become less effective and in some cases useless. Instead, a combined approach is required to guarantee an appropriate and cost-effective mitigation of such attacks. Most of...
The management of security events, from the risk analysis to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, the fact that network and system devices are heterogeneous, increases the difficulty of these administrative tasks. This paper introduces an ontology-driven a...
The management of security events, from the analysis of attacks and risk to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, network and system devices are designed to be heterogeneous, with different characteristics and functionalities that increase the difficulty of...
Phishing attacks are a major concern for preserving Internet users privacy, especially when most of them lead to financial data theft by combining both social engineering and spoofing techniques. As blacklists are not the most effective in detecting phishing sites because of their short lifetime, heuristics appears as a privileged way at time 0. Se...
The new threat of the Internet, but little known to the 'general public' is constituted by botnets. Botnets are networks of infected computers, which are headed by a pirate called also 'Attacker' or 'Master'. The botnets are nowadays mainly responsible for large- scale coordinated attacks. The attacker can ask the infected computers called 'Agents'...
Pharming attacks - a sophisticated version of phishing attacks - aim to steal users' credentials by redirecting them to a fraudulent website using DNS-based techniques. Pharming attacks can be performed at the client-side or into the Internet, using complex and well designed techniques that make the attack often imperceptible to the user. With the...