Gustavo Gonzalez Granadillo

Gustavo Gonzalez Granadillo
Atos S.A. | ATOS · Cybersecurity Laboratory

PhD in Informatics

About

52
Publications
18,231
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
466
Citations
Introduction
Gustavo Gonzalez Granadillo currently works at the Cybersecurity Lab, Atos Spain. Gustavo does research in Risk Management and Insurance, Information Systems (Business Informatics) and Information Science. Their most recent publication is 'Selection of Pareto-efficient response plans based on financial and operational assessments.'
Additional affiliations
October 2010 - February 2017
Institut Mines-Télécom
Position
  • Engineer

Publications

Publications (52)
Article
Full-text available
Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition,...
Article
Full-text available
Point-of-care systems are generally used in healthcare to respond rapidly and prevent critical health conditions. Hence, POC systems often handle personal health information; and consequently, their cybersecurity and privacy requirements are of crucial importance. While, assessing these requirements is a significant task. In this work, we propose a...
Article
Full-text available
Security Information and Event Management (SIEM) systems have been widely deployed as a powerful tool to prevent, detect, and react against cyber-attacks. SIEM solutions have evolved to become comprehensive systems that provide a wide visibility to identify areas of high risks and proactively focus on mitigation strategies aiming at reducing costs...
Article
Full-text available
Water CIs are exposed to a wide number of IT challenges that go from the cooperation and alignment between physical and cyber security teams to the proliferation of new vulnerabilities and complex cyber-attacks with potential disastrous consequences. Although novel and powerful solutions are proposed in the literature, most of them lack appropriate...
Article
Open Source Intelligence (OSINT) data is collected by publicly available sources to be used by intelligence contexts among which Threat Intelligence Platforms (TIPs) are the main consumers. These platforms help organizations aggregate, correlate, and analyze threat data from multiple sources in real-time to support defensive actions. However, consi...
Article
Cost-sensitive metrics have been widely used during the past years as financial metrics that quantify the monetary costs and benefits of security investments, assess risks, and select countermeasures accordingly. However, due to the complexity of current attacks, and the level of dynamicity required in the estimation of the parameters composing the...
Article
Cost-sensitive metrics have been widely used during the past years as financial metrics that quantify the monetary costs and benefits of security investments, assess risks, and select countermeasures accordingly. However, due to the complexity of current attacks, and the level of dynamicity required in the estimation of the parameters composing the...
Article
Full-text available
As the confidentiality and integrity of modern health infrastructures is threatened by intrusions and real-time attacks related to privacy and cyber-security, there is a need for proposing novel methodologies to predict future incidents and identify new threat patterns. The main scope of this article is to propose an advanced extension to current I...
Conference Paper
Full-text available
Network anomaly detection using NetFlow has been widely studied during the last decade. NetFlow provides the ability to collect network traffic attributes (e.g., IP source, IP destination, source port, destination port, protocol) and allows the use of association rule mining to extract the flows that have caused a malicious event. Despite of all th...
Conference Paper
Full-text available
One of the weakest points in actual security detection and monitoring systems is the data retrieval from Open Source Intelligence (OSINT), as well as how this kind of information should be processed and normalized, considering their unstructured nature. This cybersecurity related information (e.g., Indicator of Compromise -IoC) is obtained from div...
Conference Paper
Full-text available
Health sector is becoming more and more dependent on digital information every day. This fact can be exploited by cyber criminals who may obtain very lucrative benefits from stolen data. Moreover, a breach of integrity of health data can have terrible consequences for the patients. CUREX project aims to protect the confidentiality of health data an...
Conference Paper
Full-text available
ollecting and processing Open Source Intelligence (OSINT) data is becoming a fundamental approach for obtaining cybersecurity threat information and awareness. Different types of useful information and Indicators of Compromise (IoCs) are obtained from OSINT sources, which keep security analysts updated about new and possible threats against the IT...
Conference Paper
This paper presents a geometrical model that projects malicious and benign events (e.g., attacks, security countermeasures) as pyramidal instances in a multidimensional coordinate system. The approach considers internal event data related to the target system (e.g., users, physical, and logical resources, IP addresses, port numbers, etc.), and exte...
Conference Paper
We present in this paper a Cross-Layer Security Information and Event Management tool (herein after denoted as XL-SIEM) as an enhanced security data analytics platform with added high-performance correlation engine able to raise alarms from a business perspective considering different events collected at different layers. The platform is composed o...
Article
We extend a mitigation model that evaluates individual and combined countermeasures against multi-step cyber-attack scenarios. The goal is to anticipate the actions of an attacker that wants to disrupt a given system (e.g., an information system). The process is driven by a hypergraph formalism, enforced with a stateful return on response investmen...
Chapter
Full-text available
We propose a mitigation model that evaluates individual and combined countermeasures against multi-step cyber-attack scenarios. The goal is to anticipate the actions of an attacker that wants to disrupt a given system (e.g., an information system). The process is driven by an attack graph formalism, enforced with a stateful return on response inves...
Conference Paper
Full-text available
We propose a mitigation model that evaluates individual and combined countermeasures against multi-step cyber-attack scenarios. The goal is to anticipate the actions of an attacker that wants to disrupt a given system (e.g., an information system). The process is driven by an attack graph formalism, enforced with a stateful return on response inve...
Conference Paper
The information required to build appropriate impact models depends directly on the nature of the system. The information dealt by health care systems, for instance, is particularly different from the information obtained by energy, telecommunication, transportation, or water supply systems. It is therefore important to properly classify the data o...
Conference Paper
This paper aims at finding an optimal visualization model for representation and analysis of security related data, for example, security metrics, security incidents and cyber attack countermeasures. The classification of the most important security metrics and their characteristics that are important for their visualization are considered. The pap...
Article
Full-text available
Visualization and simulation models used for the evaluation and selection of security countermeasures need accurate data to compute the impact of cyber events (e.g., malicious and benign actions). The information required to build appropriate impact models depends directly on the nature of the system. The information dealt by water supply systems,...
Conference Paper
Full-text available
This paper aims at finding optimal visualization models for representation and analysis of security related data, for example, security metrics, security incidents and cyber attack countermeasures. The classification of the most important security metrics and their characteristics that are important for their visualization are considered. The paper...
Article
Full-text available
Finding adequate responses to ongoing attacks on ICT systems is a pertinacious problem and requires assessments from different perpendicular viewpoints. However, current research focuses on reducing the impact of an attack irregardless of side effects caused by responses. In order to achieve a comprehensive yet accurate response to possible and ong...
Article
Full-text available
Appropriate response strategies against new and ongoing cyber attacks must be able to reduce risks down to acceptable levels, without sacrificing a mission for security. Existing approaches either evaluate impacts without considering missions' negative-side effects, or are manually based on traditional risk assessments, leaving aside technical diff...
Conference Paper
Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operations centers. They gather events from multiple sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views of the alerts for threat handling and security reporting. Ho...
Conference Paper
Full-text available
Achieving a fully automated and dynamic system in critical infrastructure scenarios is an open issue in ongoing research. Generally, decisions in SCADA systems require a manual intervention, that in most of the cases is performed by highly experienced operators. In this paper we propose a framework consisting of a proactive management software that...
Conference Paper
Full-text available
This paper presents a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) in a polygonal systems of n-sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, communication protocols, physical and logical resources, etc.). Every axis is composed o...
Conference Paper
Full-text available
Finding adequate responses to ongoing attacks on ICT systems is a pertinacious problem and requires assessments from different perpendicular viewpoints. However, current research focuses on reducing the impact of an attack irregardless of side-effects caused by responses. In order to achieve a comprehensive yet accurate response to possible and ong...
Conference Paper
We propose a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) as a prismatic instance of n-sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, resources, etc.), as well as information about the attacker's knowledge, motivation and capabili...
Article
Full-text available
This paper provides a method to calculate the impact of cyber attacks and security countermeasures in a multi-dimensional coordinate system. The method considers the simulation of services, attacks and countermeasures in at least one dimensional coordinate system, the projection of which originates geometrical instances (e.g., lines, squares, recta...
Conference Paper
Full-text available
The selection of security countermeasures against current cyber attacks does not generally perform appropriate assessments of the attack and countermeasure impact over the system. In addition, the methodologies used to evaluate and select countermeasures are generally based on assumptions, estimations, and expert knowledge. A great level of subject...
Article
The impact quantification of attacks and security countermeasures is an active research in the information and communications technology domain. Supporters of the Return on Investment (ROI), and all its variants, propose quantitative models that estimate their parameters based on expert knowledge, statistical data, simulation and risk assessment to...
Conference Paper
Full-text available
The selection of security countermeasures against current cyber attacks does not generally perform appropriate assessments of the attack and countermeasure impact over the system. In addition, the methodologies used to evaluate and select countermeasures are generally based on assumptions, estimations, and expert knowledge. A great level of subject...
Conference Paper
Full-text available
This paper presents a model to evaluate and select security countermeasures from a pool of candidates. The model performs industrial evaluation and simulations of the financial and technical impact associated to security countermeasures. The financial impact approach uses the Return On Response Investment (RORI) index to compare the expected impact...
Conference Paper
The sophistication and e�fficiency of current attacks makes the detection and mitigation process a very di�fficult task for security analysts. Research in information security has always focused on the eff�ects of a given attack over a particular target and the methodologies to evaluate and select countermeasures accordingly. Multiple attack scenar...
Article
Full-text available
Research in information security has generally focused on providing a comprehensive interpretation of threats, vulnerabilities, and attacks, in particular to evaluate their danger and prioritize responses accordingly. Most of the current approaches propose advanced techniques to detect intrusions and complex attacks but few of these approaches prop...
Article
Full-text available
Attacks against information systems have grown in sophistication and complexity, making the detection and reaction process a challenging task for security administrators. In reaction to these attacks, the definition of security policies is an effective way to protect information systems from further damages, but it requires a great expertise and kn...
Article
Full-text available
Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operating centers. They gather events from various sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views for threat handling and security reporting. Research in SIEM t...
Conference Paper
Full-text available
As the number of attacks, and thus the number of alerts received by Security Information and Event Management Systems (SIEMs) increases, the need for appropriate treatment of these alerts has become essential. The new generation of SIEMs focuses on the response ability to automate the process of selecting and deploying countermeasures. However, cur...
Conference Paper
As new and more sophisticated computer attacks appear across the Internet, sometimes with unknown dimensions and criticality, the implementation of individual security solutions become less effective and in some cases useless. Instead, a combined approach is required to guarantee an appropriate and cost-effective mitigation of such attacks. Most of...
Article
The management of security events, from the risk analysis to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, the fact that network and system devices are heterogeneous, increases the difficulty of these administrative tasks. This paper introduces an ontology-driven a...
Chapter
The management of security events, from the analysis of attacks and risk to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, network and system devices are designed to be heterogeneous, with different characteristics and functionalities that increase the difficulty of...
Conference Paper
Full-text available
Phishing attacks are a major concern for preserving Internet users privacy, especially when most of them lead to financial data theft by combining both social engineering and spoofing techniques. As blacklists are not the most effective in detecting phishing sites because of their short lifetime, heuristics appears as a privileged way at time 0. Se...
Article
Full-text available
The new threat of the Internet, but little known to the 'general public' is constituted by botnets. Botnets are networks of infected computers, which are headed by a pirate called also 'Attacker' or 'Master'. The botnets are nowadays mainly responsible for large- scale coordinated attacks. The attacker can ask the infected computers called 'Agents'...
Conference Paper
Full-text available
Pharming attacks - a sophisticated version of phishing attacks - aim to steal users' credentials by redirecting them to a fraudulent website using DNS-based techniques. Pharming attacks can be performed at the client-side or into the Internet, using complex and well designed techniques that make the attack often imperceptible to the user. With the...

Network

Cited By

Projects

Projects (4)
Archived project
Project
Project
Security Information and Event Management (SIEM) systems are a fundamental component of the ubiquitous ICT infrastructures that form the backbone of our digital society. These systems are mostly used to monitor infrastructures using many types of sensors and tools and correlate the obtained events to discover possible threats (attacks, vulnerabilities, etc.) to the organization. The DiSIEM project aims to enhance existing SIEM systems with diversity-related technology. More specifically, we want to (1) enhance the quality of events collected using a diverse set of sensors and novel anomaly detectors, (2) add support for collecting infrastructure-related information from open-source intelligence data available on diverse sources from the internet, (3) create new ways for visualising the information collected in the SIEM and provide high- level security metrics and models for improving security-related decision project, and (4) allow the use of multiple storage clouds for secure long-term archival of the raw events feed to the SIEM. Given the high costs of deployment SIEM infrastructures, all these enhancements will be developed in a SIEM-independent way, as extensions to currently available systems, and will be validated in three large-scale production environments.