Matched and Mismatched SOCs

Kokulu, Faris Bugra; Soneji, Ananta; Bao, Tiffany; Shoshitaishvili, Yan; Zhao, Ziming; Doupé, Adam; Ahn, Gail-Joon

doi:10.1145/3319535.3354239

Cited by 53 publications

(36 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In their survey investigating threat intelligence, Tounsi et al [7] specifically call for methods to evaluate the quality of threat intelligence. This also applies to the wider organizational security operations center (SOC) context as low-quality CTI is identified to be a pivotal issue [12]. To the best of our knowledge, there is no respective academic work addressing these open issues.…”

Section: Related Workmentioning

confidence: 99%

Measuring and visualizing cyber threat intelligence quality

Schlette

Böhm

Caselli

et al. 2020

Int. J. Inf. Secur.

View full text Add to dashboard Cite

The very raison d'être of cyber threat intelligence (CTI) is to provide meaningful knowledge about cyber security threats. The exchange and collaborative generation of CTI by the means of sharing platforms has proven to be an important aspect of practical application. It is evident to infer that inaccurate, incomplete, or outdated threat intelligence is a major problem as only high-quality CTI can be helpful to detect and defend against cyber attacks. Additionally, while the amount of available CTI is increasing it is not warranted that quality remains unaffected. In conjunction with the increasing number of available CTI, it is thus in the best interest of every stakeholder to be aware of the quality of a CTI artifact. This allows for informed decisions and permits detailed analyses. Our work makes a twofold contribution to the challenge of assessing threat intelligence quality. We first propose a series of relevant quality dimensions and configure metrics to assess the respective dimensions in the context of CTI. In a second step, we showcase the extension of an existing CTI analysis tool to make the quality assessment transparent to security analysts. Furthermore, analysts' subjective perceptions are, where necessary, included in the quality assessment concept.

show abstract

Section: Related Workmentioning

confidence: 99%

Measuring and visualizing cyber threat intelligence quality

Schlette

Böhm

Caselli

et al. 2020

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…Tools and procedure to support security analysts in incident response and network monitoring (such as Network Intrusion Detection Systems (NIDS) and Security Information and Event Management (SIEM)) are at the core of modern security monitoring in operational settings. Security Operation Centers (SOCs) are the center of monitoring operations in medium or large organizations, either internally or outsourced to service providers [16,20]. SOCs are organized hierarchically in (generally three) tiers [20], where analysts with different skills and expertise monitor the network activity and take action against a threat.…”

Section: Security Monitoring Operationsmentioning

confidence: 99%

“…The growing importance of effective security monitoring solutions calls for appropriate measures of their effectiveness. The operation of Security Operation Centers (SOCs) is the recommended best practice to which large and medium-size enterprises rely for the detection, notification, and ultimately response to cybersecurity incidents [16,20]. Yet, the average time for detecting an attack ranges between several weeks to years [36].…”

Section: Introductionmentioning

confidence: 99%

“…Yet, the average time for detecting an attack ranges between several weeks to years [36]. In a recent study, Kokulu et al [16] interviewed security analysts and mangers, who explicitly identify the issue of measuring SOC performance as one of the main obstacles towards effective detection and response operations.…”

Section: Introductionmentioning

confidence: 99%

“…[30], it is still unclear how to obtain reliable and reproducible measures over those metrics. As incoming attacks are, by definition, unknown, a ground truth on which to base the measurements cannot be easily defined; on the other hand, performing measurements in in-vitro settings limits the representativeness of those measurements in real-world settings [16,29].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

Rosso

Campobasso

Gankhuyag

et al. 2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with 𝑛 = 124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software. CCS CONCEPTS• Security and privacy → Intrusion/anomaly detection and malware mitigation; Systems security.

show abstract

A Survey of User Experience in Usable Security and Privacy Research

Jacobs

McDaniel

2022

HCI for Cybersecurity, Privacy and Trust

View full text Add to dashboard Cite

Matched and Mismatched SOCs

Cited by 53 publications

References 30 publications

Measuring and visualizing cyber threat intelligence quality

Measuring and visualizing cyber threat intelligence quality

SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

A Survey of User Experience in Usable Security and Privacy Research

Contact Info

Product

Resources

About