SAIBERSOC: A Methodology and Tool for Experimenting with Security Operation Centers


Abstract

In this article, we introduce SAIBERSOC (Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers), a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs), or any other security monitoring infrastructure. The methodology relies on the MITRE ATT&CK Framework to define a procedure for generating synthetic attacks and automatically injecting them into an operational SOC in order to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation). To evaluate the effectiveness of the proposed methodology, we devise an experiment with students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.

Citation (APA)

Rosso, M., Campobasso, M., Gankhuyag, G., & Allodi, L. (2022). SAIBERSOC: A Methodology and Tool for Experimenting with Security Operation Centers. In Digital Threats: Research and Practice (Vol. 3). Association for Computing Machinery. https://doi.org/10.1145/3491266
