Leon Kersten, Tom Mulders, Emmanuele Zambon, Chris Snijders, and Luca Allodi, Eindhoven University of Technology
Current threat analysis processes followed by tier-1 (T1) analysts in a Security Operation Centers (SOC) rely mainly on tacit knowledge, and can differ greatly across analysts. The lack of structure and clear objectives to T1 analyses contributes to analyst burnout, makes operative inefficiencies hard to spot, SOC performance hard to measure (and therefore improve), and results in overall lower security for the monitored environment(s). In this work we collaborate with a commercial SOC to devise a 4-stage (network) threat analysis process to support the collection and analysis of relevant information for threat analysis. We conduct an experiment with ten T1 analysts employed in the SOC and show that analysts following the proposed process are 2.5 times more likely to produce an accurate assessment than analysts who do not. We evaluate qualitatively the effects of the process on analysts decisions, and discuss implications for practice and research.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Leon Kersten and Tom Mulders and Emmanuele Zambon and Chris Snijders and Luca Allodi},
title = {{\textquoteright}Give Me Structure{\textquoteright}: Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center},
booktitle = {Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023)},
year = {2023},
isbn = {978-1-939133-36-6},
address = {Anaheim, CA},
pages = {97--111},
url = {https://www.usenix.org/conference/soups2023/presentation/kersten},
publisher = {USENIX Association},
month = aug
}