SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

Martin Rosso; Michele Campobasso; Ganduulga Gankhuyag; Luca Allodi

doi:10.1145/3427228.3427233

SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

Martin Rosso, Michele Campobasso, Ganduulga Gankhuyag, Luca Allodi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with n = 124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.

Original language	English
Title of host publication	Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
Place of Publication	New York, NY, USA
Publisher	Association for Computing Machinery, Inc
Pages	141–153
Number of pages	13
ISBN (Electronic)	9781450388580
ISBN (Print)	9781450388580
DOIs	https://doi.org/10.1145/3427228.3427233
Publication status	Published - 9 Dec 2020
Event	Annual Computer Security Applications Conference 2020 - Duration: 9 Dec 2020 → 11 Dec 2020 https://www.acsac.org/2020

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	Annual Computer Security Applications Conference 2020
Abbreviated title	ACSAC 2020
Period	9/12/20 → 11/12/20
Internet address	https://www.acsac.org/2020

Keywords

Cyber Security Operations Center
Evaluation
Performance
SOC

Access to Document

10.1145/3427228.3427233Licence: Other

Fingerprint Dive into the research topics of 'SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers'. Together they form a unique fingerprint.

Distinguished Paper with Artifacts Award
Rosso, Martin (Recipient), Campobasso, Michele (Recipient), Gankhuyag, Ganduulga (Recipient) & Allodi, Luca (Recipient), 9 Dec 2020
Prize: Other › Career, activity or publication related prizes (lifetime, best paper, poster etc.) › Scientific

Cite this

Rosso, M., Campobasso, M., Gankhuyag, G., & Allodi, L. (2020). SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. In Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020 (pp. 141–153). [3427233] (ACM International Conference Proceeding Series). Association for Computing Machinery, Inc. https://doi.org/10.1145/3427228.3427233

Rosso, Martin ; Campobasso, Michele ; Gankhuyag, Ganduulga ; Allodi, Luca. / SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020. New York, NY, USA : Association for Computing Machinery, Inc, 2020. pp. 141–153 (ACM International Conference Proceeding Series).

@inproceedings{4ba8e2bb1a7646429f11ccb608d4f6be,

title = "SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers",

abstract = "In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with n = 124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.",

keywords = "Cyber Security Operations Center, Evaluation, Performance, SOC",

author = "Martin Rosso and Michele Campobasso and Ganduulga Gankhuyag and Luca Allodi",

year = "2020",

month = dec,

day = "9",

doi = "10.1145/3427228.3427233",

language = "English",

isbn = "9781450388580",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery, Inc",

pages = "141–153",

booktitle = "Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020",

address = "United States",

note = "Annual Computer Security Applications Conference 2020, ACSAC 2020 ; Conference date: 09-12-2020 Through 11-12-2020",

url = "https://www.acsac.org/2020",

}

Rosso, M , Campobasso, M , Gankhuyag, G & Allodi, L 2020, SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. in Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020., 3427233, ACM International Conference Proceeding Series, Association for Computing Machinery, Inc, New York, NY, USA, pp. 141–153, Annual Computer Security Applications Conference 2020, 9/12/20. https://doi.org/10.1145/3427228.3427233

SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. / Rosso, Martin ; Campobasso, Michele ; Gankhuyag, Ganduulga ; Allodi, Luca.

Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020. New York, NY, USA : Association for Computing Machinery, Inc, 2020. p. 141–153 3427233 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

AU - Rosso, Martin

AU - Campobasso, Michele

AU - Gankhuyag, Ganduulga

AU - Allodi, Luca

PY - 2020/12/9

Y1 - 2020/12/9

N2 - In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with n = 124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.

AB - In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with n = 124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.

KW - Cyber Security Operations Center

KW - Evaluation

KW - Performance

KW - SOC

UR - https://gitlab.tue.nl/saibersoc

UR - http://www.scopus.com/inward/record.url?scp=85098093430&partnerID=8YFLogxK

U2 - 10.1145/3427228.3427233

DO - 10.1145/3427228.3427233

M3 - Conference contribution

SN - 9781450388580

T3 - ACM International Conference Proceeding Series

SP - 141

EP - 153

BT - Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020

PB - Association for Computing Machinery, Inc

CY - New York, NY, USA

T2 - Annual Computer Security Applications Conference 2020

Y2 - 9 December 2020 through 11 December 2020

ER -

Rosso M , Campobasso M , Gankhuyag G , Allodi L. SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. In Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020. New York, NY, USA: Association for Computing Machinery, Inc. 2020. p. 141–153. 3427233. (ACM International Conference Proceeding Series). https://doi.org/10.1145/3427228.3427233

SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

Abstract

Publication series

Conference

Keywords

Access to Document

Distinguished Paper with Artifacts Award

Cite this