SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with n = 124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.
Original language: English
Title of host publication: Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
Place of Publication: New York, NY, USA
Publisher: Association for Computing Machinery, Inc
Pages: 141–153
Number of pages: 13
ISBN (Electronic): 9781450388580
ISBN (Print): 9781450388580
DOIs
Publication status: Published - 9 Dec 2020
Event: Annual Computer Security Applications Conference 2020
Duration: 9 Dec 2020 - 11 Dec 2020
https://www.acsac.org/2020

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: Annual Computer Security Applications Conference 2020
Abbreviated title: ACSAC 2020
Period: 9/12/20 - 11/12/20
Internet address

Keywords

  • Cyber Security Operations Center
  • Evaluation
  • Performance
  • SOC

