A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events

Leon Kersten; Santiago Darré; Tom Mulders; Emmanuele Zambon; Marco Caselli; Chris C.P. Snijders; Luca Allodi

doi:10.1109/ACSAC63791.2024.00076

A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events

Leon Kersten, Santiago Darré, Tom Mulders, Emmanuele Zambon, Marco Caselli, Chris C.P. Snijders, Luca Allodi

Onderzoeksoutput: Hoofdstuk in Boek/Rapport/Congresprocedure › Conferentiebijdrage › Academic › peer review

247 Downloads (Pure)

Samenvatting

The investigations run by tier 1 (T1) analysts in a Security Operation Center are critical to the SOC operations as they represent the first gateway to alert escalation and incident response. Critically, they demand an accurate and as-complete-as-possible understanding of the events surrounding the investigated alert. This is a complex task inexperienced T1 analysts can easily lose track of. In this work, we collaborate with a commercial SOC to develop an alert investigation support tool to help inexperienced analysts identify and collect all the information relevant to the investigation of an alert. We evaluate the prototype tool with two qualitative studies. The first study employs T1 analysts from the SOC to evaluate the conformity of the tool to the underpinning analysis process. The second study employs 57 students, recruited from the same pool where the SOC acquires its junior analysts from, to evaluate whether it helps inexperienced analysts develop a complete understanding of events surrounding security alert data. Our findings suggest that employing the tool helps inexperienced analysts form a more accurate understanding of attacks, at no time cost. We discuss the wider implications for research and practice.

Originele taal-2	Engels
Titel	2024 Annual Computer Security Applications Conference, ACSAC 2024
Uitgeverij	Institute of Electrical and Electronics Engineers
Pagina's	890-905
Aantal pagina's	16
ISBN van elektronische versie	979-8-3315-2088-5
DOI's	https://doi.org/10.1109/ACSAC63791.2024.00076
Status	Gepubliceerd - 18 mrt. 2025
Evenement	40th Annual Computer Security Applications Conference, ACSAC 2024 - Honolulu, Verenigde Staten van Amerika Duur: 9 dec. 2024 → 13 dec. 2024

Congres

Congres	40th Annual Computer Security Applications Conference, ACSAC 2024
Verkorte titel	ACSAC 2024
Land/Regio	Verenigde Staten van Amerika
Stad	Honolulu
Periode	9/12/24 → 13/12/24

Financiering

This work is supported by the SeReNity project, Grant No. cs.010, funded by Netherlands Organisation for Scientific Research (NWO), by the INTERSECT project, Grant No. NWA.1162.18.301, funded by NWO and by the CATRIN project, Grant No. NWA.1215.18.003. The authors also thank the Eindhoven security hub SOC for its collaboration in this work.

Financiers	Financiernummer
NWO	NWA.1215.18.003
NWO	CS.010
NWO	NWA.1162.18.301

Toegang tot document

10.1109/ACSAC63791.2024.00076

AISS_ACSAC24Licentie: CC BY

Andere bestanden en links

Link naar publicatie in Scopus

Document onder embargo

pdf
Definitieve gepubliceerde versie, 963 KB
Licentie: TAVERNE
Embargo eindigt: 18/09/25

Citeer dit

Kersten, L., Darré, S., Mulders, T., Zambon, E., Caselli, M., Snijders, C. C. P., & Allodi, L. (2025). A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events. In 2024 Annual Computer Security Applications Conference, ACSAC 2024 (blz. 890-905). Artikel 10917883 Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ACSAC63791.2024.00076

@inproceedings{cf3d99ab51604facb6d4f358475e6890,

title = "A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events",

abstract = "The investigations run by tier 1 (T1) analysts in a Security Operation Center are critical to the SOC operations as they represent the first gateway to alert escalation and incident response. Critically, they demand an accurate and as-complete-as-possible understanding of the events surrounding the investigated alert. This is a complex task inexperienced T1 analysts can easily lose track of. In this work, we collaborate with a commercial SOC to develop an alert investigation support tool to help inexperienced analysts identify and collect all the information relevant to the investigation of an alert. We evaluate the prototype tool with two qualitative studies. The first study employs T1 analysts from the SOC to evaluate the conformity of the tool to the underpinning analysis process. The second study employs 57 students, recruited from the same pool where the SOC acquires its junior analysts from, to evaluate whether it helps inexperienced analysts develop a complete understanding of events surrounding security alert data. Our findings suggest that employing the tool helps inexperienced analysts form a more accurate understanding of attacks, at no time cost. We discuss the wider implications for research and practice.",

keywords = "alert analysis, incident investigation, security analysts, security operation center",

author = "Leon Kersten and Santiago Darr{\'e} and Tom Mulders and Emmanuele Zambon and Marco Caselli and Snijders, {Chris C.P.} and Luca Allodi",

year = "2025",

month = mar,

day = "18",

doi = "10.1109/ACSAC63791.2024.00076",

language = "English",

pages = "890--905",

booktitle = "2024 Annual Computer Security Applications Conference, ACSAC 2024",

publisher = "Institute of Electrical and Electronics Engineers",

address = "United States",

note = "40th Annual Computer Security Applications Conference, ACSAC 2024, ACSAC 2024 ; Conference date: 09-12-2024 Through 13-12-2024",

}

Kersten, L, Darré, S, Mulders, T , Zambon, E, Caselli, M, Snijders, CCP & Allodi, L 2025, A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events. in 2024 Annual Computer Security Applications Conference, ACSAC 2024., 10917883, Institute of Electrical and Electronics Engineers, blz. 890-905, 40th Annual Computer Security Applications Conference, ACSAC 2024, Honolulu, Hawaï, Verenigde Staten van Amerika, 9/12/24. https://doi.org/10.1109/ACSAC63791.2024.00076

A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events. / Kersten, Leon; Darré, Santiago; Mulders, Tom et al.
2024 Annual Computer Security Applications Conference, ACSAC 2024. Institute of Electrical and Electronics Engineers, 2025. blz. 890-905 10917883.

Onderzoeksoutput: Hoofdstuk in Boek/Rapport/Congresprocedure › Conferentiebijdrage › Academic › peer review

TY - GEN

T1 - A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events

AU - Kersten, Leon

AU - Darré, Santiago

AU - Mulders, Tom

AU - Zambon, Emmanuele

AU - Caselli, Marco

AU - Snijders, Chris C.P.

AU - Allodi, Luca

PY - 2025/3/18

Y1 - 2025/3/18

N2 - The investigations run by tier 1 (T1) analysts in a Security Operation Center are critical to the SOC operations as they represent the first gateway to alert escalation and incident response. Critically, they demand an accurate and as-complete-as-possible understanding of the events surrounding the investigated alert. This is a complex task inexperienced T1 analysts can easily lose track of. In this work, we collaborate with a commercial SOC to develop an alert investigation support tool to help inexperienced analysts identify and collect all the information relevant to the investigation of an alert. We evaluate the prototype tool with two qualitative studies. The first study employs T1 analysts from the SOC to evaluate the conformity of the tool to the underpinning analysis process. The second study employs 57 students, recruited from the same pool where the SOC acquires its junior analysts from, to evaluate whether it helps inexperienced analysts develop a complete understanding of events surrounding security alert data. Our findings suggest that employing the tool helps inexperienced analysts form a more accurate understanding of attacks, at no time cost. We discuss the wider implications for research and practice.

AB - The investigations run by tier 1 (T1) analysts in a Security Operation Center are critical to the SOC operations as they represent the first gateway to alert escalation and incident response. Critically, they demand an accurate and as-complete-as-possible understanding of the events surrounding the investigated alert. This is a complex task inexperienced T1 analysts can easily lose track of. In this work, we collaborate with a commercial SOC to develop an alert investigation support tool to help inexperienced analysts identify and collect all the information relevant to the investigation of an alert. We evaluate the prototype tool with two qualitative studies. The first study employs T1 analysts from the SOC to evaluate the conformity of the tool to the underpinning analysis process. The second study employs 57 students, recruited from the same pool where the SOC acquires its junior analysts from, to evaluate whether it helps inexperienced analysts develop a complete understanding of events surrounding security alert data. Our findings suggest that employing the tool helps inexperienced analysts form a more accurate understanding of attacks, at no time cost. We discuss the wider implications for research and practice.

KW - alert analysis

KW - incident investigation

KW - security analysts

KW - security operation center

UR - http://www.scopus.com/inward/record.url?scp=105001405286&partnerID=8YFLogxK

U2 - 10.1109/ACSAC63791.2024.00076

DO - 10.1109/ACSAC63791.2024.00076

M3 - Conference contribution

SP - 890

EP - 905

BT - 2024 Annual Computer Security Applications Conference, ACSAC 2024

PB - Institute of Electrical and Electronics Engineers

T2 - 40th Annual Computer Security Applications Conference, ACSAC 2024

Y2 - 9 December 2024 through 13 December 2024

ER -

Kersten L, Darré S, Mulders T , Zambon E, Caselli M, Snijders CCP et al. A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events. In 2024 Annual Computer Security Applications Conference, ACSAC 2024. Institute of Electrical and Electronics Engineers. 2025. blz. 890-905. 10917883 doi: 10.1109/ACSAC63791.2024.00076

A Security Alert Investigation Tool Supporting Tier 1 Analysts in Contextualizing and Understanding Network Security Events

Samenvatting

Congres

Financiering

Toegang tot document

Andere bestanden en links

Document onder embargo

Vingerafdruk

Citeer dit