Matched and mismatched SOCs: A qualitative study on security operations center issues

Faris Bugra Kokulu, Yan Shoshitaishvili, Ananta Soneji, Ziming Zhao, Gail Joon Ahn, Tiffany Bao, Adam Doupé

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Organizations, such as companies and governments, created Security Operations Centers (SOCs) to defend against computer security attacks. SOCs are central defense groups that focus on security incident management with capabilities such as monitoring, preventing, responding, and reporting. They are one of the most critical components of a modern organization's defense. Despite their critical importance to organizations, and the high frequency of reported security incidents, only a few research studies focus on problems specific to SOCs. In this study, to understand and identify the issues of SOCs, we conducted 18 semi-structured interviews with SOC analysts and managers who work for organizations from different industry sectors. Through our analysis of the interview data, we identified technical and non-technical issues that exist in SOCs. Moreover, we found inherent disagreements between SOC managers and their analysts that, if not addressed, could entail a risk to SOC efficiency and effectiveness. We distill these issues into takeaways that apply both to future academic research and to SOC management. We believe that research should focus on improving the efficiency and effectiveness of SOCs.

Original language: English (US)
Title of host publication: CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1955-1970
Number of pages: 16
ISBN (Electronic): 9781450367479
DOI: 10.1145/3319535.3354239
State: Published - Nov 6 2019
Event: 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 - London, United Kingdom
Duration: Nov 11 2019 to Nov 15 2019

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
Country: United Kingdom
City: London
Period: 11/11/19 to 11/15/19

Fingerprint

Managers
Security of data
Industry
Monitoring

Keywords

  • Human factors
  • Interviews
  • Security Operations Center

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Kokulu, F. B., Shoshitaishvili, Y., Soneji, A., Zhao, Z., Ahn, G. J., Bao, T., & Doupé, A. (2019). Matched and mismatched SOCs: A qualitative study on security operations center issues. In CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 1955-1970). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3319535.3354239
