CAREER: SATC: Bridging the Gap Between Research and Practice: Automation and Metrics in Security Operation Centers

Primary Investigator:
Alexandru "Alex" Bardas
Funding:
$524,322.00
Sponsor:
NATIONAL SCIENCE FOUNDATION
Sponsor Type:
Federal
Beginning Fiscal Year:
2022
Award Type:
Grant

Abstract

Security Operation Centers (SOCs) are pivotal entities of modern enterprise networks in industry, academia, and the government sector. Organizations usually deploy SOCs to manage their network operations, defend against threats in cyberspace, and maintain regulatory compliance. Automation and metrics play key roles in the effectiveness of SOC environments. Unfortunately, security-driven automation in SOCs is often implemented in ad hoc ways and is not accurately reflected in the metrics. Even though SOC environments deal with constantly changing threats, the IT systems on their enterprise networks and the SOC procedures themselves are fairly static. Current SOC metrics tend to focus on straightforward quantitative measurements (e.g., the number of closed tickets), while the role of human analysts in the automation process is not accurately assessed. This project's novelties include the creation of a SOC framework that enables tailored security-focused automation for operational environments, assesses the role of humans in this process, and reflects the outcomes in the metrics. The project's broader significance lies in triggering a major change in the current attacker mode of operation, shifting the SOC landscape from "all defenses need to succeed" to "all attacks need to succeed for the adversary to maintain persistent access", that is, "turning the tables" on adversaries. Moreover, this project provides opportunities for curriculum enhancements by integrating research results into cybersecurity courses, affords students an opportunity to participate in research on security operations, and thereby supports careers in cybersecurity research and practice.
On the technical side, this project explores the integration of feature-rich DevOps/DevSecOps approaches into dynamic operational environments to establish security baselines. In this context, DevOps and DevSecOps are sets of practices that combine software development and IT operations in cybersecurity-related setups. On the human capital side, the research team adopts a sociotechnical approach to studying organizational environments, analyzing people and technological artifacts as interacting components. Rather than taking a partial, purely social or purely technical approach, the project integrates research and education outcomes so that they feed into each other. The project includes an ethnographic SOC fieldwork component, the design of multi-segment abstractions for enabling security baselines, an analysis of the transition from SOC analyst to infrastructure programmer, and an evaluation of the SOC framework components across different environments. Results are broadly disseminated via publications, presentations/tutorials, and online resources. Overall, the outcomes of this project will expand the means available to SOCs to significantly increase the burden on attackers and lower their ability to compromise enterprise networks.