SOTER: A Playbook for Cybersecurity Incident Management

Onwubiko, Cyril; Ouazzane, Karim

doi:10.1109/tem.2020.2979832

Cited by 28 publications

(16 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The above literature review provided context to frame our research questions when interviewing experts on the challenges facing contemporary SOCs. Studies such as Alahmadi et al (2022) and Onwubiko and Ouazzane (2022) have shown that the high rate of false positive alarms produced by security tools is an operational challenge for SOC analysts, and it is unclear how cyber deception would influence this false positive rate. Additionally, research such as Cho et al (2020) has shown that tacit knowledge plays a crucial role in the decision-making processes of SOC analysts, and that simulations and physical proximity with analysts and vendors can facilitate the transfer of this knowledge.…”

Section: Current Studymentioning

confidence: 99%

Understanding decision making in security operations centres: building the case for cyber deception technology

Reeves

Ashenden

2023

Front. Psychol.

View full text Add to dashboard Cite

IntroductionA Security Operations Centre (SOC) is a command centre where analysts monitor network activity, analyse alerts, investigate potential threats, and respond to incidents. By analysing data activities around the clock, SOC teams are crucial in ensuring the prompt detection and response to security incidents. SOC analysts work under considerable pressure to triage and respond to alerts in very short time frames. Cyber deception technology offers the promise of buying SOC analysts more time to respond by wasting the resources and time of attackers, yet such technology remains underutilised.MethodWe carried out a series of interviews with experts to uncover the barriers which prevent the effective implementation of cyber deception in SOCs.ResultsBy using thematic analysis on the data, it was clear that while cyber deception technology is promising it is hindered by a lack of use cases, limited empirical research that demonstrates the efficacy of the technology, hesitancy to embrace a more active form of cyber defence, issues surrounding the over promising of results by off-the-shelf vendors, and an aversion to interrupting the decision-making processes of SOC analysts.DiscussionTaking this last point about the decision-making processes of SOC analysts we make the case that naturalistic decision making (NDM) would help us better understand how SOC analysts make decisions and how cyber deception technology could be used to best effect.

show abstract

Section: Current Studymentioning

confidence: 99%

Understanding decision making in security operations centres: building the case for cyber deception technology

Reeves

Ashenden

2023

Front. Psychol.

View full text Add to dashboard Cite

show abstract

“…Prior to the occurrence of a significant security attack or during active cybersecurity incident investigation, having the necessary information sharing strategy in place and effectively executing such strategy is very important for ensuring that all parties are kept informed in the prior, during, and post stages of any given cybersecurity incident handling [65], [66], [67], [64], [68], [69]. "Information about threats can improve an organization's situational awareness, expand its understanding of the current threat horizon and increase its defensive agility by improving decision making" [64].…”

Section: ) Information Sharingmentioning

confidence: 99%

Threat Actors’ Tenacity to Disrupt: Examination of Major Cybersecurity Incidents

et al. 2022

View full text Add to dashboard Cite

show abstract

“…18) Prioritization: Not all incident response information must be treated equal. As there are severe and less severe security incidents the prioritization concept is relevant for incident response formats [99]. In general, prioritization expresses the urgency of incident response execution relative to other incident response procedures.…”

Section: Security Conceptsmentioning

confidence: 99%

A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective

Schlette

Caselli

Pernul

2021

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

IEEE Communications Surveys & Tutorials IEEE COMMUNICATIONS SURVEYS & TUTORIALS 2 followed by Detection & Analysis, Containment, Eradication & Recovery and concludes with Post-Incident Activity. It is worth mentioning that between the four phases feedback loops exist. Other incident handling process models (e.g., CERT/CC [24], ITIL [25], [26], [27]) are in line with the NIST incident response life cycle. Nevertheless, often incident response is narrowed down to only the Containment, Eradication & Recovery activities, whereas incident management and incident handling provide the larger reference framework [27], [21]. We follow this more precise approach and center on the pivotal activities of incident response. An elementary subarea in conjunction with incident response and its community is digital forensics. Digital forensics concerns data gathering and the detailed analysis of circumstances surrounding a security incident [26]. Within the NIST incident response life cycle, digital forensics mainly precedes the incident response action itself and can be attributed to Detection & Analysis. For our work, we separate between digital forensics and incident response and exclude the former. However, due to the nature of the analyzed data formats, there is at times overlap concerning investigative incident response activities. This situation leads to the focus of this survey described in Figure 2. The starting point of incident response and its standardization is hereby defined as trigger, alert, or event detected by an Intrusion Detection System (IDS), Security Information and Event Management (SIEM), or similar system, which then requires incident response actions. Also, CTI feeds, and structured threat reports are possible external starting points.

show abstract

SOTER: A Playbook for Cybersecurity Incident Management

Cited by 28 publications

References 13 publications

Understanding decision making in security operations centres: building the case for cyber deception technology

Understanding decision making in security operations centres: building the case for cyber deception technology

Threat Actors’ Tenacity to Disrupt: Examination of Major Cybersecurity Incidents

A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective

Contact Info

Product

Resources

About