Towards a Framework for Measuring the Performance of a Security Operations Center Analyst

Agyepong, Enoch; Cherdantseva, Yulia; Reinecke, Philipp; Burnap, Pete

doi:10.1109/cybersecurity49315.2020.9138872

Cited by 10 publications

(8 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The 2016 Global Information Security Survey notes that SOC is available in 56% of the organizations surveyed [15]. The importance of unified, consolidated cybersecurity incident prevention, detection, and response [16] [17] will grow as more companies understand [18].…”

Section: Methodsmentioning

confidence: 99%

“…However, security organizations are increasingly aware of the importance and significance of integrating persons, methods, and technology as an integral component of SIEM. As a result, the SOC has grown to a new level of functionality, combining people, mechanisms, and technology [15], [16]. Now SOCs can manage longer and more complex initiatives, manage thousands of warnings and incidents daily, record and track violations, and transnational coordinate practices, resolving the issue of IT harmonization.…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Hermes Ransomware v2.1 Action Monitoring using Next Generation Security Operation Center (NGSOC) Complex Correlation Rules

Dun¹,

Razak²,

Zolkipli³

et al. 2022

International Journal on Advanced Science, Engineering and Information Technology

View full text Add to dashboard Cite

A new malware is identified every fewer than five seconds in today's threat environment, which is changing at a rapid speed. As part of cybercrime, there is a lot of malware activity that can infect the system and make it problematic. Cybercrime is a rapidly growing field, allowing cyber thieves to engage in a wide range of damaging activities. Hacking, scams, child pornography, and identity theft are all examples of cybercrime. Cybercrime victims might be single entities or groups of persons who are being targeted for harm. Cybercrime and malware become more hazardous and damaging because of these factors. Subsequent to these factors, there is a need to construct Next Generation Security Operation Centers (NGSOCs). SOC consists of human resources, processes, and technology designed to deal with security events derived from the Security Incident Event Management (SIEM) log analysis. This research examines how Next Generation Security Operation Centers (NGSOCs) respond to malicious activity. This study develops a use case to detect the latest Hermes Ransomware v2.1 malware using complex correlation rules for the SIEM anomalies engine. This study aims to analyze and detect Hermes Ransomware v2.1. As a result, NGSOC distinguishes malware activities' initial stages by halting traffic attempts to download malware. By forwarding logs to SIEM, the use case can support Threat Analyst in finding other Indicators of Compromise (IOC) to assist organizations in developing a systematic and more preemptive approach for ransomware detection.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

Hermes Ransomware v2.1 Action Monitoring using Next Generation Security Operation Center (NGSOC) Complex Correlation Rules

Dun¹,

Razak²,

Zolkipli³

et al. 2022

International Journal on Advanced Science, Engineering and Information Technology

View full text Add to dashboard Cite

show abstract

“…The initial proposal and analysis of mathematical definitions of security indicators, such as «number of attacks», «minimum cost of attack», «maximum probability of attack» and even «attack surface» are given in [31]. The paper [32] proposes an initial framework for assessing system security by decomposing the system into security-sensitive components and assigning security ratings to each component. Summation of the scores of the components allows an assessment of system reliability.…”

Section: Literature Review and Problem Statementmentioning

confidence: 99%

Development of a concept for cybersecurity metrics classification

Yevseiev

Milov

Оpirskyy

et al. 2022

EEJET

View full text Add to dashboard Cite

The development of the IT industry and computing resources allows the formation of cyberphysical social systems (CPSS), which are the integration of wireless mobile and Internet technologies and the combination of the Internet of things with the technologies of cyberphysical systems. To build protection systems, while minimizing both computing and economic costs, various sets of security profiles are used, ensuring the continuity of critical business processes. To assess/compare the level of CPSS security, various assessment methods based on a set of metrics are generally used. Security metrics are tools for providing up-to-date information about the state of the security level, cost characteristics/parameters from both the defense and attack sides. However, the choice of such sets is not always the same/understandable to the average person. This, firstly, leads to the absence of a generally accepted and unambiguous definition, which means that one system is more secure than another. Secondly, it does not take into account the signs of synergy and hybridity of modern targeted attacks. Without this knowledge, it is impossible to show that the metric measures the security level objectively. Thirdly, there is no universal formal model for all metrics that could be used for rigorous analysis. The paper explores the possibility of defining a basic formal model (classifier) for analyzing security metrics. The proposed security assessment model takes into account not only the level of secrecy of information resources, the level of provision of security services, but also allows, based on the requirements put forward, forming the necessary set of security assessment metrics, taking into account the requirements for the continuity of business processes. The average value of the provision of security services to CPSS information resources is 0.99, with an average value of the security level of information resources of 0.8

show abstract

“…Standards & Guidelines [3], [30], [36], [60], [179] Security Audits & Maturity Assessments [2], [5], [63] Metrics [23], [30], [46], [57], [68], [81], [85], [163], [180]- [186] regulations. Additionally, the SOC team can help determine the IT risks for the company.…”

Section: Governance and Compliance Referencesmentioning

confidence: 99%

“…Historical performance metrics enable comparability between work-shifts or longer time periods [68]. Agyepong et al [85] conducted an extensive survey about performance metrics for SOCs and proposed a consecutive framework [186]. Examples: False positive rate [30], [68], average analysis time [68], readiness level [81], [181], Mean Time to Detect [185] • People metrics: To improve the performance of security analysts inside a SOC it is necessary to measure human activities and workflows [68].…”

Section: ) Metricsmentioning

confidence: 99%