A Mathematical Framework for Evaluation of SOAR Tools with Limited Survey Data

Savannah Norem, Ashley E. Rice, Samantha Erwin, Robert A. Bridges, Sean Oesch, Brian Weber

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

2 Scopus citations

Abstract

Security operation centers (SOCs) all over the world are tasked with reacting to cybersecurity alerts ranging in severity. Security Orchestration, Automation, and Response (SOAR) tools streamline cybersecurity alert responses by SOC operators. SOAR tool adoption is expensive in both effort and cost. Hence, it is crucial to limit adoption to those tools that are most worthwhile; yet no research evaluating or comparing SOAR tools exists. The goal of this work is to evaluate several SOAR tools using specific criteria pertaining to their usability. SOC operators were first asked to complete a survey about which SOAR tool aspects are most important. Operators were then assigned a set of SOAR tools for which they viewed demonstration and overview videos, after which they completed a second survey in which they evaluated each of the tools on the aspects from the first survey. In addition, operators provided an overall rating for each of their assigned tools and ranked their tools in order of preference. Because SOC operators lack the time for thorough hands-on testing of every candidate, we provide a systematic method for downselecting a large pool of SOAR tools to a select few that merit next-step hands-on evaluation by SOC operators. Furthermore, the analyses conducted in this survey help to inform future development of SOAR tools, ensuring that the appropriate functions are available for use in a SOC.

Original language: English
Title of host publication: Computer Security. ESORICS 2021 International Workshops - CyberICPS, SECPRE, ADIoT, SPOSE, CPS4CIP, and CDT and SECOMANE, 2021
Editors: Sokratis Katsikas, Costas Lambrinoudakis, Nora Cuppens, John Mylopoulos, Christos Kalloniatis, Weizhi Meng, Steven Furnell, Frank Pallas, Jörg Pohle, M. Angela Sasse, Habtamu Abie, Silvio Ranise, Luca Verderame, Enrico Cambiaso, Jorge Maestre Vidal, Marco Antonio Sotelo Monge
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 557-575
Number of pages: 19
ISBN (Print): 9783030954833
DOIs
State: Published - 2022
Event: 7th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2021, 5th International Workshop on Security and Privacy Requirements Engineering, SECPRE 2021, 4th International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2021, 3rd Workshop on Security, Privacy, Organizations, and Systems Engineering, SPOSE 2021, 2nd Cyber-Physical Security for Critical Infrastructures Protection, CPS4CIP 2021 and 1st International Workshop on Cyber Defence Technologies and Secure Communications at the Network Edge, CDT and SECOMANE 2021, held in conjunction with the 26th European Symposium on Research in Computer Security, ESORICS 2021 - Virtual, Online
Duration: Oct 4 2021 - Oct 8 2021

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13106 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 7th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2021, 5th International Workshop on Security and Privacy Requirements Engineering, SECPRE 2021, 4th International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2021, 3rd Workshop on Security, Privacy, Organizations, and Systems Engineering, SPOSE 2021, 2nd Cyber-Physical Security for Critical Infrastructures Protection, CPS4CIP 2021 and 1st International Workshop on Cyber Defence Technologies and Secure Communications at the Network Edge, CDT and SECOMANE 2021, held in conjunction with the 26th European Symposium on Research in Computer Security, ESORICS 2021
City: Virtual, Online
Period: 10/4/21 - 10/8/21

Funding

This manuscript has been co-authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

Acknowledgements. Special thanks to Jeff Meredith for assisting with the website.

The research is based upon work supported by the Department of Defense (DOD), Naval Information Warfare Systems Command (NAVWAR), via the Department of Energy (DOE) under contract DE-AC05-00OR22725. The views and conclusions contained herein are those of the authors and should not be interpreted as representing the official policies or endorsements, either expressed or implied, of the DOD, NAVWAR, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon.

Funders (funder number, where given):
DOE Public Access Plan
U.S. Department of Defense
U.S. Department of Energy (DE-AC05-00OR22725)
Naval Information Warfare Systems Command

Keywords

• Cybersecurity
• SOAR tools
• User study