Authentication-Event Processing for Enhanced SOC Investigations

Seth Hasings (University of Tulsa)

Security Operations Centers (SOCs) receive thousands of security alerts each day, and analysts are responsible for evaluating each alert and initiating corrective action when necessary. Many of these alerts require consulting user authentication logs, which are notoriously messy and designed for machine use rather than human interpretability. We apply a novel methodology for processing raw logs into interpretable user authentication events in a university SOC dashboard tool. We review steps for data processing and describe views designed for analysts. To illustrate its value, we utilized the dashboard on a 90-day sample of alert logs from a university SOC. We present two representative alerts from the sample as case studies to motivate and demonstrate the generalized workflows. We show that enhanced data from the dashboard could be utilized to completely investigate over 84% of alerts in the sample without additional context or tools, and a further 13% could be partially investigated.

Paper

View More Papers

Translating C To Rust: Lessons from a User Study

Ruishi Li (National University of Singapore), Bo Wang (National University of Singapore), Tianyu Li (National University of Singapore), Prateek Saxena (National University of Singapore), Ashish Kundu (Cisco Research)

NodeMedic-FINE: Automatic Detection and Exploit Synthesis for Node.js Vulnerabilities

Darion Cassel (Carnegie Mellon University), Nuno Sabino (IST & CMU), Min-Chien Hsu (Carnegie Mellon University), Ruben Martins (Carnegie Mellon University), Limin Jia (Carnegie Mellon University)

Revisiting EM-based Estimation for Locally Differentially Private Protocols

Yutong Ye (Institute of software, Chinese Academy of Sciences & Zhongguancun Laboratory, Beijing, PR.China.), Tianhao Wang (University of Virginia), Min Zhang (Institute of Software, Chinese Academy of Sciences), Dengguo Feng (Institute of Software, Chinese Academy of Sciences)