Leon Kersten (Eindhoven University of Technology), Kim Beelen (Eindhoven University of Technology), Emmanuele Zambon (Eindhoven University of Technology), Chris Snijders (Eindhoven University of Technology), Luca Allodi (Eindhoven University of Technology)

The alert investigation processes junior (Tier-1) analysts follow are critical to attack detection and communication in Security Operation Centers (SOCs). Yet little is known on how analysts conduct alert investigations, which information they consider, and when. In this work, we collaborate with a commercial SOC and employ two think-aloud experiments. The first is to evaluate the alert investigation process followed by professional T1 analysts, and identify criticalities within. For the second experiment, we develop an alert investigation support system (AISS), integrate it into the SOC environment, and evaluate its effect on alert investigations with another cohort of T1 analysts. The experiments observe five and four analysts, respectively, conducting 400 and 36 investigations, respectively. Our results show that the analysts’ natural analysis process differs between analysts and types of alerts and that the AISS aids the analyst in gathering more relevant information while performing fewer actions for critical security alerts.

View More Papers

CASPR: Context-Aware Security Policy Recommendation

Lifang Xiao (Institute of Information Engineering, Chinese Academy of Sciences), Hanyu Wang (Institute of Information Engineering, Chinese Academy of Sciences), Aimin Yu (Institute of Information Engineering, Chinese Academy of Sciences), Lixin Zhao (Institute of Information Engineering, Chinese Academy of Sciences), Dan Meng (Institute of Information Engineering, Chinese Academy of Sciences)

Read More

Securing BGP ASAP: ASPA and other Post-ROV Defenses

Justin Furuness (University of Connecticut), Cameron Morris (University of Connecticut), Reynaldo Morillo (University of Connecticut), Arvind Kasiliya (University of Connecticut), Bing Wang (University of Connecticut), Amir Herzberg (University of Connecticut)

Read More

User Comprehension and Comfort with Eye-Tracking and Hand-Tracking Permissions...

Kaiming Cheng (University of Washington), Mattea Sim (Indiana University), Tadayoshi Kohno (University of Washington), Franziska Roesner (University of Washington)

Read More

YuraScanner: Leveraging LLMs for Task-driven Web App Scanning

Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Giancarlo Pellegrino (CISPA Helmholtz Center for Information Security)

Read More