True Attacks, Attack Attempts, or Benign Triggers? An Empirical Measurement of Network Alerts in a Security Operations Center
Limin Yang, Phuong Cao, Constantin Adam, Alexander Withers, Zbigniew Kalbarczyk
33rd USENIX Security Symposium · Day 1 · USENIX Security '24
Security Operations Centers (SOCs) monitor large networks for anomalies and respond to the incidents they detect. In practice, however, SOCs are routinely overwhelmed by the volume of security alerts, which degrades their effectiveness and wears down their analysts. This talk presents a quantitative study of the day-to-day operation of an enterprise SOC, using its real alert data to separate three classes of alert: successful attacks, attack attempts that did not succeed, and benign network activity that nonetheless triggers detection rules.
AI review
This talk presents a rare, data-driven analysis of real-world SOC alerts, empirically quantifying the signal-to-noise problem. The research provides critical insights into human bottlenecks and introduces a novel 'Rarity Score' method to prioritize true attacks, making it essential for any defender.
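As an added illustration, not code from the paper and not its Rarity Score (which this page does not define), the following Python example shows the general idea of rarity-based triage: each new alert is scored by how seldom its signature/port pair appeared in a recent baseline, so that a never-seen alert sorts above the constant scanner noise the abstract describes. The signature names, ports and counts are constructed for the example, and the add-one-smoothed score is an assumption of this example, not the paper's formula.

```python
import math
from collections import Counter

# Constructed sample data (not from the paper's SOC dataset). Each alert is
# (signature, destination_port); BASELINE is the recent history an analyst
# would compare a new batch of alerts against.
BASELINE = (
    [("SCAN_PORT_SWEEP", 22)] * 8
    + [("SSH_BRUTE_FORCE", 22)] * 3
    + [("WEBSHELL_UPLOAD", 443)]
)
NEW_ALERTS = [
    ("SCAN_PORT_SWEEP", 22),      # seen constantly: benign trigger / noise
    ("SSH_BRUTE_FORCE", 22),      # common attack attempt
    ("OUTBOUND_DNS_TUNNEL", 53),  # never seen before: worth an analyst's time
]


def rarity_scores(baseline, candidates):
    """Score each candidate alert by how rarely its key appeared in baseline.

    score = -log2(p), where p is the add-one-smoothed probability of the key
    in the baseline, so a never-seen key still gets a finite (and the highest)
    score. This is a generic frequency-based measure chosen for this example,
    an assumption here, not the definition used in the paper.
    """
    counts = Counter(baseline)
    total = len(baseline)
    vocab = len(counts) + 1  # one extra bucket reserved for unseen keys
    return {
        key: -math.log2((counts.get(key, 0) + 1) / (total + vocab))
        for key in set(candidates)
    }


def triage(baseline, candidates, top_n=3):
    """Return candidate keys ranked rarest first, the order an analyst would work them."""
    scores = rarity_scores(baseline, candidates)
    # Sort by descending score, then by key so ties are deterministic.
    return sorted(scores, key=lambda k: (-scores[k], k))[:top_n]


if __name__ == "__main__":
    scores = rarity_scores(BASELINE, NEW_ALERTS)
    for key in triage(BASELINE, NEW_ALERTS):
        print(f"{key}: rarity {scores[key]:.2f}")
```

With the constructed baseline of 12 alerts, the never-seen DNS-tunnel alert scores 4.0, the brute-force attempts 2.0, and the port sweep about 0.83, so the queue presents the unusual alert first. In a real deployment the baseline would be a sliding window of recent alerts and the key would include whatever fields make a benign trigger repeat (rule ID, source, destination, port), which is exactly the kind of grouping a measurement study like this one is needed to justify.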