Alert Alchemy: SOC Workflows and Decisions in the Management of NIDS Rules

Research output: Chapter in Book/Conference proceedings/Edited volume > Conference contribution > Scientific > peer-review


Abstract

Signature-based network intrusion detection systems (NIDSs) and network intrusion prevention systems (NIPSs) remain at the heart of network defense, along with the rules that enable them to detect threats. These rules allow Security Operation Centers (SOCs) to properly defend a network, yet we know almost nothing about how rules are created, evaluated and managed from an organizational standpoint. In this work, we analyze the processes surrounding the creation, management, and acquisition of rules for network intrusion detection. To understand these processes, we conducted interviews with 17 professionals who work at Managed Security Service Providers (MSSPs) or other organizations that provide network monitoring as a service or conduct their own network monitoring internally. We discovered numerous critical factors, such as rule specificity and total number of alerts and false positives, that guide SOCs in their rule management processes. These lower-level aspects of network monitoring processes have generally been regarded as immutable by prior work, which has mainly focused on designing systems that handle the resulting alert flows by dynamically reducing the number of noisy alerts SOC analysts need to sift through. Instead, we present several recommendations that address these lower-level aspects to help improve alert quality and allow SOCs to better optimize workflows and use of available resources. These recommendations include increasing the specificity of rules, explicitly defining feedback loops from detection to rule development, and setting up organizational processes to improve the transfer of tacit knowledge.
Original language: English
Title of host publication: CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Subtitle of host publication: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery (ACM)
Pages: 2770–2784
Number of pages: 15
ISBN (Electronic): 9798400700507
ISBN (Print): 979-8-4007-0050-7
DOIs:
Publication status: Published - 2023
Event: 2023 ACM SIGSAC Conference on Computer and Communications Security - Tivoli Congress Center, Copenhagen, Denmark
Duration: 26 Nov 2023 to 30 Nov 2023
https://www.sigsac.org/ccs/CCS2023/

Conference

Conference: 2023 ACM SIGSAC Conference on Computer and Communications Security
Abbreviated title: CCS '23
Country/Territory: Denmark
City: Copenhagen
Period: 26/11/23 to 30/11/23
Internet address:

Keywords

  • human factors
  • interviews
  • NIDS rules
  • security operation centers
  • SOC
