Security operations centers (SOCs) all over the world are tasked with reacting to cybersecurity alerts of varying severity. Security Orchestration, Automation, and Response (SOAR) tools streamline the way SOC operators respond to those alerts. SOAR tool adoption is expensive in both effort and cost. Hence, it is crucial to limit adoption to the tools that are most worthwhile; yet no research evaluating or comparing SOAR tools exists. The goal of this work is to evaluate several SOAR tools using specific criteria pertaining to their usability. SOC operators were first asked to complete a survey about which aspects of a SOAR tool are most important. Each operator was then assigned a set of SOAR tools, viewed demonstration and overview videos for them, and completed a second survey in which they evaluated each assigned tool on the aspects identified in the first survey. In addition, operators gave each of their assigned tools an overall rating and ranked their tools in order of preference. Because SOC operators have limited time for thorough testing, we provide a systematic method for downselecting a large pool of SOAR tools to a select few that merit next-step hands-on evaluation by SOC operators. Furthermore, the analyses conducted in this study help to inform future development of SOAR tools, ensuring that the appropriate functions are available for use in a SOC.