SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers
Martin Rosso, Michele Campobasso, Ganduulga Gankhuyag, Luca Allodi

TL;DR
SAIBERSOC is a methodology and tool that uses synthetic attack injection based on the MITRE ATT&CK Framework to evaluate and benchmark the performance of Security Operation Centers, revealing how configuration changes impact effectiveness.
Contribution
The paper introduces SAIBERSOC, an open-source tool and accompanying methodology for benchmarking SOC performance: synthetic attacks derived from the MITRE ATT&CK Framework are injected into an operational SOC, and the resulting output metrics (e.g., detection accuracy, time-to-investigation) are measured and compared across SOC configurations.
Findings
Effective in detecting performance variations due to SOC configuration changes
Validated with 124 students using real SOC infrastructure
Open source implementation available for community use
Abstract
In this paper we introduce SAIBERSOC, a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in…
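The abstract describes the two halves of the methodology: a log of synthetic attacks (ATT&CK technique, injection time) on one side, analyst output on the other, with output metrics computed from how the two line up. The scoring harness below is an added illustration of that second half, not code from the SAIBERSOC tool or the paper. It assumes a simple ground-truth mapping that is our own choice: an analyst report counts as a detection when it names the same ATT&CK technique as an injection and is filed within a fixed window after it; any other report is a false positive, and injections never reported are misses. The technique IDs and timestamps are constructed sample data, and the two conditions stand in for the paper's BADSOC/GOODSOC split without reproducing its actual configurations.

```python
"""Scoring harness for a synthetic-attack-injection SOC benchmark.

Added example (not SAIBERSOC's own code). Assumed inputs: a log of
injected synthetic attacks (ATT&CK technique ID + injection time) and the
analyst reports collected from each experimental condition (technique the
analyst attributed + time the report was filed).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Injection:
    inj_id: str
    technique: str        # ATT&CK technique ID, e.g. "T1046"
    injected_at: datetime


@dataclass(frozen=True)
class Report:
    technique: str        # technique the analyst attributed to the alert
    filed_at: datetime


def _t(hhmm: str) -> datetime:
    """Helper: clock time on one constructed experiment day."""
    return datetime.fromisoformat(f"2020-06-01T{hhmm}:00")


# Constructed injection log (illustrative techniques, not the paper's data).
INJECTIONS: List[Injection] = [
    Injection("inj-1", "T1046", _t("09:00")),  # Network Service Discovery
    Injection("inj-2", "T1110", _t("09:20")),  # Brute Force
    Injection("inj-3", "T1059", _t("09:40")),  # Command and Scripting Interpreter
]

# Constructed analyst reports for two hypothetical conditions.
REPORTS: Dict[str, List[Report]] = {
    "GOODSOC": [
        Report("T1046", _t("09:12")),
        Report("T1110", _t("09:35")),
        Report("T1059", _t("09:58")),
    ],
    "BADSOC": [
        Report("T1046", _t("09:45")),  # right technique, but 45 min after injection
        Report("T1071", _t("09:50")),  # never injected: a false positive
    ],
}


def score(injections: List[Injection], reports: List[Report],
          window: timedelta = timedelta(minutes=60)) -> dict:
    """Match reports to injections and compute detection accuracy and
    time-to-investigation (TTI). Matching rule (our assumption): same
    technique ID, report filed within `window` after the injection, each
    injection matched at most once, earliest report wins."""
    remaining = list(injections)
    tti_minutes: List[float] = []
    false_positives = 0
    for rep in sorted(reports, key=lambda r: r.filed_at):
        match: Optional[Injection] = None
        for inj in remaining:
            if (inj.technique == rep.technique
                    and inj.injected_at <= rep.filed_at <= inj.injected_at + window):
                match = inj
                break
        if match is None:
            false_positives += 1            # report not explained by any injection
        else:
            remaining.remove(match)
            tti_minutes.append((rep.filed_at - match.injected_at).total_seconds() / 60)
    detected = len(tti_minutes)
    return {
        "detected": detected,
        "missed": len(remaining),
        "false_positives": false_positives,
        "precision": detected / len(reports) if reports else 0.0,
        "recall": detected / len(injections) if injections else 0.0,
        "median_tti_min": median(tti_minutes) if tti_minutes else None,
    }


def compare_conditions(injections: List[Injection],
                       reports_by_condition: Dict[str, List[Report]]) -> Dict[str, dict]:
    """Score every experimental condition against the same injection log."""
    return {cond: score(injections, reps) for cond, reps in reports_by_condition.items()}


if __name__ == "__main__":
    for cond, result in compare_conditions(INJECTIONS, REPORTS).items():
        print(cond, result)
```

The matching rule is the part a practitioner has to get right: if analysts are allowed to attribute a different (but plausible) technique, or if injections overlap in time, a technique-plus-window match under-counts detections, so the window and the attribution tolerance should be fixed before the experiment and reported alongside the metrics.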
