Description
Security Operations Centers (SOCs) rely on standardization and improvement of their incident response processes to increase service quality and support analysts. Manual development of so-called playbooks for process standardization often lacks comprehensive insight into end-to-end SOC incident response processes. Cross-organizational knowledge sharing, as an alternative, typically fails to provide individual applicability. Motivated by the potential of process standardization to address various issues in SOCs, academic research has explored technological support of process development using technologies such as Large Language Models (LLMs) or data analysis. This thesis proposes best practices for leveraging SOC logs to gain insights into current processes, supporting continuous improvement and standardization of incident response. The research discusses an unprecedented approach toward the application of process mining in the context of operational SOC environments, focusing on practical implementation and validation within the Cloud Security Operations Center (CSOC) of glueckkanja AG. The research explores the promising development of individual and actionable incident-specific process descriptions. Analysts can be assisted in process development by tools like ProM, which enable process exploration, and by the automated proposal of playbooks. Various recommendations are provided for SOCs to enhance their services and allow data-centered process analysis. Key best practices include logging all necessary incident response actions for full auditability, making classifications and remediation decisions more comprehensible through a hypothesis approach, and connecting actions to specific incidents in the log. Despite potential inefficiencies, incorporating note-taking and commenting during the incident process is crucial.
Process mining can identify correct processes from event logs and assist analysts in the development of process standardizations, as well as during their daily tasks. This thesis also highlights future research areas, such as recording enhanced domain and decisional knowledge during incident response and improving collaborative interaction with process mining tools.
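The following is an added illustration, not code from the thesis or from glueckkanja AG, of the two ideas the abstract combines: an audit check that every logged action is linked to an incident, and a minimal process-discovery pass (directly-follows relation and process variants) over per-incident traces. The event log, incident ids and activity names are constructed for the example; a real SOC would feed exported ticket or case-management events in the same shape, typically into a tool such as ProM.

```python
"""Added example: audit check plus minimal process discovery over a constructed SOC event log."""
from collections import Counter, defaultdict

# Constructed sample event log (not from any real SOC). Each row: incident id,
# ISO timestamp, action. One row deliberately lacks an incident id to show the
# audit gap the abstract warns about, and one INC-3 row is out of order in the file.
SAMPLE_LOG = [
    ("INC-1", "2024-01-01T10:00:00", "alert_triaged"),
    ("INC-1", "2024-01-01T10:05:00", "hypothesis_recorded"),
    ("INC-1", "2024-01-01T10:20:00", "host_isolated"),
    ("INC-1", "2024-01-01T11:00:00", "incident_closed"),
    ("INC-2", "2024-01-02T09:00:00", "alert_triaged"),
    ("INC-2", "2024-01-02T09:10:00", "hypothesis_recorded"),
    ("INC-2", "2024-01-02T09:30:00", "incident_closed"),
    ("", "2024-01-02T09:35:00", "host_isolated"),  # orphan: action not tied to an incident
    ("INC-3", "2024-01-03T08:00:00", "alert_triaged"),
    ("INC-3", "2024-01-03T08:30:00", "host_isolated"),
    ("INC-3", "2024-01-03T08:02:00", "hypothesis_recorded"),  # logged out of order
    ("INC-3", "2024-01-03T09:00:00", "incident_closed"),
]


def find_orphan_actions(log):
    """Return rows whose action cannot be attributed to an incident.

    Such rows break auditability and cannot take part in process mining,
    which needs a case id for every event.
    """
    return [row for row in log if not row[0]]


def build_traces(log):
    """Group events by incident id and order them by timestamp.

    Returns {incident_id: [action, ...]}, one trace per incident.
    ISO-8601 timestamps sort correctly as strings.
    """
    by_case = defaultdict(list)
    for case_id, ts, action in log:
        if case_id:  # orphans are reported separately, not silently merged
            by_case[case_id].append((ts, action))
    return {case: [a for _, a in sorted(events)] for case, events in by_case.items()}


def directly_follows(traces):
    """Count how often activity a is directly followed by activity b.

    This directly-follows relation is the basis of simple discovery
    algorithms and of the process maps tools like ProM render.
    """
    counts = Counter()
    for trace in traces.values():
        for a, b in zip(trace, trace[1:]):
            counts[(a, b)] += 1
    return counts


def variant_frequencies(traces):
    """Count distinct activity sequences (process variants) across incidents."""
    return Counter(tuple(trace) for trace in traces.values())


def most_common_variant(traces):
    """The dominant variant is a natural starting point for a playbook draft."""
    return variant_frequencies(traces).most_common(1)[0]


if __name__ == "__main__":
    print("orphan actions:", find_orphan_actions(SAMPLE_LOG))
    traces = build_traces(SAMPLE_LOG)
    for pair, n in sorted(directly_follows(traces).items()):
        print(f"{pair[0]} -> {pair[1]}: {n}")
    print("most common variant:", most_common_variant(traces))
```

The orphan check runs before discovery on purpose: an action with no incident id is exactly the kind of record that makes a mined process incomplete, so reporting it is more useful than dropping it quietly.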