Abstract

Security Operations Centers (SOCs) play a key role in protecting organizations from many cybersecurity threats, such as system intrusions or information breaches. A major challenge in improving SOC operations is the adequacy of the data used to identify such threats. Detection tools employed by SOCs are largely based on observable telemetry indicators (e.g., network traffic patterns, or system logs and activity collected from user devices). However, using such telemetry data without an in-depth understanding of human behavior can lead to an increasing number of false-positive alerts. Prior work shows that the problem becomes even more significant when alerts are overwhelmingly false positives, because analysts then largely ignore them. These false-positive alerts raise SOC analysts' cognitive workload, diminish conscious cognitive processing, and decrease their trust in future alerts.