Researcher will use NSF award to fortify and improve security operations centers

LAWRENCE — A prestigious Faculty Early Career Development (CAREER) Program award from the National Science Foundation will enable a researcher from the University of Kansas School of Engineering to investigate how to boost effectiveness of security operations centers (SOCs) — centralized facilities that deal with security issues and protect enterprise computer networks for private industry, academic institutions and government organizations.

“Organizations usually deploy security operations centers to manage their network operations, defend against threats in cyberspace and maintain regulatory compliance,” said Alexandru Bardas, assistant professor in KU’s Department of Electrical Engineering & Computer Science (EECS) and the Information & Telecommunication Technology Center (ITTC). “Automation and metrics play key roles in the effectiveness of security operation centers. Unfortunately, security-driven automation in these environments is often implemented in ad hoc ways and is not accurately reflected in the metrics.”

According to Bardas, current solutions don’t capture all dimensions of automation. He said enterprise networks usually have either partial technical solutions to security challenges that are both social and technical — or social frameworks that don’t fully comprehend the technical components of enterprise network security. The result, he said, is always a one-size-fits-all solution that contributes to inefficiencies in security operations centers.

“We hope to create a framework that tailors security-focused automation for operational environments, assesses the role of humans in this process and reflects the outcomes in the metrics,” Bardas said. “Instead of putting forward another set of generic automation and metrics guidelines for security operations centers, the framework’s main goal is to link technical capabilities of an organization with its social structure. This way, the landscape for security operations centers can evolve from ‘all defenses need to be successful’ to ‘all attacks need to be successful’ to maintain persistent access — turning the tables on adversaries.”

The KU researcher’s work will use an array of research approaches — from designing dynamic abstractions, models and software tools to ethnographic studies and interviews. Bardas said he hoped to account for factors such as stakeholders’ interests and strategic planning as well as provide on-the-ground analysts with ways to input local knowledge about their actual effectiveness into management and policy decisions.

“Security operations centers are sensitive environments, and getting access to these environments is understandably a complex endeavor,” Bardas said. “We’re fortunate to collaborate with external security operations centers from industry, academia and the government sector. We also have a fruitful collaboration with our KU IT Security Office, and we’re very thankful for their support.”

Part of Bardas’ research will train KU students, bringing knowledge from his experience with SOCs in the field into the classroom, to address the “dire need” for preparing the next generation of skilled security-operations-center analysts.

“This project includes research and education activities that feed into each other,” he said. “For instance, we’ll include observations we’re making in the field from working SOCs in the hands-on courses in cyber defense and cryptography that are happening on isolated and dedicated infrastructure. So, we’ll try different approaches on different types of attacks that we’re witnessing in a SOC as part of a course — along the lines of controlled experiments and projects.”

Further, Bardas plans to utilize KU’s student information-security club, known as the “Jayhackers,” to test the resilience of approaches to security operations centers.

“We’ll take the initial framework prototypes and actually use them in cyber defense competitions with the Jayhackers to defend our networks, to prioritize events, to quantify how we’re approaching things,” Bardas said. “Often, these cyber defense competitions resemble accelerated SOC environments. Of course, reality can be a little different, but a cyber defense competition would be one avenue of evaluating our framework. By doing so we’re also exposing our students to the framework and to security operations centers — so we’re preparing them for the workforce. Quite a few of our Jayhackers are interested in jobs offered by security operations centers. Through this training, they’ll be in a much better position when they hit the job market.”

In addition to the National Science Foundation, Bardas credited KU’s ITTC/IIS, EECS and engineering school, the exceptional graduate students he is working with, and his collaborators for supporting this work under the new CAREER award.

Top image: A prestigious Faculty Early Career Development Program award from the National Science Foundation will enable a researcher from the University of Kansas School of Engineering to investigate how to boost effectiveness of security operations centers. Credit: Pexels.