2023 Research Review
Building an SOC Knowledge Base
Security operations centers (SOCs) are a critical tool for ensuring cybersecurity and information security across the Department of Defense (DoD) enterprise. Because each such in-house SOC must be unique—accounting for the distinct mission, goals, and needs of the constituency or organization it serves—deployment requires a time-consuming and expensive process necessitating an expert or expert team. Fully deploying an SOC can take years and cost the DoD millions of dollars in expert guidance, above and beyond the cost of facilities and equipment for the SOC.
Our project seeks to significantly reduce the time and cost of deploying SOC capabilities by capturing expert knowledge in an expert system that can be deployed by any SOC developer. This expert knowledge will support a process that begins with an assessment and ends with recommendations about the people, processes, and technologies needed to develop a new SOC capability. As part of this project, we will develop
- an SOC capability building knowledge base
- a data-driven SOC capability assessment
- an expert system for SOC capability development with integrated user input and inference engine facilities
This research will develop a first-of-its-kind ontology and a knowledge base of SOC capability-building facts and rules.
Dr. Justin NovakSenior Cybersecurity Operations Researcher
The DoD wants to increase the availability and quality of cybersecurity services and capabilities across the enterprise. The current environment is replete with tools that aim to help automate the operation of SOCs and cybersecurity operations. However, there remains a lack of tools designed to automate or facilitate the process of standing up a SOC capability. Improving the cybersecurity capacity of these organizations requires codifying the expert knowledge needed to build such capabilities.
This research will develop a first-of-its-kind ontology and a knowledge base of SOC capability-building facts and rules. Our system will provide the expertise needed to operationalize effective SOC capabilities. Any DoD agency or partner will be able to use the refined knowledge of the SOC capability-building process resulting from this research project to provide insights for ensuring effective capabilities. The resulting reduction in time and cost to deploy will enable a significantly wider range of DoD organizations to stand up SOC capabilities.
In Context: This FY2023-24 Project
- is a collaborative effort utilizing researchers from the CMU SEI, Northeastern University, and Carnegie Mellon University
- builds on the CMU SEI’s cybersecurity expertise and experience in capacity and capability building for SOCs
- aligns with the CMU SEI technical objective to be trustworthy in construction and implementation and resilient in the face of operational uncertainties, including known and yet-unseen adversary capabilities
- aligns with the OUSD(R&E) critical technology priority of developing integrated sensing and cyber technology to counter advanced threats
Principal Investigator
Dr. Justin Novak
Senior Cybersecurity Operations Researcher
SEI Collaborators
Dr. Angel Hueca
Senior Cybersecurity Operations Researcher
Chris Rodman
Senior Cybersecurity Operations Researcher
Justin Valdengo
Senior Engineer
Vanessa Rodriguez
Assistant Cybersecurity Operations Researcher
Sam Perl
Senior Cyber Security Analyst
CMU Collaborators
Dr. Travis Breaux
Director of MSE Programs; Associate Professor, Carnegie Mellon University Institute for Software Research
Watch the Recording
Have a Question?
Reach out to us at info@sei.cmu.edu.