Data presentation in security operations centres: exploring the potential for sonification to enhance existing practice

Journal Article
Publication Abstract: 

Security practitioners working in Security Operations Centres (SOCs) are responsible for detecting and mitigating malicious computer network activity. This work requires both automated tools that detect and prevent attacks, and data presentation tools that can present pertinent network security monitoring information to practitioners in an efficient and comprehensible manner. In recent years, advances have been made in the development of visual approaches to data presentation, with some uptake of advanced security visualization tools in SOCs. Sonification, in which data are represented as sound, is said to have potential as an approach that could work alongside existing visual data presentation approaches to address some of the unique challenges faced by SOCs. For example, sonification has been shown to enable peripheral monitoring of processes, which could aid practitioners multitasking in busy SOCs. The perspectives of security practitioners on incorporating sonification into their actual working environments have not yet been examined, however. The aim of this article, therefore, is to address this gap by exploring attitudes to using sonification in SOCs and by identifying the data presentation approaches currently used. We report on the results of a study consisting of an online survey (N = 20) and interviews (N = 21) with security practitioners working in a range of different SOCs. Our contributions are (i) a refined appreciation of the contexts in which sonification could aid in SOC working practice, (ii) an understanding of the areas in which sonification may not be beneficial or may even be problematic, (iii) an analysis of the critical requirements for the design of sonification systems and their integration into the SOC setting, and (iv) evidence of the visual data presentation techniques currently used and identification of how sonification might work alongside them and address challenges to using them.

Our findings offer insights into the potential benefits and challenges of introducing sonification to support work in this vital security monitoring environment. Participants saw potential value in using sonification systems to aid in anomaly detection tasks in SOCs (such as retrospective hunting), as well as in situations in which peripheral monitoring is desirable: while multitasking across multiple work tasks, or while outside of the SOC.