    Testing SOAR Tools in Use

    Modern security operation centers (SOCs) rely on operators and a tapestry of logging and alerting tools with large-scale collection and query abilities. SOC investigations are tedious because they rely on manual effort to query diverse data sources, overlay related logs, correlate the data into information, and then document results in a ticketing system. Security orchestration, automation, and response (SOAR) tools are a new technology that promise to collect, filter, and display needed data; automate common tasks that consume SOC analysts' time; facilitate SOC collaboration; and improve both the efficiency and consistency of SOCs. SOAR tools have never been tested in practice to evaluate their effect and understand them in use. In this paper, we design and administer the first hands-on user study of SOAR tools, involving 24 participants and 6 commercial SOAR tools. Our contributions include the experimental design, itemizing six characteristics of SOAR tools, and a methodology for testing them. We describe the configuration of the test environment in a cyber range, including network, user, and threat emulation; a full SOC tool suite; and the creation of artifacts allowing multiple representative investigation scenarios to permit testing. We present the first research results on SOAR tools. We found that SOAR configuration is critical, as it involves creative design for data display and automation. We found that SOAR tools increased efficiency and reduced context switching during investigations, although ticket accuracy and completeness (indicating investigation quality) decreased with SOAR use. Our findings indicated that user preferences are slightly negatively correlated with their performance with the tool; overautomation was a concern of senior analysts, and SOAR tools that balanced automation with assisting a user to make decisions were preferred.

    Characterization of Nitrifying, Denitrifying, and Overall Bacterial Communities in Permeable Marine Sediments of the Northeastern Gulf of Mexico

    Sandy or permeable sediment deposits cover the majority of the shallow ocean seafloor, and yet the associated bacterial communities remain poorly described. The objective of this study was to expand the characterization of bacterial community diversity in permeable sediment impacted by advective pore water exchange and to assess the effects of spatial, temporal, hydrodynamic, and geochemical gradients. Terminal restriction fragment length polymorphism (TRFLP) was used to analyze nearly 100 sediment samples collected from two northeastern Gulf of Mexico subtidal sites that primarily differed in their hydrodynamic conditions. Communities were described across multiple taxonomic levels using universal bacterial small subunit (SSU) rRNA targets (RNA- and DNA-based) and functional markers for nitrification (amoA) and denitrification (nosZ). Clonal analysis of SSU rRNA targets identified several taxa not previously detected in sandy sediments (i.e., Acidobacteria, Actinobacteria, Chloroflexi, Cyanobacteria, and Firmicutes). Sequence diversity was high among the overall bacterial and denitrifying communities, with members of the Alphaproteobacteria predominant in both. Diversity of bacterial nitrifiers (amoA) remained comparatively low and did not covary with the other gene targets. TRFLP fingerprinting revealed changes in sequence diversity from the family to the species level across sediment depth and study site. The high diversity of facultative denitrifiers was consistent with the high permeability, deeper oxygen penetration, and high rates of aerobic respiration determined in these sediments. The high relative abundance of Gammaproteobacteria in RNA clone libraries suggests that this group may be poised to respond to short-term periodic pulses of growth substrates, and this observation warrants further investigation.