Intelligent Ticket Management Assistant for Cybersecurity Operations

Student: Leonardo Ferreira
Programme: Doctoral Programme in Informatics Engineering
Supervisor: Professor Daniel Silva
Associated company (SONAE IM): S21SEC

Together with the increasing incidence of cyberattacks and cybercrime in general, some of
the most impactful issues affecting cybersecurity response are the lack of qualified personnel and
the need to ensure sustainable scalability, while reducing costs. Organizations currently rely on
security operations centers (SOCs) to respond to security incidents; however, in part due to the
large number of incidents and the use of non-interoperable tools, they are unable to provide a
timely response. The use of intelligent tools capable of reducing human operator’s workload and
improving incident response workflow is thus a growing necessity.

This thesis aims at developing novel methods to enhance security operators' performance during
incident response. To develop such methods, a dataset generator was first developed, aimed at
emulating the data available at S21sec by simulating incident ticket creation, scheduling, and
response, also including information regarding team and analyst management or incident
customization, among other details. Afterwards, a recommender system analyses historical actions
and recommends, for each incident, the quickest user-action pair capable of responding to it.
Cold-start scenarios, such as new users or new types of incidents, also need to be accounted for
by such a framework, as do topics such as explainable AI, to ensure that recommendations are well
received by operators.