A Strategy for Effective Alert Analysis at a Cyber Security Operations Center

Alert data management entails several tasks at a Cyber Security Operations Center (CSOC), such as alert analysis, threat mitigation when an alert is deemed significant, signature updates for an intrusion detection system, and so on. This chapter presents a metric for measuring the performance of the CSOC and develops a strategy for effective alert data management that optimizes the execution of certain tasks pertaining to alert analysis. One of the important performance metrics for alert analysis is the processing of alerts in a timely manner so as to maintain a certain Level of Operational Effectiveness (LOE). Maintaining the LOE requires two foremost tasks among several others: (1) the dynamic optimal scheduling of CSOC analysts to respond to the uncertainty in the day-to-day demand for alert analysis, and (2) the dynamic optimal allocation of CSOC analyst resources to the sensors being monitored. These two tasks are inter-dependent: the daily allocation task for a shift requires that analysts (the resource) be available to meet the uncertain demand for alert analysis at the CSOC, which varies with alert generation and/or service rates, while the resource availability must be scheduled ahead of time, despite that uncertainty, for practical implementation in the real world. In this chapter, an optimization modeling framework is presented that schedules the analysts using historical and predicted demand patterns for alert analysis over a 14-day work cycle, selects the additional (on-call) analysts required in a shift, and optimally allocates all the required analysts on a day-to-day basis for each working shift. Results from simulation studies validate the optimization modeling framework and show the effectiveness of the strategy for alert analysis in maintaining the LOE of the CSOC at the desired level.
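The two-level structure described above (staff a shift ahead of time on predicted demand, then add on-call analysts and allocate everyone to sensors once the shift's realized demand is known) can be sketched as follows. This is an added illustration, not the chapter's optimization model: it substitutes a simple proportional heuristic for the optimization, and the LOE definition (fraction of a shift's alerts fully analyzed within that shift), the per-analyst service rate, the LOE target, the on-call pool size and the per-sensor alert counts are all assumptions.

```python
import math

# Constructed sample data for one shift (assumptions, not values from the chapter).
PREDICTED = {"sensor-A": 120, "sensor-B": 80, "sensor-C": 40}   # forecast alerts per sensor
REALIZED = {"sensor-A": 150, "sensor-B": 90, "sensor-C": 60}    # actual alerts; demand exceeded forecast
SERVICE_RATE = 30   # alerts one analyst can fully analyze per shift (assumed)
TARGET_LOE = 0.95   # fraction of alerts that must be analyzed within the shift (assumed)
ON_CALL_POOL = 3    # on-call analysts reachable for this shift (assumed)


def scheduled_analysts(predicted, rate, target):
    """Ahead-of-time staffing: regular analysts needed to meet the target on predicted demand."""
    return math.ceil(sum(predicted.values()) * target / rate)


def on_call_needed(realized, rate, target, scheduled, pool):
    """Per-shift decision: extra analysts needed to hold the target on realized demand, capped by the pool."""
    needed = math.ceil(sum(realized.values()) * target / rate) - scheduled
    return min(max(needed, 0), pool)


def allocate(realized, analysts):
    """Assign whole analysts to sensors in proportion to load (largest-remainder rounding)."""
    total = sum(realized.values())
    shares = {s: analysts * n / total for s, n in realized.items()}
    alloc = {s: math.floor(v) for s, v in shares.items()}
    leftover = analysts - sum(alloc.values())
    # Hand the leftover whole analysts to the sensors with the largest fractional shares.
    for s in sorted(shares, key=lambda s: shares[s] - alloc[s], reverse=True)[:leftover]:
        alloc[s] += 1
    return alloc


def shift_loe(realized, alloc, rate):
    """Fraction of realized alerts that the allocated analysts can analyze within the shift."""
    done = sum(min(n, alloc.get(s, 0) * rate) for s, n in realized.items())
    return done / sum(realized.values())


if __name__ == "__main__":
    regular = scheduled_analysts(PREDICTED, SERVICE_RATE, TARGET_LOE)
    extra = on_call_needed(REALIZED, SERVICE_RATE, TARGET_LOE, regular, ON_CALL_POOL)
    print("scheduled:", regular, "on-call added:", extra)
    print("LOE with regular staff only:", shift_loe(REALIZED, allocate(REALIZED, regular), SERVICE_RATE))
    print("LOE after on-call top-up:   ", shift_loe(REALIZED, allocate(REALIZED, regular + extra), SERVICE_RATE))
```

With the constructed numbers the forecast-based roster of 8 analysts yields an LOE of 0.8 on the realized demand, and two on-call analysts restore it above the 0.95 target.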
