Optimizing Alert Data Management Processes at a Cyber Security Operations Center

Alert data management is one of the core functions of a Cyber Security Operations Center (CSOC). This chapter develops an integrated framework of several tasks for alert data management, sequenced as follows: (1) determining the regular staffing of analysts at different expertise levels for a given alert arrival rate and service rate, and scheduling those analysts to minimize risk; (2) clustering sensors and dynamically reallocating analysts to sensors; and (3) measuring, monitoring, and controlling the level of operational effectiveness (LOE), with the ability to bring in additional analysts as needed. The chapter presents several metrics for measuring CSOC performance, which in turn drive the optimization strategies used to execute the above tasks for alert analysis. The tasks are shown to be highly interdependent, so they must be integrated and sequenced within one framework for alert data management. For each task, simulation results validate the optimization model and show the effectiveness of the modeling and algorithmic strategy for efficient alert data management, which in turn contributes to optimal overall management of the CSOC.
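The abstract describes two quantities a practitioner would want to compute before reading the chapter's own optimization models: a baseline staffing level for a given alert arrival and service rate (task 1), and an LOE-style signal that decides when on-call analysts are brought in (task 3). The following is an added illustration, not code from the chapter or its authors. It assumes the simplest queueing abstraction (alerts arrive as a Poisson process, each analyst clears them at an exponential rate, so a shift behaves like an M/M/c queue) and uses a deliberately simplified LOE stand-in (share of pending work cleared within the hour); the function names, rates and the hourly alert counts are all constructed for the example.

```python
"""Baseline staffing (M/M/c) and an LOE-style on-call trigger for a CSOC shift.

Hypothetical illustration, not the chapter's model. Assumptions: Poisson alert
arrivals, exponential per-analyst service times, one expertise level, and a
simplified LOE defined as the fraction of pending work cleared in the hour.
"""
from math import factorial


def erlang_c(arrival_rate, service_rate, analysts):
    """Probability that an arriving alert finds every analyst busy (Erlang C).

    arrival_rate and service_rate are per hour; service_rate is per analyst.
    """
    a = arrival_rate / service_rate  # offered load in Erlangs
    c = analysts
    if a >= c:
        return 1.0  # unstable queue: the backlog grows without bound
    top = a ** c / factorial(c) * c / (c - a)
    bottom = sum(a ** k / factorial(k) for k in range(c)) + top
    return top / bottom


def mean_wait(arrival_rate, service_rate, analysts):
    """Mean time (hours) an alert waits before an analyst picks it up."""
    a = arrival_rate / service_rate
    c = analysts
    if a >= c:
        return float("inf")
    return erlang_c(arrival_rate, service_rate, c) / (c * service_rate - arrival_rate)


def min_analysts(arrival_rate, service_rate, max_mean_wait, cap=200):
    """Smallest staffing level whose mean queueing delay is within max_mean_wait hours."""
    for c in range(1, cap + 1):
        if mean_wait(arrival_rate, service_rate, c) <= max_mean_wait:
            return c
    raise ValueError("no staffing level within cap meets the target")


def simulate_shift(hourly_alerts, analysts, service_rate, loe_floor, on_call=2):
    """Hour-by-hour backlog simulation with a one-shot on-call trigger.

    LOE here is a simplified stand-in: cleared / (carried backlog + arrivals).
    When it drops below loe_floor, on_call extra analysts join from the next
    hour onward. Returns (loe per hour, hour the trigger fired or None).
    """
    backlog = 0
    staffed = analysts
    history = []
    trigger_hour = None
    for hour, arrivals in enumerate(hourly_alerts):
        pending = backlog + arrivals
        capacity = staffed * service_rate  # alerts this staffing can clear per hour
        cleared = min(pending, capacity)
        loe = 1.0 if pending == 0 else cleared / pending
        backlog = pending - cleared
        history.append(round(loe, 3))
        if loe < loe_floor and trigger_hour is None:
            staffed += on_call  # on-call analysts take effect next hour
            trigger_hour = hour
    return history, trigger_hour


if __name__ == "__main__":
    # Constructed figures: 40 alerts/hour arriving, each analyst clears 10/hour.
    base = min_analysts(40, 10, max_mean_wait=0.05)  # keep mean wait under 3 minutes
    print("baseline analysts:", base)
    # Constructed surge: hour 2 doubles the load and the backlog spills into hour 3.
    loe, fired = simulate_shift([40, 45, 90, 70, 40], base, 10, loe_floor=0.8)
    print("LOE per hour:", loe, "on-call triggered at hour:", fired)
```

Note that the on-call addition only takes effect in the hour after the LOE floor is breached, so a single bad hour still leaves a carried backlog; this is the lag the chapter's dynamic LOE control is designed to manage, and the numbers here only show the shape of the problem, not the chapter's results.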
