Adaptive reallocation of cybersecurity analysts to sensors for balancing risk between sensors

A Cyber Security Operations Center (CSOC) is a service-oriented system. Analysts work in shifts, and the goal at the end of each shift is to ensure that all alerts from each sensor (client) have been analyzed. This goal is often not met because the CSOC faces adverse conditions such as variations in alert generation rates or in the time taken to thoroughly analyze new alerts. Current practice at many CSOCs is to pre-assign analysts to sensors based on their expertise; the alerts from the sensors are then triaged, queued, and presented to the analysts. Under adverse conditions, some sensors accumulate more unanalyzed alerts (backlogs) than others, which leaves a major security gap for those clients if unattended. Hence, there is a need to dynamically reallocate analysts to sensors; however, no existing mechanism ensures the following objectives: (i) balancing the number of unanalyzed alerts among sensors while maximizing the number of alerts investigated, by optimally reallocating analysts to sensors within a shift, and (ii) preserving desirable properties of the CSOC: minimizing the disruption to the analyst-to-sensor allocation made at the beginning of the shift when analysts report to work, balancing the workload among analysts, and maximizing analyst utilization. The paper presents a technical solution that achieves these objectives and answers two important research questions: (i) detection of triggers, which determines when to reallocate, and (ii) how to optimally reallocate analysts to sensors. Together these enable a CSOC manager to use reallocation effectively as a decision-making tool.
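To make the two research questions concrete, the following is an added toy model written for this page; it is not the paper's formulation or code. It assumes a small CSOC with three sensors and four analysts (all names, rates, throughputs and expertise sets are constructed), projects each sensor's end-of-shift backlog from its current backlog, observed alert rate and assigned analyst capacity, fires a reallocation trigger when the projected backlog spread between sensors exceeds a threshold, and then picks a new assignment by exhaustive search with a lexicographic objective: smallest worst-case backlog (balance), then most alerts analyzed, then fewest analysts moved from the start-of-shift allocation (disruption). The objective ordering and the exhaustive search are assumptions chosen for clarity, not the paper's optimisation method.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Sensor:
    name: str
    backlog: int          # unanalyzed alerts at the moment of the decision
    rate: float           # new alerts per hour observed so far this shift


@dataclass(frozen=True)
class Analyst:
    name: str
    throughput: float             # alerts thoroughly analyzed per hour
    qualified: FrozenSet[str]     # sensors this analyst has expertise for


def projected_backlogs(sensors: List[Sensor], analysts: List[Analyst],
                       assignment: Dict[str, str], hours_left: float) -> Dict[str, float]:
    """Expected unanalyzed alerts per sensor at end of shift under `assignment`
    (analyst name -> sensor name), assuming rates stay constant."""
    capacity = {s.name: 0.0 for s in sensors}
    for a in analysts:
        capacity[assignment[a.name]] += a.throughput * hours_left
    return {s.name: max(0.0, s.backlog + s.rate * hours_left - capacity[s.name])
            for s in sensors}


def needs_reallocation(sensors: List[Sensor], analysts: List[Analyst],
                       assignment: Dict[str, str], hours_left: float,
                       max_spread: float) -> bool:
    """Trigger detection ("when to reallocate"): fire when the projected
    backlog imbalance between the best- and worst-off sensors exceeds max_spread."""
    proj = projected_backlogs(sensors, analysts, assignment, hours_left)
    return max(proj.values()) - min(proj.values()) > max_spread


def reallocate(sensors: List[Sensor], analysts: List[Analyst],
               current: Dict[str, str], hours_left: float
               ) -> Tuple[Dict[str, str], Tuple[float, float, int]]:
    """"How to reallocate": search every expertise-feasible assignment and rank by
    (worst projected backlog, -alerts analyzed, analysts moved); smaller is better."""
    total_incoming = sum(s.backlog + s.rate * hours_left for s in sensors)
    best = None
    for choice in product([s.name for s in sensors], repeat=len(analysts)):
        cand = {a.name: sname for a, sname in zip(analysts, choice)}
        if any(cand[a.name] not in a.qualified for a in analysts):
            continue  # respect the expertise-based pre-assignment constraint
        proj = projected_backlogs(sensors, analysts, cand, hours_left)
        analyzed = total_incoming - sum(proj.values())
        moved = sum(1 for a in analysts if cand[a.name] != current[a.name])
        key = (max(proj.values()), -analyzed, moved)
        if best is None or key < best[0]:
            best = (key, cand)
    return best[1], best[0]


# Constructed sample shift: sensor A is flooding, B and C are quiet.
SENSORS = [Sensor("A", backlog=40, rate=10.0),
           Sensor("B", backlog=5, rate=4.0),
           Sensor("C", backlog=10, rate=6.0)]
ANALYSTS = [Analyst("a1", 8.0, frozenset({"A", "B"})),
            Analyst("a2", 8.0, frozenset({"A", "C"})),
            Analyst("a3", 6.0, frozenset({"B", "C"})),
            Analyst("a4", 6.0, frozenset({"A", "B", "C"}))]
START_OF_SHIFT = {"a1": "A", "a2": "C", "a3": "B", "a4": "C"}
HOURS_LEFT = 4.0
MAX_SPREAD = 20.0


def run_decision() -> Tuple[bool, Dict[str, str], Tuple[float, float, int]]:
    """One manager decision point: check the trigger, then reallocate if it fired."""
    triggered = needs_reallocation(SENSORS, ANALYSTS, START_OF_SHIFT, HOURS_LEFT, MAX_SPREAD)
    if not triggered:
        return False, START_OF_SHIFT, (0.0, 0.0, 0)
    new_assignment, key = reallocate(SENSORS, ANALYSTS, START_OF_SHIFT, HOURS_LEFT)
    return True, new_assignment, key


if __name__ == "__main__":
    print("projected now:", projected_backlogs(SENSORS, ANALYSTS, START_OF_SHIFT, HOURS_LEFT))
    print("decision:", run_decision())
```

In the constructed shift the start-of-shift allocation leaves sensor A with a projected 48 unanalyzed alerts while B and C are fully covered, so the trigger fires; the search moves a2 from C to A (one analyst moved), bringing the worst projected backlog down to 16 while B stays clear and C ends with 10. Exhaustive search scales as sensors^analysts and is only a stand-in for a real optimiser, but the trigger and objective structure are what a manager would monitor regardless of solver.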
