Optimal Assignment of Sensors to Analysts in a Cybersecurity Operations Center

A cybersecurity operations center (CSOC) analyzes a large volume of alerts generated by intrusion detection systems that process data from many sensors. Sensors are assigned to analysts, and because the number of sensors far exceeds the number of analysts at the CSOC, sensors are grouped into clusters, which are then allocated to analysts for investigation. The grouping and allocation process must satisfy two essential properties: 1) each cluster's requirements must be met, namely the specific mix of analyst expertise, complete tool coverage so that the analysts can handle the types of alerts the cluster generates, and analyst credentials such as security clearances; and 2) the number of unanalyzed alerts remaining at the end of the daily work shift must be minimized and balanced among clusters, because a large or uneven backlog of unanalyzed alerts, caused for instance by a lack of analyst credentials or tooling expertise in a cluster, poses a security risk to the organization. Current practice at CSOCs is to group first and then allocate. This may violate both properties, because the grouping and allocation steps are performed independently and then remain static for long periods despite uncertainties such as day-to-day changes in alert generation rates and analyst absenteeism. This paper addresses both properties with an optimization model in which the grouping of sensors into clusters and the allocation of analysts to clusters are performed simultaneously. The integrated methodology produces an optimal sensor grouping and analyst allocation that adapts to changing shift conditions.
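
The following is an added illustration of the two approaches contrasted in the abstract; it is not the paper's model or code. It brute-forces a toy instance with constructed sensors, analysts and a fixed number of clusters K (all assumptions): each cluster must have at least one sensor and one analyst, the analysts in a cluster must jointly cover every sensor's required tools, alert type (expertise) and clearance level, and the objective is the pair (maximum unanalyzed alerts over clusters, total unanalyzed alerts), so the search both balances and minimizes the backlog. `joint_optimum` searches sensor grouping and analyst allocation simultaneously; `group_then_allocate` mimics current practice by grouping sensors on alert volume alone and only then allocating analysts. On this instance the joint search reaches a feasible zero-backlog assignment, while the sequential approach leaves 20 alerts unanalyzed in one cluster because the volume-only grouping put a clearance-2, EDR-only cluster where only one qualified analyst can serve it.

```python
"""Toy joint sensor-clustering / analyst-allocation model (added example,
not the paper's formulation): exhaustive search over every simultaneous
assignment of sensors and analysts to K clusters, versus group-then-allocate."""
from itertools import product

K = 2  # number of clusters in the constructed instance

# Constructed sensors: expected alerts per shift, alert type emitted, tools
# needed to triage those alerts, and the clearance the sensor's data requires.
SENSORS = {
    "s1": {"alerts": 40, "type": "network", "tools": {"ids"}, "clearance": 1},
    "s2": {"alerts": 30, "type": "host", "tools": {"edr"}, "clearance": 2},
    "s3": {"alerts": 20, "type": "network", "tools": {"ids"}, "clearance": 1},
    "s4": {"alerts": 35, "type": "host", "tools": {"edr"}, "clearance": 1},
    "s5": {"alerts": 25, "type": "network", "tools": {"ids", "pcap"}, "clearance": 2},
}

# Constructed analysts: alerts closed per shift, tools trained on, clearance
# held, and expertise areas.
ANALYSTS = {
    "a1": {"capacity": 60, "tools": {"ids", "pcap"}, "clearance": 2, "expertise": {"network"}},
    "a2": {"capacity": 50, "tools": {"edr"}, "clearance": 1, "expertise": {"host"}},
    "a3": {"capacity": 45, "tools": {"ids", "edr"}, "clearance": 2, "expertise": {"host", "network"}},
}


def cluster_feasible(sensors, analysts):
    """A cluster is feasible when its analysts jointly cover every sensor's
    tool, expertise and clearance requirements; empty clusters are rejected."""
    if not sensors or not analysts:
        return False
    tools = set().union(*(ANALYSTS[a]["tools"] for a in analysts))
    expertise = set().union(*(ANALYSTS[a]["expertise"] for a in analysts))
    clearance = max(ANALYSTS[a]["clearance"] for a in analysts)
    return all(
        SENSORS[s]["tools"] <= tools
        and SENSORS[s]["type"] in expertise
        and SENSORS[s]["clearance"] <= clearance
        for s in sensors
    )


def unanalyzed(sensors, analysts):
    """Alerts left at shift end when cluster demand exceeds analyst capacity."""
    demand = sum(SENSORS[s]["alerts"] for s in sensors)
    capacity = sum(ANALYSTS[a]["capacity"] for a in analysts)
    return max(0, demand - capacity)


def evaluate(sensor_map, analyst_map):
    """Objective (max unanalyzed over clusters, total unanalyzed), or None when
    any cluster is infeasible. The max term balances, the sum term minimizes."""
    leftovers = []
    for c in range(K):
        s = [n for n, k in sensor_map.items() if k == c]
        a = [n for n, k in analyst_map.items() if k == c]
        if not cluster_feasible(s, a):
            return None
        leftovers.append(unanalyzed(s, a))
    return (max(leftovers), sum(leftovers))


def best_analyst_allocation(sensor_map):
    """Best feasible analyst allocation for a fixed sensor grouping."""
    best = None
    for assignment in product(range(K), repeat=len(ANALYSTS)):
        analyst_map = dict(zip(ANALYSTS, assignment))
        score = evaluate(sensor_map, analyst_map)
        if score is not None and (best is None or score < best[0]):
            best = (score, analyst_map)
    return best


def joint_optimum():
    """Simultaneous grouping and allocation: every sensor grouping paired with
    its best analyst allocation. Returns (score, sensor_map, analyst_map)."""
    best = None
    for assignment in product(range(K), repeat=len(SENSORS)):
        sensor_map = dict(zip(SENSORS, assignment))
        cand = best_analyst_allocation(sensor_map)
        if cand is not None and (best is None or cand[0] < best[0]):
            best = (cand[0], sensor_map, cand[1])
    return best


def group_then_allocate():
    """Current practice: group sensors by alert volume alone (greedy
    least-loaded cluster), then allocate analysts to the fixed clusters.
    Returns None if the volume-only grouping admits no feasible allocation."""
    load = [0] * K
    sensor_map = {}
    for name in sorted(SENSORS, key=lambda n: -SENSORS[n]["alerts"]):
        c = load.index(min(load))
        sensor_map[name] = c
        load[c] += SENSORS[name]["alerts"]
    cand = best_analyst_allocation(sensor_map)
    return None if cand is None else (cand[0], sensor_map, cand[1])


if __name__ == "__main__":
    print("joint:", joint_optimum())
    print("group-then-allocate:", group_then_allocate())
```

The exhaustive search is only viable for a handful of sensors and analysts; a real CSOC instance needs an integer programming solver, and the lexicographic (max, sum) key is one simple way to express the abstract's "minimize and balance" goal. The sequential routine can also return `None` outright when the volume-only grouping strands a sensor whose clearance or tool requirement no analyst subset can cover, which is the failure mode the abstract describes.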
