Understanding Tradeoffs Between Throughput, Quality, and Cost of Alert Analysis in a CSOC

Intrusion detection systems (IDSs) analyze data collected by sensors that monitor network traffic. Every alert the IDS generates is forwarded to a cybersecurity operations center (CSOC), whose central task is to analyze those alerts. To deliver strong security against threats, an efficient CSOC requires three things: 1) all alerts must be analyzed in a timely manner; 2) the organization must have an ideal mix of analyst expertise levels, because the quality of analysis depends on that mix; and 3) the operating budget must be adequate to hire the required number of analysts. However, it is non-trivial for a CSOC manager to establish the parameter settings for these characteristics that yield a desired CSOC efficiency, and the current literature lacks a thorough analysis of the tradeoffs between them. This paper fills that void. Its research objective is to develop an optimized tradeoff study model of the CSOC that studies and quantifies the interactions between the above characteristics, and to use the knowledge gained to provide the foundational principles for establishing and operating an efficient CSOC. A constraint-optimization tradeoff study model is built to drive the decisions that optimize these characteristics, and it is then tested via several simulation runs of the alert arrival and service processes at the CSOC. The paper serves as a first step toward a unified tradeoff study model that integrates throughput performance, quality of analysis, and cost metrics to design and establish an efficient CSOC. Results from the optimization-simulation tests capture several valuable insights, along with parameter settings for the metrics, that explain how to operate an efficient CSOC and quantify the economic impact of scaling up the CSOC operation.
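To make the three-way tradeoff concrete, the following is an added toy model, not the paper's model or code: alert arrivals are simulated as a Poisson process over one shift, analysts of three expertise levels work the queue at level-dependent rates, and a brute-force search over staffing mixes picks the cheapest mix that meets a throughput target (fraction of alerts picked up within a deadline) and a quality target (mean expertise score of the analysts who handled the alerts) inside a budget. The analyst profiles (`LEVELS`), the arrival rate, the deadline, the targets and the budget are all constructed values chosen for illustration; the exhaustive enumeration stands in for whatever optimization solver a real tradeoff study would use.

```python
"""Toy CSOC staffing tradeoff: throughput vs. analysis quality vs. cost.

Constructed illustration, not the model from the paper: alerts arrive as a
Poisson process, each alert carries an exponentially distributed amount of
work, and analysts of three expertise levels work it off at level-dependent
rates. Throughput is measured as the share of alerts picked up within a
deadline, quality as the mean expertise score of the analysts who handled
them, cost as labour cost for the shift.
"""
import heapq
import random
from itertools import product

# Constructed analyst profiles: hourly cost, alerts/hour service rate,
# quality score of the analysis performed by that level.
LEVELS = {
    "junior": {"cost": 40.0, "rate": 8.0, "quality": 0.70},
    "mid": {"cost": 60.0, "rate": 10.0, "quality": 0.85},
    "senior": {"cost": 90.0, "rate": 12.0, "quality": 0.95},
}


def staff_cost(staffing, shift_hours):
    """Labour cost of one shift for a staffing mix {level: headcount}."""
    return sum(LEVELS[lvl]["cost"] * n * shift_hours for lvl, n in staffing.items())


def generate_alerts(rate_per_hour, shift_hours, seed):
    """Poisson arrivals over the shift plus a unit-mean work amount per alert."""
    rng = random.Random(seed)
    arrivals, work, t = [], [], 0.0
    while True:
        t += rng.expovariate(rate_per_hour)
        if t > shift_hours:
            break
        arrivals.append(t)
        work.append(rng.expovariate(1.0))  # service time = work / analyst rate
    return arrivals, work


def simulate(arrivals, work, staffing, deadline_hours):
    """FIFO alert queue served by whichever analyst is free earliest.

    Returns (fraction of alerts whose analysis started within the deadline,
    mean quality score of the analysts who handled the alerts).
    """
    # Min-heap of (time the analyst becomes free, analyst level).
    free = [(0.0, lvl) for lvl, n in staffing.items() for _ in range(n)]
    heapq.heapify(free)
    if not free or not arrivals:
        return 0.0, 0.0
    timely, quality_sum = 0, 0.0
    for arrived, amount in zip(arrivals, work):
        free_at, lvl = heapq.heappop(free)
        start = max(arrived, free_at)
        if start - arrived <= deadline_hours:
            timely += 1
        quality_sum += LEVELS[lvl]["quality"]
        heapq.heappush(free, (start + amount / LEVELS[lvl]["rate"], lvl))
    return timely / len(arrivals), quality_sum / len(arrivals)


def optimize_staffing(arrivals, work, shift_hours, deadline_hours, budget,
                      min_timely, min_quality, max_per_level=6):
    """Cheapest mix meeting the throughput and quality targets within budget.

    Exhaustive enumeration over headcounts per level (a stand-in for a real
    solver on this toy-sized instance). Ties on cost prefer higher quality.
    Returns (staffing, cost, timely_fraction, quality) or None if infeasible.
    """
    best = None
    levels = list(LEVELS)
    for counts in product(range(max_per_level + 1), repeat=len(levels)):
        staffing = {lvl: n for lvl, n in zip(levels, counts) if n}
        cost = staff_cost(staffing, shift_hours)
        if cost > budget:
            continue
        timely, quality = simulate(arrivals, work, staffing, deadline_hours)
        if timely < min_timely or quality < min_quality:
            continue
        key = (cost, -quality)
        if best is None or key < best[0]:
            best = (key, (staffing, cost, timely, quality))
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed scenario: 20 alerts/hour, 8-hour shift, 15-minute pickup
    # deadline, 90% timely target, 0.80 quality floor, 5000 budget.
    arrivals, work = generate_alerts(20.0, 8.0, seed=7)
    print(optimize_staffing(arrivals, work, 8.0, 0.25, 5000.0, 0.9, 0.8))
```

Tightening any one constraint (a lower budget, a shorter deadline, a higher quality floor) and re-running shows how the feasible mixes shift or disappear, which is the kind of interaction the tradeoff study is meant to quantify.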
