Abstract
Alert data management entails several tasks at a Cyber Security Operations Center such as tasks related to alert analysis, those related to threat mitigation if an alert is deemed to be significant, signature update for an intrusion detection system, and so on. This chapter presents a metric for measuring the performance of the CSOC, and develop a strategy for effective alert data management that optimizes the execution of certain tasks pertaining to alert analysis. One of the important performance metrics pertaining to alert analysis include the processing of the alerts in a timely manner to maintain a certain Level of Operational Effectiveness (LOE). Maintaining LOE requires two foremost tasks among several others: (1) the dynamic optimal scheduling of CSOC analysts to respond to the uncertainty in the day-to-day demand for alert analysis, and (2) the dynamic optimal allocation of CSOC analyst resources to the sensors that are being monitored. However, the above tasks are inter-dependent because the daily allocation task per shift requires the availability of the analysts (resource) to meet the uncertainties in the demand for alert analysis at the CSOC due to varying alert generation and/or service rates, and the resource availability must be scheduled ahead of time, despite the above uncertainty, for practical implementation in the real-world. In this chapter, an optimization modeling framework is presented that schedules the analysts using historical and predicted demand patterns for alert analysis over a 14-day work-cycle, selects additional (on-call) analysts that are required in a shift, and optimally allocates all the required analysts on a day-to-day basis per each working shift. Results from simulation studies validate the optimization modeling framework, and show the effectiveness of the strategy for alert analysis in order to maintain the LOE of the CSOC at the desired level.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
We arrived at the 1% figure based on our literature search and numerous conversations with cybersecurity analysts and Cybersecurity Operations Center (SOC) managers. Our model treats this value as a parameter that can be changed as needed.
References
Shah, A., Ganesan, R., Jajodia, S., Cam, H.: A methodology to measure and monitor level of operational effectiveness of a CSOC. Int. J. Inf. Secur. 17(2), 121–134 (2018)
Ganesan, R., Jajodia, S., Cam, H.: Optimal scheduling of cybersecurity analysts for minimizing risk. ACM Trans. Intell. Syst. Technol. 8(4), 52:1–52:32 (2017). https://doi.org/10.1145/2914795
Ganesan, R., Jajodia, S., Shah, A., Cam, H.: Dynamic scheduling of cybersecurity analysts for minimizing risk using reinforcement learning. ACM Trans. Intell. Syst. Technol. 8(1), 4:1–4:21 (2016). https://doi.org/10.1145/2882969
Anderson, J.P.: Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington (1980)
Denning, D.E.: An intrusion-detection model. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, pp. 118–131, May 1986
Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. 13(2), 222–232 (1987)
Northcutt, S., Novak, J.: Network Intrusion Detection, 3rd edn. New Riders Publishing, Thousand Oaks (2002)
Di Pietro, R., Mancini, L.V. (eds.): Intrusion Detection Systems. ADIS, vol. 38. Springer, Boston (2008). https://doi.org/10.1007/978-0-387-77265-3
Subrahmanian, V.S., Ovelgönne, M., Dumitras, T., Prakash, B.A.: The Global Cyber-Vulnerability Report. TSC. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25760-0
Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 305–316, May 2010
Barbará, D., Jajodia, S. (eds.): Application of Data Mining in Computer Security. ADIS, vol. 6. Springer, Boston (2002). https://doi.org/10.1007/978-1-4615-0953-0
Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)
Zimmerman, C.: The strategies of a world-class cybersecurity operations center. The MITRE Corporation, McLean (2014)
Lesaint, D., Voudouris, C., Azarmi, N., Alletson, I., Laithwaite, B.: Field workforce scheduling. BT Technol. J. 21(4), 23–26 (2003)
Nobert, Y., Roy, J.: Freight handling personnel scheduling at air cargo terminals. Transp. Sci. 32(3), 295–301 (1998)
Reis, J., Mamede, N.: Multi-Agent Dynamic Scheduling and Re-Scheduling with Global Temporal Constraints. Kluwer Academic Publishers, Dordrecht (2002)
Zhou, F., Wang, J., Wang, J., Jonrinaldi, J.: A dynamic rescheduling model with multi-agent system and its solution method. J. Mech. Eng. 58(2), 81–92 (2012)
Helm, J.E., AhmadBeygi, S., Van Oyen, M.P.: Design and analysis of hospital admission control for operational effectiveness. Prod. Oper. Manag. 20(3), 359–374 (2011)
Chen, Z., King, W., Pearcey, R., Kerba, M., Mackillop, W.J.: The relationship between waiting time for radiotherapy and clinical outcomes: a systematic review of the literature. Radiother. Oncol. 87(1), 3–16 (2008)
Guerriero, F., Guido, R.: Operational research in the management of the operating theatre: a survey. Health Care Manag. Sci. 14(1), 89–114 (2011)
Tijms, H.: New and old results for the M/D/c queue. AEU-Int. J. Electron. Commun. 60(2), 125–130 (2006)
Marianov, V., Serra, D.: Location models for airline hubs behaving as M/D/c queues. Comput. Oper. Res. 30(7), 983–1003 (2003)
DON CIO: Cyber Crime Handbook. Department of Navy, Washington, DC (2008)
Pinedo, M.L.: Planning and Scheduling in Manufacturing and Services. Springer, New York (2009). https://doi.org/10.1007/978-1-4419-0910-7
Acknowledgment
The authors would like to thank Dr. Sushil Jajodia of the Center for Secure Information Systems, Dr. Hasan Cam and Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research. Ganesan, and Shah were partially supported by the Army Research Office under grants W911NF-13-1-0421 and W911NF-15-1-0576 and by the Office of Naval Research grant N00014-15-1-2007.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Ganesan, R., Shah, A. (2018). A Strategy for Effective Alert Analysis at a Cyber Security Operations Center. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science(), vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-04834-1_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04833-4
Online ISBN: 978-3-030-04834-1
eBook Packages: Computer ScienceComputer Science (R0)