
A Strategy for Effective Alert Analysis at a Cyber Security Operations Center

Chapter

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11170))

Abstract

Alert data management entails several tasks at a Cyber Security Operations Center (CSOC), such as alert analysis, threat mitigation when an alert is deemed significant, signature updates for an intrusion detection system, and so on. This chapter presents a metric for measuring the performance of the CSOC and develops a strategy for effective alert data management that optimizes the execution of certain tasks pertaining to alert analysis. One of the important performance metrics for alert analysis is the processing of alerts in a timely manner so as to maintain a certain Level of Operational Effectiveness (LOE). Maintaining the LOE requires two foremost tasks among several others: (1) the dynamic optimal scheduling of CSOC analysts to respond to the uncertainty in the day-to-day demand for alert analysis, and (2) the dynamic optimal allocation of CSOC analyst resources to the sensors being monitored. These two tasks are inter-dependent: the daily allocation task per shift requires that analysts (the resource) be available to meet the uncertain demand for alert analysis at the CSOC, which arises from varying alert generation and/or service rates, while for practical implementation in the real world the resource availability must be scheduled ahead of time, despite that uncertainty. In this chapter, an optimization modeling framework is presented that schedules the analysts using historical and predicted demand patterns for alert analysis over a 14-day work-cycle, selects the additional (on-call) analysts required in a shift, and optimally allocates all the required analysts on a day-to-day basis for each working shift. Results from simulation studies validate the optimization modeling framework and show the effectiveness of the strategy for alert analysis in maintaining the LOE of the CSOC at the desired level.


Notes

  1. We arrived at the 1% figure based on our literature search and numerous conversations with cybersecurity analysts and Cybersecurity Operations Center (SOC) managers. Our model treats this value as a parameter that can be changed as needed.


Acknowledgment

The authors would like to thank Dr. Sushil Jajodia of the Center for Secure Information Systems, Dr. Hasan Cam and Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research. Ganesan and Shah were partially supported by the Army Research Office under grants W911NF-13-1-0421 and W911NF-15-1-0576 and by the Office of Naval Research grant N00014-15-1-2007.

Author information

Corresponding author: Rajesh Ganesan.


Copyright information

© 2018 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Ganesan, R., Shah, A. (2018). A Strategy for Effective Alert Analysis at a Cyber Security Operations Center. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science(), vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_11


  • DOI: https://doi.org/10.1007/978-3-030-04834-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04833-4

  • Online ISBN: 978-3-030-04834-1

  • eBook Packages: Computer Science (R0)
