Abstract
Alert data management is one of the top functions performed by Cyber Security Operations Centers (CSOCs). This chapter is focused on the development of an integrated framework of several tasks for alert data management. The tasks and their execution are sequenced as follows: (1) determining the regular analyst staffing of different expertise levels for a given alert arrival/service rate, and scheduling of analysts to minimize risk, (2) sensor clustering and dynamic reallocation of analysts to sensors, and (3) measuring, monitoring, and controlling the level of operational effectiveness (LOE), with the capability to bring in additional analysts as needed. The chapter presents several metrics for measuring the performance of the CSOC, which in turn drive the development of various optimization strategies that optimize the execution of the above tasks for alert analysis. It is shown that the tasks are highly interdependent and must be integrated and sequenced in a framework for alert data management. For each task, results from simulation studies validate the optimization model and show the effectiveness of the modeling and algorithmic strategy for efficient alert data management, which in turn contributes to optimal overall management of CSOCs.
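The first task in the abstract, sizing the analyst pool for a given alert arrival and service rate, can be illustrated with a standard queueing calculation. The code below is an added example, not the chapter's own model or code: it assumes an M/M/c (Erlang C) queue with one expertise level, Poisson alert arrivals at rate `lam` per hour and exponential service at rate `mu` per analyst per hour, and finds the smallest analyst count whose expected queueing delay stays under a target. The names `erlang_c`, `expected_wait`, `utilization`, `min_analysts` and `staffing_table`, and the sample rates, are all constructed for this illustration.

```python
"""Staffing an alert queue with Erlang C (added example, not the chapter's model).

Alerts arrive at rate lam (per hour) and each analyst clears alerts at rate
mu (per hour). Treating the CSOC as an M/M/c queue is an assumption made
here so that one staffing question from the abstract can be shown in code:
how many analysts of one expertise level keep the expected queueing delay
of an alert under a target, and what utilization that staffing implies.
"""
from math import factorial


def erlang_c(lam: float, mu: float, c: int) -> float:
    """Probability that an arriving alert must wait because all c analysts are busy."""
    if c <= 0 or lam <= 0 or mu <= 0:
        raise ValueError("rates and analyst count must be positive")
    a = lam / mu                      # offered load in analyst-equivalents
    if a >= c:
        raise ValueError("unstable: offered load must be below analyst count")
    head = (a ** c / factorial(c)) * (c / (c - a))
    tail = sum(a ** k / factorial(k) for k in range(c))
    return head / (head + tail)


def expected_wait(lam: float, mu: float, c: int) -> float:
    """Mean time (hours) an alert spends queued before an analyst picks it up."""
    return erlang_c(lam, mu, c) / (c * mu - lam)


def utilization(lam: float, mu: float, c: int) -> float:
    """Fraction of analyst capacity consumed by the alert stream."""
    return lam / (c * mu)


def min_analysts(lam: float, mu: float, max_wait: float, c_max: int = 500) -> int:
    """Smallest analyst count whose expected queueing delay is at most max_wait."""
    c = int(lam / mu) + 1             # first count that makes the queue stable
    while c <= c_max:
        if expected_wait(lam, mu, c) <= max_wait:
            return c
        c += 1
    raise ValueError("no staffing level within c_max meets the target")


def staffing_table(lam: float, mu: float, targets: list) -> dict:
    """Analysts needed for each target delay; exposes the staffing/risk trade-off."""
    return {t: min_analysts(lam, mu, t) for t in targets}


if __name__ == "__main__":
    # Constructed sample rates: 30 alerts/hour, each analyst clears 4/hour.
    LAM, MU = 30.0, 4.0
    for target, c in staffing_table(LAM, MU, [1.0, 0.25, 0.05]).items():
        print(f"target delay {target:5.2f} h -> {c:2d} analysts, "
              f"utilization {utilization(LAM, MU, c):.2f}, "
              f"expected wait {expected_wait(LAM, MU, c):.3f} h")
```

Tightening the delay target raises the analyst count and lowers utilization; the gap between the two is the slack that the abstract's third task (bringing in additional analysts when the LOE drops) has to cover when arrivals exceed the planned rate.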
Notes
1. We arrived at the 1% figure based on our literature search and numerous conversations with cybersecurity analysts and Cybersecurity Operations Center (SOC) managers. Our model treats this value as a parameter that can be changed as needed.
Acknowledgment
The authors would like to thank Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research. This work is partially supported by the Army Research Office under grant W911NF-13-1-0421.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this chapter
Ganesan, R., Shah, A., Jajodia, S., Cam, H. (2019). Optimizing Alert Data Management Processes at a Cyber Security Operations Center. In: Jajodia, S., Cybenko, G., Liu, P., Wang, C., Wellman, M. (eds) Adversarial and Uncertain Reasoning for Adaptive Cyber Defense. Lecture Notes in Computer Science(), vol 11830. Springer, Cham. https://doi.org/10.1007/978-3-030-30719-6_9
DOI: https://doi.org/10.1007/978-3-030-30719-6_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30718-9
Online ISBN: 978-3-030-30719-6
eBook Packages: Computer Science, Computer Science (R0)