Optimizing Alert Data Management Processes at a Cyber Security Operations Center

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11830)


Alert data management is one of the primary functions performed by a Cyber Security Operations Center (CSOC). This chapter is focused on the development of an integrated framework of several tasks for alert data management. The tasks and their execution are sequenced as follows: (1) determining the regular analyst staffing at different expertise levels for a given alert arrival/service rate, and scheduling the analysts to minimize risk; (2) sensor clustering and dynamic reallocation of analysts to sensors; and (3) measuring, monitoring, and controlling the level of operational effectiveness (LOE), with the capability to bring in additional analysts as needed. The chapter presents several metrics for measuring the performance of the CSOC, which in turn drive the development of optimization strategies for executing the above alert analysis tasks. It is shown that the tasks are highly interdependent and must be integrated and sequenced in a framework for alert data management. For each task, results from simulation studies validate the optimization model and show the effectiveness of the modeling and algorithmic strategy for efficient alert data management, which in turn contributes to the optimal overall management of CSOCs.



The authors would like to thank Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research. This work is partially supported by the Army Research Office under grant W911NF-13-1-0421.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Center for Secure Information Systems, George Mason University, Fairfax, USA
  2. Army Research Laboratory, Adelphi, USA
