A Strategy for Effective Alert Analysis at a Cyber Security Operations Center
- 745 Downloads
Alert data management entails several tasks at a Cyber Security Operations Center such as tasks related to alert analysis, those related to threat mitigation if an alert is deemed to be significant, signature update for an intrusion detection system, and so on. This chapter presents a metric for measuring the performance of the CSOC, and develop a strategy for effective alert data management that optimizes the execution of certain tasks pertaining to alert analysis. One of the important performance metrics pertaining to alert analysis include the processing of the alerts in a timely manner to maintain a certain Level of Operational Effectiveness (LOE). Maintaining LOE requires two foremost tasks among several others: (1) the dynamic optimal scheduling of CSOC analysts to respond to the uncertainty in the day-to-day demand for alert analysis, and (2) the dynamic optimal allocation of CSOC analyst resources to the sensors that are being monitored. However, the above tasks are inter-dependent because the daily allocation task per shift requires the availability of the analysts (resource) to meet the uncertainties in the demand for alert analysis at the CSOC due to varying alert generation and/or service rates, and the resource availability must be scheduled ahead of time, despite the above uncertainty, for practical implementation in the real-world. In this chapter, an optimization modeling framework is presented that schedules the analysts using historical and predicted demand patterns for alert analysis over a 14-day work-cycle, selects additional (on-call) analysts that are required in a shift, and optimally allocates all the required analysts on a day-to-day basis per each working shift. Results from simulation studies validate the optimization modeling framework, and show the effectiveness of the strategy for alert analysis in order to maintain the LOE of the CSOC at the desired level.
The authors would like to thank Dr. Sushil Jajodia of the Center for Secure Information Systems, Dr. Hasan Cam and Dr. Cliff Wang of the Army Research Office for the many discussions which served as the inspiration for this research. Ganesan, and Shah were partially supported by the Army Research Office under grants W911NF-13-1-0421 and W911NF-15-1-0576 and by the Office of Naval Research grant N00014-15-1-2007.
- 4.Anderson, J.P.: Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington (1980)Google Scholar
- 5.Denning, D.E.: An intrusion-detection model. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, pp. 118–131, May 1986Google Scholar
- 7.Northcutt, S., Novak, J.: Network Intrusion Detection, 3rd edn. New Riders Publishing, Thousand Oaks (2002)Google Scholar
- 10.Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 305–316, May 2010Google Scholar
- 13.Zimmerman, C.: The strategies of a world-class cybersecurity operations center. The MITRE Corporation, McLean (2014)Google Scholar
- 16.Reis, J., Mamede, N.: Multi-Agent Dynamic Scheduling and Re-Scheduling with Global Temporal Constraints. Kluwer Academic Publishers, Dordrecht (2002)Google Scholar
- 23.DON CIO: Cyber Crime Handbook. Department of Navy, Washington, DC (2008)Google Scholar