An Outsourcing Model for Alert Analysis in a Cybersecurity Operations Center

Published: 09 January 2020

Abstract

A typical Cybersecurity Operations Center (CSOC) is a service organization. It hires and trains analysts whose task is to analyze the alerts generated while monitoring the client’s networks. Because the financial and infrastructure burden on a CSOC keeps growing, driven by the rapidly growing demand for security services, continually expanding the size of a CSOC to meet future demand would become prohibitively expensive. An alternative is to outsource the alert analysis process to on-demand analysts, giving the CSOC a scalable service for its clients with (1) higher throughput, (2) higher quality, and (3) lower cost than the current in-house service. The current outsourcing model is not cost effective, and an exact optimization model is computationally inefficient. This article presents a novel two-step sequential mixed integer programming optimization method, which is used to develop a new decision-support business model for outsourcing the alert analysis process. It is demonstrated that through this model a CSOC can effectively deliver its alert management services with the above-mentioned features. Results indicate that the model is scalable, computationally viable, and implementable in real time, and that it can deliver CSOC services that meet the service-level agreement (SLA) between the CSOC and its client. In addition, the article provides valuable insights into the cost of operating the new business process outsourcing model for cybersecurity services.


Published in

ACM Transactions on the Web, Volume 14, Issue 1
February 2020
133 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/3378674

Copyright © 2020 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 9 January 2020
• Accepted: 1 November 2019
• Revised: 1 July 2019
• Received: 1 October 2018

Qualifiers

• research-article
• Research
• Refereed
