Abstract

A Cyber Security Operations Center (CSOC) is responsible for investigating all the alerts generated by its intrusion detection systems in order to identify suspicious activity in a timely manner. There is a critical gap between the time needed (demand) and the time available (limited analyst resources) for alert investigation at a CSOC. Alert prioritization is therefore important, and CSOCs currently employ ad-hoc filtering methods to prune and triage the alerts presented to analysts for investigation. A major drawback of these ad-hoc methods is that they do not comprehensively take into account organization-specific factors such as mission and asset criticality, CSOC resource availability, demand variation, and the desired CSOC performance metrics. Hence, an ad-hoc triaging (or prioritization) method is insufficient, and an intelligent method for the optimal selection of alerts that considers the above factors must be developed; this paper describes such a method as a two-step process. First, a composite risk score for each alert is determined using a quantitative value function hierarchy process that takes several organization-specific factors into account. Second, an optimization model selects a list of alerts for investigation that optimizes the CSOC performance metrics for a given demand, subject to the CSOC's resource constraints. Experimental results show that alerts pertaining to mission criticalities are handled in a timelier manner than under current CSOC practices. The average persistence time of an alert in the CSOC system is also shown to decrease significantly with the new approach, which represents a paradigm shift toward a stronger cyber-defense system that protects the critical constituents of an organization.
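The two-step process described above, as an added illustration that is not the paper's own model or code: step 1 builds a composite risk score per alert from organization-specific factors with a weighted additive value function (the paper's actual value function hierarchy, factors and weights are not given here, so the factors, weights and linear value functions below are assumptions), and step 2 selects the subset of alerts to investigate that maximizes the total risk score covered within the available analyst time, solved here as a 0/1 knapsack by dynamic programming (a stand-in for the paper's optimization model, whose exact formulation is not on this page). The alert records are constructed sample data.

```python
"""Added example (not the paper's code): composite alert risk scoring
followed by optimal alert selection under an analyst-time budget."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: int            # IDS severity, 1 (low) .. 5 (critical)
    asset_criticality: int   # organization's rating of the target asset, 1..5
    mission_impact: int      # how directly the asset supports a mission, 1..5
    age_minutes: int         # time the alert has already waited in the queue
    effort_minutes: int      # analyst time needed to investigate


# Assumed weights (not from the paper); they sum to 1.0 so the composite
# score stays within [0, 1].  The age term rewards alerts that have waited
# longer, which is what pushes average persistence time down.
WEIGHTS: Dict[str, float] = {
    "severity": 0.30,
    "asset_criticality": 0.30,
    "mission_impact": 0.25,
    "age": 0.15,
}


def linear_value(x: float, lo: float, hi: float) -> float:
    """Single-attribute value function: map x in [lo, hi] onto [0, 1],
    clamping anything outside the range."""
    if hi <= lo:
        raise ValueError("hi must exceed lo")
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def composite_risk(alert: Alert, max_age_minutes: int = 240) -> float:
    """Step 1: weighted additive aggregation of the per-factor values."""
    values = {
        "severity": linear_value(alert.severity, 1, 5),
        "asset_criticality": linear_value(alert.asset_criticality, 1, 5),
        "mission_impact": linear_value(alert.mission_impact, 1, 5),
        "age": linear_value(alert.age_minutes, 0, max_age_minutes),
    }
    return sum(WEIGHTS[k] * values[k] for k in WEIGHTS)


def select_alerts(alerts: List[Alert], analyst_minutes: int) -> Tuple[List[str], float]:
    """Step 2: choose the alert subset that maximizes summed risk score
    without exceeding analyst_minutes (0/1 knapsack, exact DP).
    Returns the chosen alert ids in input order and the total score."""
    n = len(alerts)
    scores = [composite_risk(a) for a in alerts]
    # best[i][t] = max score achievable with the first i alerts and t minutes.
    best = [[0.0] * (analyst_minutes + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        cost, gain = alerts[i - 1].effort_minutes, scores[i - 1]
        for t in range(analyst_minutes + 1):
            best[i][t] = best[i - 1][t]
            if cost <= t and best[i - 1][t - cost] + gain > best[i][t]:
                best[i][t] = best[i - 1][t - cost] + gain
    # Backtrack to recover which alerts produced the optimum.
    chosen: List[str] = []
    t = analyst_minutes
    for i in range(n, 0, -1):
        if best[i][t] != best[i - 1][t]:
            chosen.append(alerts[i - 1].alert_id)
            t -= alerts[i - 1].effort_minutes
    chosen.reverse()
    return chosen, best[n][analyst_minutes]


# Constructed sample alerts: A1 and A3 hit mission-critical assets, A2 is
# low-value but has waited a long time, A5 is high severity on a low-value host.
SAMPLE_ALERTS: List[Alert] = [
    Alert("A1", severity=5, asset_criticality=5, mission_impact=5, age_minutes=30, effort_minutes=60),
    Alert("A2", severity=2, asset_criticality=1, mission_impact=1, age_minutes=200, effort_minutes=20),
    Alert("A3", severity=4, asset_criticality=4, mission_impact=5, age_minutes=90, effort_minutes=45),
    Alert("A4", severity=3, asset_criticality=2, mission_impact=2, age_minutes=10, effort_minutes=15),
    Alert("A5", severity=5, asset_criticality=2, mission_impact=1, age_minutes=60, effort_minutes=40),
]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.alert_id}: risk={composite_risk(a):.4f} effort={a.effort_minutes}m")
    ids, total = select_alerts(SAMPLE_ALERTS, analyst_minutes=120)
    print("investigate:", ids, f"(total risk covered {total:.4f})")
```

With a 120-minute analyst budget the selection is A1, A3 and A4: the two mission-critical alerts are taken first, and the remaining 15 minutes go to A4 rather than to the long-waiting but low-value A2. Raising the age weight is how a CSOC would trade mission focus against persistence time; in practice the weights would be elicited from the organization rather than set by hand as here.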
