Abstract

While cyberspace knows no borders, there are commercial, regional, national and international interests that seek to assure the trust, availability and dependability of cyberspace for their specific needs. Cyber Security Operations is the term used to describe activities that span (a) securing a portion of cyberspace, (b) monitoring and analyzing threats and incidents, and (c) responsively and proactively managing incidents. These operations centers stand a better chance at securing and defending their portion of cyberspace if they adopt a collaborative and coordinated operations approach. In order to establish a strong analytical foundation required for developing collaborative cyber security operations tradecraft, an operations center characterization model is necessary to provide the common underlying framework for collaboration discussions. We have developed an analytical model to capture common and significant aspects of cyber security operations centers. The model addresses seven foundational areas or dimensions: scope, activities, process management, facilities, organizational dynamics, external interactions, and environment. We developed a simple, yet effective, operations center questionnaire based on the model, and used it to collect actual operations center data from a dozen diverse cyber security operations centers. In this paper we describe the operations center characterization model and discuss information gleaned from four of the cyber security centers. We demonstrate that the operations center characterization model's rapid data collection and visual analysis lend themselves to aiding the cyber security community to (a) identify areas of collaboration, (b) customize information sharing, and (c) improve efficiency and effectiveness of a center's operations by learning from similar centers in the community.
