Optimal Assignment of Sensors to Analysts in a Cybersecurity Operations Center

Abstract

A cybersecurity operations center (CSOC) analyzes a large volume of alerts generated by intrusion detection systems, which process data from a number of sensors. Sensors are assigned to analysts, and the number of sensors is much larger than the number of analysts at the CSOC. Hence, sensors are grouped into clusters, which are allocated to analysts for investigation. There are two essential properties that must be met in the above grouping and allocation process: 1) meeting the cluster's requirement for specific analyst expertise mix, complete tool coverage that allows the analysts to handle the type of alerts generated, and analyst credentials such as security clearances; and 2) minimizing and balancing the number of unanalyzed alerts among clusters at the end of the daily work shift because an imbalance or a large number of unanalyzed alerts among clusters due to factors such as lack of analyst credentials or tooling expertise in a cluster would pose a security risk to the organization. Current practice at CSOCs is to group and then to allocate, which may not meet the above properties because grouping and allocation steps are done independently that remain static for a long time despite uncertainties such as day-to-day changes in alert generation rates and analyst absenteeism. This paper meets both properties by presenting an optimization model, in which grouping of sensors to clusters and analyst allocation to clusters is achieved simultaneously . The integrated methodology produces optimal sensor grouping and analyst allocation that is adaptable to changing shift conditions.