We propose PCAM, a Probabilistic Cyber-Alert Management framework, that enables chief information security officers to better manage cyber-alerts. Workers in Cyber Security Operation Centers usually work in 8- or 12-hour shifts. Before a shift, PCAM analyzes data about all past alerts and true alerts during the shift time-frame to schedule a given set of analysts in accordance with workplace constraints so that the expected number of “uncovered” true alerts (i.e., true alerts not shown to an analyst) is minimized. Using statistics derived from 44 days of real-world alert data, we are able to minimize the expected number of true alerts that are not manually examined by a team consisting of junior, senior, and principal analysts. PCAM achieves this by formulating the problem as a bi-level non-linear optimization problem and then shows how to linearize and solve this complex problem. We are also able to identify the optimal mix of junior, senior, and principal analysts needed during both day and night shifts given a budget, outperforming some reasonable baselines. We tested PCAM’s proposed schedule (from statistics on 44 days) on a further 6 days of data, using an off-the-shelf false alarm classifier to predict which alerts are real and which ones are false. Moreover, we show experimentally that PCAM is robust to various kinds of errors in the statistics used.

1 INTRODUCTION

Most Cyber Security Operations Centers (CSOCs) are flooded by alerts. For instance, while speaking about the Sony breach in 2015, one source says that “while the tools were able to identify the malicious activity, those alerts were lost in a sea of 40,000 other alerts that same month.” Other sources state that “the security operations center (SOC) is drowning in cybersecurity alerts” and go on to state that banks see over 100,000 alerts per day. We propose Probabilistic Cyber-Alert Management (PCAM), a framework that uses statistics to manage this flood of alerts while satisfying workplace requirements within a given work shift. (i) As seen on the left side of Figure 1, before a shift starts, PCAM uses historical statistics to compute a schedule of work specifying the analysts’ lunch and other breaks. (ii) Then, as shown on the right of the figure, during a shift, security products generate alerts. Because each “true alert” must be examined by an analyst, PCAM tries to ensure that this schedule minimizes the expected number of “uncovered” true alerts.
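The following toy Python program is an added illustration, not the paper's bi-level formulation or code, of the objective described above: given constructed per-slot historical expectations of true alerts and an assumed number of alerts one analyst can examine per slot, it searches all placements of a small team's breaks inside an allowed window and returns the schedule with the fewest expected uncovered true alerts. The alert statistics, capacity, team size and break window are all constructed assumptions.

```python
"""Toy illustration of the PCAM scheduling objective (not the paper's model).

Constructed example: an 8-hour shift in one-hour slots, a team of three
analysts who each owe one one-slot break inside an allowed window, and a
fixed number of alerts each analyst can examine per slot. We search all
break assignments for the one with the fewest expected uncovered true alerts.
"""
from itertools import product

# Constructed "historical statistics": mean number of true alerts per slot.
EXPECTED_TRUE = [4.0, 6.0, 9.0, 12.0, 10.0, 7.0, 5.0, 3.0]
CAPACITY = 4.0              # assumed true alerts one analyst can examine per slot
N_ANALYSTS = 3
BREAK_WINDOW = range(2, 6)  # workplace rule (assumed): breaks fall in slots 2..5


def expected_uncovered(expected_true, on_duty, capacity):
    """Sum over slots of true alerts expected beyond the on-duty capacity."""
    return sum(max(0.0, e - capacity * n) for e, n in zip(expected_true, on_duty))


def on_duty_counts(n_analysts, breaks, n_slots):
    """breaks[a] is the slot in which analyst a is away; others are on duty."""
    counts = [n_analysts] * n_slots
    for slot in breaks:
        counts[slot] -= 1
    return counts


def best_schedule(expected_true, n_analysts, capacity, window):
    """Exhaustive search over break assignments; returns (cost, breaks)."""
    n_slots = len(expected_true)
    best = None
    for breaks in product(window, repeat=n_analysts):
        duty = on_duty_counts(n_analysts, breaks, n_slots)
        cost = expected_uncovered(expected_true, duty, capacity)
        if best is None or cost < best[0]:
            best = (cost, breaks)
    return best


if __name__ == "__main__":
    # Baseline: everyone takes lunch together in the busiest slot.
    naive = on_duty_counts(N_ANALYSTS, (3, 3, 3), len(EXPECTED_TRUE))
    print("all-break-together:", expected_uncovered(EXPECTED_TRUE, naive, CAPACITY))
    cost, breaks = best_schedule(EXPECTED_TRUE, N_ANALYSTS, CAPACITY, BREAK_WINDOW)
    print("optimized breaks:", sorted(breaks), "expected uncovered:", cost)
```

With these constructed numbers the common-lunch baseline leaves 12 expected true alerts uncovered, while staggering the breaks into slots 2, 4 and 5 reduces that to 3.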