Optimal Cyber Security Staffing Plan
OR/SYST 699 Project Proposal
Jennifer Krajic, Kendrick van Doorn, Thomas Lepp

Systems Engineering and Operations Research


Table of Contents

1. Project Summary
2. Introduction
   2.1. Background
   2.2. Problem Statement & Definition
   2.3. Problem Scope
      2.3.1. Past Research
      2.3.2. Primary Problem Requirements
      2.3.3. Initial Assumptions
3. Technical Approach
4. Expected Results
   4.1. In Scope
   4.2. Out of Scope
5. Project Plan
   5.1. Methodology
   5.2. Resources
   5.3. Schedule
   5.4. Milestones
6. References

Table of Figures

Figure 1: Typical CSOC Workflow
Figure 2: Daily Alert Demand Graphical Representation
Figure 3: MS Project File
Figure 4: MS Project File #2
Figure 5: MS Project File #3

Table of Tables

Table 1: Project Milestones


1. Project Summary

The purpose of this project is to develop a model that produces variable shift staffing patterns for a Cyber Security Operations Center (CSOC). Every alert received must be investigated by an analyst within the agreed-upon time constraints. A dynamic workload pattern will be incorporated into the model to allow variable scheduling of analysts' time.

2. Introduction

2.1. Background

A Network Intrusion Detection System (NIDS) is hardware or software that monitors a network through sensors and generates alerts. Alerts are generated by signature-based or anomaly-based methods. The workflow of a typical CSOC is shown below.

Figure 1: Typical CSOC Workflow

Cyber security is a dynamic field that requires constant vigilance and adaptation to evolving threats. A NIDS generates alerts that cyber security analysts review for potential danger and risk to the network. Recently, data breaches across both the private and commercial sectors have increased drastically. These breaches have cost individuals and companies millions of dollars in damages and credibility.


At the core of cyber security is monitoring. Monitoring is the critical activity common to all cyber security methodologies. It is no longer viable simply to configure a system or network to be "secure" and leave it. The dynamic nature of today's threats requires constant monitoring for anomalies or atypical events on the system and network. Monitoring can include system logs, vulnerability scans, and NIDS alerts. Without complete monitoring coverage, a system, network, or company is at risk.

2.2. Problem Statement & Definition

A CSOC protects against emerging and dynamic cybersecurity threats. It is critical that all alerts are covered in a timely manner to reduce risk to the organization while minimizing payroll costs.

2.3. Problem Scope

The team shall deliver a variable shift pattern staffing schedule that allows for the investigation of all alerts that a CSOC receives in a 14 day time period, while minimizing payroll costs. The mathematical model will meet the staffing and shift requirements established by the customer. This project shall run from January 19th to May 4th, 2017.

2.3.1. Past Research

Optimal Cybersecurity Analyst Staffing Plan is a continuation of the research in the article "Dynamic Scheduling of Cybersecurity Analysts for Minimizing Risk Using Reinforcement Learning".

“The article presents a reinforcement learning-based stochastic dynamic programming optimization model that incorporates … estimates of future alert rates and responds by dynamically scheduling cybersecurity analysts to minimize risk (i.e., maximize significant alert coverage by analysts) and maintain the risk under a pre-determined upper bound” (Ganesan et al. 1).

The Optimal Cybersecurity Analyst Staffing Plan will minimize payroll cost by using variable shift patterns so that all alerts are investigated in a timely manner, while meeting staffing and shift requirements.

Input parameters used for the staffing plan are taken from the article "Dynamic Scheduling of Cybersecurity Analysts for Minimizing Risk Using Reinforcement Learning". The input parameters include investigation rates of analysts, assumed alert arrival rates, and three levels of analysts: junior, intermediate, and senior.

2.3.2. Primary Problem Requirements

The staffing plan must meet the following shift and staffing requirements:

1. A minimum of two analysts must be on schedule every hour, with at least one being a senior.
2. A shift length can vary from 4 to 12 hours.
3. Each analyst must work 80 hours per 2 weeks.
4. A minimum of 8 hours off-work must be between shifts for employees.
5. Analysts require every other weekend off-work.
6. Analysts cannot work more than six consecutive days.

In addition to staffing and shift requirements, alert volume ranges from very high to low and repeats weekly as shown in the chart below.

Figure 2: Daily Alert Demand Graphical Representation

2.3.3. Initial Assumptions

Assumptions made for developing the Optimal Cyber Security Analyst Staffing Plan are the following:

1. Alerts arrive at the beginning of each hour.
2. All alerts are investigated by the end of the hour in which they are received.
3. Analysts work the entire hour.
4. Investigation rates incorporate nominal work breaks.

3. Technical Approach


The team proposes to approach the staffing plan using integer programming. The mathematical model will have the following high level attributes:

1. Objective Function: Minimize payroll costs
2. Constraint Categories:
   - Staffing Constraints
   - Shift Constraints
   - Analyst Constraints
   - Alert Constraints

Gurobi, with Python as the coding language, will be the optimization solver. It shall accept input from an Excel or CSV file. Input options will include minimum and maximum shift times, wages, alert generation rates, and percentage of alerts that must be analyzed. The output of the model will be a basic employee work schedule.

The team will build a model based on the parameters from the input Excel or CSV file and use it to validate the approach. Once an accurate base model is established and time permits, the team will attempt to integrate additional capabilities, such as probability distributions for alert generation, a manager-friendly schedule, and additional constraints identified through further research.
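The requirements in 2.3.2, the assumptions in 2.3.3 and the objective above are easier to reason about when they are written down as executable checks. The following is an added example, not the team's model and not Gurobi code: a plain-Python feasibility checker for a candidate schedule, the payroll objective it would be scored on, and a constructed three-crew rotation that satisfies every requirement. It assumes hourly resolution over the 14-day horizon, that day 0 is a Monday (so the two weekends are days 5/6 and 12/13), that "every other weekend off" means at least one of those two weekends contains no work, and that assumptions 1 and 2 reduce to "the summed investigation rate of analysts on duty covers that hour's alerts". All rates, wages and demand values are constructed for illustration.

```python
from dataclasses import dataclass

DAYS, HOURS = 14, 24 * 14          # two-week horizon at hourly resolution
WEEKENDS = ({5, 6}, {12, 13})      # assumption: day 0 of the horizon is a Monday


@dataclass(frozen=True)
class Analyst:
    name: str
    level: str      # "junior" | "intermediate" | "senior"
    rate: float     # alerts the analyst can investigate per hour (constructed value)
    wage: float     # hourly wage feeding the payroll objective (constructed value)


@dataclass(frozen=True)
class Shift:
    analyst: str
    start: int      # hour index in [0, HOURS)
    length: int     # hours


def alert_demand():
    """Constructed weekly-repeating demand: busier in business hours, lighter at weekends."""
    daily = [2] * 8 + [5] * 10 + [3] * 6
    weekly = [1.0] * 5 + [0.5] * 2
    return [daily[h % 24] * weekly[(h // 24) % 7] for h in range(HOURS)]


def check_schedule(analysts, shifts, alerts):
    """Map each requirement to the items violating it; all lists empty means feasible."""
    by_name = {a.name: a for a in analysts}
    duty = [set() for _ in range(HOURS)]              # who is on the floor each hour
    for s in shifts:
        for h in range(s.start, min(s.start + s.length, HOURS)):
            duty[h].add(s.analyst)
    v = {r: [] for r in ("min_two", "one_senior", "coverage", "shift_len",
                         "hours_80", "rest_8h", "weekend_off", "six_days")}
    for h, staff in enumerate(duty):
        if len(staff) < 2:                                        # requirement 1
            v["min_two"].append(h)
        if not any(by_name[n].level == "senior" for n in staff):  # requirement 1
            v["one_senior"].append(h)
        if sum(by_name[n].rate for n in staff) < alerts[h]:       # assumptions 1-2
            v["coverage"].append(h)
    v["shift_len"] = [s for s in shifts if not 4 <= s.length <= 12]  # requirement 2
    for a in analysts:
        mine = sorted((s for s in shifts if s.analyst == a.name), key=lambda s: s.start)
        worked = sum(s.length for s in mine)
        if worked != 80:                                          # requirement 3
            v["hours_80"].append((a.name, worked))
        for prev, nxt in zip(mine, mine[1:]):                     # requirement 4
            if nxt.start - (prev.start + prev.length) < 8:
                v["rest_8h"].append((a.name, prev.start, nxt.start))
        days = {h // 24 for s in mine
                for h in range(s.start, min(s.start + s.length, HOURS))}
        if all(days & w for w in WEEKENDS):                       # requirement 5
            v["weekend_off"].append(a.name)
        run = 0
        for d in range(DAYS):                                     # requirement 6
            run = run + 1 if d in days else 0
            if run > 6:
                v["six_days"].append((a.name, d))
                break
    return v


def payroll_cost(analysts, shifts):
    """The objective the integer program minimises: wage times hours over all shifts."""
    wage = {a.name: a.wage for a in analysts}
    return sum(wage[s.analyst] * s.length for s in shifts)


# Constructed feasible rotation: three crews of ten 8-hour days each, so every analyst
# reaches 80 hours, keeps one full weekend off and never works more than six days in a row.
CREW_DAYS = {
    "X": [0, 1, 2, 3, 4, 7, 8, 9, 10, 11],      # weekdays only
    "Y": [0, 1, 2, 3, 5, 6, 7, 8, 9, 10],       # covers the first weekend
    "Z": [0, 1, 2, 3, 8, 9, 10, 11, 12, 13],    # covers the second weekend
}


def build_rotation(rates_wages):
    """Per crew, one senior and one junior on each of the three 8-hour blocks of a day."""
    analysts, shifts = [], []
    for crew, days in CREW_DAYS.items():
        for block in range(3):
            for level in ("senior", "junior"):
                a = Analyst(f"{crew}{block}{level[0]}", level, *rates_wages[level])
                analysts.append(a)
                shifts += [Shift(a.name, d * 24 + block * 8, 8) for d in days]
    return analysts, shifts


if __name__ == "__main__":
    staff, plan = build_rotation({"senior": (4, 50), "junior": (2, 30)})  # constructed
    report = check_schedule(staff, plan, alert_demand())
    print({rule: len(items) for rule, items in report.items()}, payroll_cost(staff, plan))
```

The checker is the piece worth keeping once the Gurobi model exists: every constraint the solver is told to respect can be re-verified on the emitted schedule independently of the solver, and a schedule that is hand-edited afterwards (a swapped shift, a dropped senior) is rejected with the specific hour or analyst that broke a rule. The rotation builder is deliberately over-staffed (18 analysts for a 2-per-hour floor); it exists only to show what a feasible point looks like, and the solver's job is to find a cheaper one.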

4. Expected Results

4.1. In Scope

The team will have the following expected deliverables at the conclusion of the project:

1. Report - A written document summarizing the project. Major sections will include: introduction, scope, technical approach, model, results and analysis, shift case studies, trade-off analysis, conclusions/recommendations, and future requirements.

2. Mathematical Model - An integer programming model written in Python, using Gurobi as the optimizer.

3. Final Presentation - A high level presentation summarizing the content covered in the report.

4. Web Site - A website that describes the team’s project and includes the proposal, final report, and final presentation.

4.2. Out of Scope

The out of scope deliverables at the conclusion of the project include:

1. A manager friendly staffing schedule, including advanced features such as specific analyst leave time, swapping of analyst shifts, fluctuating times of analyst shifts, analysts shift preferences, and professionally formatted output.

2. Probability distributions for alert generation.

5. Project Plan

5.1. Methodology

The project team shall implement an Agile approach to project management for the development of artifacts and deliverables to the customer. This approach will allow for a common understanding of successes, issues, and risks that the project team encounters. In addition, this will allow the customer to understand how the team is progressing and provide feedback to further define the scope and requirements.

5.2. Resources

The project team is comprised of two Systems Engineering students and one Operations Research student. Each student is employed full-time and studies part-time. The team will use all software discussed in the previous sections on personal computers to complete the scope and requirements.

5.3. Schedule

The schedule is broken down into milestones and work packages to better define the areas of work required. The schedule can be found on the following pages and via the link.

Figure 3: MS Project File

Figure 4: MS Project File #2


Figure 5: MS Project File #3

5.4. Milestones

Milestone                          ECD
Project Definition Presentation    2/2/17
Project Scope Presentation         2/9/17
Project Proposal Presentation      2/16/17
In Progress Presentation 1         3/9/17
In Progress Presentation 2         3/30/17
Submission of Tool / Model         5/1/17
Web Page Submission                5/8/17
Submission of Final Presentation   5/8/17
Submission of Final Report         5/8/17

Table 1: Project Milestones

6. References

Ganesan, R., Jajodia, S., Shah, A. and Cam, H. 2016. Dynamic Scheduling of Cybersecurity Analysts for Minimizing Risk Using Reinforcement Learning. ACM Trans. on Intelligent Systems and Technology, 8, 1, Article 4 (July 2016), 21 pages. DOI: http://dx.doi.org/10.1145/2882969