Project Summary - Systems Engineering and Operations ...



Optimal Cyber Security Staffing Plan
OR/SYST 699 Project Proposal
Jennifer Krajic, Kendrick van Doorn, Thomas Lepp

Table of Contents
1. Project Summary
2. Introduction
2.1. Background
2.2. Problem Statement & Definition
2.3. Problem Scope
2.3.1. Past Research
2.3.2. Primary Problem Requirements
2.3.3. Initial Assumptions
3. Technical Approach
4. Expected Results
4.1. In Scope
4.2. Out of Scope
5. Project Plan
5.1. Methodology
5.2. Resources
5.3. Schedule
5.4. Milestones
6. References

Table of Figures
Figure 1: Typical CSOC Workflow
Figure 2: Daily Alert Demand, Graphical Representation
Figure 3: MS Project File
Figure 4: MS Project File #2
Figure 5: MS Project File #3

Table of Tables
Table 1: Project Milestones

1. Project Summary

The purpose of this project is to develop a model that produces variable shift staffing patterns for a Cyber Security Operations Center (CSOC). Every alert received must be investigated by an analyst within the agreed-upon time constraints. A dynamic workload pattern will be incorporated into the model, allowing variable scheduling of analysts' time.

2. Introduction

2.1. Background

A Network Intrusion Detection System (NIDS) is hardware or software that monitors a network through sensors and generates alerts.
The alerts are generated by signature-based or anomaly-based methods. A typical CSOC workflow is shown below.

[Figure 1: Typical CSOC Workflow]

Cyber security is a dynamic field that requires constant vigilance and adaptation to evolving threats. A NIDS generates alerts for cyber security analysts to review for potential danger and risk to the network. In recent news, data breaches across both private and commercial sectors have drastically increased. These breaches have cost individuals and companies millions of dollars in damages and credibility.

At the core of cyber security is monitoring. Monitoring is the critical action seen across all cyber security methodologies. It is no longer viable to configure a system or network once and consider it "secure". The dynamic nature of today's threats requires constant monitoring for anomalies or atypical events in the system and network. Monitoring can include system logs, vulnerability scans, and NIDS alerts. Without complete monitoring coverage, a system, network, or company is at risk.

2.2. Problem Statement & Definition

A CSOC protects against emerging and dynamic cyber security threats. It is critical that all alerts are covered in a timely manner to reduce risk to the organization while minimizing payroll costs.

2.3. Problem Scope

The team shall deliver a variable shift pattern staffing schedule that allows for the investigation of all alerts that a CSOC receives in a 14-day period, while minimizing payroll costs. The mathematical model will meet the staffing and shift requirements established by the customer. This project shall run from January 19th to May 4th, 2017.

2.3.1. Past Research

The Optimal Cybersecurity Analyst Staffing Plan is a continuation of the research in the article "Dynamic Scheduling of Cybersecurity Analysts for Minimizing Risk Using Reinforcement Learning".
"The article presents a reinforcement learning-based stochastic dynamic programming optimization model that incorporates … estimates of future alert rates and responds by dynamically scheduling cybersecurity analysts to minimize risk (i.e., maximize significant alert coverage by analysts) and maintain the risk under a pre-determined upper bound" (Ganesan et al. 1).

The Optimal Cybersecurity Analyst Staffing Plan will minimize payroll cost by using variable shift patterns so that all alerts are investigated in a timely manner, while meeting staffing and shift requirements.

Input parameters for the staffing plan are taken from the same article. They include the investigation rates of analysts, assumed alert arrival rates, and three levels of analysts: junior, intermediate, and senior.

2.3.2. Primary Problem Requirements

The staffing plan must meet the following shift and staffing requirements:
- A minimum of two analysts must be on schedule every hour, at least one of whom is a senior.
- A shift length can vary from 4 to 12 hours.
- Each analyst must work 80 hours per 2 weeks.
- A minimum of 8 hours off-work must separate an employee's shifts.
- Analysts require every other weekend off-work.
- Analysts cannot work more than six consecutive days.

In addition to the staffing and shift requirements, alert volume ranges from very high to low and repeats weekly, as shown in the chart below.

[Figure 2: Daily Alert Demand, Graphical Representation]

2.3.3. Initial Assumptions

The following assumptions were made in developing the Optimal Cyber Security Analyst Staffing Plan:
- Alerts arrive at the beginning of each hour.
- All alerts are investigated by the end of the hour in which they are received.
- Analysts work the entire hour.
- Investigation rates incorporate nominal work breaks.

3. Technical Approach

The team proposes to approach the staffing plan using integer programming.
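Before the model is described, the following added example (not the team's Gurobi model, and not code from the proposal) shows how the shift and staffing requirements of 2.3.2 and the hourly alert assumptions of 2.3.3 translate into checkable constraints. A feasibility checker like this is what a practitioner runs over any candidate schedule, including solver output, to confirm every rule actually holds. Everything numeric beyond the proposal's own rules is constructed: the investigation rates per analyst level, the weekly demand profile, and the assumption that day 0 of the fortnight is a Monday so the two weekends are days 5-6 and 12-13. The hand-built 12-analyst pattern in `example_schedule()` is likewise an illustration, not a result from the project.

```python
"""Feasibility checker for a 14-day CSOC analyst schedule.

Constructed example: encodes the shift/staffing requirements (2.3.2) and
the hourly alert assumptions (2.3.3) as checks a candidate schedule must
pass. It is not the team's Gurobi model; rates and demand are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List

DAYS = 14
HOURS = 24 * DAYS
WEEKENDS = ((5, 6), (12, 13))   # assumption: day 0 of the fortnight is a Monday
REQUIRED_HOURS = 80
MIN_REST = 8
MAX_RUN = 6

# Constructed investigation rates in alerts per analyst-hour (the paper's
# real values are not reproduced in the proposal).
RATE = {"junior": 5, "intermediate": 8, "senior": 10}


@dataclass(frozen=True)
class Shift:
    analyst: str
    level: str    # "junior" | "intermediate" | "senior"
    day: int      # 0..13
    start: int    # hour of day, 0..23
    length: int   # hours; may run past midnight

    @property
    def begin(self) -> int:          # absolute hour within the fortnight
        return self.day * 24 + self.start

    @property
    def end(self) -> int:            # exclusive
        return self.begin + self.length


def weekly_demand(hour: int) -> int:
    """Constructed alert arrivals per hour, repeating weekly: weekday
    business-hours peak, lower at night and at weekends."""
    day, h = divmod(hour, 24)
    if day % 7 >= 5:
        return 8
    return 14 if 8 <= h < 18 else 6


def check_schedule(shifts: List[Shift],
                   demand: Callable[[int], int] = weekly_demand) -> List[str]:
    """Return every violated requirement as a message; [] means feasible."""
    v: List[str] = []
    on_duty: Dict[int, List[Shift]] = defaultdict(list)
    by_analyst: Dict[str, List[Shift]] = defaultdict(list)
    for s in shifts:
        if not 4 <= s.length <= 12:
            v.append(f"{s.analyst}: day {s.day} shift is {s.length}h (allowed 4-12)")
        by_analyst[s.analyst].append(s)
        for h in range(s.begin, min(s.end, HOURS)):
            on_duty[h].append(s)

    # Coverage: >=2 analysts every hour, one of them senior, and enough
    # combined investigation rate to clear that hour's alerts within the hour.
    for h in range(HOURS):
        crew = on_duty[h]
        if len(crew) < 2 or not any(s.level == "senior" for s in crew):
            v.append(f"hour {h}: need 2+ analysts incl. a senior, have {len(crew)}")
        capacity = sum(RATE[s.level] for s in crew)
        if capacity < demand(h):
            v.append(f"hour {h}: capacity {capacity} < {demand(h)} alerts")

    # Per-analyst rules: 80h per fortnight, 8h rest between shifts,
    # one of the two weekends fully off, at most six consecutive workdays.
    for name, ss in by_analyst.items():
        ss.sort(key=lambda s: s.begin)
        total = sum(s.length for s in ss)
        if total != REQUIRED_HOURS:
            v.append(f"{name}: {total}h scheduled, must be {REQUIRED_HOURS}")
        for a, b in zip(ss, ss[1:]):
            if b.begin - a.end < MIN_REST:
                v.append(f"{name}: only {b.begin - a.end}h rest before day {b.day}")
        workdays = {h // 24 for s in ss for h in range(s.begin, s.end)}
        if not any(d1 not in workdays and d2 not in workdays for d1, d2 in WEEKENDS):
            v.append(f"{name}: no full weekend off")
        run = 0
        for d in range(DAYS):
            run = run + 1 if d in workdays else 0
            if run > MAX_RUN:
                v.append(f"{name}: more than {MAX_RUN} consecutive days")
                break
    return v


# Hand-built feasible pattern: three 8h slots per day, each with a senior
# seat and a second seat; each seat is shared by an "A" analyst (first
# weekend off) and a "B" analyst (second weekend off) whose workdays
# together cover all 14 days, 10 shifts x 8h = 80h each.
A_DAYS = [0, 1, 2, 3, 4, 7, 9, 10, 12, 13]
B_DAYS = [0, 1, 3, 4, 5, 6, 8, 9, 10, 11]


def example_schedule() -> List[Shift]:
    shifts: List[Shift] = []
    for slot, start in enumerate((0, 8, 16)):
        second = "intermediate" if slot == 0 else "junior"
        for seat, level in (("S", "senior"), ("J", second)):
            for tag, days in (("A", A_DAYS), ("B", B_DAYS)):
                shifts += [Shift(f"{seat}{slot}{tag}", level, d, start, 8) for d in days]
    return shifts


if __name__ == "__main__":
    problems = check_schedule(example_schedule())
    print("feasible" if not problems else "\n".join(problems))
```

Removing a single shift from the pattern (for instance the senior on seat S0 on day 2, a day its "B" partner is off) makes the checker report both the hour-level coverage gap and the analyst's 72-hour total, which is the kind of pairing of symptoms a solver's infeasibility report does not give you.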
The mathematical model will have the following high-level attributes:
- Objective function: minimize payroll costs
- Constraint categories: staffing constraints, shift constraints, analyst constraints, alert constraints

Gurobi, with Python as the coding language, will be the optimization solver. The model shall accept input from an Excel or CSV file. Input options will include minimum and maximum shift times, wages, alert generation rates, and the percentage of alerts that must be analyzed. The output of the model will be a basic employee work schedule.

The team will build a model from the parameters in the input Excel or CSV file and validate it. Once an accurate base model is established and time permits, the team will attempt to integrate additional capabilities, such as probability distributions for alert generation, a manager-friendly schedule, and additional constraints found through further research.

4. Expected Results

4.1. In Scope

The team expects to deliver the following at the conclusion of the project:
- Report - A written document summarizing the project. Major sections will include: introduction, scope, technical approach, model, results and analysis, shift case studies, trade-off analysis,
  conclusions/recommendations of results, and future requirements.
- Mathematical Model - An integer programming model written in Python, using Gurobi as the optimizer.
- Final Presentation - A high-level presentation summarizing the content of the report.
- Web Site - A website describing the team's project, including the proposal, final report, and final presentation.

4.2. Out of Scope

The following are out of scope at the conclusion of the project:
- A manager-friendly staffing schedule, including advanced features such as specific analyst leave time, swapping of analyst shifts, fluctuating analyst shift times, analyst shift preferences, and professionally formatted output.
- Probability distributions for alert generation.

5. Project Plan

5.1. Methodology

The project team shall use an Agile approach to project management for the development of artifacts and deliverables to the customer. This approach gives the team a common understanding of the successes, issues, and risks it encounters. It also lets the customer see how the team is progressing and provide feedback to further define the scope and requirements.

5.2. Resources

The project team is comprised of two Systems Engineering students and one Operations Research student. Each is employed full-time and studies part-time. The team will use all software discussed in the previous sections on personal computers to complete the scope and requirements.

5.3. Schedule

The schedule is broken down into milestones and work packages to better define the areas of work required.
The schedule can be found on the following pages and via the link.

[Figure 3: MS Project File]
[Figure 4: MS Project File #2]
[Figure 5: MS Project File #3]

5.4. Milestones

Milestone                           ECD
Project Definition Presentation     2/2/17
Project Scope Presentation          2/9/17
Project Proposal Presentation       2/16/17
In Progress Presentation 1          3/9/17
In Progress Presentation 2          3/30/17
Submission of Tool / Model          5/1/17
Web Page Submission                 5/8/17
Submission of Final Presentation    5/8/17
Submission of Final Report          5/8/17

Table 1: Project Milestones

6. References

Ganesan, R., Jajodia, S., Shah, A. and Cam, H. 2016b. Dynamic Scheduling of Cybersecurity Analysts for Minimizing Risk Using Reinforcement Learning. ACM Trans. on Intelligent Systems and Technology, 8, 1, Article 4 (July 2016), 21 pages. DOI: ................
