An Outsourcing Model for Alert Analysis in a Cybersecurity Operations Center
ACM Transactions on the Web (IF 3.5). Pub Date: 2020-04-04. DOI: 10.1145/3372498
Ankit Shah (1), Rajesh Ganesan (2), Sushil Jajodia (2), Hasan Cam (3)
A typical Cybersecurity Operations Center (CSOC) is a service organization. It hires and trains analysts, whose task is to analyze the alerts generated while monitoring the client's networks. Because the rapidly growing demand for security services places an ever-increasing financial and infrastructure burden on a CSOC, continually expanding the size of a CSOC to meet future demand would become prohibitively expensive. An alternative is to outsource the alert analysis process to on-demand analysts, providing clients with a scalable CSOC service that offers (1) higher throughput, (2) higher quality, and (3) a more economical service than the current in-house service. The current outsourcing model is not cost effective, and an exact optimization model is computationally inefficient. This article presents a novel two-step sequential mixed integer programming optimization method, which is used to develop a new decision-support business model for outsourcing the alert analysis process. It is demonstrated that, through this model, a CSOC can effectively deliver its alert management services with the above-mentioned features. Results indicate that the model is scalable, computationally viable, and implementable in real time, and that it can deliver CSOC services that meet the service-level agreement (SLA) between the CSOC and its client. In addition, the article provides valuable insights into the cost of operating the new business process outsourcing model for cybersecurity services.

Updated: 2020-04-04