Network Security Security-Management
RE: Incidents per Analyst

Subject: RE: Incidents per Analyst
Date: Thu, 12 Aug 2004 21:59:59 -0400
-----Original Message-----
From: i94yj@yahoo.com [mailto:i94yj@yahoo.com]
Sent: August 11, 2004 12:02 PM
To: security-management@securityfocus.com
Subject: Incidents per Analyst
I am doing a paper and was wondering if anyone knows where I can
find a metric. I am looking to find the average incident per
analyst in a given time period. How many incidents they see.
Thanks

IMHO, the question isn't so much "How many incidents [will] they
see?" but rather "How many incidents/events/alarms can an analyst
accurately process in a given time period?"

The number of events (and by events I mean IDS alarms, firewall
alarms, syslog entries or any other data you are providing to an
analyst for review and/or reaction) an analyst will "see" will
depend entirely on how much data, and from how many unique
sources, you give him/her to look at. Obviously, a shop running
two IDS sensors and one firewall will have a lot less to look at
than an MSS provider with a grid of over 20 sensors, 15 firewalls
and syslog coming in from every router (ouch). That being said,
100 sensors won't stress somebody out in a well-managed, internal
network that is entirely disconnected from the world (read: no
Internet connections of any kind...) by the simple fact that the
amount of data moving around (and please ignore the O/S background
noise, network printers and network management activities, because
this should be tuned out) may prove to be negligible.

The ability of an individual analyst to process event data, and
what their average throughput (receive alarm, analyse it, discard
it or pass it to next tier for response or initiate response, move
on to the next alarm) is affected by many factors. Experience,
technical knowledge, overall awareness of and familiarity with the
network segment(s) they are monitoring, total number of events
being received during the given time period and various
physiological/psychological factors (fatigue, stress, etc.) will all
have an impact on this metric.

That being said, I know of no formulae that can be used to
calculate the desired value, and I would argue it is a difficult one
to quantify for an "average" situation (after all, what is average?).
The trap to avoid is to not get wrapped up in the event throughput
that your various data sources can produce under full load. The true
effort needs to be focused on what the average rate of occurrence for
events might be in your particular environment and how well your
analysts are prepared to handle this wave of data when it occurs.

In the end, it's not how many alarms they'll "see" that matters.
It's how many alarms that they can accurately process and react to
appropriately while still maintaining their overall monitoring
capability as time marches on that matters. But like I already said,
this is just my humble opinion...

Alex Arndt
CISSP, GCIA

"Within all order is the potential for chaos..."