  • Chronic Workload Problems in Computer Security Incident Response Teams

    Johannes Wiik, Jose J. Gonzalez, University of Agder, Norway

    Pål I. Davidsen, University of Bergen, Norway

    Klaus-Peter Kossakowski, SEI Europe, Carnegie Mellon University, Germany

  • Computer security incidents

    Low-priority incidents
    - Such as port scans, spam, fake email, and other nuisances
    - Nevertheless, a significant challenge owing to their large volume
    - Dynamics: quite accurately described as exponentially growing
    - Essential point: cannot be matched by staff increase and CSIRT funding

    High-priority incidents
    - Such as attacks on net infrastructure, serious new worms, viruses, botnets, sniffers, account compromisers, etc.
    - Low volume, but very serious
    - Dynamics: basically oscillatory

  • CSIRTs

    Computer Security Incident Response Teams (CSIRTs/CERTs) provide one or more services:
    - incident analysis
    - incident response on site, support & coordination
    - nowadays increasing emphasis on proactive services

    Chronic situation for CSIRTs since their inception in 1988
    - CSIRTs are underfunded, understaffed
    - CSIRT staff is overworked

    Worsening situation for CSIRTs in recent years
    - Increasing volume of (mainly low-priority) incidents, automation and speed of new attack tools give CSIRT staff less and less time to react
    - Instabilities in high-priority security incident reports from the constituency (internal sites) and affected external sites

  • High priority incidents

    Instabilities in incident reports → instabilities in workload → inefficient use of resources
    Problems to retain the CSIRT constituency (→ funding problems)
    See posters # 1193 and 1212

    [Chart: year-to-year variation in incident reports and in reporting sites, high priority vs. low priority, 1994-2005. Values reconstructed from the embedded spreadsheet; low-priority and site series only exist for some years.]

    Year   Incident variation   Incident variation   Site variation   Site variation
           (high priority)      (low priority)       (high priority)  (low priority)
    1994   0.05                 0.00                 -                -
    1995   0.44                 0.02                 -                -
    1996   0.52                 0.02                 -                -
    1997   1.41                 0.06                 -                -
    1998   1.56                 0.06                 -                -
    1999   1.59                 0.10                 -                -
    2000   1.17                 0.54                 1.29             1.68
    2001   1.23                 0.95                 1.05             1.27
    2002   0.77                 1.93                 0.95             0.76
    2003   0.91                 4.90                 0.67             0.65
    2004   0.91                 2.85                 0.92             0.90
    2005   1.42                 0.57                 1.12             0.74

  • Low-priority incidents

    - Overwhelming increase in the rate of low-priority incidents
    - The workload increases accordingly
    - Human resources cannot keep pace

    [Figure: Work Load vs. Human Resources over time]

  • Modeling process

    Close collaboration with one of the oldest and largest coordinating CSIRTs

    Initial research questions
    - What factors limit the effectiveness of the incident response service in the CSIRT?
    - What policies can improve the effectiveness of the incident response service in the CSIRT?
    - What constitutes effective incident response in the CSIRT?

    The management and staff of the CSIRT participated in 5 face-to-face working sessions of 1 to 4 days over a 1 year period:
    - Eliciting of mental, written and numerical information, incl. reference behavior modes
    - Review of model structure
    - Model verification, validation & policy testing

  • Reference behavior modes

    Idealized reference behavior derived from time series data and from interviews with CSIRT management and staff

    [Figure: two curves over time, "Fraction of low priority incidents handled (0-100%)" and "Effort to automation (0-100% of need)", annotated with the following phases]
    1. Manual productivity is sufficient
    2. The manual productivity limit is reached
    3. The service is gradually discontinued
    4. First attempt at developing automation fails due to work overload
    5. Less work pressure releases effort for automation
    6. An increasing fraction of incidents is handled automatically

  • Policy structure diagram

  • Base run

  • Policy analysis scenarios

    - Fixed resource split: the CSIRT separates the workforce into two fixed workgroups instead of using it as a shared resource between tool development and incident response
    - Only automation: the CSIRT only offers automatic response
    - Maintain manual handling: the CSIRT refuses to change the service scope and only provides manual handling
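    The following toy simulation, added here as an illustration and not the poster's own model or data, reproduces the qualitative shape of the reference behavior modes above (exponentially growing low-priority incidents, fixed staff, automation effort competing with manual handling) and compares the three policy scenarios with a shared-resource base run. All parameters, growth rates and policy rules are constructed assumptions.

```python
"""Toy system-dynamics run of a CSIRT low-priority workload model.
All parameters and policy rules are constructed assumptions for
illustration; they are not the values or equations of the original model."""

INCIDENTS_0 = 1000.0     # low-priority incidents in year 0 (assumed)
GROWTH = 1.5             # incidents grow exponentially, x1.5 per year (assumed)
STAFF = 10.0             # head count held constant: funding cannot track growth (assumed)
MANUAL_RATE = 200.0      # incidents one analyst closes by hand per year (assumed)
AUTOMATION_GAIN = 0.02   # coverage gained per staff-year spent on tooling (assumed)
YEARS = 10


def simulate(policy, years=YEARS):
    """Return per-year tuples (year, incidents, pressure, coverage, fraction_handled)."""
    coverage = 0.0   # share of incoming incidents the tooling handles automatically
    history = []
    for year in range(years):
        incidents = INCIDENTS_0 * GROWTH ** year
        # staff-years needed to handle by hand everything the tooling does not cover
        manual_need = incidents * (1.0 - coverage) / MANUAL_RATE
        pressure = manual_need / STAFF            # > 1 means the team is overloaded
        if policy == "maintain_manual":           # refuse to change the service scope
            dev = 0.0
        elif policy == "only_automation":         # drop manual handling entirely
            dev = STAFF
        elif policy == "fixed_split":             # two fixed workgroups, 30 % on tools
            dev = 0.3 * STAFF
        elif policy == "shared":                  # base run: tooling only gets the slack
            dev = STAFF * max(0.0, 1.0 - pressure)
        else:
            raise ValueError(policy)
        manual_staff = min(STAFF - dev, manual_need)
        handled = min(1.0, coverage + manual_staff * MANUAL_RATE / incidents)
        history.append((year, incidents, pressure, coverage, handled))
        coverage = min(1.0, coverage + AUTOMATION_GAIN * dev)   # tool work accumulates
    return history


def final_fraction(policy):
    """Fraction of low-priority incidents handled in the last simulated year."""
    return simulate(policy)[-1][4]


if __name__ == "__main__":
    for policy in ("maintain_manual", "shared", "fixed_split", "only_automation"):
        hist = simulate(policy)
        print(f"{policy:16s}", " ".join(f"{h[4]:.2f}" for h in hist))
```

    In the shared base run the automation effort stalls as soon as pressure exceeds 1 (phase 4 of the reference behavior), which is why the fixed split, despite lower handling early on, ends far ahead.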

  • Policy runs

  • Thank you!
