Received 17.07.2023, Revised 20.10.2023, Accepted 24.11.2023

Method and means of security monitoring in a computer network by SIEM means

Liudmyla Savytska, Tatiana Korobeynikova, Oleksandr Volos, Mykola Tarnovskyi

This work focuses on researching, analyzing, and enhancing methods and tools for security monitoring in computer networks. The study develops security monitoring tools and methods based on SIEM agents, improving the data normalization process from security logs. The research explores SIEM's role in the SIEM-EDR-NDR triad perspective to accelerate responses to network security threats. The investigation is grounded in the experiences of foreign companies and domestic banking networks.

The interaction of the SIEM, EDR and NDR components, which together form the SOC triad, is examined. SIEM is used for centralized analysis of data, including data from EDR and NDR, providing a comprehensive security overview. EDR detects and responds to threats on endpoints, and NDR complements it at the network level, extending the SIEM's analysis. This combination ensures an effective response to cyberattacks, reducing the "dwell time" before detection.

The formulation of tasks for EDR components in the SIEM-EDR-NDR triad is discussed. Emphasis is placed on the importance of protecting endpoints at all stages of an attack, and effective strategies, such as traffic analysis, application control, and centralized cybersecurity management, are identified. Integration of EDR with existing security tools to create a comprehensive system is highlighted.

Within the SIEM context, the data processing stages, from log collection and normalization to event classification and correlation, are described. The role of correlation in forming and investigating incidents is underscored. An enhanced normalization scheme with an expanded agent deployment and the key data processing stages within the SIEM system is proposed.
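The pipeline named in the preceding paragraph (collection, normalization into a common schema, classification, correlation into an incident) is illustrated below. This is example code added for this page, not the authors' method or tool: the three log formats, the field names of the common schema and the correlation rule are constructed assumptions, as are the sample records.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from three hypothetical log sources (not taken
# from the paper): an sshd syslog line, a key=value EDR event, a JSON NDR alert.
RAW_LOGS = [
    ("sshd", "2023-07-17T10:00:01Z host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 52110 ssh2"),
    ("sshd", "2023-07-17T10:00:04Z host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 52112 ssh2"),
    ("sshd", "2023-07-17T10:00:09Z host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 52114 ssh2"),
    ("sshd", "2023-07-17T10:00:15Z host1 sshd[1201]: Accepted password for admin from 203.0.113.5 port 52118 ssh2"),
    ("edr", "ts=2023-07-17T10:00:20Z host=host1 user=admin action=process_start image=/usr/bin/curl"),
    ("ndr", '{"time": "2023-07-17T10:00:25Z", "sensor": "ndr-1", "src": "198.51.100.7", "dst": "10.0.0.8", "alert": "port_scan"}'),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(value):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(source, line):
    """Normalization: map one raw record into the common event schema
    (ts, source, host, user, src_ip, category). Returns None if unparseable."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        # Classification happens here: the raw outcome becomes a category.
        return {"ts": parse_ts(m["ts"]), "source": source, "host": m["host"],
                "user": m["user"], "src_ip": m["ip"],
                "category": "auth_success" if m["result"] == "Accepted" else "auth_failure"}
    if source == "edr":
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        return {"ts": parse_ts(kv["ts"]), "source": source, "host": kv["host"],
                "user": kv.get("user"), "src_ip": None,
                "category": kv["action"]}
    if source == "ndr":
        rec = json.loads(line)
        return {"ts": parse_ts(rec["time"]), "source": source, "host": rec["sensor"],
                "user": None, "src_ip": rec["src"],
                "category": "network_alert:" + rec["alert"]}
    return None


def normalize_all(raw_logs):
    """Collection step: normalize every record, drop failures, order by time."""
    events = [normalize(src, line) for src, line in raw_logs]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, min_failures=3, window=timedelta(seconds=60)):
    """Correlation rule (hypothetical): at least `min_failures` auth failures for the
    same (src_ip, user), followed by an auth success within `window`, form one incident."""
    failures = {}  # (src_ip, user) -> timestamps of failures seen so far
    incidents = []
    for e in events:
        key = (e["src_ip"], e["user"])
        if e["category"] == "auth_failure":
            failures.setdefault(key, []).append(e["ts"])
        elif e["category"] == "auth_success":
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                incidents.append({"rule": "brute_force_then_success", "src_ip": e["src_ip"],
                                  "user": e["user"], "host": e["host"],
                                  "failures": len(recent), "ts": e["ts"]})
                failures[key] = []  # reset so one burst yields one incident
    return incidents


if __name__ == "__main__":
    for incident in correlate(normalize_all(RAW_LOGS)):
        print(incident)
```

The normalization step is where the agent-side work described in the paper would sit: every source-specific parser emits the same field set, so the correlation rule never has to know which product produced the event. Records that do not parse are dropped rather than passed through, which is the failure mode a real deployment should count and alert on.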

The work addresses the improvement of event log processing in SIEM for effective network security monitoring and timely threat mitigation. The result accelerates threat response through SIEM agent integration, which organizes and classifies information flows so that threats can be mitigated promptly.

SIEM, EDR, NDR, SIEM-EDR-NDR triad, testing, monitoring, log normalization process
Savytska, L., Korobeynikova, T., Volos, O., & Tarnovskyi, M. (2023). Method and means of security monitoring in a computer network by SIEM means. Information Technologies and Computer Engineering, 20(3), 22-32. https://doi.org/10.31649/1999-9941-2023-58-3-22-32
