METHOD AND MEANS OF SECURITY MONITORING IN A COMPUTER NETWORK BY SIEM MEANS
DOI: https://doi.org/10.31649/1999-9941-2023-58-3-22-32
Keywords: SIEM, EDR, NDR, SIEM-EDR-NDR triad, testing, monitoring, log normalization process
Abstract
This work focuses on researching, analyzing, and enhancing methods and tools for security monitoring in computer networks. The study develops security monitoring tools and methods based on SIEM agents, improving the data normalization process from security logs. The research explores SIEM's role in the SIEM-EDR-NDR triad perspective to accelerate responses to network security threats. The investigation is grounded in the experiences of foreign companies and domestic banking networks.
The interaction of SIEM-EDR-NDR components, forming a SOC triad, is examined. SIEM is utilized for centralized data analysis, including EDR and NDR, providing a comprehensive security overview. EDR detects and responds to threats on endpoints, complemented by NDR, extending SIEM analysis. This combination ensures effective response to cyberattacks, reducing "dwell time" until detection.
The formulation of tasks for EDR components in the SIEM-EDR-NDR triad is discussed. Emphasis is placed on the importance of protecting endpoints at all stages of an attack, and effective strategies, such as traffic analysis, application control, and centralized cybersecurity management, are identified. Integration of EDR with existing security tools to create a comprehensive system is highlighted.
Within the SIEM context, data processing stages, from log collection and normalization to event classification and correlation, are illuminated. The role of correlation in incident formation and investigation is underscored. An enhanced normalization scheme with an expanded agent deployment and key data processing stages within the SIEM system is proposed.
The work addresses improving event log processing in SIEM for effective network security monitoring and timely threat mitigation. The result is faster threat response through SIEM agent integration, which organizes and classifies information flows so that threats can be mitigated promptly.
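As an added illustration of the collection, normalization and correlation pipeline the abstract describes (example code written here, not code from the paper or its authors), the following Python sketch shows an agent-side normalizer mapping two constructed log formats onto one common schema, and a single correlation rule turning the normalized stream into an incident. The log lines, schema field names, rule name and thresholds are all assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not from the paper): sshd syslog lines collected by a
# host agent plus one JSON event from an EDR sensor, all for the same source IP.
SAMPLE_LOGS = [
    "2023-09-01T10:00:01Z srv1 sshd[1201]: Failed password for root from 10.0.0.5 port 5001 ssh2",
    "2023-09-01T10:00:03Z srv1 sshd[1202]: Failed password for root from 10.0.0.5 port 5002 ssh2",
    "2023-09-01T10:00:05Z srv1 sshd[1203]: Failed password for root from 10.0.0.5 port 5003 ssh2",
    '{"ts":"2023-09-01T10:00:09Z","host":"srv1","sensor":"edr","event":"logon","result":"success","user":"root","src":"10.0.0.5"}',
    "2023-09-01T10:01:00Z srv2 sshd[1300]: Failed password for alice from 10.0.0.9 port 6001 ssh2",
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+) port \d+")

def normalize(line):
    """Agent-side normalization: map one raw line onto the common event schema (assumed fields)."""
    if line.startswith("{"):                      # EDR sensor already emits structured JSON
        ev = json.loads(line)
        return {"ts": ev["ts"], "host": ev["host"], "source": ev["sensor"], "category": "auth",
                "outcome": ev["result"], "user": ev["user"], "src_ip": ev["src"]}
    m = SSHD_RE.match(line)
    if not m:
        return None                               # unparsed line: excluded from correlation
    return {"ts": m["ts"], "host": m["host"], "source": "syslog", "category": "auth",
            "outcome": "failure" if m["result"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["src"]}

def correlate(events, threshold=3, window_s=60):
    """Rule: >= threshold auth failures for one (src_ip, user), then a success within window_s."""
    failures, incidents = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev["outcome"] == "failure":
            failures[key].append(t)
        elif ev["outcome"] == "success":
            recent = [f for f in failures[key] if 0 <= (t - f).total_seconds() <= window_s]
            if len(recent) >= threshold:
                incidents.append({"rule": "auth_failures_then_success", "src_ip": key[0],
                                  "user": key[1], "host": ev["host"], "failures": len(recent), "ts": ev["ts"]})
    return incidents

def run(lines=SAMPLE_LOGS):
    """Collect -> normalize -> correlate; returns (normalized events, incidents)."""
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events)
```

On the sample input the rule fires once (three failures from 10.0.0.5 for root followed by a successful logon eight seconds later), while the lone failure for alice produces no incident.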