A current tool for information security is the SIEM-type system, which collects and processes large volumes of data about the protected infrastructure and identifies dependencies between emerging security events. Ways of using such systems more effectively are therefore equally valuable. This is linked to the development of new algorithms for infrastructure monitoring and to the need to modernize that infrastructure. The objectives of the study are to increase the level of automation of SIEM decision-making and to improve critical information security parameters: the speed of analysing incoming events and making decisions, the load on information security resources in the protected infrastructure, and the quality of the protection system when SIEM functionality is separated into small local-network «representative offices». Materials and methods. The subject of the study is the SIEM operating process, whose efficiency does not reach the optimal value for the tasks assigned to systems of this type.
Classical analysis methods were used to identify the important aspects and stages of the SIEM process; mathematical modelling methods were used for analytical calculations to increase the efficiency of the «SIEM – protected infrastructure» interaction; comparative analysis methods were used to determine the advantages and disadvantages of current software development architectures; and synthesis methods were used to determine the applicability of data mining methods as a means of extending the set of correlated information security events obtained. Results. Based on the results of the research, a new architecture of the protected infrastructure for implementing SIEM interaction is proposed: an infrastructure based on decentralizing the processes of information collection and preprocessing by delegating part of the SIEM functionality to a software platform. The structural features of the implementation of the software platform, as well as its basic functionality, are defined. In addition, based on a comparative analysis of the monolithic, service-oriented and microservice approaches, the most preferred way to implement the proposed software platform was determined, together with a list of advanced functions that take into account the need to use data mining techniques to improve SIEM performance. Conclusions. The use of the proposed solution increases the performance of SIEM systems in such stages as information collection and preprocessing, expands the capabilities of information security specialists by providing new correlated data through the use of intelligent analysis methods, and also makes it possible to move from a centralized implementation of the protection process to a decentralized one. Implementing the software platform on a service-oriented approach makes it possible to increase the level of system integration and its fault tolerance.
In addition, using the proposed platform in conjunction with second-generation SIEM systems makes it possible to obtain an alternative assessment of the state of the infrastructure, which indicates the possibility of improving the accuracy of decision-making.
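The abstract describes the two stages whose efficiency the proposed architecture targets: local collection and preprocessing delegated to a «representative office» node, and correlation at the central SIEM over the compact data those nodes forward. The following Python model is an added illustration, not code from the paper or its software platform: a local node normalizes raw authentication log lines and aggregates repeats into summaries, so that the central correlator works on a few summary records instead of every raw line. The log lines, node names, rule names and threshold are all constructed for the example, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical normalization pattern for sshd-style lines (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


@dataclass
class Summary:
    """Compact record a local node forwards to the central SIEM."""
    node: str
    outcome: str      # "Failed" or "Accepted"
    user: str
    src: str
    count: int
    first_ts: str     # ISO-8601 strings compare correctly as text
    last_ts: str


def parse_line(line):
    """Normalize one raw line; return None for formats the node does not know."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def preprocess(node, lines):
    """Local stage: parse raw lines and aggregate repeats by (outcome, user, source)."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # dropped locally, never loads the central SIEM
        key = (ev["outcome"], ev["user"], ev["src"])
        s = groups.get(key)
        if s is None:
            groups[key] = Summary(node, ev["outcome"], ev["user"], ev["src"],
                                  1, ev["ts"], ev["ts"])
        else:
            s.count += 1
            s.last_ts = max(s.last_ts, ev["ts"])
    return list(groups.values())


def correlate(summaries, fail_threshold=5):
    """Central stage: correlate summaries across all nodes and emit alerts."""
    alerts = []
    fails_by_src = defaultdict(list)
    for s in summaries:
        if s.outcome == "Failed":
            fails_by_src[s.src].append(s)
    # Rule 1: failures from one source summed across every node exceed the threshold.
    for src, fails in fails_by_src.items():
        total = sum(s.count for s in fails)
        if total >= fail_threshold:
            alerts.append({"rule": "password-guessing", "src": src,
                           "failures": total, "nodes": sorted({s.node for s in fails})})
    # Rule 2: a successful login from a source that had failed on the same node just before.
    for a in (s for s in summaries if s.outcome == "Accepted"):
        prior = [f for f in fails_by_src.get(a.src, [])
                 if f.node == a.node and f.last_ts < a.first_ts]
        if prior:
            alerts.append({"rule": "success-after-failures", "src": a.src, "node": a.node,
                           "user": a.user, "failures": sum(f.count for f in prior)})
    return alerts


# Constructed sample logs for two local network segments.
OFFICE_A_LOGS = [
    "2024-05-01T10:00:01 hostA sshd[101]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "2024-05-01T10:00:03 hostA sshd[101]: Failed password for alice from 10.0.0.5 port 5002 ssh2",
    "2024-05-01T10:00:05 hostA sshd[101]: Failed password for alice from 10.0.0.5 port 5003 ssh2",
    "2024-05-01T10:00:07 hostA sshd[101]: Failed password for alice from 10.0.0.5 port 5004 ssh2",
    "2024-05-01T10:00:09 hostA sshd[101]: Accepted password for alice from 10.0.0.5 port 5005 ssh2",
    "2024-05-01T10:01:00 hostA sshd[102]: Failed password for bob from 10.0.0.7 port 5100 ssh2",
    "2024-05-01T10:01:02 hostA sshd[102]: Failed password for bob from 10.0.0.7 port 5101 ssh2",
    "2024-05-01T10:02:00 hostA sshd[103]: Accepted password for carol from 192.168.1.20 port 5200 ssh2",
    "2024-05-01T10:02:30 hostA cron[55]: (root) CMD (run-parts /etc/cron.hourly)",
]
OFFICE_B_LOGS = [
    "2024-05-01T10:00:20 hostB sshd[201]: Failed password for root from 10.0.0.5 port 6001 ssh2",
    "2024-05-01T10:00:22 hostB sshd[201]: Failed password for root from 10.0.0.5 port 6002 ssh2",
    "2024-05-01T10:00:24 hostB sshd[201]: Failed password for root from 10.0.0.5 port 6003 ssh2",
    "2024-05-01T10:03:00 hostB sshd[202]: Accepted password for dave from 192.168.2.30 port 6100 ssh2",
]


def run_demo():
    """Return (raw line count, forwarded summary count, central alerts)."""
    summaries = preprocess("office-a", OFFICE_A_LOGS) + preprocess("office-b", OFFICE_B_LOGS)
    raw = len(OFFICE_A_LOGS) + len(OFFICE_B_LOGS)
    return raw, len(summaries), correlate(summaries)


if __name__ == "__main__":
    raw, forwarded, alerts = run_demo()
    print(f"raw lines: {raw}, summaries forwarded to central SIEM: {forwarded}")
    for a in alerts:
        print(a)
```

The point the model makes is the one the abstract argues: the central SIEM receives six summaries instead of thirteen raw lines, yet rule 1 still sees the password-guessing activity that no single node could judge on its own (7 failures from one source split across two offices), and rule 2 still catches the success-after-failures pattern on one node because the summary keeps first and last timestamps. What is lost is per-event detail (individual ports, exact inter-attempt timing), which is the trade-off a practitioner must weigh when deciding how much preprocessing to delegate to local nodes.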