This work focuses on researching, analyzing, and enhancing methods and tools for security monitoring in computer networks. The study develops security monitoring tools and methods based on SIEM agents, improving the data normalization process from security logs. The research explores SIEM's role in the SIEM-EDR-NDR triad perspective to accelerate responses to network security threats. The investigation is grounded in the experiences of foreign companies and domestic banking networks. The interaction of SIEM-EDR-NDR components, forming a SOC triad, is examined. SIEM is utilized for centralized data analysis, including EDR and NDR, providing a comprehensive security overview. EDR detects and responds to threats on endpoints, complemented by NDR, extending SIEM analysis. This combination ensures effective response to cyberattacks, reducing "dwell time" until detection. The formulation of tasks for EDR components in the SIEM-EDR-NDR triad is discussed. Emphasis is placed on the importance of protecting endpoints at all stages of an attack, and effective strategies, such as traffic analysis, application control, and centralized cybersecurity management, are identified. Integration of EDR with existing security tools to create a comprehensive system is highlighted. Within the SIEM context, data processing stages, from log collection and normalization to event classification and correlation, are illuminated. The role of correlation in incident formation and investigation is underscored. An enhanced normalization scheme with an expanded agent deployment and key data processing stages within the SIEM system is proposed. The work addresses the improvement of event log processing in SIEM for effective network security monitoring and timely threat mitigation. The achieved goal accelerates threat response processes through SIEM agent integration, facilitating the organization and classification of information flows for prompt threat mitigation.
Read full abstract