Security Information And Event Management Systems Research Articles

Cybersecurity on a budget: Evaluating security and performance of open-source SIEM solutions for SMEs.

The proliferation of cyber threats necessitates robust security measures to safeguard critical assets and data in today's evolving digital landscape. Small and Medium Enterprises (SMEs), which are the backbone of the global economy are particularly vulnerable to these threats due to inadequate protection for critical and sensitive information, budgetary constraints, and lack of cybersecurity expertise and personnel. Security Information and Event Management (SIEM) systems have emerged as pivotal tools for monitoring, detecting, and responding to security incidents. While proprietary SIEM solutions have historically dominated the market, open-source SIEM systems have gained prominence for their accessibility and cost-effectiveness for SMEs. This article presents a comprehensive study focusing on the evaluation of open-source SIEM systems. The research investigates the capabilities of these open-source solutions in addressing modern security challenges and compliance with regulatory requirements. Performance aspects are explored through empirical testing in simulated enterprise-grade SME network environments to assess resource utilization, and real-time data processing capabilities. By providing a rigorous assessment of the security and performance features of open-source SIEM systems, this research offers valuable insights to cybersecurity practitioners, organizations seeking cost-effective security solutions, and the broader academic community. The findings shed light on the strengths and limitations of these systems, aiding decision-makers in selecting the most suitable SIEM solution for their specific requirements while enhancing the cybersecurity posture of SMEs.

You are your friends: Detecting malware via guilt-by-association and exempt-by-reputation

With the increase in the prevalence of Security Information and Event Management Systems (SIEMs) in today's organizations, there is a growing interest in data-driven threat detection.In this research, we formulate malware detection as a large-scale graph mining and inference problem using host-level system events/logs. Our approach is built on two basic principles: guilt-by-association and exempt-by-reputation, with the intuition, that an adversary's resources are limited; hence, reusing infrastructures and techniques is inevitable. We present MalLink, a system that models all host-level process activities as a Heterogeneous Information Network (HIN). The HIN emphasizes shared characteristics of processes/files across the enterprise, e.g., parent/sub-processes, written/read files, loaded libraries, registry entries, and network connections. MalLink then propagates maliciousness from a set of previously known malicious entities to obtain a set of previously unknowns.MalLink was deployed in a real-world setting, next to the SIEM system of a large international enterprise, and evaluated using 8 days (20 TB) of EDR logs collected from all endpoints within the organization. The results demonstrate high detection performance (F1-score of 0.83), particularly when manually investigating the 50 highest scored files with no prior, 37 are found malicious. This demonstrates MalLink's capability to detect previously unknown malicious files.

A Literary Review of Pattern Matching Techniques in Network Intrusion Detection

With the exponential growth in devices and services being added to networks, we are also witnessing an increase in the volume and complexity of threats, urging an increased efficiency in network intrusion detection systems which primarily rely on pattern matching to identify malicious activity on the network. In this literary review of pattern matching techniques in network intrusion detection, we explore the limitations and the research carried out in both signature-based and anomaly-based intrusion detection systems to overcome them. It focuses on the performance improvements in signature-based intrusion detection systems achieved through methodologies and technologies like regular expressions, Hyperscan, RE2, Flashtext, a generalized Aho-Corasick algorithm, usage of Bloom filters and payload sampling. It also covers the usage of machine learning techniques, including genetic algorithms, Support Vector Machines (SVM) and Improved Self-Adaptive Bayesian Algorithm (ISABA), which are used to detect anomalous behavior and identify potential threats in a network in anomaly-based network intrusion detection to assist the security analysts carry out their job functions. Additionally, this review explores the integration of the MITRE ATT&CK framework and Security Information and Event Management (SIEM) systems in network intrusion detection as this framework provides a structured and standardized approach for analyzing the tactics and techniques used by attackers to classify them, while SIEM systems enable the correlation of threat activity across multiple sources, allowing for a more comprehensive and accurate view of the network security. Overall, this literary review provides insights into the state-of-the-art techniques and frameworks used in Network Intrusion Detection based on Pattern Matching, highlighting the significant improvements in performance and detection capabilities.

The Future of SIEM in a Machine Learning-Driven Cybersecurity Landscape

As cyber threats become increasingly sophisticatedand complex, traditional Security Information and Event Management (SIEM) systems are struggling to keep up. The integration of artificial intelligence (AI) and machine learning (ML) into SIEM tools is transforming the way organizations detect, investigate, and respond to security incidents. This paper explores the future of SIEM tools in the context of the evolving cybersecurity landscape and discusses how organizations can prepare for the adoption of ML-enabled SIEM systems.ML-enabled SIEM systems significantly enhance the capabilities of traditional SIEM tools,enabling them to more effectively detect and respond to both known andemergingthreats.Organizations must develop a robust data strategy,invest in talent,and adopt ML-enabled SIEM solutions gradually to fully take advantage ofthepotentialof these technologies.Staying up-to-date with the latest trends in ML and cybersecurity isalsocrucial for organizations to maximize the benefits of ML-enabled SIEM tools.

Financial Fortification: Navigating Cybersecurity Imperatives

The digital era runs on information. This detailed examination examines the evolution of cybersecurity and future adjustments. It describes how hackers continually improve their tactics to steal from financial institutions or compromise data. It addresses economic fortress flaws like obsolete systems and operational sloppiness and suggests logical counteroffensives. The research paper below addresses how cybersecurity approaches and frameworks are helpful yet needs to be revised. It also highlights potential new technologies like AI threat detection and biometrics. Proposed measures are to promote technology usage, improve cyber hygiene, and foster international collaboration. The government also reformed vital laws and regulations. The conclusion emphasizes the need for financial institutions to use awareness and resolution to prevent computer crime. Financial institutions must fight cyberattacks with many strategies. Investing in and adopting newer technologies like SIEM (security information and event management) systems that detect threats quickly, high-level data encryption to protect private information, and threat intelligence platforms that preplan security measures based on the future is even more crucial. Businesses must educate employees, create an incident response plan, and spot-check weaknesses for cybersecurity hygiene.

Security Information and Event Management (SIEM): Analysis, Trends, and Usage in Critical Infrastructures.

Security Information and Event Management (SIEM) systems have been widely deployed as a powerful tool to prevent, detect, and react against cyber-attacks. SIEM solutions have evolved to become comprehensive systems that provide a wide visibility to identify areas of high risks and proactively focus on mitigation strategies aiming at reducing costs and time for incident response. Currently, SIEM systems and related solutions are slowly converging with big data analytics tools. We survey the most widely used SIEMs regarding their critical functionality and provide an analysis of external factors affecting the SIEM landscape in mid and long-term. A list of potential enhancements for the next generation of SIEMs is provided as part of the review of existing solutions as well as an analysis on their benefits and usage in critical infrastructures.

A Dense Neural Network Approach for Detecting Clone ID Attacks on the RPL Protocol of the IoT.

At present, new data sharing technologies, such as those used in the Internet of Things (IoT) paradigm, are being extensively adopted. For this reason, intelligent security controls have become imperative. According to good practices and security information standards, particularly those regarding security in depth, several defensive layers are required to protect information assets. Within the context of IoT cyber-attacks, it is fundamental to continuously adapt new detection mechanisms for growing IoT threats, specifically for those becoming more sophisticated within mesh networks, such as identity theft and cloning. Therefore, current applications, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Security Information and Event Management Systems (SIEM), are becoming inadequate for accurately handling novel security incidents, due to their signature-based detection procedures using the matching and flagging of anomalous patterns. This project focuses on a seldom-investigated identity attack—the Clone ID attack—directed at the Routing Protocol for Low Power and Lossy Networks (RPL), the underlying technology for most IoT devices. Hence, a robust Artificial Intelligence-based protection framework is proposed, in order to tackle major identity impersonation attacks, which classical applications are prone to misidentifying. On this basis, unsupervised pre-training techniques are employed to select key characteristics from RPL network samples. Then, a Dense Neural Network (DNN) is trained to maximize deep feature engineering, with the aim of improving classification results to protect against malicious counterfeiting attempts.

Secured Access Control in Security Information and Event Management Systems

Nowadays, Security Information and Event Management (SIEM) is very important in software. SIEM stores and monitors events in software and unauthorized access to logs can prompt different security threats such as information leakage and violation of confidentiality. In this paper, a novel method is suggested for secured and integrated access control in the SIEM. First, the key points where the SIEM accesses the information within the software is specified and integrated policies for access control are developed in them. Accordingly, the threats entered into the access control module embedded in this system are carefully detected. By applying the proposed method, it is possible to provide the secured and integrated access control module for SIEM as well as the security of the access control module significantly increases in these systems. The method is implemented in the three stages of the requirements analysis for the establishment of a secure SIEM system, secure architectural design, and secure coding. The access control module is designed to create a secured SIEM and the test tool module is designed for evaluating the access control module vulnerabilities. Also, to evaluate the proposed method, the dataset is considered with ten thousand records, and the accuracy is calculated. The outcomes show the accuracy of the proposed method is significantly improved. The results of this paper can be used for designing an integrated and secured access control system in SIEM systems.

SPEAR SIEM: A Security Information and Event Management system for the Smart Grid

The technological leap of smart technologies has brought the conventional electrical grid in a new digital era called Smart Grid (SG), providing multiple benefits, such as two-way communication, pervasive control and self-healing. However, this new reality generates significant cybersecurity risks due to the heterogeneous and insecure nature of SG. In particular, SG relies on legacy communication protocols that have not been implemented having cybersecurity in mind. Moreover, the advent of the Internet of Things (IoT) creates severe cybersecurity challenges. The Security Information and Event Management (SIEM) systems constitute an emerging technology in the cybersecurity area, having the capability to detect, normalise and correlate a vast amount of security events. They can orchestrate the entire security of a smart ecosystem, such as SG. Nevertheless, the current SIEM systems do not take into account the unique SG peculiarities and characteristics like the legacy communication protocols. In this paper, we present the Secure and PrivatE smArt gRid (SPEAR) SIEM, which focuses on SG. The main contribution of our work is the design and implementation of a SIEM system capable of detecting, normalising and correlating cyberattacks and anomalies against a plethora of SG application-layer protocols. It is noteworthy that the detection performance of the SPEAR SIEM is demonstrated with real data originating from four real SG use case (a) hydropower plant, (b) substation, (c) power plant and (d) smart home.

Towards GDPR-compliant data processing in modern SIEM systems

The introduction of the General Data Protection Regulation (GDPR) in Europe raises a whole series of issues and implications on the handling of corporate data. We consider the case of security-relevant data analyses in companies, such as those carried out by Security Information and Event Management (SIEM) systems. It is often argued that the processing of personal data is necessary to achieve service quality. However, at present existing systems arguably are in conflict with the GDPR since they often process personal data without taking data protection principles into account. In this work, we first examine the GDPR regarding the resulting requirements for SIEM systems. On this basis, we propose a SIEM architecture that meets the privacy requirements of the GDPR and show the effects of pseudonymization on the detectability of incidents.

New approach for threat classification and security risk estimations based on security event management

Security Information and Event Management (SIEM) systems are essential for identifying cyber attacks, being an extended practice in organizations to detect threats, vulnerabilities and to estimate security risks. The management of events and information related to security is done through systems that provide all the information, processing different data sources. The developing of alternative models that provide complementary information to commercial solutions, based on the same data sources, is presented as a novel and interesting challenge, not only for organizations, but also for the scientific community. This paper presents a new system to classify security threats, computing their criticality according to the Bug Bar technique, with the aim of addressing threats in order of priority. High correlations were achieved between severity risk values achieved from commercial systems and results computed by the new approach. Accordingly, the new proposal could complement the information of SIEM systems, and help in the prediction of criticalities of future threats.

Impact of SIEM on Compliance: Achieving Security and Adherence Simultaneously

Security Information and Event Management (SIEM) solutions are broadly used as important tools to identify, prevent, and respond to cyber security incidents. Recently, SIEM systems have immensely advanced to become extensive solutions that provide a broad view of IT infrastructures, help IT teams spot cyber risks, and devise proactive mitigation strategies aimed at minimizing time and expenditure for incident response. Besides, SIEM addresses a vast range of regulatory requirements, like state and international regulations with which organizations must comply together with industry-specific policies and standards. As such, this review paper explains how SIEM helps businesses meet regulatory requirements and achieve compliance with industry best practices.

Problems of implementing SIEM systems in the practice of managing information security of economic entities

The aim of the study is to increase the efficiency of information security management of economic entities that use Security Information and Event Management (SIEM) systems by identifying and solving the main problems of introducing these systems into the management of information security practices of economic entities [1-3]. Materials and research methods . Based on the analysis of scheme of the typical architecture of the SIEM system and the standard process of introducing the SIEM system into practice of managing information security of various types of economic entities, the main problems of the installation and configuration of the SIEM system are determined, and ways to solve them are substantiated. During the installation and configuration of the SIEM system, the team of customers and contractors may experience the following typical problems. The process of installing and configuring the SIEM system as part of a systematic approach is considered as a set of interconnected resource-based procedures that implement the installation and configuration of individual components of the SIEM system. Out of the whole set of these procedures, the procedures to be automated are determined. To determine the rational structure of the process of automated installation and configuration of the SIEM system, a method of network planning and management is proposed [4-5], which also allows you to evaluate the effectiveness of implementing the SIEM system in the practice of managing information security of economic entities based on the development and calculation of network schedules. Results. In this work, we developed ways to solve the problems of introducing SIEM systems into information security management practice: simplifying the SIEM system, which is a rejection of rarely used modules and rebuilding the architecture of the SIEM system; automation of the process of typical installation and general setup of the SIEM system, which represents the development of a methodology for automating the procedure of typical installation and general setup of the SIEM system and software module that implements the developed methodology; a combined approach, which is a joint application of the two above approaches, which allows you to bring the SIEM system closer as a product to the “box option. The paper presents reasonable proposals for improving the implementation of the SIEM system, based on the development and application of automated procedures for the typical installation and configuration of the SIEM system, which reduces the time spent on the implementation of the SIEM system, increases the convenience of performing these procedures, and in general can lead to the “boxed version of the solution for a product of this class of information security event management systems. Conclusion. The proposed ways to solve the problems of implementing SIEM systems in the practice of managing information security of economic entities based on the optimization of the installation and configuration of SIEM systems can accelerate the distribution and implementation of information security event management systems and increase efficiency by automating standard installation procedures and SIEM system settings.

ПРИМЕНЕНИЕ SIEM РЕШЕНИЙ НА МУЛЬТИСЕРВИСНЫХ СЕТЯХ СВЯЗИ

The article discusses solutions in the field of SIEM (Security information and event management systems) and the operation of IDS / IPS class network intrusion detection / prevention systems. The general functional characteristics of these software products are presented, typical solutions for the inclusion of IDS / IPS in data transmission network are offered, at the second, third and fourth levels of the OSI model. A brief description and some practical examples of using IDS / IPS from Sourcefire, the SNORT product, are given.

Designing blockchain-based SIEM 3.0 system

PurposeNowadays, to operate securely and legally and to achieve business objectives, secure valuable assets and support uninterrupted business processes, all organizations need to match a lot of internal and external compliance regulations such as laws, standards, guidelines, policies, specifications and procedures. An integrated system able to manage information security (IS) for their intranets in the new cyberspace while processing tremendous amounts of IS-related data coming in various formats is required as never before. These data, after being collected and analyzed, should be evaluated in real-time from an IS incident viewpoint, to identify an incident’s source, consider its type, weigh its consequences, visualize its vector, associate all target systems, prioritize countermeasures and offer mitigation solutions with weighted impact relevance. Different security information and event management (SIEM) systems cope with this routine and usually complicated work by rapid detection of IS incidents and further appropriate response. Modern challenges dictate the need to build these systems using advanced technologies such as the blockchain (BC) technologies (BCTs). The purpose of this study is to design a new BC-based SIEM 3.0 system and propose a methodology for its evaluation.Design/methodology/approachModern challenges dictate the need to build these systems using advanced technologies such as the BC technologies. Many internet resources argue that the BCT suits the intrusion detection objectives very well, but they do not mention how to implement it.FindingsAfter a brief analysis of the BC concept and the evolution of SIEM systems, this paper presents the main ideas on designing the next-generation BC-based SIEM 3.0 systems, for the first time in open access publications, including a convolution method for solving the scalability issue for ever-growing BC size. This new approach makes it possible not to simply modify SIEM systems in an evolutionary manner, but to bring their next generation to a qualitatively new and higher level of IS event management in the future.Research limitations/implicationsThe most important area of the future work is to bring this proposed system to life. The implementation, deployment and testing onto a real-world network would also allow people to see its viability or show that a more sophisticated model should be worked out. After developing the design basics, we are ready to determine the directions of the most promising studies. What are the main criteria and principles, according to which the organization will select events from PEL for creating one BC block? What is the optimal number of nodes in the organization’s BC, depending on its network assets, services provided and the number of events that occur in its network? How to build and host the SIEM 3.0 BC infrastructure? How to arrange streaming analytics of block’s content containing events taking place in the network? How to design the BC middleware as software that enables staff to interact with BC blocks to provide services like IS events correlation? How to visualize the results obtained to find insights and patterns in historical BC data for better IS management? How to predict the emergence of IS events in the future? This list of questions can be continued indefinitely for a full-fledged design of SIEM 3.0.Practical implicationsThis paper shows the full applicability of the BC concept to the creation of the next-generation SIEM 3.0 systems that are designed to detect IS incidents in a modern, fully interconnected organization’s network environment. The authors’ attempt to begin with a detailed description of the basics for a BC-based SIEM 3.0 system design is presented, as well as the evaluation methodology for the resulting product.Originality/valueThe authors believe that their new revolutionary approach makes it possible not to simply modify SIEM systems in an evolutionary manner, but to bring their next generation to a qualitatively new and higher level of IS event management in the future. They hope that this paper will evoke a lively response in this segment of the security controls market from both theorists and direct developers of living systems that will implement the above approach.

Near-miss situation based visual analysis of SIEM rules for real time network security monitoring

Security information and event management (SIEM) systems are generally used to monitor the network for malicious activities. These systems are capable of detecting a wide range of malicious activities in the network using built-in rules to generate alerts on malicious activities. Although SIEM systems provide comprehensive reports about each alert including relevant details such as, severity score, events, and events counts. However, a key limitation of SIEM systems is not presenting the rule’s status in real time before an alert is raised. This paper presents a novel visual tool that enables security analyst to grasp visually, and in real time a complete overview of SIEM rules execution, and alert circumstances that may happen in advance based on near-miss situation. Apart from the real time rules analysis, it also enables security analysts to explore the reasoning behind the alerts in an organized and efficient manner via security questions. The essence of the approach is to evaluate and visualize the current status of each rule execution according to pre-compiled conditions in real time. We demonstrate the utility of our approach using IBM QRadar events data to support the informative analysis of different rules in real time, and security questions based insight about the rules via story page.

Attack scenario reconstruction using intrusion semantics

Security information and event management (SIEM) systems receive a large number of alerts from different intrusion detection systems. They are expected, from these alerts, to make reliable and timely decisions regarding the types of ongoing attack scenarios and their priorities. However, the lack of an agreed-upon vocabulary for the representation of the domain knowledge makes it difficult for state-of-the-art SIEM systems to effectively manage these complex decisions. To overcome this problem, an ontology-based expert system approach can provide domain knowledge modeling as a foundation for disambiguation of meaning and automatic reasoning regarding ongoing attack scenarios. The proposed approach reconstructs attack scenarios by reasoning based on the evidences in the alert stream. The main idea of the proposed approach is to identify the causal relation between alerts using their similarity. This approach assumes that the similarity between two successive steps in an attack scenario is greater than that of two non-successive steps. Moreover, the similarity between the steps of the same attack scenario is greater than that between the steps of two different attack scenarios. The benefit of the proposed approach includes the fast and incremental reconstruction of known and unknown attack scenarios without expert intervention, which is an enormous step forward in developing expert and intelligent systems for cyber security. We evaluated the proposed technique by performing experiments on two known datasets: DARPA 2000 and MACCDC 2012. The results prove the advantages of the proposed approach with regard to completeness and soundness criteria.

A high-level domain-specific language for SIEM (design, development and formal verification)

Organizations deploy security information and event management (SIEM) systems for centralized management of security events. The real-time security monitoring capability of the SIEM depends on the correlation process where events data are matched against the security rules. Most SIEM systems use general purpose languages to define security rules. Creating new rules in general purpose languages require excellent programming skills in the proprietary language and intimate knowledge of events. This paper introduces a high-level domain-specific language (HDSL) which simplifies rule creation for the SIEM system. We formally specify the HDSL with extended Backus–Naur form grammar in another tool for language recognition according to the model driven engineering approach. In our implementation framework, the rules defined in the HDSL are converted in the standard event processing language. For evaluation purpose, the converted security rules are tested on the service real-time data security analytics. The results indicate that the rules are converted accurately and generate alarms when specific attacks are detected. For checking correctness of the HDSL, formal verification is carried out using satisfiability modulo theory and Z3 solver. The results are evaluated under diverse attack scenarios, which reveal that HDSL is functioning correctly. The HDSL enhances the SIEM correlation capabilities by providing a tranquil approach for writing the correlation rules.

Towards a system for complex analysis of security events in large-scale networks

After almost two decades of development, modern Security Information and Event Management (SIEM) systems still face issues with normalisation of heterogeneous data sources, high number of false positive alerts and long analysis times, especially in large-scale networks with high volumes of security events. In this paper, we present our own prototype of SIEM system, which is capable of dealing with these issues. For efficient data processing, our system employs in-memory data storage (SAP HANA) and our own technologies from the previous work, such as the Object Log Format (OLF) and high-speed event normalisation. We analyse normalised data using a combination of three different approaches for security analysis: misuse detection, query-based analytics, and anomaly detection. Compared to the previous work, we have significantly improved our unsupervised anomaly detection algorithms. Most importantly, we have developed a novel hybrid outlier detection algorithm that returns ranked clusters of anomalies. It lets an operator of a SIEM system to concentrate on the several top-ranked anomalies, instead of digging through an unsorted bundle of suspicious events. We propose to use anomaly detection in a combination with signatures and queries, applied on the same data, rather than as a full replacement for misuse detection. In this case, the majority of attacks will be captured with misuse detection, whereas anomaly detection will highlight previously unknown behaviour or attacks. We also propose that only the most suspicious event clusters need to be checked by an operator, whereas other anomalies, including false positive alerts, do not need to be explicitly checked if they have a lower ranking. We have proved our concepts and algorithms on a dataset of 160 million events from a network segment of a big multinational company and suggest that our approach and methods are highly relevant for modern SIEM systems.

A framework for mastering heterogeneity in multi-layer security information and event correlation

We detected limits of SIEM systems while being used to protect critical infrastructures from sophisticated cyberattacks.We developed a new data collection and pre-correlation framework named GET.GET links physical to logical security and exploits knowledge of the Business Process.The GET framework has been integrated into the open-source SIEM OSSIM.We validated the GET in a dam control system and a mobile phone based payment service. Security Information and Event Management (SIEM) is a consolidated technology that relies on the correlation of massive amounts of security-relevant information in order to detect ongoing attacks and intrusions. This correlation process is usually fed with logs generated by network devices and equipment, thus proving to be ineffective against attacks that affect multiple domains (e.g. physical, logical) or different architectural levels (e.g. network, operating system, application) of a service infrastructure. To bridge the gap, we propose a flexible framework for event collection and correlation, namely the Generic Event Translator, which is able to process heterogeneous data and spot evidence of security issues by using complex event pattern detectors that correlate information from multiple architectural layers and domains of the monitored infrastructure. The framework has been integrated into the open-source SIEM OSSIM, and validated in two challenging case studies, namely a dam infrastructure control system and a mobile phone based payment service. Display Omitted