Generalized Net Model of an Automated System for Monitoring, Analysing and Managing Events Related to Information Security
Author(s) - Ivelina Vardeva
Publication year - 2019
Publication title - Information and Security: An International Journal
Language(s) - English
Resource type - Journals
eISSN - 1314-2119
pISSN - 0861-5160
DOI - 10.11610/isij.4319
Subject(s) - net (polyhedron), computer science, data mining, mathematics, geometry
Article info: Received 02 Jul 2019; Revised 08 Sep 2019; Online 22 Sep 2019
Keywords: security information and event management, information security, security tools, security services
Creative Commons BY-NC 4.0

Introduction

Every day cyber attackers break into networks disguised as employees and delete their tracks as they go. With time against you and with inadequate tools, it can take an average of eight months to filter through such massive volumes of data in order to detect and contain the attack. The IBM QRadar Security Intelligence Platform is designed to automatically identify and analyse threats earlier in the attack cycle, providing the necessary time to respond.

Ivelina Vardeva, ISIJ 43, no. 2 (2019): 257-263

Methods

Is computer security a problem? Today we are completely dependent on computer networks and information. Business, industry, utilities, and strategic sites bind their processes to computer networks and the Internet. Technology alone cannot solve the problem; it is only a tool that we manage. The people who create technology and manage information systems and computer networks are not infallible, and human errors create the preconditions for security breaches. The use of security information and event management (SIEM) systems raises the level of information security in existing architectures by providing the ability to manipulate the flow of information and to manage incidents and events in these systems in real time. In order to manage real-time security incidents, a decision must be made before the situation becomes critical. To perform such control and analysis, automated forecasting mechanisms are used, based on the data accumulated about the normal operating state of these systems. The automation of real-time decision making is based on mechanisms that determine the state of information security.
To enable security analysts to perform investigations, SIEM correlates information such as the following examples: point in time, offending users, origins, targets, vulnerabilities, asset information, known threats.

Overview of key SIEM capabilities

The key SIEM capabilities include:
• Ability to process security-relevant data from a wide variety of sources, such as:
  o Firewalls
  o User directories
  o Proxies
  o Applications
  o Routers;
• Collection, normalization, correlation, and secure storage of raw events, vulnerabilities, network flows, assets, and threat intelligence data;
• Layer 7 payload capture up to a configurable number of bytes from unencrypted traffic;
• Comprehensive search capabilities;
• Monitoring of network and host behaviour changes that could indicate an attack or policy breach, such as:
  o Off-hours or excessive usage of an application, or network activity patterns inconsistent with historical user profiles;
• Prioritization of suspected attacks and policy breaches;
• Notification by email, SNMP, and others;
• Provision of a variety of generic reporting templates.

Based on these key capabilities of SIEM, intelligent automated security solutions are built. They also include automation, dashboards, visualizations, workflows and reporting capabilities. Security intelligence platforms incorporate:
• use cases – advanced threat detection, insider threat detection, risk and vulnerability management, critical data and GDPR, incident response, cloud security, compliance;
• analytics engine – security analytics, real-time detection and user-driven analytics (machine learning, powerful search, behavioural analytics, artificial intelligence, threat hunting);
• unlimited logging – data store (endpoint, network, applications, identity, vulnerabilities, configuration, assets, third-party data stores);
• deployment model, which can be on premises, as a service, cloud, or hybrid.
All SIEM tools are an important part of data security: they aggregate data from multiple systems (described above) and analyse that data to catch abnormal or unconventional behaviour or potential cyberattacks. What the SIEM processes involve is shown in Figure 1.
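As an added illustration of the capabilities listed above (collection from several source formats, normalization into one schema, correlation of point in time, user and origin against a historical user profile, and prioritization), here is a toy SIEM pipeline in Python. It is not code from the paper or from QRadar; every log line, user name, host and address in it is constructed, and the scoring rule (hours outside the usual window plus a fixed bonus for a never-seen origin) is an assumption chosen for the example.

```python
# Added example (not the paper's or any product's code); every user, host and address is constructed.
import re
from datetime import datetime
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+)$")
APP_RE = re.compile(r"^(?P<ts>\S+) app=(?P<dst>\S+) event=(?P<action>\w+) user=(?P<user>\S+) from=(?P<src>\S+)$")
HISTORY = [  # constructed baseline: alice active 09-17, bob 08-16, both from the office range
    "2019-09-01T09:12:00 fw01 ACCEPT src=10.0.0.5 dst=10.0.1.20 user=alice",
    "2019-09-01T14:30:00 app=erp01 event=LOGIN user=alice from=10.0.0.5",
    "2019-09-01T17:05:00 fw01 ACCEPT src=10.0.0.5 dst=10.0.1.20 user=alice",
    "2019-09-01T08:45:00 app=erp01 event=LOGIN user=bob from=10.0.0.7",
    "2019-09-01T16:20:00 fw01 ACCEPT src=10.0.0.7 dst=10.0.1.20 user=bob",
]
NEW = [  # constructed events to analyse; the last one comes from a source with no parser yet
    "2019-09-02T03:10:00 app=erp01 event=LOGIN user=alice from=198.51.100.9",
    "2019-09-02T10:00:00 fw01 ACCEPT src=10.0.0.7 dst=10.0.1.20 user=bob",
    "2019-09-02T23:30:00 fw01 DENY src=10.0.0.7 dst=10.0.1.50 user=bob",
    "unstructured line from an unknown device",
]

def normalize(line):
    """Collection/normalization: map either raw format onto one schema (time, user, origin, target)."""
    for pattern in (FW_RE, APP_RE):
        if m := pattern.match(line):
            return {"time": datetime.fromisoformat(m["ts"]), "user": m["user"],
                    "origin": m["src"], "target": m["dst"], "action": m["action"]}
    return None  # unparsed; a real SIEM keeps it as a raw event instead of dropping it

def build_profiles(lines):
    """Historical user profile: usual active-hour window plus the origins seen before."""
    profiles = {}
    for e in filter(None, map(normalize, lines)):
        p = profiles.setdefault(e["user"], {"lo": 23, "hi": 0, "origins": set()})
        p["lo"], p["hi"] = min(p["lo"], e["time"].hour), max(p["hi"], e["time"].hour)
        p["origins"].add(e["origin"])
    return profiles

def hour_gap(hour, lo, hi):
    """Circular distance in hours from the usual window (0 when inside it)."""
    return 0 if lo <= hour <= hi else min(min(abs(hour - b), 24 - abs(hour - b)) for b in (lo, hi))

def detect(lines, profiles):
    """Correlation and prioritization: score off-hours activity and never-seen origins, rank by score."""
    alerts = []
    for e in filter(None, map(normalize, lines)):
        if (p := profiles.get(e["user"])) is None:
            continue  # no baseline yet for this user; a production rule would alert on that separately
        priority = hour_gap(e["time"].hour, p["lo"], p["hi"]) + (3 if e["origin"] not in p["origins"] else 0)
        if priority:  # 0 means consistent with the historical profile
            alerts.append({**e, "time": e["time"].isoformat(), "priority": priority})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)
```

Calling `detect(NEW, build_profiles(HISTORY))` returns two alerts: alice's 03:10 login from a never-seen origin (priority 9) ranked above bob's 23:30 DENY (priority 7), while bob's 10:00 event matches his profile and the unparsed line is skipped.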