ANALYTICAL REVIEW OF METHODS FOR IMPLEMENTING SUBSYSTEMS FOR DATA COLLECTION, PROCESSING, STORAGE AND VISUALIZATION FOR SOC (SECURITY OPERATIONS CENTER)
Keywords:
SOC, data collection, data processing, data storage, visualization, SIEM, machine learning, cybersecurity, HIDS, XDR, agent, server, indexer, dashboard.
Abstract
Modern corporate information systems are exposed to a multitude of threats every day, which requires not only timely detection but also effective analysis and visualization of security data. This paper presents an analytical review of methods for implementing a subsystem for data collection, processing, storage and visualization within security operations centers (SOC). Special attention is paid to the architectural and functional features of the Wazuh solution, which combines the capabilities of a SIEM, a host-based intrusion detection system (HIDS), log management and visual presentation of information. Existing approaches based on SIEM systems (Splunk, QRadar, ArcSight), log managers (ELK, Graylog), XDR solutions (Cortex XDR, Microsoft Defender) and IDS/IPS systems (Suricata, Snort) are considered and compared with Wazuh. The key components of Wazuh are described: the agent, which collects events on monitored hosts; the server, which decodes them and evaluates detection rules; the indexer, which stores the resulting alerts and events; and the dashboard, which visualizes them; together with how they interact in the implementation of the subsystem. Based on the analysis, recommendations are formulated for building a universal, cost-effective and scalable subsystem for centralized monitoring and analysis of information security events.
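The four stages the abstract names (collection by an agent, decoding and rule evaluation by a server, storage in an indexer, aggregation for a dashboard) can be traced end to end on a handful of log lines. The following is an added example written for this page, not code from the paper or from the Wazuh project: a plain-Python model of that pipeline, run over a constructed sample of sshd lines. The rule IDs, alert levels, brute-force threshold and window, the year assumed for syslog timestamps, and the field names are all hypothetical choices for the illustration.

```python
"""Minimal model of a SOC collect -> process -> store -> visualize pipeline.

Added example, not the paper's or Wazuh's code. Stages mirror the components
the abstract lists: agent (collect), server (decode + rules), indexer (store),
dashboard (aggregate). All identifiers and thresholds are hypothetical.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of what an agent would read from /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:04 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:06 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:07 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:00:40 web01 sshd[2111]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Mar 10 09:05:00 web01 sshd[2113]: Failed password for root from 198.51.100.9 port 41000 ssh2
"""

LOG_YEAR = 2024  # hypothetical: syslog timestamps carry no year
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")

# Per-event rules: (rule_id, level, description, predicate). IDs/levels hypothetical.
RULES = [
    (100001, 5, "sshd: authentication failure",
     lambda ev: ev.get("outcome") == "Failed password"),
    (100002, 3, "sshd: successful login",
     lambda ev: ev.get("outcome", "").startswith("Accepted")),
]
# Frequency rule: N failures from one source inside a sliding window.
BRUTE_FORCE = {"rule_id": 100010, "level": 10, "threshold": 5,
               "window": timedelta(seconds=60),
               "description": "sshd: possible brute force (>=5 failures from one source in 60s)"}


def collect(raw):
    """Agent stage: turn the log source into raw events (one per line)."""
    return [{"raw": line} for line in raw.splitlines() if line.strip()]


def decode(event):
    """Server stage 1 (decoder): extract structured fields from the raw line."""
    m = SYSLOG_RE.match(event["raw"])
    if not m:
        return None  # undecodable lines are dropped here; a real server would count them
    ev = {**event, **m.groupdict()}
    ev["timestamp"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    if ev["prog"] == "sshd":
        s = SSHD_RE.match(ev["msg"])
        if s:
            ev.update(s.groupdict())
    return ev


def analyze(events):
    """Server stage 2 (rules): per-event rules plus the sliding-window frequency rule."""
    alerts = []
    failures = defaultdict(list)  # src ip -> timestamps of failures in the window
    for ev in events:
        for rule_id, level, desc, pred in RULES:
            if pred(ev):
                alerts.append({"rule_id": rule_id, "level": level, "description": desc,
                               "host": ev["host"], "src": ev.get("src"),
                               "user": ev.get("user"), "timestamp": ev["timestamp"].isoformat()})
        if ev.get("outcome") == "Failed password":
            window = failures[ev["src"]]
            window.append(ev["timestamp"])
            window[:] = [t for t in window if ev["timestamp"] - t <= BRUTE_FORCE["window"]]
            if len(window) == BRUTE_FORCE["threshold"]:  # fire once, on the Nth failure
                alerts.append({"rule_id": BRUTE_FORCE["rule_id"], "level": BRUTE_FORCE["level"],
                               "description": BRUTE_FORCE["description"], "host": ev["host"],
                               "src": ev["src"], "user": None,
                               "timestamp": ev["timestamp"].isoformat()})
    return alerts


class Indexer:
    """Indexer stage: append-only JSON documents with an exact-match field query."""
    def __init__(self):
        self.docs = []

    def index(self, alerts):
        for a in alerts:
            self.docs.append(json.dumps(a, sort_keys=True))

    def search(self, **terms):
        docs = (json.loads(d) for d in self.docs)
        return [d for d in docs if all(d.get(k) == v for k, v in terms.items())]


def dashboard(indexer):
    """Dashboard stage: the aggregates an analyst panel would render."""
    docs = [json.loads(d) for d in indexer.docs]
    return {"alerts_total": len(docs),
            "by_level": dict(Counter(d["level"] for d in docs)),
            "top_sources": Counter(d["src"] for d in docs if d["src"]).most_common(3),
            "high_severity": [d["description"] for d in docs if d["level"] >= 10]}


def run_pipeline(raw=SAMPLE_AUTH_LOG):
    events = [ev for ev in (decode(e) for e in collect(raw)) if ev]
    idx = Indexer()
    idx.index(analyze(events))
    return idx, dashboard(idx)


if __name__ == "__main__":
    _, summary = run_pipeline()
    print(json.dumps(summary, indent=2))
```

On the sample, the five failures from 203.0.113.7 within six seconds raise the level-10 frequency alert exactly once, while the single failure from 198.51.100.9 only produces a level-5 event; the indexer query `search(rule_id=100010)` is the kind of lookup a dashboard panel would issue. In a real deployment each stage is a separate process (agent to server over the network, server to indexer over an HTTP API, dashboard querying the indexer), so the trust boundaries between them, not just the rule logic, are part of the subsystem design.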