<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Methodology of Rational Choice of Security Incident Management System for Building Operational Security Center</article-title>
      </title-group>
      <contrib-group>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute of Special Communications and Information Protection of the National Technical University of Ukraine "Igor Sikorsky Kiev Polytechnic Institute"</institution>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>0000</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>This article discusses the purpose, tasks and composition of the Operational Security Center (SOC). The basic technological tools that a modern, effective SOC should include are indicated. The focus is on the key role of the Information Security Incident Management System (SIEM) in the SOC. The purpose of SIEM and the main tasks that it should solve are reviewed. The peculiarities of solving the problem of choosing a SIEM are analyzed. The groups of indicators that characterize the degree of fulfillment of the requirements for SIEM are highlighted. The application of fuzzy set theory for processing expert information on the qualitative indicators characterizing SIEM is proposed. The SIEM selection problem is formulated and the main stages of its solution are proposed: preparation of initial data; choice of the method for solving the multicriteria problem; algorithm development. A method of normalization of SIEM quantitative indicators and a method of paired comparison based on rank estimates for processing SIEM qualitative indicators are proposed. It is proposed to use the 9-point Saaty scale to derive functions of SIEM qualitative values based on the processing of expert assessments. The algorithm of the considered method is implemented. Methods for solving multicriteria problems are analyzed and the use of the lexicographic method is proposed for solving the SIEM selection problem for the Security Center (SOC). An algorithm for its implementation has been developed. To illustrate the operation of the proposed algorithm, we give an example of how to apply it to choose a rational SIEM option. Recommendations for application of the results obtained are offered.</p>
      </abstract>
      <kwd-group>
        <kwd>cybersecurity</kwd>
        <kwd>Information Security Incident Management System</kwd>
        <kwd>Operational Security Center</kwd>
        <kwd>lexicographic method</kwd>
        <kwd>fuzzy sets theory</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>It is impossible to counteract the modern cyber threats without the use of modern
cybersecurity technologies that enable monitoring, collection, collation and processing
of information in order to identify existing and predict future threats. An important role is
given to the special units that deal with information and cyber security issues at the
organizational and technical level – the Security Operation Centers (SOC).</p>
      <p>A modern SOC solves the following tasks [1]:
taking immediate actions to protect against cyberattacks and minimize their
damage;
identification of system security vulnerabilities and taking actions to eliminate
them;
centralized security management of various devices in the system;
continuous monitoring of system threats status;
technical support for cyber security of the system and others.</p>
      <p>Structurally, the SOC has three main components: personnel – skilled
professionals using modern cybersecurity technologies with teamwork and management
competencies; processes – business processes, technological processes, operational and
analytical processes; technologies – tools for detecting, counteracting and preventing
cyber threats.</p>
      <p>Effective SOC should include the following modern technological tools to
ensure cyber security [2]: Next Generation Firewall, Intrusion Prevention System (IPS),
Web Application Firewall (WAF), Database Protection, Email Security, Endpoint
Detection and Response, Vulnerability Scanners, Data Loss Prevention, Forensics,
Network Access Control and others.</p>
      <p>However, the basis for building an effective SOC is the use of a SIEM system
(Security Information and Event Management) – a system for managing information
and security events. The use of SIEM in a protection system enables proactive
management of cyber incidents, that is, predicting future events in the system
by applying automated mechanisms that use information about events that have already
occurred in it, as well as adapting the protection settings of the system to its
current state, thereby implementing preventive measures even before the situation in
the system becomes critical [2]. Accordingly, a SIEM system should solve a
range of tasks which include [3]:</p>
      <p>collection, processing and analysis of security events coming from a variety of
heterogeneous distributed sources;
detection of cyber attacks and violations of security policies in real time or close to real time;
investigation of cyber incidents;
developing effective solutions for cyber security;
generation of reporting documents and visualization of system status and others.</p>
      <p>In order to solve these problems, the SIEM-system, on the basis of the initial
data collected from the log files which accumulate information about the events that
occur in the system, selects those events that may be a sign of cyber attacks or other
undesirable actions in the system.</p>
      <p>The main feature of the problem of choosing a SIEM system for
building a SOC is the large number of indicators that characterize the degree of fulfillment
of the requirements for systems of this type, which can be both quantitative and qualitative.
Qualitative indicators, first of all, include those that characterize how effectively the
SIEM system can be used to solve the functional tasks entrusted to it by the SOC; what
the cost of purchasing and using the system will be; how reliable and easy to
operate it is, etc.</p>
      <p>Analysis of recent publications [4-11] showed that these indicators can be represented
as follows:</p>
      <p>$X = \{x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}, x_{12}, x_{13}\}$,
where $x_1$ – event source support;
$x_2$ – event collection;
$x_3$ – correlation;
$x_4$ – search and analytics;
$x_5$ – visualization and reporting;
$x_6$ – prioritization and notification;
$x_7$ – general settings and installed;
$x_8$ – scalability, fault tolerance, storing;
$x_9$ – system component monitoring and internal audit;
$x_{10}$ – ease of use;
$x_{11}$ – availability of state certificates of conformity;
$x_{12}$ – additional system modules;
$x_{13}$ – cost.</p>
      <p>Therefore, the problem of rational selection of SIEM-system for building the SOC
is characterized by multicriteria and the need to consider a large number of qualitative
and quantitative indicators.</p>
      <p>In its turn, the first characteristic requires the use of an effective method of solving
multicriteria problems, and the second – the application of fuzzy set theory for the
processing of expert information on qualitative indicators [12, 13].</p>
      <p>The problem of rational choice of SIEM</p>
      <p>The general statement of the problem of rational choice of SIEM-system can be
described as follows.</p>
      <p>It is necessary to find</p>
      <p>$$S_0 = \underset{s \in S}{\arg\operatorname{opt}}\; W(X(s)),$$ (1)
where $W$ − some generalized indicator of system quality;
$S$ − a set of possible system choices;
$X(s) = \{x_1(s), x_2(s), \ldots, x_k(s), x_{k+1}(s), \ldots, x_n(s)\}$ − vector of SIEM quality indicators,
besides, the first $k$ ($i = \overline{1, k}$) requirements are quantitative, and the other $n-k$ ($i = \overline{k+1, n}$) – qualitative.</p>
      <p>The value of the partial indicator $i$, which characterizes the degree of fulfillment of the
SIEM requirement $i$, is determined by its approximation to the optimal value.</p>
      <p>
        The main stages in solving the task (
        <xref ref-type="bibr" rid="ref1">1</xref>
        ) are: preparing initial data; choosing a method
for solving a multicriteria problem; algorithm development.
      </p>
    </sec>
    <sec id="sec-2">
      <title>The method of solving the problem</title>
      <p>It is advisable to use normalized values to estimate the degree of proximity of the
quantitative indicator $i$ to the optimal value for variant $j$ of the SIEM:
$x_{ij},\ i = \overline{1, k};\ j = \overline{1, k};\ 0 \leq x_{ij} \leq 1$.</p>
      <p>Normalization of the value of a quantitative indicator can be made as follows:
$$x_{ij} = \frac{x_{ij} - x_{ij}^{*}}{x_{ij}^{**} - x_{ij}^{*}},$$
where $x_{ij}$ – the value of indicator $i$ for variant $j$ of the system;</p>
      <p>$x_{ij}^{*}$, $x_{ij}^{**}$ – the worst and the best indicator value.</p>
      <p>Accordingly, the degree of proximity of the qualitative indicator $i$ to the optimal value
for variant $j$ of the SIEM can be determined using the membership function $\mu_S(x_i)$.
To build a membership function $\mu_S(x_i)$ it is advisable to use a rank-based method or
pairwise ranking method [14, 15].</p>
      <p>In this case, the rank of an element $x_i \in X$ refers to a number $r_S(x_i)$ that
characterizes its importance in the formation of the SIEM property which is described by a fuzzy
term $S$. Suppose that the greater the rank of an indicator, the greater the value of its
membership function.</p>
      <p>
        If you introduce the following notation
$$r_S(x_i) = r_i,\quad \mu_S(x_i) = \mu_i;\quad i = \overline{1, n},$$ (2)
then the distribution of membership degrees can be represented as follows:
$$\frac{\mu_1}{r_1} = \frac{\mu_2}{r_2} = \ldots = \frac{\mu_n}{r_n},$$ (3)
in case of normalization:
(4)
      </p>
      <p>
        On the basis of (
        <xref ref-type="bibr" rid="ref3">3</xref>
        ), the membership degree of all elements of the set is determined
by the membership degree of the so-called supporting member.
      </p>
      <p>For supporting member $x_1 \in X$ that has a membership function $\mu_1$:
$$\mu_2 = \frac{r_2}{r_1}\mu_1;\quad \mu_3 = \frac{r_3}{r_1}\mu_1;\quad \ldots;\quad \mu_n = \frac{r_n}{r_1}\mu_1;$$ (5)</p>
      <p>For supporting member $x_2 \in X$ that has a membership function $\mu_2$:
$$\mu_1 = \frac{r_1}{r_2}\mu_2;\quad \mu_3 = \frac{r_3}{r_2}\mu_2;\quad \ldots;\quad \mu_n = \frac{r_n}{r_2}\mu_2;$$ (6)</p>
      <p>Accordingly, for supporting member $x_n \in X$ that has a membership function $\mu_n$:
$$\mu_1 = \frac{r_1}{r_n}\mu_n;\quad \mu_2 = \frac{r_2}{r_n}\mu_n;\quad \ldots;\quad \mu_{n-1} = \frac{r_{n-1}}{r_n}\mu_n.$$ (7)</p>
      <p>
        From (
        <xref ref-type="bibr" rid="ref5 ref6 ref7">5-7</xref>
        ) and in case of normalization (
        <xref ref-type="bibr" rid="ref4">4</xref>
        ) we obtain:
$$\mu_1 = \left(1 + \frac{r_2}{r_1} + \frac{r_3}{r_1} + \ldots + \frac{r_n}{r_1}\right)^{-1},$$
$$\mu_2 = \left(\frac{r_1}{r_2} + 1 + \frac{r_3}{r_2} + \ldots + \frac{r_n}{r_2}\right)^{-1},$$
$$\ldots$$
$$\mu_n = \left(\frac{r_1}{r_n} + \frac{r_2}{r_n} + \frac{r_3}{r_n} + \ldots + 1\right)^{-1}.$$ (8)
      </p>
      <p>
        On the basis of (
        <xref ref-type="bibr" rid="ref8">8</xref>
        ), it is possible to calculate the membership degrees $\mu_S(x_i)$ on the
relative estimates of the ranks $\frac{r_i}{r_j} = \xi_{ij},\ i, j = \overline{1, n}$, which create the following matrix:
(9)
      </p>
      <p>
        It is easy to see that the properties of the matrix (
        <xref ref-type="bibr" rid="ref9">9</xref>
        ) are the following: it is diagonal,
transitive, and elements of the matrix that are symmetric about the main diagonal are
connected by dependence relation: $\xi_{ij} = 1/\xi_{ji}$.
      </p>
      <p>
        Since matrix (
        <xref ref-type="bibr" rid="ref9">9</xref>
        ) is a matrix of paired comparison of the element ranks, a 9-point
Saaty scale can be used for expert evaluation of its elements: $\xi_{ij} = r_i / r_j$ (Table 1).
Thus, using (
        <xref ref-type="bibr" rid="ref8">8</xref>
        ), the expert data on element ranks (their paired comparison) are
transformed into a fuzzy term membership function.
      </p>
      <p>
        The algorithm for constructing the membership function includes the following
steps.
1. Set a linguistic variable (qualitative characteristic of SIEM).
2. Determine the universal set on which the linguistic variable is set (the value of the
qualitative characteristic of SIEM).
3. Set a variety of fuzzy terms $\{S_1, S_2, \ldots, S_n\}$ that are used to evaluate the variable set
in the first step.
4. Form a matrix (
        <xref ref-type="bibr" rid="ref9">9</xref>
        ) for each term $S_j$, $j = \overline{1, m}$.
5. Using the formulas (
        <xref ref-type="bibr" rid="ref8">8</xref>
        ) calculate the membership functions of the elements (SIEM
characteristics) for each fuzzy term.
6. The procedure for the normalization of the received membership functions should
be carried out by dividing them by the largest value of the membership function.
      </p>
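      <p>The following sketch, added here as an illustration and not taken from the article, carries out steps 4 to 6 for one fuzzy term: it builds the paired-comparison matrix from a single row of Saaty-scale judgements for a supporting member, checks the reciprocity and transitivity properties stated above, and applies formula (8) followed by division by the largest value. The function names and both sample matrices are assumptions constructed for the example; exact fractions are used so the property checks are not disturbed by rounding.</p>
      <preformat>
```python
from fractions import Fraction


def matrix_from_supporting_row(row):
    """Build the full paired-comparison matrix from one row of judgements.

    row[j] is the expert estimate of r_p / r_j for the supporting member p,
    so every other cell follows as xi[i][j] = r_i / r_j = row[j] / row[i].
    """
    n = len(row)
    return [[Fraction(row[j]) / Fraction(row[i]) for j in range(n)]
            for i in range(n)]


def check_matrix(xi):
    """List violations of the properties the text states for the matrix:
    unit diagonal, xi[i][j] = 1 / xi[j][i], and transitivity."""
    n = len(xi)
    problems = []
    for i in range(n):
        if xi[i][i] != 1:
            problems.append(f"diagonal ({i},{i})")
        for j in range(i + 1, n):
            if xi[i][j] * xi[j][i] != 1:
                problems.append(f"reciprocity ({i},{j})")
            for k in range(n):
                if xi[i][j] * xi[j][k] != xi[i][k]:
                    problems.append(f"transitivity ({i},{j},{k})")
    return problems


def membership_degrees(xi):
    """Formula (8): mu_i = (sum over j of r_j / r_i) ** -1, which is the
    reciprocal of the sum of column i, because xi[j][i] = r_j / r_i."""
    n = len(xi)
    return [1 / sum(xi[j][i] for j in range(n)) for i in range(n)]


def normalize_to_largest(mu):
    """Step 6: divide every membership degree by the largest one."""
    top = max(mu)
    return [m / top for m in mu]


# Constructed sample: three SIEM variants rated for the term "easy to use".
# The expert compares supporting member x1 with x1, x2, x3 on the Saaty scale.
SUPPORTING_ROW = [1, 3, 9]
CONSISTENT = matrix_from_supporting_row(SUPPORTING_ROW)

# Constructed counter-example: a matrix filled in cell by cell by an expert.
# It is reciprocal but not transitive (3 * 5 != 9), so formula (8) no longer
# yields degrees that sum to one and the judgements should be revisited.
INCONSISTENT = [
    [Fraction(1), Fraction(3), Fraction(9)],
    [Fraction(1, 3), Fraction(1), Fraction(5)],
    [Fraction(1, 9), Fraction(1, 5), Fraction(1)],
]

if __name__ == "__main__":
    mu = membership_degrees(CONSISTENT)
    print("violations:", check_matrix(CONSISTENT))
    print("mu:", [str(m) for m in mu])
    print("normalized:", [str(m) for m in normalize_to_largest(mu)])
    print("inconsistent matrix:", check_matrix(INCONSISTENT))
```
      </preformat>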
      <p>
        The most common methods for solving a multicriteria problem (
        <xref ref-type="bibr" rid="ref1">1</xref>
        ) are the following
[16]: the principal indicator method, generalized additive/multiplicative indicator
method, generalized minimax indicator method and lexicographic method. The analysis
shows that they all have their pros and cons, and the choice of a method is largely
determined by the completeness and credibility of the expert knowledge of the
importance and degree of interrelation of partial quality indicators. Since the lexicographic
method is the least demanding for expert information about the degree of preference
for partial indicators, it is advisable to choose the lexicographic method in order to solve
the problem of rational choice of SIEM-system for building the SOC. The essence of
this method is the following.
      </p>
      <p>At the previous stage of solving the task it is possible to find a set of “good solutions”
(Pareto-optimal solutions) by consistently comparing possible SIEM options for all
quality indicators [17, 18, 19].</p>
      <p>Further, all the partial indicators are ordered by importance. Then the set of
alternatives with the best score by the most important indicator is outlined. When such an
alternative is the only one it is considered to be the best. Otherwise, when several
alternatives are obtained, those that have a better rating on the next
indicator are singled out, and so on. Thus, the algorithm for implementing the lexicographic method for
solving the problem of rational choice of the system consists of the following steps.
1. Partial quality indicators are ranked by importance:</p>
      <p>$x_1(s) &gt; x_2(s) &gt; \ldots &gt; x_n(s)$
2. For each indicator the value of permissible concession $\Delta x_i$, $i = \overline{1, n}$, is determined,
within which the compared SIEM variants are considered to be equivalent;
3. For the first indicator $x_1(s)$ a set $\Psi_1$ of equivalent SIEM variants is formed which
meets the following condition:</p>
      <p>$\max(x_{1j} - x_{1k}) \leq \Delta x_1,\ j = \overline{1, m};\ k = \overline{1, m};\ k \neq j.$ (10)</p>
      <p>4. If the set contains only one variant, it is considered to be the best. Otherwise,
when it contains more than one alternative, you need to consider all variants of the set by
indicator $x_2(s)$.</p>
      <p>5. For the second indicator $x_2(s)$, from a set of variants $\Psi_1$, a set of variants $\Psi_2$ is
formed which meet the condition:</p>
      <p>$\max(x_{2j} - x_{2k}) \leq \Delta x_2,\ j \in \Psi_1;\ k \in \Psi_1;\ k \neq j.$ (11)</p>
      <p>
        6. If the set $\Psi_2$ contains one variant, it is considered to be the best. Otherwise, found
variants are considered by indicator $x_3(s)$ and so on.
      </p>
      <p>7. In the case where all indicators are consistently reviewed and a set
$\Psi = \Psi_1 \times \Psi_2 \times \ldots \times \Psi_n$ containing more than one alternative is obtained, there are two
options: reduce the value of the permissible concession $\Delta x_i$, $i = \overline{1, n}$, from the first most
important indicator and repeat the algorithm from the beginning or allow the decision
maker to choose the best option.</p>
      <p>To illustrate the proposed algorithm in work we give an example of its application to
the selection of a rational variant of the SIEM system.</p>
      <p>To select a SIEM system, we use four partial indicators: $x_1(s)$ – cost and $x_2(s)$ –
event source support which are quantitative indicators, as well as $\mu_{x_3}(s)$ – scalability
and $\mu_{x_4}(s)$ – ease of use which are qualitative indicators.</p>
      <p>Five options for choosing a SIEM system $s_j$, $j = \overline{1, 5}$, have been selected for
consideration.</p>
      <p>As a result of the calculations and expert assessments, the following data were
obtained characterizing the degree of SIEM compliance with the specified requirements:
$$x_1 = \left\{\frac{0.8}{s_1}; \frac{0.8}{s_2}; \frac{0.7}{s_3}; \frac{0.5}{s_4}; \frac{0.6}{s_5}\right\};$$
$$x_2 = \left\{\frac{0.7}{s_1}; \frac{0.8}{s_2}; \frac{0.6}{s_3}; \frac{0.7}{s_4}; \frac{0.8}{s_5}\right\};$$
$$x_3 = \left\{\frac{0.4}{s_1}; \frac{0.6}{s_2}; \frac{0.7}{s_3}; \frac{0.8}{s_4}; \frac{0.7}{s_5}\right\};$$
$$x_4 = \left\{\frac{0.5}{s_1}; \frac{0.6}{s_2}; \frac{0.5}{s_3}; \frac{0.6}{s_4}; \frac{0.3}{s_5}\right\}.$$</p>
      <p>Indicators are ranked by importance as follows:</p>
      <p>$x_1 &gt; x_2 &gt; \mu_S(x_3) &gt; \mu_S(x_4).$</p>
      <p>The value of permissible concession $\Delta x_i = 0.1$, $i = \overline{1, 4}$.</p>
      <p>
        3. With the maximum value of the first indicator $x_1 = 0.8$ and the value of
permissible concession $\Delta x_1 = 0.1$ to the set $\Psi_1$ of equal variants for SIEM, which meet the
condition (
        <xref ref-type="bibr" rid="ref2">2</xref>
        ) the following variants are included:
$\Psi_1 = \{S_1, S_2, S_3\}$.
      </p>
      <p>
        4. Of the set $\Psi_1$, by the second indicator $x_2$ meeting the condition (
        <xref ref-type="bibr" rid="ref3">3</xref>
        ): $x_2 = 0.8$ and
$\Delta x_2 = 0.1$ to the set $\Psi_2$ the following variants are included:
$\Psi_2 = \{S_1, S_2\}$.
      </p>
      <p>
        5. Of the set of variants: $\Psi = \Psi_1 \times \Psi_2$ for the third indicator $x_3$ meeting the
condition (
        <xref ref-type="bibr" rid="ref3">3</xref>
        ) $x_3 = 0.6$ and $\Delta x_3 = 0.1$ to the set $\Psi_3$ the following variants are included:
$\Psi_3 = \{S_2\}$.
      </p>
      <p>A rational choice of SIEM for building a SOC is the second option.</p>
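      <p>The selection above can be reproduced with the short program below, an added example that is not part of the original article. It uses the indicator values of the worked example, keeps at each step the variants whose score lies within the concession of the best remaining score (the reading the worked example itself applies), and for step 7 assumes that every concession is halved before the run is repeated. The function names and the 0.2 starting concession used to provoke a tie are assumptions; decimal arithmetic is used because in binary floating point 0.8 − 0.7 slightly exceeds 0.1, which would wrongly drop the third variant from the first set.</p>
      <preformat>
```python
from decimal import Decimal


def parse(values):
    """Map 's1'..'sN' to exact decimal scores from a space-separated string."""
    return {f"s{i + 1}": Decimal(v) for i, v in enumerate(values.split())}


# Indicator values from the article's worked example (larger is better).
SCORES = {
    "x1": parse("0.8 0.8 0.7 0.5 0.6"),  # cost
    "x2": parse("0.7 0.8 0.6 0.7 0.8"),  # event source support
    "x3": parse("0.4 0.6 0.7 0.8 0.7"),  # scalability
    "x4": parse("0.5 0.6 0.5 0.6 0.3"),  # ease of use
}
ORDER = ["x1", "x2", "x3", "x4"]  # ranking by importance


def lexicographic_choice(scores, order, concession):
    """Steps 3 to 6: filter the variants indicator by indicator.

    Returns (trace, survivors); trace lists the set kept after each
    indicator that had to be examined.
    """
    survivors = sorted(scores[order[0]])
    trace = []
    for indicator in order:
        column = scores[indicator]
        best = max(column[v] for v in survivors)
        survivors = [v for v in survivors
                     if concession[indicator] >= best - column[v]]
        trace.append((indicator, list(survivors)))
        if len(survivors) == 1:
            break
    return trace, survivors


def choose_with_tightening(scores, order, concession,
                           factor=Decimal("0.5"), max_rounds=4):
    """Step 7 (assumed policy): while a tie remains, shrink every
    concession by `factor` and repeat from the first indicator.

    Returns (rounds_of_tightening, survivors). A tie that is still
    unresolved after max_rounds is returned for the decision maker.
    """
    current = dict(concession)
    for rounds in range(max_rounds + 1):
        _, survivors = lexicographic_choice(scores, order, current)
        if len(survivors) == 1:
            return rounds, survivors
        current = {k: v * factor for k, v in current.items()}
    return max_rounds, survivors


def uniform(value):
    """Same concession for every indicator, as in the worked example."""
    return {k: Decimal(value) for k in ORDER}


if __name__ == "__main__":
    trace, best = lexicographic_choice(SCORES, ORDER, uniform("0.1"))
    for indicator, kept in trace:
        print(indicator, kept)
    print("choice:", best)
    print("tie at 0.2:", lexicographic_choice(SCORES, ORDER, uniform("0.2"))[1])
    print("after tightening:", choose_with_tightening(SCORES, ORDER, uniform("0.2")))
```
      </preformat>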
    </sec>
    <sec id="sec-3">
      <title>Conclusion</title>
      <p>The conducted research shows that the lexicographic method is an effective method
for solving the multicriteria problem of SIEM selection for SOC. Groups of quantitative
and qualitative indicators characterizing the requirements for SIEM in the SOC are
formulated. Methods of processing quantitative and qualitative indicators of SIEM are
offered. The expediency of applying the procedure for normalizing quantitative indicators of
SIEM and applying the method of paired comparison based on rank evaluations for
processing its qualitative indicators is justified. The SIEM selection
problem is formulated and the main stages of its solution are outlined. An algorithm for the
implementation of the lexicographic method is developed and brought to practical
implementation.</p>
      <p>The results obtained can be used in practice to solve the problems of creating SOC
and rational choice of its software such as SIEM.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1. Vogel Business Media GmbH &amp; Co. KG: Was ist ein Security Operations Center (SOC)? - https://www.security-insider.de/was-ist-ein-security-operations-center-soc-a617980/, last accessed 22.06.19.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Laskin</surname>
            <given-names>S.</given-names>
          </string-name>
          <article-title>How to build a competent, scalable and effective information security management center / LAN Network Solutions Magazine</article-title>
          . - https://www.osp.ru/lan/2017/04/13051902/, last accessed 28.03.
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Kotenko</surname>
            <given-names>I.V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Voroncov</surname>
            <given-names>V.V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chechulin</surname>
            <given-names>A.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ulanov</surname>
            <given-names>A.V.</given-names>
          </string-name>
          :
          <article-title>Proactive security mechanisms against network worms: approach, implementation and results of the experiments</article-title>
          .
          <source>Information Technology</source>
          . Vol.
          <volume>1</volume>
          , pp.
          <fpage>37</fpage>
          -
          <lpage>42</lpage>
          . (
          <year>2009</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Kotenko</surname>
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Saenko</surname>
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Polubelova</surname>
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chechulin</surname>
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Application of security information and event management technology for information security in critical infrastructures / SPIIRAS Proceeding</article-title>
          ,
          <source>ISSN: 2078-9181. Issue</source>
          <volume>1</volume>
          (
          <issue>20</issue>
          ). pp.
          <fpage>27</fpage>
          -
          <lpage>56</lpage>
          . (
          <year>2012</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5. Paley L.
          <article-title>Comparison of SIEM systems</article-title>
          .
          <source>Part 1</source>
          . - https://www.anti-alware.ru/compare/SIEM-systems, last accessed 07/04/
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6. Paley L.
          <article-title>Comparison of SIEM systems</article-title>
          .
          <source>Part 2</source>
          . - https://www.anti-alware.ru/compare/SIEM-systems-part2, 1/16, last accessed 08/05/
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>Niyazov</surname>
            <given-names>T.</given-names>
          </string-name>
          <article-title>Comparison of SIEM solutions for building SOC</article-title>
          , https://www.jetinfo.ru/stati/sravnenie-siem-reshenij-dlya-postroeniya-soc, last accessed 08/05/
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8. Comparison of SIEM systems, https://www.siem.su/compare_SIEM_systems.php, last accessed 08/05/
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <surname>Donskoy</surname>
            <given-names>K.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Levin</surname>
            <given-names>L.S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Trushin</surname>
            <given-names>V.A.</given-names>
          </string-name>
          :
          <article-title>SIEM overview on the Russian market / Collection of scientific works of NSTU</article-title>
          . No.
          <volume>3</volume>
          (
          <issue>89</issue>
          ). pp.
          <fpage>124</fpage>
          -
          <lpage>132</lpage>
          . (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10. SIEM product comparison - https://comminity.softwaregrp.com/dcvta86296, last accessed 10/18/
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11. SIEM competitive comparision - https://www.securonix.com/products/competitivecomparison, last accessed 10/18/
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <surname>Boehm</surname>
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Brown</surname>
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Caspar H</surname>
          </string-name>
          . et al.:
          <source>Characteristics of software quality / [Translated from English]</source>
          . - Moscow: Mir. -
          <volume>208</volume>
          p. (
          <year>1981</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Borisov</surname>
            <given-names>A.N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Krumberg</surname>
            <given-names>O.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fedorov</surname>
            <given-names>I.P.</given-names>
          </string-name>
          :
          <article-title>Decision making based on fuzzy models: examples</article-title>
          of use / Riga: Zinatne. 184 p. (
          <year>1990</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Zaichenko</surname>
            <given-names>Y.P.</given-names>
          </string-name>
          : Operations Research: Fuzzy Optimization. - Kiev: High school. 191 p. (
          <year>1991</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Rothstein</surname>
            <given-names>A.P.</given-names>
          </string-name>
          :
          <article-title>Intelligent identification technologies: fuzzy sets, genetic algorithms</article-title>
          ,
          <source>neural networks. - Vinnytsia: UNIVERSUM</source>
          . -
          <volume>320</volume>
          p. (
          <year>1999</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Gerasimov</surname>
            <given-names>B.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Divizinyuk</surname>
            <given-names>M.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Subach</surname>
            <given-names>I.Y.</given-names>
          </string-name>
          :
          <article-title>Decision support systems: design, application, performance evaluation / Monograph</article-title>
          . - Sevastopol: Publishing Center SNIYE and P. -
          <volume>320</volume>
          p. (
          <year>2004</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Tutkin</surname>
            <given-names>L.S.:</given-names>
          </string-name>
          <article-title>Optimization of electronic devices according to a set of quality indicators / Moscow: Radio and communications</article-title>
          ,. - 367 p. (
          <year>1975</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <surname>Podinovsky</surname>
            <given-names>V.V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gavrilov</surname>
            <given-names>V.M.</given-names>
          </string-name>
          : Optimization according to successively applied criteria / Moscow: Soviet Radio,. - 234 p. (
          <year>1975</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <surname>Podinovsky</surname>
            <given-names>V.V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nogin</surname>
            <given-names>V.D.</given-names>
          </string-name>
          : Pareto-optimal solutions to multicriteria problems / Moscow: Science,
          <article-title>Main edition of the physical</article-title>
          and
          <source>mathematical literature</source>
          , -
          <volume>256</volume>
          p. (
          <year>1982</year>
          ).
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>