Methodology of Rational Choice of Security Incident Management System for Building Operational Security Center

Igor Subach [0000-0002-9344-713X], Volodymyr Kubrak [0000-0001-8877-5289] and Artem Mykytiuk [0000-0002-8307-9978]
Institute of Special Communications and Information Protection of the National Technical University of Ukraine "Igor Sikorsky Kiev Polytechnic Institute", Ukraine
igor_subach@ukr.net

Abstract. This article discusses the purpose, tasks and composition of the Security Operations Center (SOC) and lists the technological tools that a modern, effective SOC should include. The focus is on the key role of the Security Information and Event Management (SIEM) system in the SOC: its purpose and the main tasks it should solve are reviewed, and the peculiarities of the problem of choosing a SIEM are analyzed. The groups of indicators that characterize the degree to which a SIEM fulfils the requirements placed on it are identified, and the application of fuzzy set theory for processing expert information on the qualitative indicators is proposed. The SIEM selection problem is formulated and the main stages of its solution are proposed: preparation of the initial data, choice of the method for solving the multicriteria problem, and algorithm development. A method of normalizing the quantitative indicators of a SIEM and a method of paired comparison based on rank estimates for processing its qualitative indicators are proposed; the 9-point Saaty scale is used to derive membership functions for the qualitative indicators from expert assessments, and the algorithm of the method is implemented. Methods for solving multicriteria problems are analyzed and the lexicographic method is proposed for choosing a SIEM for the SOC; an algorithm for its implementation is developed.
To illustrate the operation of the proposed algorithm, an example of its application to the choice of a rational SIEM option is given, and recommendations for applying the results obtained are offered.

Keywords: cybersecurity, Information Security Incident Management System, Operational Security Center, lexicographic method, fuzzy sets theory.

1 Introduction

It is impossible to counteract modern cyber threats without modern cybersecurity technologies that enable the monitoring, collection, collation and processing of information in order to identify existing threats and predict future ones. An important role is given to the special units that deal with information and cyber security at the organizational and technical level, the Security Operations Centers (SOC).

Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

A modern SOC solves the following tasks [1]: taking immediate action to protect against cyberattacks and minimize their damage; identifying security vulnerabilities of the system and taking action to eliminate them; centralized security management of the various devices in the system; continuous monitoring of the threat status of the system; technical support for the cyber security of the system, and others.

Structurally, the SOC has three main components: personnel, i.e. skilled professionals who use modern cybersecurity technologies and possess teamwork and management competencies; processes, i.e. business processes, technological processes, and operational and analytical processes; and technologies, i.e. tools for detecting, counteracting and preventing cyber threats.
An effective SOC should include the following modern technological tools to ensure cyber security [2]: Next Generation Firewall, Intrusion Prevention System (IPS), Web Application Firewall (WAF), database protection, email security, Endpoint Detection and Response, vulnerability scanners, Data Loss Prevention, forensics, Network Access Control and others.

However, the basis for building an effective SOC is the SIEM system (Security Information and Event Management), a system for managing security information and events. The use of a SIEM in the protection system enables proactive management of cyber incidents: future events in the system are predicted by automated mechanisms that use information about events that have already occurred, and the protection settings of the system are adapted to its current state, so that preventive measures are implemented before the situation in the system becomes critical [2].

Accordingly, a SIEM system should solve a range of tasks which include [3]: collection, processing and analysis of security events coming from a variety of heterogeneous distributed sources; detection of cyber attacks and security-policy violations in real time or near real time; investigation of cyber incidents; development of effective cyber security solutions; generation of reports and visualization of the system status, and others. To solve these tasks the SIEM system, starting from the initial data collected from the log files that accumulate information about the events occurring in the system, selects those events that may be a sign of cyber attacks or other undesirable actions in the system.

The main feature of the problem of choosing a SIEM system for building a SOC is the large number of indicators that characterize the degree of fulfilment of the requirements for systems of this type, and these indicators can be both quantitative and qualitative.
The quality indicators include, first of all, those that characterize how effectively the SIEM system can solve the functional tasks entrusted to it by the SOC, what the cost of purchasing and operating the system will be, how reliable it is, how easy it is to operate, and so on. An analysis of recent publications [4-11] shows that these indicators can be represented as follows:

$X = \{x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}, x_{12}, x_{13}\}$,

where $x_1$ is event source support; $x_2$ event collection; $x_3$ correlation; $x_4$ search and analytics; $x_5$ visualization and reporting; $x_6$ prioritization and notification; $x_7$ general configuration and installation; $x_8$ scalability, fault tolerance and storage; $x_9$ monitoring of system components and internal audit; $x_{10}$ ease of use; $x_{11}$ availability of state certificates of conformity; $x_{12}$ additional system modules; $x_{13}$ cost.

Therefore, the problem of rational selection of a SIEM system for building a SOC is multicriteria and requires a large number of qualitative and quantitative indicators to be considered. The first characteristic calls for an effective method of solving multicriteria problems, and the second for the application of fuzzy set theory to the processing of expert information on the qualitative indicators [12, 13].

2 The problem of rational choice of SIEM

The general statement of the problem of rational choice of a SIEM system can be described as follows. It is necessary to find

$S_0 = \arg \operatorname{opt}_{s \in S} W\big(X(s)\big)$, (1)

where $W$ is some generalized indicator of system quality; $S$ is the set of possible system choices; $X(s) = \big(x_1(s), x_2(s), \dots, x_k(s), x_{k+1}(s), \dots, x_n(s)\big)$ is the vector of SIEM quality indicators, of which the first $k$ ($i = \overline{1,k}$) are quantitative and the remaining $n-k$ ($i = \overline{k+1,n}$) are qualitative. The value of partial indicator $i$, which characterizes the degree of fulfilment of SIEM requirement $i$, is determined by its closeness to the optimal value.
The main stages in solving problem (1) are: preparing the initial data; choosing a method for solving the multicriteria problem; developing the algorithm.

3 The method of solving the problem

To estimate the degree of closeness of quantitative indicator $i$ to its optimal value for variant $j$ of the SIEM it is advisable to use normalized values $\bar{x}_{ij}$, $i = \overline{1,k}$, $j = \overline{1,m}$, $0 \le \bar{x}_{ij} \le 1$, where $m$ is the number of variants compared. The value of a quantitative indicator is normalized as follows:

$\bar{x}_{ij} = \dfrac{x_{ij} - x_i^{*}}{x_i^{**} - x_i^{*}}$, (2)

where $x_{ij}$ is the value of indicator $i$ for variant $j$ of the system, and $x_i^{*}$, $x_i^{**}$ are the worst and the best values of this indicator over all variants (for a cost-type indicator the worst value is the largest one).

Accordingly, the degree of closeness of qualitative indicator $i$ to its optimal value for variant $j$ of the SIEM is determined by the membership function $\mu_S(x_i)$. To build the membership function $\mu_S(x_i)$ it is advisable to use a rank-based method or a pairwise comparison method [14, 15]. Here the rank of an element $x_i \in X$ is a number $r_S(x_i)$ that characterizes its importance in forming the SIEM property described by the fuzzy term $S$. Suppose that the greater the rank of an indicator, the greater the value of its membership function. Introducing the notation $r_S(x_i) = r_i$, $\mu_S(x_i) = \mu_i$, $i = \overline{1,n}$, the distribution of membership degrees can be written as

$\dfrac{\mu_1}{r_1} = \dfrac{\mu_2}{r_2} = \dots = \dfrac{\mu_n}{r_n}$, (3)

with the normalization condition

$\mu_1 + \mu_2 + \dots + \mu_n = 1$. (4)

On the basis of (3), the membership degrees of all elements of the set are determined by the membership degree of a so-called supporting element. For the supporting element $x_1 \in X$ with membership degree $\mu_1$:

$\mu_2 = \dfrac{r_2}{r_1}\mu_1;\quad \mu_3 = \dfrac{r_3}{r_1}\mu_1;\quad \dots;\quad \mu_n = \dfrac{r_n}{r_1}\mu_1$. (5)

For the supporting element $x_2 \in X$ with membership degree $\mu_2$:

$\mu_1 = \dfrac{r_1}{r_2}\mu_2;\quad \mu_3 = \dfrac{r_3}{r_2}\mu_2;\quad \dots;\quad \mu_n = \dfrac{r_n}{r_2}\mu_2$. (6)

Accordingly, for the supporting element $x_n \in X$ with membership degree $\mu_n$:

$\mu_1 = \dfrac{r_1}{r_n}\mu_n;\quad \mu_2 = \dfrac{r_2}{r_n}\mu_n;\quad \dots;\quad \mu_{n-1} = \dfrac{r_{n-1}}{r_n}\mu_n$. (7)

From (5)-(7) and the normalization condition (4) we obtain:

$\mu_1 = \Big(1 + \dfrac{r_2}{r_1} + \dfrac{r_3}{r_1} + \dots + \dfrac{r_n}{r_1}\Big)^{-1}$,
$\mu_2 = \Big(\dfrac{r_1}{r_2} + 1 + \dfrac{r_3}{r_2} + \dots + \dfrac{r_n}{r_2}\Big)^{-1}$, (8)
$\dots$
$\mu_n = \Big(\dfrac{r_1}{r_n} + \dfrac{r_2}{r_n} + \dots + \dfrac{r_{n-1}}{r_n} + 1\Big)^{-1}$,

that is, $\mu_i = \big(\sum_{j=1}^{n} r_j / r_i\big)^{-1} = r_i \big/ \sum_{j=1}^{n} r_j$.

On the basis of (8), the membership degrees $\mu_S(x_i)$ can be calculated from the relative estimates of the ranks $\xi_{ij} = r_i / r_j$, $i, j = \overline{1,n}$, which form the matrix

$\Xi = \begin{pmatrix} 1 & r_1/r_2 & r_1/r_3 & \cdots & r_1/r_n \\ r_2/r_1 & 1 & r_2/r_3 & \cdots & r_2/r_n \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ r_n/r_1 & r_n/r_2 & r_n/r_3 & \cdots & 1 \end{pmatrix}$, (9)

so that $\mu_i$ is the reciprocal of the sum of the $i$-th column of $\Xi$. It is easy to see that matrix (9) has a unit diagonal ($\xi_{ii} = 1$), is transitive ($\xi_{ij}\,\xi_{jk} = \xi_{ik}$), and its elements symmetric about the main diagonal are connected by the relation $\xi_{ij} = 1/\xi_{ji}$. Since (9) is a matrix of paired comparison of the element ranks, the 9-point Saaty scale can be used for expert evaluation of its elements $\xi_{ij} = r_i/r_j$ (Table 1). Judgments entered by an expert on this scale do not in general satisfy the transitivity relation exactly, so the matrix should be checked for consistency before (8) is applied.

Table 1. Relative importance scale

Intensity of relative importance   Definition
1                                  Equal importance of the compared requirements
3                                  Weak importance of one over the other
5                                  Strong importance
7                                  Demonstrated importance
9                                  Absolute importance
2, 4, 6, 8                         Intermediate values between two adjacent judgments

Thus, using (8), the expert data on the element ranks (their paired comparison) are transformed into the membership function of a fuzzy term. The algorithm for constructing the membership function consists of the following steps.

1. Set the linguistic variable (a qualitative characteristic of the SIEM).
2. Determine the universal set on which the linguistic variable is defined (the values of the qualitative characteristic of the SIEM).
3. Set the fuzzy terms $\{S_1, S_2, \dots, S_m\}$ that are used to evaluate the variable set in step 1.
4. Form matrix (9) for each term $S_j$, $j = \overline{1,m}$.
5. Using formulas (8), calculate the membership degrees of the elements (SIEM characteristics) for each fuzzy term.
6. Normalize the membership functions obtained by dividing them by the largest value of the membership function.

The most common methods for solving the multicriteria problem (1) are the following [16]: the principal indicator method, the generalized additive/multiplicative indicator method, the generalized minimax indicator method and the lexicographic method. Analysis shows that each has its pros and cons, and the choice of method is largely determined by the completeness and credibility of the expert knowledge about the importance and degree of interrelation of the partial quality indicators. Since the lexicographic method is the least demanding of expert information about the degree of preference between partial indicators, it is advisable to choose it for solving the problem of rational choice of a SIEM system for building a SOC.

The essence of the method is as follows. At a preliminary stage, a set of "good solutions" (Pareto-optimal solutions) can be found by comparing the possible SIEM options on all quality indicators [17, 18, 19]. Then all the partial indicators are ordered by importance, and the set of alternatives with the best score on the most important indicator is selected. If this alternative is the only one, it is considered the best. Otherwise, when several alternatives are obtained, they are distinguished by the next indicator, keeping those with the better rating on it, and so on.
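As an added illustration (not code from the paper), the following Python implements steps 4 to 6 of the algorithm above: it validates a pairwise-comparison matrix of the form (9), measures how far the expert's Saaty-scale judgments depart from transitivity, and computes the membership degrees by (8). The matrix below is constructed for the fuzzy term "scalable" over three hypothetical SIEM variants s1, s2, s3; the variant names and the judgments are assumptions made for this example, not data from the paper, and the convention $\xi_{ij} = r_i/r_j$ follows the text.

```python
"""Rank-based membership function from a Saaty pairwise-comparison matrix.

Added illustration of formulas (8)-(9) of the paper; the matrix and the
variant names are constructed for this example and are not the paper's data.
Convention: xi[i][j] = r_i / r_j, i.e. how much more strongly element i
exhibits the fuzzy term than element j, on the 9-point Saaty scale.
"""
from typing import List, Sequence

Matrix = Sequence[Sequence[float]]

SAATY_INTENSITIES = (1, 2, 3, 4, 5, 6, 7, 8, 9)


def check_pairwise_matrix(xi: Matrix, tol: float = 1e-9) -> None:
    """Reject a matrix that lacks the properties required of (9): square,
    unit diagonal, reciprocal (xi_ij * xi_ji = 1), and every entry equal to
    a Saaty intensity or to the reciprocal of one."""
    n = len(xi)
    for i in range(n):
        if len(xi[i]) != n:
            raise ValueError("matrix must be square")
        if abs(xi[i][i] - 1.0) > tol:
            raise ValueError(f"diagonal element xi[{i}][{i}] must be 1")
        for j in range(n):
            if abs(xi[i][j] * xi[j][i] - 1.0) > tol:
                raise ValueError(f"xi[{i}][{j}] and xi[{j}][{i}] are not reciprocal")
            intensity = xi[i][j] if xi[i][j] >= 1.0 else 1.0 / xi[i][j]
            if min(abs(intensity - s) for s in SAATY_INTENSITIES) > tol:
                raise ValueError(f"xi[{i}][{j}]={xi[i][j]} is not on the Saaty scale")


def transitivity_defect(xi: Matrix) -> float:
    """Largest violation of xi_ik = xi_ij * xi_jk over all index triples.
    A matrix derived from true ranks gives 0; real expert judgments usually
    do not, and a large defect means (8) is being applied to inconsistent data."""
    idx = range(len(xi))
    return max(abs(xi[i][k] - xi[i][j] * xi[j][k]) for i in idx for j in idx for k in idx)


def membership_from_ranks(xi: Matrix) -> List[float]:
    """Formula (8): mu_i = (sum_j r_j / r_i)^-1 = (sum_j xi_ji)^-1, i.e. the
    reciprocal of the i-th column sum. The degrees satisfy (4): sum mu_i = 1."""
    n = len(xi)
    return [1.0 / sum(xi[j][i] for j in range(n)) for i in range(n)]


def normalize_to_unit_max(mu: Sequence[float]) -> List[float]:
    """Step 6 of the algorithm: divide by the largest degree so that the
    element exhibiting the term most strongly gets membership 1."""
    top = max(mu)
    return [m / top for m in mu]


# Constructed expert judgments for the term "scalable" over three hypothetical
# SIEM variants s1, s2, s3: s1 is weakly more scalable than s2 (3) and
# absolutely more scalable than s3 (9); s2 is weakly more scalable than s3 (3).
SCALABLE_MATRIX = (
    (1.0,     3.0,     9.0),
    (1 / 3.0, 1.0,     3.0),
    (1 / 9.0, 1 / 3.0, 1.0),
)


def scalable_membership() -> List[float]:
    """Run the full procedure (check, consistency test, (8), step 6) on the matrix."""
    check_pairwise_matrix(SCALABLE_MATRIX)
    if transitivity_defect(SCALABLE_MATRIX) > 1e-6:
        raise ValueError("expert judgments are not transitive; revise before using (8)")
    return normalize_to_unit_max(membership_from_ranks(SCALABLE_MATRIX))


if __name__ == "__main__":
    mu = membership_from_ranks(SCALABLE_MATRIX)
    print("mu (sum = 1):", [round(m, 4) for m in mu])
    print("mu normalized to max 1:", [round(m, 4) for m in scalable_membership()])
```

For the constructed matrix the ranks are in the ratio 9 : 3 : 1, so (8) gives $\mu = (9/13, 3/13, 1/13)$ and step 6 rescales this to $(1, 1/3, 1/9)$. With a judgment set such as 3, 3 and 5 (instead of 9) the matrix is still a valid reciprocal Saaty matrix but the transitivity defect is 4, which is the case the consistency check is there to flag.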
Thus, the algorithm implementing the lexicographic method for the problem of rational choice of the system consists of the following steps.

1. The partial quality indicators are ranked by importance: $x_1(s) \succ x_2(s) \succ \dots \succ x_n(s)$.
2. For each indicator the permissible concession $\Delta x_i$, $i = \overline{1,n}$, is determined, within which the compared SIEM variants are considered equivalent.
3. For the first indicator $x_1(s)$, a set $\Psi_1$ of equivalent SIEM variants is formed that meet the condition

$\max_{k} x_{1k} - x_{1j} \le \Delta x_1,\quad j = \overline{1,m};\ k = \overline{1,m}$, (10)

i.e. the variants whose value of the first indicator is within $\Delta x_1$ of the best value.
4. If the set contains only one variant, it is considered the best. Otherwise, when it contains more than one alternative, all variants of the set are considered by indicator $x_2(s)$.
5. For the second indicator $x_2(s)$, from the set $\Psi_1$ a set $\Psi_2 \subseteq \Psi_1$ is formed of the variants that meet the condition

$\max_{k} x_{2k} - x_{2j} \le \Delta x_2,\quad j \in \Psi_1;\ k \in \Psi_1$. (11)

6. If the set $\Psi_2$ contains one variant, it is considered the best. Otherwise the remaining variants are considered by indicator $x_3(s)$, and so on.
7. If all indicators have been considered in turn and the final set $\Psi = \Psi_n \subseteq \Psi_{n-1} \subseteq \dots \subseteq \Psi_1$ still contains more than one alternative, there are two options: reduce the permissible concessions $\Delta x_i$, $i = \overline{1,n}$, starting from the most important indicator, and repeat the algorithm from the beginning, or let the decision maker choose the best option.

To illustrate the proposed algorithm we give an example of its application to the selection of a rational variant of the SIEM system. Four partial indicators are used: $x_1(s)$, cost, and $x_2(s)$, event source support, which are quantitative, and $\mu_S(x_3(s))$, scalability, and $\mu_S(x_4(s))$, ease of use, which are qualitative. Five SIEM variants $s_j$, $j = \overline{1,5}$, are considered.

As a result of the calculations and expert assessments, the following data were obtained characterizing the degree of compliance of the SIEM variants with the specified requirements (written as fuzzy sets, degree/variant):

$x_1 = \{0.8/s_1;\ 0.8/s_2;\ 0.7/s_3;\ 0.5/s_4;\ 0.6/s_5\}$;
$x_2 = \{0.7/s_1;\ 0.8/s_2;\ 0.6/s_3;\ 0.7/s_4;\ 0.8/s_5\}$;
$x_3 = \{0.4/s_1;\ 0.6/s_2;\ 0.7/s_3;\ 0.8/s_4;\ 0.7/s_5\}$;
$x_4 = \{0.5/s_1;\ 0.6/s_2;\ 0.5/s_3;\ 0.6/s_4;\ 0.3/s_5\}$.

1. The indicators are ranked by importance as follows: $x_1 \succ x_2 \succ \mu_S(x_3) \succ \mu_S(x_4)$.
2. The permissible concession is $\Delta x_i = 0.1$, $i = \overline{1,4}$.
3. With the maximum value of the first indicator $x_1 = 0.8$ and the permissible concession $\Delta x_1 = 0.1$, the set of equivalent SIEM variants meeting condition (10) is $\Psi_1 = \{s_1, s_2, s_3\}$.
4. From the set $\Psi_1$, by the second indicator $x_2$ (maximum $x_2 = 0.8$ within $\Psi_1$, $\Delta x_2 = 0.1$), condition (11) selects $\Psi_2 = \{s_1, s_2\}$.
5. From the set $\Psi_2$, by the third indicator $x_3$ (maximum $x_3 = 0.6$ within $\Psi_2$, $\Delta x_3 = 0.1$), the same condition selects $\Psi_3 = \{s_2\}$.

Since $\Psi_3$ contains a single variant, the fourth indicator need not be considered: the rational choice of SIEM for building the SOC is the second variant.

4 Conclusion

The research conducted shows that the lexicographic method is an effective method for solving the multicriteria problem of SIEM selection for a SOC. Groups of quantitative and qualitative indicators characterizing the requirements for a SIEM in the SOC are formulated, and methods for processing them are offered: the expedience of normalizing the quantitative indicators of the SIEM and of applying the method of paired comparison based on rank estimates to its qualitative indicators is justified. The SIEM selection problem is formulated and the main stages of its solution are outlined.
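Returning to the worked example of Section 3: the following Python is an added illustration (not code from the paper) of steps 1 to 7 of the lexicographic algorithm together with the normalization formula (2). It re-runs the paper's example data, so it reproduces $\Psi_1$, $\Psi_2$, $\Psi_3$ and the choice of $s_2$, and it also shows the step 7 fallback (shrinking the concessions and repeating) for a looser concession of 0.2 under which two variants survive all four indicators. The raw purchase costs used to demonstrate normalization of a "lower is better" indicator are constructed for this example and are not the paper's data.

```python
"""Lexicographic selection of a SIEM variant with permissible concessions.

Added illustration of steps 1-7 and formulas (2), (10)-(11) of the paper,
re-run on the paper's example data; the raw cost figures used to show the
normalization step are constructed and are not from the paper.
"""
from typing import Dict, List, Sequence, Tuple

Indicator = Dict[str, float]   # variant name -> degree of requirement fulfilment
EPS = 1e-9                     # absorbs float noise such as 0.8 - 0.7 > 0.1


def normalize_quantitative(raw: Indicator, higher_is_better: bool) -> Indicator:
    """Formula (2): x = (x - x*) / (x** - x*), x* the worst and x** the best value
    of the indicator over all variants, so the worst variant maps to 0 and the
    best to 1. For a cost-type indicator the worst value is the largest one."""
    values = list(raw.values())
    if higher_is_better:
        best, worst = max(values), min(values)
    else:
        best, worst = min(values), max(values)
    if best == worst:
        # the indicator does not discriminate; every variant fulfils it equally
        return {s: 1.0 for s in raw}
    return {s: (v - worst) / (best - worst) for s, v in raw.items()}


def lexicographic_select(indicators: Sequence[Indicator],
                         concessions: Sequence[float]) -> Tuple[List[List[str]], List[str]]:
    """indicators are already ranked by importance (step 1); concessions are the
    permissible concessions dx_i (step 2). Returns the chain Psi_1 ⊇ Psi_2 ⊇ ...
    and the final set. Psi_i keeps the variants of Psi_{i-1} whose value on
    indicator i is within dx_i of the best value in Psi_{i-1} ((10), (11))."""
    if len(indicators) != len(concessions):
        raise ValueError("one concession is needed per indicator")
    candidates = list(indicators[0])
    chain: List[List[str]] = []
    for x, dx in zip(indicators, concessions):
        best = max(x[s] for s in candidates)
        candidates = [s for s in candidates if best - x[s] <= dx + EPS]
        chain.append(list(candidates))
        if len(candidates) == 1:        # steps 4 and 6: a single variant is the best
            break
    return chain, candidates


def select_with_shrinking_concession(indicators: Sequence[Indicator],
                                     concessions: Sequence[float],
                                     factor: float = 0.5,
                                     max_rounds: int = 8) -> Tuple[List[str], List[float]]:
    """Step 7, first option: if several variants survive all indicators, reduce
    every concession and repeat from the first indicator. Returns (final set,
    concessions used); a final set with more than one element is left to the
    decision maker (step 7, second option)."""
    dx = list(concessions)
    final: List[str] = list(indicators[0])
    for _ in range(max_rounds):
        _, final = lexicographic_select(indicators, dx)
        if len(final) == 1:
            break
        dx = [d * factor for d in dx]
    return final, dx


# Data of the paper's example: degree of fulfilment of four requirements by five variants.
VARIANTS = ("s1", "s2", "s3", "s4", "s5")
X1_COST = dict(zip(VARIANTS, (0.8, 0.8, 0.7, 0.5, 0.6)))
X2_EVENT_SOURCES = dict(zip(VARIANTS, (0.7, 0.8, 0.6, 0.7, 0.8)))
X3_SCALABILITY = dict(zip(VARIANTS, (0.4, 0.6, 0.7, 0.8, 0.7)))
X4_EASE_OF_USE = dict(zip(VARIANTS, (0.5, 0.6, 0.5, 0.6, 0.3)))
EXAMPLE_INDICATORS = (X1_COST, X2_EVENT_SOURCES, X3_SCALABILITY, X4_EASE_OF_USE)

# Constructed raw purchase costs (arbitrary units) to show normalization of a
# "lower is better" indicator; not the paper's data.
RAW_COST = dict(zip(VARIANTS, (50.0, 50.0, 65.0, 100.0, 80.0)))


if __name__ == "__main__":
    print("normalized cost:", normalize_quantitative(RAW_COST, higher_is_better=False))
    chain, final = lexicographic_select(EXAMPLE_INDICATORS, [0.1] * 4)
    for i, psi in enumerate(chain, 1):
        print(f"Psi_{i} = {psi}")
    print("rational choice:", final)
    loose, used = select_with_shrinking_concession(EXAMPLE_INDICATORS, [0.2] * 4)
    print("concession 0.2, shrunk to", used, "->", loose)
```

With $\Delta x_i = 0.1$ the chain is $\Psi_1 = \{s_1, s_2, s_3\}$, $\Psi_2 = \{s_1, s_2\}$, $\Psi_3 = \{s_2\}$, as in the text. With $\Delta x_i = 0.2$ all four indicators are exhausted and $\{s_2, s_3\}$ remains; halving the concessions to 0.1 and repeating resolves the tie to $s_2$. The small EPS matters in practice: without it $0.8 - 0.7$ evaluates to slightly more than $0.1$ and $s_3$ would be dropped from $\Psi_1$ by floating-point noise alone.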
An algorithm implementing the lexicographic method is developed and brought to practical implementation. The results obtained can be used in practice to solve the problems of creating a SOC and of the rational choice of its software, such as a SIEM.

References

1. Vogel Business Media GmbH & Co. KG: Was ist ein Security Operations Center (SOC)? [What is a Security Operations Center (SOC)?]. https://www.security-insider.de/was-ist-ein-security-operations-center-soc-a-617980/, last accessed 22.06.19.
2. Laskin, S.: How to build a competent, scalable and effective information security management center. LAN Network Solutions Magazine. https://www.osp.ru/lan/2017/04/13051902/, last accessed 28.03.2019.
3. Kotenko, I.V., Voroncov, V.V., Chechulin, A.A., Ulanov, A.V.: Proactive security mechanisms against network worms: approach, implementation and results of the experiments. Information Technology, vol. 1, pp. 37-42 (2009).
4. Kotenko, I., Saenko, I., Polubelova, O., Chechulin, A.: Application of security information and event management technology for information security in critical infrastructures. SPIIRAS Proceedings, ISSN 2078-9181, issue 1(20), pp. 27-56 (2012).
5. Paley, L.: Comparison of SIEM systems. Part 1. https://www.anti-alware.ru/compare/SIEM-systems, last accessed 07/04/2018.
6. Paley, L.: Comparison of SIEM systems. Part 2. https://www.anti-alware.ru/compare/SIEM-systems-part2, last accessed 08/05/2019.
7. Niyazov, T.: Comparison of SIEM solutions for building SOC. https://www.jetinfo.ru/stati/sravnenie-siem-reshenij-dlya-postroeniya-soc, last accessed 08/05/2019.
8. Comparison of SIEM systems. https://www.siem.su/compare_SIEM_systems.php, last accessed 08/05/2019.
9. Donskoy, K.A., Levin, L.S., Trushin, V.A.: SIEM overview on the Russian market. Collection of Scientific Works of NSTU, no. 3(89), pp. 124-132 (2017).
10. SIEM product comparison. https://comminity.softwaregrp.com/dcvta86296, last accessed 10/18/2019.
11. SIEM competitive comparison. https://www.securonix.com/products/competitive-comparison, last accessed 10/18/2019.
12. Boehm, B., Brown, J., Caspar, H. et al.: Characteristics of Software Quality (translated from English). Mir, Moscow, 208 p. (1981).
13. Borisov, A.N., Krumberg, O.A., Fedorov, I.P.: Decision Making Based on Fuzzy Models: Examples of Use. Zinatne, Riga, 184 p. (1990).
14. Zaichenko, Y.P.: Operations Research: Fuzzy Optimization. High School, Kiev, 191 p. (1991).
15. Rothstein, A.P.: Intelligent Identification Technologies: Fuzzy Sets, Genetic Algorithms, Neural Networks. UNIVERSUM, Vinnytsia, 320 p. (1999).
16. Gerasimov, B.M., Divizinyuk, M.M., Subach, I.Y.: Decision Support Systems: Design, Application, Performance Evaluation. Monograph. Publishing Center SNIYE and P, Sevastopol, 320 p. (2004).
17. Tutkin, L.S.: Optimization of Electronic Devices According to a Set of Quality Indicators. Radio and Communications, Moscow, 367 p. (1975).
18. Podinovsky, V.V., Gavrilov, V.M.: Optimization According to Successively Applied Criteria. Soviet Radio, Moscow, 234 p. (1975).
19. Podinovsky, V.V., Nogin, V.D.: Pareto-Optimal Solutions to Multicriteria Problems. Science, Main Edition of the Physical and Mathematical Literature, Moscow, 256 p. (1982).