To solve problems related to security and fixing events of a SIEM system, consider the main functionality of SIEM systems:  Data aggregation: data log management; data is collected from various sources.  Correlation: finding common attributes, linking events to meaningful clusters.  Alert: automated analysis of correlated events and generation of notifications (alarms) about current problems (e-mail, GSM-gateway, applications on the phone).  Display facilities: displays graphs to help identify work anomalies using prepared patterns.  Compatibility: using add-ons to automate data collection, create reports to adapt aggregated data to existing information security management and audit processes.  Data storage: the use of long-term data storage in historical order to correlate data over time and for further computer forensics and investigation of network incidents.  Expert analysis: the ability to search through a variety of journals on various nodes, including for software and technical expertise.

Based on these characteristics, we have analyzed up-to-date SIEM systems and compare their capabilities. It was the main objective of this research study.

IBM QRadar Security Intelligence Platform [ 4 ] consists of a number of integrated systems for event collection, monitoring, security analysis and incident investigation: 1. Log Manager. 2. SIEM. 3. Flow Processor. 4. Vulnerability Manager. 5. Risk Manager. 6. Network Insights. 7. Watson Advisor for Cyber Security. 8. Packet Capture and Incidents Forensics.

QRadar allows you to collect and process information about information security events from security audit logs, analyze network statistics (NetFlow, etc.), independently analyze network traffic and transmitted information, build a network topology and emulate changes in configuration files of network equipment, identify vulnerabilities and unsafe settings systems, completely capture traffic and recreate a chain of communications between network nodes.

Benefits of the IBM QRadar Security Intelligence Platform (Fig. 1):  A unified platform for the systematic creation of SOC: collection and analysis of information security events, detection of abnormal network activity, scanning of vulnerabilities and identification of unsafe configurations, integration with artificial intelligence IBM Watson, network forensics and transition to incident response processes in IBM Resilient.  Flexible architecture of QRadar Platform, which allows you to redefine the role and functions of platform modules and does not limit client companies to rigid frameworks of a once-selected scheme.  A large number of free applications, content and integration modules.

LogRhythm [ 5 ], as a platform, offers an intelligent security solution that uses artificial intelligence to analyze logs and traffic on Windows and Linux systems (Fig. 2).

System advantages:  has an expandable data storage;  suitable for systems where there is no structured data, no centralized visibility or automation;  suitable for small and medium-sized organizations;  allows you to filter out useless information or other logs and narrow the analysis down to the network level;  Compatible with a wide range of logs and devices, and seamlessly integrates with Varonis to enhance threat and incident response capabilities.

Hewlett Packard Enterprise (HPE) ArcSight is the most widespread SIEM system in the EastEuropean market [ 6 ].

HPE ArcSight is targeted at midsize to large enterprises and service providers (Fig. 3).

The HPE ArcSight platform can be deployed as a device, software, or virtual instance. HPE ArcSight supports a scalable n-tier architecture with HPE ArcSight Management Center.

HPE ArcSight benefits:  Arcsight ESM provides a complete set of SIEM capabilities that can be used to support a large-scale SOC, including a complete incident investigation and management workflow, and a dedicated deployment management console.  HPE User Behavior Analytics identifies anomalies based on user behavior analysis and complements traditional correlation, which is the core function of arcsight.  DNS Malware Analytics analyzes DNS traffic and provides complete visibility of the IT infrastructure, which helps to identify network vulnerabilities even before attackers take advantage of them.  Arcsight Threat Central contains an online threat knowledge base and allows you to share information on how to detect and eliminate them.

Splunk is a tool that leverages the power of artificial intelligence and machine learning to deliver actionable, effective, and predictive insights (Fig. 4).

Splunk [ 5,7 ] is suitable for all types of organizations for both on-premises and SaaS deployments. Key benefits:  Fast threat detection.  Identification and assessment of risks.  Management of alerts.  Ordering events.  Fast and efficient response.  Works with data from any machine, both on-premises and in the cloud infrastructure.

McAfee Enterprise Security Manager (ESM) [ 5 ] is delivered as physical and virtual devices and software. The three main components that make up SIEM are ESM, Event Receiver and Enterprise Log Manager, which can be deployed together as a single instance or separately for distributed or largescale environments (Figure 5).

McAfee Enterprise Security Manager benefits:  Enterprise Security Manager has good coverage of Industrial Control Systems (ICS) and

Supervisory Control and Data Acquisition (SCADA) devices.  McAfee Data Exchange Layer (DXL) from Intel Security provides non-API integration with third-party technologies. This approach makes it possible to use ESM as a SIEM platform.  McAfee Global Threat Intelligence extends Enterprise Security Manager's SIEM system by adding a source of continuously updated threat intelligence, enabling rapid detection of events involving communications with suspicious or malicious IP addresses.

Alient Vault USM is a comprehensive information security management platform that centralizes and simplifies threat detection, incident response, and compliance management in cloud and onpremises environments (Fig. 6).

FortiSIEM is a comprehensive, scalable security, performance, and compliance management tool for all infrastructure components, capable of working with both the cloud and the Internet of Things (IoT) [ 15–18 ]. The FortiSIEM solution [ 5 ] is aimed at reducing the complexity of detecting threats while increasing the effectiveness of the security system and exchanging information with the product, including about discovered vulnerabilities (Fig. 7.). Key features of FortiSIEM (Fig. 8):  Scalable and flexible log collection.  Incident notification and management.  Providing the user with fully functional custom dashboards.  Integration of external threat data.  Providing a scalable analysis function.  Set baselines and identify statistical anomalies in endpoint /server/user behavior.  Integration of external technologies.

Key features (Fig. 9):  Ensuring full bandwidth.  Eliminate threats by blocking all traffic from known malicious sites and untrusted countries.  Elimination of the possibility of false positives - visual confirmation of malicious actions for all blocked sites.  Improved processing efficiency by reducing the number of safety alerts.  Threat Intelligence updates every 5 minutes using Cloud Update Subscription (ATI).  Quick identification of compromised internal systems.  Blocking the connection with the captured ip-addresses.  Dual power redundancy and built-in bypass capability for maximum reliability.  Easy 30-minute setup with no further adjustments or maintenance, and centralized management from the cloud.

 Increases the return on investment and performance of the network security infrastructure [ 7 ].

The Mozilla SIEM system MozDef [ 7 ] is used to automate security incident handling. The system is designed from scratch for maximum performance, scalability and fault tolerance, with a microservice architecture - each service runs in a Docker container (Fig. 10).

Benefits:  Does not use agents - works with standard JSON logs.  Easily scalable due to microservice architecture.

 Supports cloud service data sources including AWS CLOUDTRAIL and GUARDDUTY. 3.10. Wazuh

System advantages (Fig. 11):  Based and compatible with the popular SIEM OSSEC.  Supports various installation options: DOCKER, PUPPET, CHEF, ANSIBLE.  Supports monitoring of cloud services including AWS and AZURE.  Includes a comprehensive set of rules to detect many types of attacks and allows them to be compared in accordance with PCI DSS V3.1 and CIS.  Integrates with the SPLUNK log storage and analysis system, event visualization and API support [ 8 ].

Prelude OSS (Fig. 12) solution is a flexible modular SIEM system that supports many log formats, integration with third-party tools such as OSSEC, Snort and Suricata network detection system. Advantages [ 8,9 ]:  A time-tested system in development since 1998.  Supports many different log formats.

 Normalizes data to IMDEF format, making it easy to transfer data to other security systems. 3.12. Sagan

The advantages of this system (Fig. 14):  Modularity of the product providing high scalability and performance.  Deep integration of the SIEM system with the MAXPATROL security analysis tool.  Correlation rules are resistant to changes in its infrastructure.  Vendor’s willingness to connect any source of logs.  An event normalization system that allows you to search for events using various structured data.  Customer customization support—the ability to create your own event filters, correlation rules, collection profiles.  The ability to distribute incidents among employees, track the status of investigations and conduct work processes within the SIEM system.

SolarWinds (Fig. 15) has great capabilities for managing logs and reporting, responding to incidents in real time [ 5,10 ].

Main features of the system:  Fast detection of suspicious actions and threats.  Continuous monitoring of the security status.  Determining the time of the event.  Compliance with DSS, HIPAA, SOX, PCI, STIG, DISA and other regulations.  Solarwinds’ solution is suitable for small and large businesses. It has both on-premises and cloud Deployment options and runs on Windows and Linux.

EventLog Analyzer ManateEngine is a SIEM solution that focuses on analyzing various logs and extracting various performance and security information from them (Fig. 16).

Target areas include key sites and applications such as web servers, DHCP servers, databases, print servers, mail services, etc.

In addition, the ManageEngine analyzer, which runs on Windows and Linux systems, is useful for bringing systems into compliance with data protection standards such as PCI, HIPPA, DSS, ISO 27001, etc. [ 9,11 ].

Key features of the SIEM EventTracker platform (Fig. 17): 1. Real-time alert and incident response. EventTracker generates rule-based alerts with dashboard updates and fix recommendations. 2. Search and forensic analysis. Logs are indexed in Elastic Search using an extensible shared indexing model. 3. Making report. The reporting module includes over 1,500 predefined security and compliance reports. Full support is included for PCI-DSS, HIPAA, ISO 27001, NIST 800-171, DoD, RMF, GDPR and more. 4. Behavior analysis and correlation. EventTracker quickly detects and tracks changes in systems and user behavior. Real-time processing and correlation gives a complete picture of what's new and different. 5. Threat analysis. EventTracker integrates with valuable threat data streams from ecosystem partners and open source vendors to provide fast and accurate threat detection to your network [ 5,12 ].

Micro Focus ArcSight is a cybersecurity product that provides big data security analytics and intelligence software for information security and event management (SIEM) and account management.

Real-time threat detection and response supported by efficient, intelligent open source SIEM (security information and event management) software. Micro Focus ArcSight is a cybersecurity product that provides big data security analytics and intelligence software for information security and event management (SIEM) and account management [ 6,13 ].

The BlackStratus SIEMStorm device provides flexible threat visualization and mitigation tools across distributed networks. SIEMStorm integrates with existing network and security equipment, providing the following advanced features [ 10,14 ]: 1. Extended architecture. Blackstratus Siemstorm provides full failover and tiered redundancy to meet complex regulatory requirements, business continuity and risk management. 2. Real-time visualization of the attack. Identify zero-day attacks using complex metrics based on rules, vulnerabilities, statistical and historical correlations. 3. Correlation of vulnerability. Integrate data from CVE-compliant intrusion detection systems, eliminate false positives and free your team to focus on real threats 4. Transparency. Gain unprecedented visibility across distributed networks to correlate activity in separate network environments, identify hidden threats, suspicious trends, and other potentially harmful behavior 5. Making report. Blackstratus Siemstorm provides easy reporting for iso, pci, hipaa, sox and other compliance standards

RSA NetWitness Suite provides threat visibility using data from security events and other log sources, full packet capture, NetFlow, and endpoints (via RSA NetWitness Endpoint).

RSA NetWitness is focused on real-time monitoring, analysis, and alerting in addition to proactive threat support and incident response and forensic investigation [ 5,14 ].

Benefits of RSA NetWitness Suite:

The rsa netwitness platform brings together threat detection and event monitoring analytics, investigation and analysis of threats in network traffic, endpoints and other sources of security events and logs.

Modular deployment options allow customers to choose to monitor network traffic and monitor and analyze events and logs as needed.

RSA LIVE provides a simple and automated approach to ensure uninterrupted delivery of threat intelligence, content and other updates.

In this paper, we reviewed existing modern SIEM systems, their functionality, the basic principle of their operation, and also conducted a comparative analysis of each of them, their capabilities and differences, advantages and disadvantages of use. An analysis was also carried out for compliance with international specifications and standardizations in this sphere.

Based on the analysis, we can declare that the FortiSIEM system is the most optimal. Systems IBM QRadar, LOGRHYTHM, according to the selection criteria, also gain a large number of points, but are expensive and not available for many companies. Also, developers should pay their attention on the open source solutions specified in Table 1 and 2.

In the future these results will be used in research project realization devoted to open source SIEM development and implementation in critical infrastructure to improve the cybersecurity level in the context of information warfare and cyber threats realization. linux linux/windows

linux

This work is carried out within the framework of research grant №АР06851243 “Methods, models and tools for security events and incidents management for detecting and preventing cyber attacks on critical infrastructures of digital economics” (2020–2022), funded by the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan.

[16] Berdibayev R., Gnatyuk S., Yevchenko Yu., Kishchenko V. “A concept of the architecture and creation for SIEM system in critical infrastructure”, Studies in Systems, Decision and Control, Vol. 346, 2021, pp. 221-242. [17] Gnatyuk S., Berdibayev R., Avkurova Z., Verkhovets O., Bauyrzhan M. “Studies on cloud-based cyber incidents detection and identification in critical infrastructure”, CEUR Workshop Proceedings, 2021, Vol. 2923, pp. 68-80. [18] J. Lee, Y. S. Kim, J. H. Kim and I. K. Kim, “Toward the SIEM architecture for cloud-based security services,” 2017 IEEE Conference on Communications and Network Security (CNS), 2017, pp. 398-399, DOI: 10.1109/CNS.2017.8228696. [19] Faure, E., Shcherba, A., Vasiliu, Y., Fesenko, A. Cryptographic key exchange method for data factorial coding (2020) CEUR Workshop Proceedings, 2654, pp. 643-653. [20] Astapenya V., Buriachok V., Sokolov V., Skladannyi P. and Ageyev D. “Last mile technique for wireless delivery system using an accelerating lens”, Proceedings of 2020 IEEE International Conference on Problems of Infocommunications Science and Technology, PIC S and T 2020, pp. 811-814, 2021. DOI:10.1109/PICST51311.2020.946788 [21] V. Kuzmin, M. Zaliskyi, R. Odarchenko, Yu. Petrova, “New Approach to Switching Points Optimization for Segmented Regression during Mathematical Model Building”, CEUR Workshop Proceedings, 2022, Vol. 3077, pp. 106-122. [22] I. Ostroumov and N. Kuzmenko, “Configuration Analysis of European Navigational Aids Network,” 2021 Integrated Communications Navigation and Surveillance Conference (ICNS), 2021, pp. 1-9, DOI: 10.1109/ICNS52807.2021.9441576. [23] O. Solomentsev, M. Zaliskyi, O. Shcherbyna, O. Kozhokhina, “Sequential Procedure of Changepoint Analysis During Operational Data Processing”, Microwave Theory and Techniques in Wireless Communications, 2020, pp 168-171, DOI: 10.1109/MTTW51045.2020.9245068. [24] I. Ostroumov, N. Kuzmenko “Compatibility analysis of multi signal processing in APNT with current navigation infrastructure,” in Telecommunications and Radio Engineering, vol. 77, issue 3, 2018, pp. 211-223. [25] I. Zhukov, N. Pechurin, L. Kondratova et al, Increasing the accuracy of the information load annual growth evaluation on the internet of things, CEUR Workshop Proceedings, vol. 2588, 2019, art. 158907.