THE CONCEPT OF INFORMATION SECURITY MANAGEMENT BASED ON A CYCLE OF INFORMATION SECURITY INCIDENTS CONTINUOUS DETECTION AND RESPONSE

  • A.A. Oleynikova, Intellectual Security LLC
  • V.V. Zolotarev, Siberian State University of Science and Technology
Keywords: Information security management, process approach, security management algorithm, data-based management, continuous detection and response

Abstract

For dynamically changing management objects, information security management raises new tasks, such as changing the approaches to data collection and analysis and developing dynamic scenarios for responding to information security threats. These tasks should be solved by creating security management algorithms, models, methods and approaches applicable to them, including at the level of organizing processes, working with data and forming the organization's information security architecture. In addition, developing and forming continuous detection and response tools requires new ways of integrating these algorithms into the structure of the controlled object. At the same time, creating response systems based on the new concept also involves changing the security management algorithms of such systems in special cases, such as decentralized management, stability testing and cloud security services, which require separate research. Responding to information security incidents should also take into account the continuously changing threat landscape and the reconfiguration of the organization's infrastructure. The development of the new concept presented in the article was also influenced by the main provisions of object-oriented programming. This work describes a management concept based on a continuous detection and response cycle, presents some of the algorithms and processes that distinguish the implementation of this concept, and gives examples of their implementation. The practical examples given in the article concern issues such as forming the incident neighborhood and make it possible to form the context of information security management. In addition, an approach to automating information security management processes is shown. The results of the work can be used both in simulation models and as a set of information security management processes implemented in practical tasks. The results obtained can also be integrated into orchestration tools for information security systems, which increases the effectiveness of responding to information security incidents.

Published: 2023-12-11

Section: SECTION I. INFORMATION PROCESSING ALGORITHMS