Designing blockchain-based SIEM 3.0 system

摘要

Purpose - Nowadays, to operate securely and legally and to achieve business objectives, secure valuable assets and support uninterrupted business processes, all organizations need to match a lot of internal and external compliance regulations such as laws, standards, guidelines, policies, specifications and procedures. An integrated system able to manage information security (IS) for their intranets in the new cyberspace while processing tremendous amounts of IS-related data coming in various formats is required as never before. These data, after being collected and analyzed, should be evaluated in real-time from an IS incident viewpoint, to identify an incident's source, consider its type, weigh its consequences, visualize its vector, associate all target systems, prioritize countermeasures and offer mitigation solutions with weighted impact relevance. Different security information and event management (SIEM) systems cope with this routine and usually complicated work by rapid detection of IS incidents and further appropriate response. Modern challenges dictate the need to build these systems using advanced technologies such as the blockchain (BC) technologies (BCTs). The purpose of this study is to design a new BC-based SIEM 3.0 system and propose a methodology for its evaluation. Design/methodology/approach - Modern challenges dictate the need to build these systems using advanced technologies such as the BC technologies. Many internet resources argue that the BCT suits the intrusion detection objectives very well, but they do not mention how to implement it. Findings - After a brief analysis of the BC concept and the evolution of SIEM systems, this paper presents the main ideas on designing the next-generation BC-based SIEM 3.0 systems, for the first time in open access publications, including a convolution method for solving the scalability issue for evergrowing BC size. This new approach makes it possible not to simply modify SIEM systems in an evolutionary manner, but to bring their next generation to a qualitatively new and higher level of IS event management in the future. Research limitations/implications - The most important area of the future work is to bring this proposed system to life. The implementation, deployment and testing onto a real-world network would also allow people to see its viability or show that a more sophisticated model should be worked out. After developing the design basics, we are ready to determine the directions of the most promising studies. What are the main criteria and principles, according to which the organization will select events from PEL for creating one BC block? What is the optima) number of nodes in the organization's BC, depending on its network assets, services provided and the number of events that occur in its network? How to build and host the SIEM 3.0 BC infrastructure? How to arrange streaming analytics of block's content containing events taking place in the network? How to design the BC middleware as software that enables staff to interact with BC blocks to provide services like IS events correlation? How to visualize the results obtained to find insights and patterns in historical BC data for better IS management? How to predict the emergence of IS events in the future? This list of questions can be continued indefinitely for a full-fledged design of SIEM 3.0. Practical implications - This paper shows the full applicability of the BC concept to the creation of the next-generation SIEM 3.0 systems that are designed to detect IS incidents in a modern, fully interconnected organization's network environment. The authors' attempt to begin with a detailed description of the basics for a BC-based SIEM 3.0 system design is presented, as well as the evaluation methodology for the resulting product. Originality/value - The authors believe that their new revolutionary approach makes it possible not to simply modify SIEM systems in an evolutionary manner, but to bring their next generation to a qualitatively new and higher level of IS event management in the future. They hope that this paper will evoke a lively response in this segment of the security controls market from both theorists and direct developers of living systems that will implement the above approach.