Discrete-event modelling of information security monitoring and management processes

Free access

The article applies discrete-event modelling to the processes of information security monitoring and management. Simulation experiments show that such models can represent the response to computer attacks adequately and in real time, calculate the rapidly changing load on the information system and on the personnel protecting it, and visualize the operation of the information security monitoring and management subsystem. The discrete-event model, built in the AnyLogic environment, reflects attack messages from two kinds of sources (internal and external): workstations, network devices, web resources and information security tools. A SIEM (Security Information and Event Management) system is modelled in which messages are sequentially collected, filtered, aggregated and correlated; the SIEM then distributes the messages by risk level: high, medium or low. Next, the SOC (Security Operations Center) is modelled with three lines of service, corresponding to levels of computer attack recognition and, accordingly, to levels of staff training. The experiments with the model study the response time to computer attacks, the waiting time in the queue, the processing time in the SIEM and SOC, the number of messages whose detected signature matches turn out to be computer attacks, and the situation in which the number of messages sent from the sources to the information security monitoring centre rises sharply. AnyLogic makes it possible to play out different scenarios on the discrete-event model, interpret the consequences of computer attacks and carry out various kinds of simulation experiments, avoiding the complexity of their practical implementation and reducing the cost of obtaining estimates of the information security state.
Simulation experiments make it possible to predict the response time to computer attacks and to study the filtering, aggregation and correlation blocks.
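The pipeline the abstract describes (message sources, a SIEM that filters, aggregates and correlates, risk-based routing to three SOC lines, and a sharp surge in message volume) as an added illustration in plain Python rather than AnyLogic. This is not the article's model; every rate, the noise fraction, the aggregation window, the signature-to-risk table, the analyst counts and the service times are assumed values chosen for the example, and the metrics it reports are the ones the abstract names: queue waiting time, SIEM and SOC processing time and end-to-end response time.

```python
"""Toy discrete-event model of a SIEM -> SOC alert pipeline (added example, assumed parameters)."""
import heapq
import random
import statistics
from collections import deque

# Assumed parameters (hypothetical, not taken from the article); times are in minutes.
SIEM_DELAY = 0.5                                   # collect + filter + aggregate + correlate one message
AGG_WINDOW = 2.0                                   # repeats of one (source, signature) inside it are merged
NOISE_FRACTION = 0.4                               # share of matching messages the filtering block discards
SIGNATURE_RISK = {"exploit": "high", "bruteforce": "medium", "scan": "low", "info": None}
SERVICE_MEAN = {"L1": 5.0, "L2": 10.0, "L3": 20.0}  # mean analyst handling time per SOC line
LINE_FOR_RISK = {"low": "L1", "medium": "L2", "high": "L3"}


class SocSimulation:
    def __init__(self, rate_per_min, analysts, duration, seed=7, burst=None):
        self.rng = random.Random(seed)
        self.rate = rate_per_min
        self.free = dict(analysts)                 # idle analysts per line, e.g. {"L1": 2, ...}
        self.queue = {line: deque() for line in analysts}
        self.duration = duration
        self.burst = burst                         # (start, end, multiplier) or None
        self.events = []                           # heap of (time, seq, kind, data)
        self.seq = 0
        self.last_seen = {}                        # (source, signature) -> time of last kept message
        self.stats = {"generated": 0, "filtered": 0, "aggregated": 0, "incidents": 0,
                      "wait": [], "response": []}

    def schedule(self, t, kind, data=None):
        self.seq += 1                              # unique seq keeps heap ordering total
        heapq.heappush(self.events, (t, self.seq, kind, data or {}))

    def current_rate(self, t):
        if self.burst and self.burst[0] <= t < self.burst[1]:
            return self.rate * self.burst[2]
        return self.rate

    def run(self):
        self.schedule(0.0, "arrival")
        while self.events:
            t, _, kind, data = heapq.heappop(self.events)
            if kind == "arrival":
                if t < self.duration:
                    self.on_arrival(t)
            elif kind == "siem_done":
                self.on_siem_done(t, data)
            elif kind == "soc_done":
                self.on_soc_done(t, data)
        return self.summary()

    def on_arrival(self, t):
        # A message from an internal or external source enters the SIEM.
        self.stats["generated"] += 1
        msg = {"t0": t, "source": self.rng.choice(["internal", "external"]),
               "signature": self.rng.choice(list(SIGNATURE_RISK))}
        self.schedule(t + SIEM_DELAY, "siem_done", msg)
        self.schedule(t + self.rng.expovariate(self.current_rate(t)), "arrival")

    def on_siem_done(self, t, msg):
        # Filtering: informational messages and a share of the rest are dropped as noise.
        risk = SIGNATURE_RISK[msg["signature"]]
        if risk is None or self.rng.random() < NOISE_FRACTION:
            self.stats["filtered"] += 1
            return
        # Aggregation: repeats of the same (source, signature) within the window are merged.
        key = (msg["source"], msg["signature"])
        if t - self.last_seen.get(key, float("-inf")) < AGG_WINDOW:
            self.stats["aggregated"] += 1
            return
        self.last_seen[key] = t
        # Correlation: the surviving message becomes an incident with a risk level and a SOC line.
        self.stats["incidents"] += 1
        msg.update(risk=risk, queued=t)
        line = LINE_FOR_RISK[risk]
        self.queue[line].append(msg)
        self.dispatch(t, line)

    def dispatch(self, t, line):
        while self.free[line] > 0 and self.queue[line]:
            msg = self.queue[line].popleft()
            self.free[line] -= 1
            self.stats["wait"].append(t - msg["queued"])
            msg["line"] = line
            self.schedule(t + self.rng.expovariate(1 / SERVICE_MEAN[line]), "soc_done", msg)

    def on_soc_done(self, t, msg):
        self.free[msg["line"]] += 1
        self.stats["response"].append(t - msg["t0"])   # end-to-end response time
        self.dispatch(t, msg["line"])

    def summary(self):
        s = self.stats
        return {"generated": s["generated"], "filtered": s["filtered"],
                "aggregated": s["aggregated"], "incidents": s["incidents"],
                "resolved": len(s["response"]),
                "mean_wait": statistics.fmean(s["wait"]) if s["wait"] else 0.0,
                "mean_response": statistics.fmean(s["response"]) if s["response"] else 0.0,
                "max_response": max(s["response"], default=0.0)}


def compare_burst(seed=7):
    """One 8-hour shift at 1 msg/min, without and with a constructed 60-minute tenfold surge."""
    analysts = {"L1": 2, "L2": 3, "L3": 4}
    base = SocSimulation(1.0, analysts, 480, seed).run()
    burst = SocSimulation(1.0, analysts, 480, seed, burst=(120, 180, 10)).run()
    return base, burst


if __name__ == "__main__":
    for label, result in zip(("baseline", "burst"), compare_burst()):
        print(label, result)
```

Running the two scenarios side by side shows the effect the abstract attributes to the surge: the aggregation block absorbs much of the extra volume because repeats of one signature from one source collapse into a single incident, yet the incidents that survive still exceed the capacity of the high-risk line and the queue waiting time rises sharply until the backlog drains after the burst.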


Discrete-event modeling, information security, monitoring, simulation experiment, computer attack

Short address: https://sciup.org/148309539

IDR: 148309539   |   DOI: 10.25586/RNU.V9187.19.03.P.032

Scientific article