Cybersecurity
13:58, 01 June 2026

Improving Cybersecurity Detection: Russian Researchers Develop a Method to Strengthen Security Monitoring Systems

Researchers at Novosibirsk State Technical University NETI have developed a methodology for quantitatively assessing the quality of information security events.

The new methodology makes it possible to evaluate the completeness and accuracy of data used for normalization, correlation, and incident detection. Today, even a formally well-configured SIEM system may fail to detect an attack if logs are missing mandatory fields such as a source IP address or authentication status. The NSTU NETI approach is designed to assess whether incoming data is suitable for correlation rules, including those used to identify password-guessing attacks.
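To make the idea concrete, here is an added illustration (not the NSTU NETI methodology and not code from the researchers) of scoring normalized events for correlation readiness: it measures per-field completeness, treats empty values as missing, reports readiness per log source, and shows that a toy password-guessing rule can only fire on events that carry every field it needs. The field names, the rule's requirements, the threshold and the sample events are all constructed assumptions.

```python
"""Added illustration of log-quality scoring for correlation readiness.
Field names, rule requirements and sample events are assumptions."""
from collections import Counter

# Assumed fields a password-guessing correlation rule needs to work at all.
RULE_FIELDS = {"password_guessing": ("timestamp", "src_ip", "user", "auth_status")}

# Constructed sample of normalized events from two sources; the "web" source
# was onboarded without a source IP, and one event carries an empty status.
EVENTS = [
    {"source": "vpn", "timestamp": 1, "src_ip": "10.0.0.5", "user": "alice", "auth_status": "fail"},
    {"source": "vpn", "timestamp": 2, "src_ip": "10.0.0.5", "user": "alice", "auth_status": "fail"},
    {"source": "vpn", "timestamp": 3, "src_ip": "10.0.0.5", "user": "alice", "auth_status": "fail"},
    {"source": "web", "timestamp": 4, "user": "bob", "auth_status": "fail"},
    {"source": "web", "timestamp": 5, "user": "bob", "auth_status": "fail"},
    {"source": "web", "timestamp": 6, "user": "bob", "auth_status": ""},
]

def _present(event, field):
    # An absent key and an empty value are both treated as missing data.
    return event.get(field) not in (None, "")

def completeness(events, fields):
    """Share of events carrying a non-empty value, per required field."""
    n = len(events)
    return {f: sum(1 for e in events if _present(e, f)) / n for f in fields}

def rule_readiness(events, rule):
    """Fraction of events usable by the rule, plus the usable events themselves."""
    fields = RULE_FIELDS[rule]
    usable = [e for e in events if all(_present(e, f) for f in fields)]
    return len(usable) / len(events), usable

def assess_by_source(events, rule):
    """Readiness per log source: a source scoring 0.0 is a blind spot for this rule."""
    sources = sorted({e["source"] for e in events})
    return {s: rule_readiness([e for e in events if e["source"] == s], rule)[0] for s in sources}

def detect_password_guessing(events, threshold=3):
    """Toy correlation rule: at least `threshold` failures from one src_ip against one user."""
    counts = Counter((e["src_ip"], e["user"]) for e in events if e["auth_status"] == "fail")
    return sorted(key for key, hits in counts.items() if hits >= threshold)

if __name__ == "__main__":
    ready, usable = rule_readiness(EVENTS, "password_guessing")
    print("completeness:", completeness(EVENTS, RULE_FIELDS["password_guessing"]))
    print("readiness by source:", assess_by_source(EVENTS, "password_guessing"))
    print("detections on usable events:", detect_password_guessing(usable))
```

Running it shows the "web" source at 0.0 readiness, so bob's repeated failures are invisible to the rule even though the logs are being collected; that gap is what a data-quality check like the one described above is meant to surface before a rule is trusted.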

A Valuable Domestic Methodology

The researchers’ work is not a mass-market product. Rather, it is an applied development intended for corporate and government cybersecurity environments. In the future, it could be used by security operations centers (SOCs), information security teams at large organizations, government agencies, critical infrastructure operators, system integrators, and developers of SIEM (Security Information and Event Management) platforms. The development represents an important step for Russia’s cybersecurity sector. Following the withdrawal of foreign vendors, the domestic SIEM market has continued to expand, driven by import substitution efforts and a growing volume of cyber threats.

The methodology is expected to reduce the number of attacks that go undetected across banking, government services, telecommunications, healthcare, transportation, and other everyday services. Advancing approaches of this kind increases the maturity of the national cybersecurity ecosystem. That is particularly important given the growing requirements for critical infrastructure protection and the operation of Russia’s state system for detecting and responding to cyberattacks.

In a global context, however, the underlying idea is not unique. Log quality and telemetry quality remain persistent challenges for SOC and SIEM deployments worldwide. At the same time, the Russian development could become an important domestic methodology tailored to local regulatory requirements and infrastructure characteristics.

A New Layer of Data Quality Assurance

The methodology can be viewed as a promising addition to existing security operations practices. Most likely, it will be used as a supporting tool within SOC and SIEM environments when onboarding new log sources, validating data completeness, configuring correlation rules, and identifying monitoring blind spots. For Russian vendors, it could become part of broader data-quality assurance functionality, increasing the value of SIEM platforms at a time when incident volumes and operational workloads continue to rise.

The methodology is also important for government organizations and operators of critical information infrastructure as a way to improve monitoring and reporting capabilities amid stricter regulatory requirements and limitations on foreign cybersecurity services. While it is unlikely to become a standalone export product, it could strengthen the competitiveness of Russian SIEM and SOC solutions in friendly international markets. To achieve that, however, pilot deployments, integration with specific systems, and evidence that it measurably reduces missed attacks will be required.

The Shift Toward Intelligent Threat Analysis

Russia’s government-driven cybersecurity agenda began to strengthen significantly in 2022 following a presidential decree signed by Vladimir Putin that introduced additional protective measures. That move accelerated demand for domestic event-monitoring technologies. The same year, CROC became one of the first organizations to migrate the services of its cybersecurity center to Kaspersky Lab’s KUMA SIEM platform. The transition signaled a broader shift by SOCs toward Russian-developed platforms. The SIEM market continued to evolve throughout 2023 and 2024 as organizations moved away from foreign systems and adopted domestic alternatives. Among the notable players, MaxPatrol SIEM established a strong position.

In 2024, data-source quality controls were enhanced in MaxPatrol SIEM 8.2. That same year, Kaspersky KUMA 3.4 introduced expanded AI capabilities, improved visualization tools, and stronger correlation functionality. These developments reflected a broader transition in SIEM technology from simple log storage toward intelligent threat analysis. In 2025, Solar introduced a platform that combines SIEM and SOAR capabilities. The solution automates event processing, incident analysis, and response activities.

Requirements for protecting government information systems became more stringent in 2025 and 2026. New regulations are being prepared that would require government information systems to connect to the national attack-detection and prevention platform and report cyber incidents to security agencies. At the same time, domestic SIEM platforms continue to become more sophisticated. In 2026, Kaspersky KUMA 4.2 added AI-powered capabilities designed to detect credential theft. The direction of travel is clear: SIEM platforms are evolving toward intelligent analysis of complex compromise scenarios.

Piloting the Methodology in Academic and Research Environments

The NSTU NETI methodology matters not because it is a mass-market product, but because it provides an engineering tool for improving the reliability of cybersecurity monitoring. Its central idea is a shift away from the assumption that collecting logs is sufficient and toward evaluating whether those logs are actually capable of supporting real-world attack detection.

This is particularly pressing for Russia’s cybersecurity market as cyberattacks increase, regulation becomes more demanding, and organizations continue migrating to domestic platforms. The methodology will most likely advance through pilot projects at universities and joint testing initiatives involving Russian SOCs and vendors. Over time, it could be integrated into SIEM auditing tools and event-quality assessment systems, potentially becoming part of more intelligent platforms that incorporate automation, recommendations, and AI-driven capabilities.

Companies and vendors continue to improve security systems and raise the quality of attack detection and response. Yet the effectiveness of information security teams is not growing as quickly as the effectiveness of attackers. Practice has shown that the productivity of monitoring and response teams can be increased by an average of 30 to 50 times, allowing employee time to be redirected toward more strategic and creative tasks. This is especially important given the ongoing talent shortage in cybersecurity.