
The Service for Supporting the Activities of the Financial Ombudsman (ANO “SODFU”), established by the Central Bank of Russia in 2018, has deployed Positive Technologies’ MaxPatrol SIEM solution for continuous cybersecurity monitoring of its infrastructure. The implementation covers 1,800 assets including workstations, servers, network devices, DLP systems, and antivirus solutions, processing 1,800 security events per second with 1,300 correlation rules and 9,000 normalization rules [1].
Technical Implementation Details
The MaxPatrol SIEM deployment serves as a centralized event collection point for SODFU’s security operations. The system’s flexibility allowed integration with assets outside the traditional security perimeter using non-standard connection schemes, as noted by Denis Saveliev from SODFU [2]. The Behavioral Anomaly Detection (BAD) machine learning module provides advanced analysis of suspicious activities across the network. Integration with MaxPatrol VM (Vulnerability Management) creates a comprehensive security monitoring solution that meets Russian regulatory requirements including GOST R 57580.1-2017 and domestic software mandates (Presidential Decrees No. 166 and 250) [3].
Vulnerability Management Integration
The companion MaxPatrol VM solution provides vulnerability assessment capabilities, identifying trending vulnerabilities with data updates every 12 hours. The system performs asset inventory, software control, and open port monitoring. Future plans include implementing the Host Compliance Control (HCC) module for OS configuration verification [4]. According to Denis Matyukhin from Positive Technologies, the solution’s vulnerability prioritization features significantly reduce response times to critical security issues.
| Component | Specification |
|---|---|
| Assets Monitored | 1,800 (workstations, servers, network devices) |
| Event Processing Rate | 1,800 events/second |
| Correlation Rules | 1,300 |
| Normalization Rules | 9,000 |
Russian SIEM Market Context
The deployment reflects broader trends in the Russian cybersecurity market toward import substitution, with domestic SIEM solutions like MaxPatrol, RuSIEM, and KOMRAD gaining prominence. These systems increasingly incorporate machine learning capabilities and integration with government monitoring systems like GosSOPKA [5]. MaxPatrol SIEM distinguishes itself through its asset-oriented approach and tight integration with Positive Technologies’ threat intelligence database.
“MaxPatrol SIEM serves as a single point for event collection. The system’s flexibility enabled us to connect assets outside the standard perimeter through non-standard schemes,” noted Denis Saveliev from SODFU [6].
Security Operations Relevance
The implementation demonstrates several operational security considerations for large financial institutions. The high event processing capacity (1,800 events/second) requires careful tuning of correlation rules to avoid alert fatigue. The integration between SIEM and VM solutions provides a model for combining threat detection with vulnerability management. The use of machine learning for anomaly detection (BAD module) shows the growing role of AI in security monitoring, particularly for identifying novel attack patterns that might evade signature-based detection.
For security teams considering similar deployments, key lessons from this implementation include:
- The importance of flexible architecture for monitoring non-traditional assets
- The value of integrating vulnerability data with event monitoring
- The need for extensive rule tuning (1,300 correlation rules)
- The benefits of machine learning for detecting anomalous behavior
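To make the last three lessons concrete, here is an added toy example (my own code, not MaxPatrol’s correlation engine or SODFU’s rules): a single windowed correlation rule with per-host alert deduplication against fatigue, whose alerts are enriched with a vulnerability-management snapshot and flagged when that snapshot is older than the 12-hour update cycle the page mentions. Event and VM record shapes, host names and the VULN-PLACEHOLDER ids are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed VM inventory snapshot (hypothetical shape, not the MaxPatrol VM export format).
VM_SNAPSHOT_TIME = datetime(2025, 4, 28, 6, 0)
VM_DATA = {
    "srv-web-01": [{"id": "VULN-PLACEHOLDER-1", "severity": "critical", "trending": True}],
    "ws-0042": [{"id": "VULN-PLACEHOLDER-2", "severity": "medium", "trending": False}],
}

def _ev(minute, host, kind):
    return {"ts": datetime(2025, 4, 28, 9, minute), "host": host, "type": kind}

# Constructed, already-normalized events: a tight burst on srv-web-01, a slow drip on ws-0042.
EVENTS = [_ev(0, "srv-web-01", "logon_failure"), _ev(1, "srv-web-01", "logon_failure"),
          _ev(2, "srv-web-01", "logon_failure"), _ev(3, "srv-web-01", "logon_failure"),
          _ev(0, "ws-0042", "logon_failure"), _ev(20, "ws-0042", "logon_failure"),
          _ev(40, "ws-0042", "logon_failure")]

def priority_for(host, vm_data, now, vm_time=VM_SNAPSHOT_TIME, max_age=timedelta(hours=12)):
    """Raise priority when VM knows a trending or critical vulnerability on the host; flag the
    enrichment as stale when the VM snapshot is older than the 12-hour update cycle."""
    vulns = vm_data.get(host, [])
    level = "high" if any(v["trending"] or v["severity"] == "critical" for v in vulns) else "medium"
    return level, (now - vm_time) > max_age

def correlate(events, vm_data, threshold=3, window=timedelta(minutes=10)):
    """Toy rule: `threshold` logon failures on one host inside `window` raise one alert, and a
    host gets at most one alert per window so a noisy source cannot flood the analyst queue."""
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    last_alert = {}               # host -> time of the last alert (dedup state)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "logon_failure":
            continue
        q = recent[e["host"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) < threshold:
            continue
        if e["host"] in last_alert and e["ts"] - last_alert[e["host"]] <= window:
            continue                           # already alerted on this host in this window
        level, stale = priority_for(e["host"], vm_data, e["ts"])
        last_alert[e["host"]] = e["ts"]
        alerts.append({"host": e["host"], "ts": e["ts"], "priority": level, "vm_stale": stale})
    return alerts
```

Running `correlate(EVENTS, VM_DATA)` yields one high-priority alert for srv-web-01 (four failures collapse into a single alert) and nothing for ws-0042, whose three failures never fall inside one window.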
Conclusion
SODFU’s deployment of MaxPatrol SIEM represents a significant case study in large-scale security monitoring for financial sector organizations in Russia. The implementation addresses both technical security requirements and regulatory compliance needs, while demonstrating the capabilities of domestic cybersecurity solutions. The integration between SIEM and VM components provides a comprehensive approach to threat detection and vulnerability management that could serve as a model for similar organizations.
References
1. “The Service for Supporting the Activities of the Financial Ombudsman uses MaxPatrol SIEM for continuous cybersecurity monitoring,” Positive Technologies. [Online]. Available: https://www.ptsecurity.com/ru-ru/about/news/sluzhba-obespecheniya-deyatelnosti-finansovogo-upolnomochennogo-ispolzuet-maxpatrol-siem-dlya-nepreryvnogo-monitoringa-kiberbezopasnosti
2. “The Service for Supporting the Activities of the Financial Ombudsman deploys MaxPatrol SIEM and VM,” CNews, 28 Apr. 2025. [Online]. Available: https://safe.cnews.ru/news/line/2025-04-28_sluzhba_obespecheniya_deyatelnosti
3. “The Service for Supporting the Activities of the Financial Ombudsman uses MaxPatrol SIEM,” CISOCLUB. [Online]. Available: https://cisoclub.ru/sluzhba-obespechenija-dejatelnosti-finansovogo-upolnomochennogo-ispolzuet-maxpatrol-siem-dlja-nepreryvnogo-monitoringa-kiberbezopasnosti/
4. “The Service for Supporting the Activities of the Financial Ombudsman has built a full vulnerability management cycle with MaxPatrol VM,” Positive Technologies. [Online]. Available: https://www.ptsecurity.com/about/news/sluzhba-obespecheniya-deyatelnosti-finansovogo-upolnomochennogo-vystroila-polnyj-cikl-upravleniya-uyazvimostyami-s-pomoshchyu-maxpatrol-vm
5. “Overview of the Russian SIEM market,” Anti-Malware Review. [Online]. Available: https://www.anti-malware.ru/analytics/Market_Analysis/overview-global-and-russian-market-siem
6. “MaxPatrol SIEM,” TAdviser. [Online]. Available: https://www.tadviser.ru/index.php/Продукт:MaxPatrol_SIEM