Security Vision
The development of information technology, accelerated by pandemic effects and geopolitical changes, has led to an increase in the number of cyber attacks not only in Russia, but also around the world. This increase and the increase in the average amount of damage have led to increased public attention to the issue of information protection.
With the change in attack methods and approaches to protection, the problem of shortage of personnel in the field of information security has become particularly acute. It is estimated that about 3.5 million vacancies for cybersecurity specialists are still open in the world, and over the past 10 years the total number of offers for cyber experts has almost quadrupled.
This review focuses on the application of incident management technologies and the orchestration of various information security tools (SPI) in the form of a Security Orchestration, Automation and Response (SOAR) product. The Security Vision product line has both a separate SOAR module and a set of modules (NG SOAR) that additionally includes SIEM, EDR and two-way integration with regulators' cyber incident response centers.
The solution makes the incident management process transparent for companies of any scale, automates response actions and integrates SPI into a single ecosystem: the connector constructor built into the platform lets you integrate any data source or response tool in no-code mode. A Cyberattack Monitoring and Response Center (SOC) is an integration of three key components: technology, organized processes, and specialists:
- The technological component includes a variety of solutions aimed at protecting corporate infrastructure from cyber threats, with SOAR and its connected data sources serving as the central element of the SOC. The most common source is a SIEM-class solution, which collects, normalizes and stores information security event data from various systems, but data can also be sent point-by-point from individual information security systems. In that case a dedicated correlation engine in the NG SOAR module can collect and analyze such "raw" events and search for incidents in them;
- The processes organize incident analysis, classification, and data enrichment from external sources, policy settings for automatic response, and other actions related to incident preparation and lessons learned analysis;
- Specialists are an indispensable part of an effective system, so visualization of analytics and faster processing of large volumes of data by specialists form the third aspect of Security Vision solutions. For example, the graph of connections between incident objects is not just a picture but an interactive tool for responding and studying materials, and built-in ML models and expert recommendations help build step-by-step action strategies.
"Many Russian vendors have been working for years, their products have reached a high level of maturity, are already superior in functionality to their imported counterparts and are successfully used both in financial institutions and by major information security players (for example, in commercial SOC centers) - such products (SOAR/SGRC/TIP) are being developed by Security Vision with modules (products) on the design platform".
Alexander Babkin,
Vice President — Head of Information Security Monitoring Department, Gazprombank
Incident monitoring
The solution is based on the unique technology of dynamic playbooks (response scenarios that automatically adjust to the environment and automatically trigger each other depending on a change in the context of the incident). This concept allows you to take into account the specifics of each incident and the available actions to contain and neutralize incidents: the system analyzes the event and its attributes (attack techniques used, objects involved, and available SPI) and automatically generates the appropriate playbook using built-in atomic response scenarios. Through a retrospective analysis of incident-related data, SOAR identifies the attack chain and develops an optimal response plan based on the information received.
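The paragraph above describes the idea in one sentence; the following Python block is an added illustration (not Security Vision's playbook engine) of how atomic response steps can be selected from an incident's attributes and ordered by the NIST handling phases. The step catalogue, the technique-to-step mapping, the tool classes and the sample incident are all constructed.

```python
"""Toy dynamic-playbook assembly: atomic response steps are selected from the
incident's attributes (ATT&CK technique IDs, involved objects, connected tools)
and ordered by NIST incident-handling phase.
Added illustration only; this is not Security Vision's playbook engine, and the
step catalogue, technique mapping and sample incident are all constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

PHASE_ORDER = ["Preparation", "Detection", "Analysis", "Containment",
               "Eradication", "Recovery", "Post-Incident"]


@dataclass(frozen=True)
class AtomicStep:
    name: str
    phase: str                    # NIST phase the step belongs to
    needs_tool: str               # tool class (SPI) that must be connected
    needs_object: str             # incident object type the step acts on
    techniques: FrozenSet[str]    # ATT&CK IDs the step applies to; empty = any


# Constructed catalogue of atomic scenarios (assumption: a real one is much larger).
CATALOGUE: List[AtomicStep] = [
    AtomicStep("collect_triage_image", "Analysis", "EDR", "host", frozenset()),
    AtomicStep("isolate_host", "Containment", "EDR", "host", frozenset({"T1059", "T1486"})),
    AtomicStep("block_hash", "Containment", "EDR", "file", frozenset({"T1204", "T1486"})),
    AtomicStep("block_ip_on_fw", "Containment", "NGFW", "ip", frozenset()),
    AtomicStep("disable_account", "Containment", "IdP", "account", frozenset({"T1078"})),
    AtomicStep("reset_password", "Eradication", "IdP", "account", frozenset({"T1078"})),
    AtomicStep("restore_from_backup", "Recovery", "Backup", "host", frozenset({"T1486"})),
]


def build_playbook(techniques: Iterable[str],
                   objects: Iterable[Tuple[str, str]],
                   available_tools: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (phase, step, object) triples for this incident, in NIST phase order.

    A step is chosen only when its tool is connected, its technique filter (if any)
    overlaps the incident's techniques, and the incident contains an object of the
    type the step acts on. Steps whose tool is missing are skipped, which is the
    case the analyst must notice: no containment step means a gap, not a clean result.
    """
    techs = set(techniques)
    tools = set(available_tools)
    objs = list(objects)
    chosen = []
    for step in CATALOGUE:
        if step.needs_tool not in tools:
            continue
        if step.techniques and not (step.techniques & techs):
            continue
        for obj_type, obj_value in objs:
            if obj_type == step.needs_object:
                chosen.append((step.phase, step.name, obj_value))
    # stable sort: catalogue order is kept within a phase
    chosen.sort(key=lambda s: PHASE_ORDER.index(s[0]))
    return chosen


def missing_tools(techniques: Iterable[str], available_tools: Iterable[str]) -> List[str]:
    """Tool classes that relevant steps need but which are not connected."""
    techs, tools = set(techniques), set(available_tools)
    needed = {s.needs_tool for s in CATALOGUE
              if not s.techniques or (s.techniques & techs)}
    return sorted(needed - tools)


if __name__ == "__main__":
    # Constructed incident: script execution plus encryption on one host; EDR and NGFW connected
    techs = ["T1059", "T1486"]
    objs = [("host", "srv-01"), ("file", "sha256:constructed"), ("ip", "203.0.113.5")]
    for phase, step, obj in build_playbook(techs, objs, ["EDR", "NGFW"]):
        print(f"{phase:12} {step:22} -> {obj}")
    print("not connected:", missing_tools(techs, ["EDR", "NGFW"]))
```

The `missing_tools` check is the part worth copying: a generated playbook that silently drops a recovery step because no backup system is connected looks complete on screen, so the gap should be surfaced next to the plan.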
"Based on the results of the analysis, we chose the Russian Security Vision SOAR product, carried out the necessary preparation and implementation of the product. ...Automation using Security Vision SOAR significantly reduces the labor costs of preparing and sending notifications to the NCCC, which facilitates the work of specialists. In addition, it is possible to automate the processes of inventory of information resources, vulnerability analysis, configuration and update management, internal and external audits, as well as direct analysis of information security events and identification of computer incidents at significant CII facilities".
Andrey Nuikin,
Head of the Information Systems Security Department of the Vice President's IT Unit, Evraz
SOAR technology can be complemented by integrations with regulators' response centers (for example, GosSOPKA NCC and FinCERT CB) and with solutions for automating IT asset management (AM, CMDB), vulnerability management (VS, VM) and hardening (SPC). Working together, they achieve synergy and the widest possible coverage. During an incident investigation, the SOC analyst may work simultaneously with various security tools such as antiviruses, NGFW, sandboxes and others, in order to study the rules, policies, configurations and other information needed to understand the circumstances of the incident in detail. The analyst also turns to various services: analytical platforms, suspicious-file analysis tools (Sandbox), proactive search solutions (Threat Hunting), more comprehensive cyber threat information management (TIP), and threat and knowledge databases.
Operating scheme and data flows
The incident management module includes asset and inventory management functionality, which allows you to build a resource-service model of the data and focus on critical business processes and facilities, individual premises, and entire information systems.

Resource and service model
The Security Vision NG SOAR process goes through all phases of incident handling and solves the tasks of a full-cycle focused response to information security threats:
Incident Handling Phases (NIST)
1. Preparation
2. Detection
3. Analysis
4. Containment
5. Eradication
6. Recovery
7. Post-Incident
Each stage of incident handling is fully automated and implemented using a modern object-oriented approach.
The system automatically visualizes the route of the incident's spread through the infrastructure, displaying the time of compromise of network nodes and the artifacts used by the attacker.

Chain of attack and chronology of events
"To solve the problem of automating the response to cyber incidents, we chose the Security Vision SOAR solution. The vendor offers extensive integration capabilities with various IT solutions used by us, maximally adaptive response scenarios, support for the low-code/no-code approach when setting up integrations and response actions, the use of machine learning and neural network methods to identify anomalies in the infrastructure, as well as the formation of a variety of reports and various options for visualizing attacks and the relationships of the entities affected by the incident".

Roman Morozov,
Head of Information Security, Capital Group
Using data on network segments and the routing tables of network devices, together with data on compromised nodes and their characteristics, an ML model displays on a network map where the incident could potentially spread.
"By and large, any scenario can be implemented based on Security Vision"

Vyacheslav Kasimov,
Director of the Information Security Department of the Moscow Credit Bank

The reachability graph
The connection graph is an analytics and response tool from which you can run processes and various actions to manage the company's security tools and devices. It is accompanied by recommendations from Security Vision experts and by chat capabilities, both within the company and with external ML models connected.
Graph of links and recommendations
In addition to an expandable knowledge base and recommendations with the expertise of analysts, the module includes a heat map of MITRE ATT&CK techniques and tactics and the FSTEC threat database. Now, in incidents and correlation rules, you can use this data on threats and implementation methods, and for boxed rules in NG SOAR, the corresponding implementation methods from the FSTEC database are already configured.
Heat map for FSTEC and MITRE databases
"We have relaunched our IRP platform based on Security Vision, which allows us to significantly speed up incident response".

Pavel Goncharov,
Deputy Director of Development at Solar JSOC
The product includes a set of ML assistants:
· False Positive Scoring – identifies false-positive incidents. Built into the solution, it learns which verdicts analysts assign to incidents when closing them; when a new incident arrives, it reports how similar (as a percentage) its attributes are to incidents previously closed with a False Positive verdict.
· Similar incidents – the model analyzes the incident's context and finds and shows similar cases. The analyst can see similar incidents that are currently in progress as well as how similar situations were handled in the past.
· Recommendations from the history of actions – the model tells the analyst what actions were performed at each phase during the investigation of similar incidents in the past. A new SOC employee adapts faster, even without ready-made instructions, thanks to access to accumulated data on how incidents are handled.
· Documentation help – you can now ask the model a question about the product and get an answer in the chat.
· Knowledge base recommendations – in addition to documentation, the analyst can receive a chat recommendation on what actions should be performed for a specific response phase. A model trained on best practices in responding to cyber incidents gives a concise answer that takes the entire context of the incident into account.
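The first two assistants above (False Positive Scoring and Similar incidents) both rest on comparing a new incident's attributes with those of past incidents. The Python block below is an added illustration of that idea, not Security Vision's models: it flattens attributes into tokens and uses Jaccard similarity, which is an assumption about the metric; the closed-incident history and the new incident are constructed.

```python
"""Toy 'False Positive Scoring' and 'Similar incidents' assistants: a new incident
is compared with closed incidents by Jaccard similarity of its attribute set.
Added illustration only; not Security Vision's models. The closed-incident history
and the new incident are constructed samples."""
from typing import Dict, List, Set, Tuple

Incident = Dict[str, object]


def attribute_tokens(inc: Incident) -> Set[str]:
    """Flatten key/value attributes into comparable 'key=value' tokens."""
    return {f"{k}={v}" for k, v in inc["attrs"].items()}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """|a ∩ b| / |a ∪ b|; 0.0 for two empty sets instead of a division error."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def false_positive_score(new_inc: Incident, history: List[Incident]) -> float:
    """Percentage similarity to the closest incident previously closed as False Positive.

    Returns 0.0 when there is no FP history. The score inherits past verdicts:
    if analysts closed real attacks as FP, the assistant learns to repeat that.
    """
    new_tokens = attribute_tokens(new_inc)
    fp = [attribute_tokens(h) for h in history if h["verdict"] == "False Positive"]
    if not fp:
        return 0.0
    return round(100 * max(jaccard(new_tokens, t) for t in fp), 1)


def similar_incidents(new_inc: Incident, history: List[Incident],
                      threshold: float = 0.5, k: int = 3) -> List[Tuple[str, float, str]]:
    """(id, similarity, status) of the k most similar incidents at or above threshold,
    including ones still in progress, most similar first."""
    new_tokens = attribute_tokens(new_inc)
    scored = [(h["id"], jaccard(new_tokens, attribute_tokens(h)), h["status"])
              for h in history]
    ranked = sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])
    return ranked[:k]


# Constructed history: one FP brute-force alert, one real malware case, one open case
HISTORY: List[Incident] = [
    {"id": "INC-1", "status": "closed", "verdict": "False Positive",
     "attrs": {"rule": "brute_force", "src_zone": "internal",
               "user_type": "service", "dst": "ldap"}},
    {"id": "INC-2", "status": "closed", "verdict": "True Positive",
     "attrs": {"rule": "malware_exec", "src_zone": "external",
               "user_type": "employee", "dst": "wks"}},
    {"id": "INC-3", "status": "in progress", "verdict": None,
     "attrs": {"rule": "brute_force", "src_zone": "internal",
               "user_type": "service", "dst": "vpn"}},
]

# Constructed new incident: same service-account brute-force pattern, off-hours
NEW_INCIDENT: Incident = {
    "id": "INC-4", "status": "new", "verdict": None,
    "attrs": {"rule": "brute_force", "src_zone": "internal",
              "user_type": "service", "dst": "ldap", "hour": "03"}}

if __name__ == "__main__":
    print("FP score:", false_positive_score(NEW_INCIDENT, HISTORY))
    for inc_id, sim, status in similar_incidents(NEW_INCIDENT, HISTORY):
        print(f"{inc_id} {sim:.2f} ({status})")
```

Note the docstring on `false_positive_score`: a similarity-to-past-verdicts model is a convenience for triage, and any mistaken "False Positive" closure becomes training signal, so the verdicts that feed it deserve periodic review.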

All ML assistants are marked with the appropriate ML tag
"The Security Vision SOAR solution, implemented as a result of competitive procedures, is not only 100% Russian-made, but also has advanced functionality at the level of the best imported analogues: visual interactive tools for incident and entity management, a low-code or no-code approach when developing integrations and playbooks, using machine learning methods and neural networks for detecting anomalies in the infrastructure".

Stanislav Loginov,
Director of the Department of Informatization of the Tyumen region
With the help of the built-in notes, the analyst can conveniently record the progress of the investigation directly in the system using text formatting, adding files and screenshots. You no longer need to search for information in chat rooms or local files – all the interim results of the investigation are always at hand.
For quick access to global expertise, the product maps incidents to Threat Intelligence bulletins: the system automatically links an incident to public TI reports when their attributes match. This gives the analyst:
· Quick access to information about similar attacks;
· Data on the tactics of intruders (TTPs);
· Current IOC/IOA;
· Response recommendations from bulletin providers.
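As an added illustration of the attribute matching just described (not Security Vision's matcher), the Python block below links an incident's observables and ATT&CK techniques to bulletins. The bulletins, IOCs and incident are constructed (IP addresses are from the documentation ranges), and the rule that a TTP-only overlap counts only when at least two techniques are shared is an assumption made here to keep common techniques from matching everything.

```python
"""Toy incident-to-TI-bulletin mapping: an incident's observables (IOCs) and
ATT&CK techniques are matched against public bulletins. Added illustration only;
not Security Vision's matcher. Bulletins, IOCs and the incident are constructed
(IP addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24)."""
from typing import Dict, List, Set

Bulletin = Dict[str, object]

# Constructed bulletins
BULLETINS: List[Bulletin] = [
    {"id": "BUL-A", "iocs": {"203.0.113.7", "sha256:constructed-aa"},
     "ttps": {"T1566", "T1059"},
     "recommendation": "block the listed C2 addresses; review mail gateway rules"},
    {"id": "BUL-B", "iocs": {"198.51.100.9"}, "ttps": {"T1059"},
     "recommendation": "hunt for script interpreters spawned by office applications"},
    {"id": "BUL-C", "iocs": set(), "ttps": {"T1566", "T1059", "T1105"},
     "recommendation": "restrict outbound tool transfer; monitor unexpected downloads"},
]


def match_bulletins(incident_iocs: Set[str], incident_ttps: Set[str],
                    bulletins: List[Bulletin] = BULLETINS) -> List[Dict[str, object]]:
    """Return matching bulletins, strongest first.

    An IOC overlap is a 'strong' match. Overlap on TTPs alone is 'weak' and needs
    at least two shared techniques: broad techniques such as T1059 (command and
    scripting interpreter) appear in most reports, so a single shared TTP is not
    treated as a link at all.
    """
    results = []
    for b in bulletins:
        iocs = incident_iocs & b["iocs"]
        ttps = incident_ttps & b["ttps"]
        if iocs:
            strength = "strong"
        elif len(ttps) >= 2:
            strength = "weak"
        else:
            continue
        results.append({"id": b["id"], "strength": strength,
                        "matched_iocs": sorted(iocs), "matched_ttps": sorted(ttps),
                        "recommendation": b["recommendation"]})
    results.sort(key=lambda r: (-len(r["matched_iocs"]), -len(r["matched_ttps"])))
    return results


if __name__ == "__main__":
    # Constructed incident: one known C2 address, one unknown file hash, two techniques
    for m in match_bulletins({"203.0.113.7", "sha256:constructed-zz"}, {"T1059", "T1105"}):
        print(m["id"], m["strength"], m["matched_iocs"], m["matched_ttps"])
        print("   ->", m["recommendation"])
```

Showing the strength next to each link matters in practice: a weak TTP-only match is a pointer to related reading, while a strong IOC match justifies pulling the bulletin's recommendations straight into the response plan.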

The product, or set of modules, solves the complex problem of incident management with a focus on business objects, knowledge bases, dynamic playbook technology, object-oriented response and the application of ML. The solution is built on a single platform, allowing users to adapt their work down to the smallest detail:
- manage logic and policies (matrices and decision trees);
- customize the appearance and access (role model, menu designer, and multitenancy);
- automate maximum actions (workflow designer);
- create custom integrations (connector constructor);
- modify existing data representations and develop new ones in the form of cards and tables (object constructor), static documents, for example, scheduled to be uploaded (report constructor), and interactive widgets and dashboards (analytics constructor).
This approach accelerates adaptation to any changes, allows you to build a sustainable ecosystem around SOAR with the ability to quickly replace components and close each stage of incident management with minimal human involvement.
"We turned to vendors who develop SOAR-class products. And in this regard, Security Vision, which is engaged in the development of these products, has helped us a lot. We are still cooperating and have already gone beyond the usual SOAR solution".

Dmitry Baldin,
Deputy Director of the IT and Digital Development Department of RusHydro