Security Vision
The Threat Intelligence Platform (TIP) product based on the Security Vision 5 platform is designed to search for signs of attacks based on behavioral indicators and create, in the long term, an enterprise information security strategy taking into account current threats and risks.
On one side, the solution sits inside the company's perimeter and collects "raw" events for analytics; on the other, it performs cyber threat intelligence using commercial and open-source feeds of indicators of compromise (IoCs), indicators of attack (IoAs) and strategic attributes. The Threat Hunting analysis and the actual elimination of incidents and their consequences are then automated.
Let's analyze each component in more detail.
1.1 Perimeter data collection
Internal sources (the results of incident handling and the output of the corporate security tools, SPI) provide operational and consistent data on the fly. Most often these sources are sandboxes and deception platforms, proxy and mail servers, directory services and web applications. Ready-made connectors exist for other systems: for example, most deployments also integrate with the SPI used in the SOC (SIEM, SOAR, NGFW, EDR/XDR, etc.) and with analytical services on the network.
Agent-based data collection from servers and collectors and agentless integration with any external system are supported. Security Vision TIP supports universal formats (CEF, LEEF, EMBLEM, ELFF, Syslog, Event Log) and other data "transports" (STIX, JSON, XML, CSV, REST API, SQL, MISP, Kafka), and also includes a special constructor for configuring new integrations in low-code mode:
- HTTP (API requests get, post, put, patch, delete) and DNS;
- databases (SQL queries in the database: MS SQL, MySQL, Postgres and Oracle);
- files (read/write operations with machine-readable files);
- corporate mail (IMAP, POP3, SMTP, Exchange);
- directory services (LDAP, Active Directory);
- remote script execution (WMI, PowerShell, SSH, SshShell);
- local script execution (on the Security Vision server): executable commands, shell scripts (Bash, Unix shell), Windows cmd command-line commands and batch (.bat) files, and interpreted languages such as Python, Java and JavaScript.
After the sources are connected, the data is automatically cross-validated and deduplicated (cleaned) while keeping its context (not just a list of IoCs, but the relationships between the indicator, the cyber group, the malware (VPO) and the attack vector), and indicators are classified by type, with a "lifetime" (TTL) set for each type. This keeps the system's database compact and limited to current threats: by default, for example, the lifetime of hash-type indicators is unlimited, while fast-changing indicators such as IP and email addresses carry a shorter TTL and are refreshed more often, because they become obsolete quickly.
All cleaned data, together with its life cycle, is sent to a common database that is used for analytics and threat search.
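The indicator life cycle described above (type classification, per-type TTL, deduplication across feeds) can be illustrated with a small store. This is an added example and not Security Vision code; the type regexes, the TTL table and the two feeds are constructed assumptions for the illustration.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed per-type lifetimes: hashes never expire (None), network and
# mail indicators age out quickly. A real TIP makes these configurable.
DEFAULT_TTL = {
    "sha256": None, "md5": None,
    "ipv4": timedelta(days=30), "domain": timedelta(days=90),
    "url": timedelta(days=60), "email": timedelta(days=30),
}


@dataclass
class Indicator:
    value: str
    ioc_type: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)
    ttl: Optional[timedelta] = None

    def expires_at(self) -> Optional[datetime]:
        # TTL counts from the last sighting, so re-sightings extend the life.
        return None if self.ttl is None else self.last_seen + self.ttl

    def is_active(self, now: datetime) -> bool:
        exp = self.expires_at()
        return exp is None or now < exp


def classify(raw: str) -> Optional[tuple[str, str]]:
    """Return (type, normalized value) for a raw feed entry, or None if unrecognised."""
    v = raw.strip().lower().rstrip(".")
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return ("sha256", v)
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return ("md5", v)
    try:
        return ("ipv4", str(ipaddress.IPv4Address(v)))
    except ValueError:
        pass
    if re.match(r"https?://", v):
        p = urlsplit(raw.strip())  # lowercase only scheme and host; the path is case-sensitive
        return ("url", urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, "")))
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", v):
        return ("email", v)
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v):
        return ("domain", v)
    return None


class IndicatorStore:
    def __init__(self, ttl_by_type=DEFAULT_TTL):
        self.ttl_by_type = ttl_by_type
        self.items: dict[tuple[str, str], Indicator] = {}
        self.rejected: list[str] = []

    def ingest(self, raw: str, source: str, seen_at: datetime) -> Optional[Indicator]:
        c = classify(raw)
        if c is None:
            self.rejected.append(raw)
            return None
        key = c
        ind = self.items.get(key)
        if ind is None:
            ind = Indicator(key[1], key[0], seen_at, seen_at, ttl=self.ttl_by_type.get(key[0]))
            self.items[key] = ind
        else:
            # Duplicate: keep a single card, refresh last_seen, remember the extra source.
            ind.last_seen = max(ind.last_seen, seen_at)
        ind.sources.add(source)
        return ind

    def active(self, now: datetime) -> list[Indicator]:
        return [i for i in self.items.values() if i.is_active(now)]

    def purge_expired(self, now: datetime) -> int:
        expired = [k for k, i in self.items.items() if not i.is_active(now)]
        for k in expired:
            del self.items[k]
        return len(expired)


DAY0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # constructed sample hash value

# Constructed feeds with overlapping entries differing only in case/whitespace.
FEED_A = [("198.51.100.7", DAY0), ("Evil.Example", DAY0), ("http://Evil.Example/Drop", DAY0),
          ("d41d8cd98f00b204e9800998ecf8427e", DAY0), ("not an indicator!!", DAY0)]
FEED_B = [(" 198.51.100.7 ", DAY0 + timedelta(days=10)), ("evil.example.", DAY0 + timedelta(days=10)),
          ("phish@evil.example", DAY0 + timedelta(days=10)), (EMPTY_SHA256, DAY0 + timedelta(days=10))]


def build_sample_store() -> IndicatorStore:
    store = IndicatorStore()
    for raw, seen in FEED_A:
        store.ingest(raw, "feed_a", seen)
    for raw, seen in FEED_B:
        store.ingest(raw, "feed_b", seen)
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for ind in s.items.values():
        print(ind.ioc_type, ind.value, sorted(ind.sources), ind.expires_at())
    print("active at day 45:", len(s.active(DAY0 + timedelta(days=45))))
```

Because the TTL is counted from the last sighting, the IP address seen in both feeds lives until day 40 rather than day 30; the URL keeps its path case; and the malformed line is kept in `rejected` for review instead of polluting the database.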
1.2 Cyber Intelligence
The process of collecting, processing and analyzing information about current and potential cyber threats for decision-making in the field of information security is traditionally divided into four levels:
1) At the technical level, static objects are used that indicate an attack that has already occurred (IOCs), including signature objects.
Examples of indicators of compromise include hashes of malicious files, process names, registry keys, names of mutexes and named pipes, IP addresses and DNS names of malicious resources, URLs, and fingerprints of malicious server certificates (JA3, JA3S, JARM). In some cases, IoCs are divided into categories and criticality levels (for example, low-risk access to an advertising site and the launch of a confirmed malicious file can be handled in the SOC with different priorities and different response scenarios).
Indicators of compromise (like other perimeter data) are cleaned, deduplicated and assessed for severity and trust (scoring). In addition to the "lifetime", a relevance value is set, which governs whether an indicator takes part in detections and reduces false positives.
2) At the tactical level, attack indicators (IoAs) are used: dynamic objects that indicate a cyberattack taking place right now, possibly at its earliest stages and even before any negative consequences.
Attack indicators describe the Tactics, Techniques and Procedures (TTPs) of the attackers (the sequence of actions and the tools used), pointing to a likely attack that can still be prevented. This makes it possible to predict the attackers' next steps in the infrastructure and stop their further progress. Attack indicators are harder to describe and may be less structured than indicators of compromise, but it is far harder for attackers to change their characteristic handwriting and tooling.
In addition, at the tactical level, sector-specific cyber intelligence data is processed in industry SOCs (for example, fraud indicators or signs of transactions carried out without the customer's consent in financial institutions). These can be tax IDs (INN) of shell companies, customer actions that are signs of fraud (for example, suspicious ATM transactions) and phone numbers of money mules ("drops").
3) At the operational level, attributes related to current vulnerabilities and their exploits, malicious cyber campaigns and malware (VPO) families, and information about the motivation and goals of cybercriminal groups and clusters are processed.
At this level, analytics on exploits and vulnerabilities is processed, as well as data on the links between vulnerabilities used in attacks, the exploits used, malware and hacker tools, cyber groups and attacked industries. For example, based on monitoring of darknet forums, a TI data provider revealed that a cyber group actively attacking Russian companies had begun using an exploit for a recently published vulnerability that was relevant to the company's infrastructure; this means that fixing this vulnerability should be an urgent priority, and the SIEM system needs to take on in-depth monitoring of all potentially vulnerable devices.
4) At the strategic level, data on cyber threat trends, the goals and motivations of hacktivists and cyber mercenaries, the activity of cybercrime clusters, and information on state conflicts in cyberspace are used.
Information at this level determines the cyber risk management strategy, information security budgeting and the development of the internal SOC's functionality, and also serves as input for possible adjustments to the company's business development strategy based on the results of cyber threat analysis. It is at this level that cyber intelligence can show its value to the business: if the SOC team provided the company's management with effective analytical conclusions, on the basis of which information security received an expanded budget or new powers, and business processes were adjusted to minimize cyber risks, then the chosen Threat Intelligence strategy can be called a success.

For the cyber intelligence process, Security Vision TIP offers ready-made integrations with commercial and open sources of TI data (BI.Zone, Kaspersky, Solar, Garda, CyberThreatTech, F6, Vault, Tracker, DigitalSide, Shodan, MISP, URLhaus, VirusTotal) and 100+ connectors with the ability to develop new ones in the platform constructor.
In addition to third-party suppliers, the module includes:
- a built-in Security Vision feed package with daily updates of more than 50,000 IoCs, maintained by its own analytics center and including data from FSTEC, NCC and FinCERT;
- the ability to combine feeds from any suppliers without "linking" connector licenses to vendors or specific versions;
- a database of integrations on the marketplace.
1.3 Analysis
After internal events and feeds have been collected, external sources are connected: publicly available information flows, OSINT resources (for example, data from domain registrars, IANA and ICANN databases, public registries), data from government CERTs (for example, from NCCI and FinCERT), external analytical services (VirusTotal, Shodan, LOLBAS, KasperskyOpenTIP, IPGeolocation.io, etc.) and other data provided by information security companies and communities.
The analysis tools use the built-in (and updatable) MITRE ATT&CK database, as well as AI assistants: external LLMs (ChatGPT, Yandex, Deepseek, etc.) and built-in ML models for analyzing unstructured data (for example, threat bulletins).
Enrichment is started automatically for detections (or manually, if necessary, to test a hypothesis for a threat that has not been detected in the perimeter), and the detections themselves appear as a result of the work of several engines:
- checking the complete archive of indicators (retro), full-text search capabilities for any card attributes (simple search, filtering with logical conditions and interactive link graphs);
- on-stream check (match) to analyze all newly incoming indicators on large data streams (from 100K EPS);
- deep cyber threat analytics engine (second match), which provides secondary verification and additional correlation with external systems and internal data sources;
- an engine for detecting algorithmically generated domains (DGA) and phishing indicators.
Together, they produce contextually enriched events, reducing the number of false positives, improving the quality of triage and increasing the effectiveness of incident response.
Exchange (export) of TI data with the information security community and partner organizations is also supported, taking into account TLP sharing labels, tagging and indicator management (for example, deletion, manual TTL changes and establishing links).
For strategic decision-making, Security Vision TIP pays a lot of attention to working with threat bulletins. They help identify trends and plan an infrastructure protection strategy by providing operational information for analysts, impact assessments and response recommendations. The product continues to develop automatic integration and receipt of bulletins from individual suppliers and aggregators. ML models allow bulletins to be processed automatically and linked to specific detection indicators, which can be viewed from the incident card or from the investigation graph.
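As an added illustration of the last engine in the list (detection of algorithmically generated domains and phishing lookalikes), the following heuristic scorer is not the product's engine and is not from the original page; the watchlist of protected domains, the homoglyph table, the scoring weights and the sample domains are all constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed watchlist of the organisation's own domains (assumption for this example).
PROTECTED_DOMAINS = ["securityvision.ru", "corp-bank.example"]

# Characters commonly substituted for look-alike letters in phishing domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

DGA_THRESHOLD = 0.6  # illustrative cut-off; tune against your own DNS traffic


def registrable_label(domain: str) -> str:
    """Second-level label ("evil" in "a.b.evil.example"); a real engine would use the public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_homoglyphs(label: str) -> str:
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dga_score(domain: str) -> float:
    """Heuristic 0..1 score: high-entropy, vowel-poor, digit-heavy, long labels look machine-generated."""
    label = registrable_label(domain)
    if not label:
        return 0.0
    score = 0.4 * min(shannon_entropy(label) / 4.0, 1.0)
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.25:
        score += 0.3
    if sum(ch.isdigit() for ch in label) / len(label) > 0.2:
        score += 0.15
    if len(label) >= 12:
        score += 0.15
    return round(score, 2)


def lookalike_of(domain: str):
    """Return the protected domain this one imitates (homoglyph, typo or brand-as-prefix), or None."""
    d = domain.lower().strip(".")
    if d in PROTECTED_DOMAINS:
        return None
    label = normalize_homoglyphs(registrable_label(d))
    for prot in PROTECTED_DOMAINS:
        plabel = registrable_label(prot)
        if len(plabel) < 6:  # short brands produce too many false matches for this heuristic
            continue
        if label == plabel or levenshtein(label, plabel) <= 2 or plabel in label:
            return prot
    return None


def scan(domains):
    """Return findings for domains that look algorithmically generated or imitate a protected brand."""
    findings = []
    for d in domains:
        score, imitated = dga_score(d), lookalike_of(d)
        if score >= DGA_THRESHOLD or imitated:
            findings.append({"domain": d, "dga_score": score,
                             "dga": score >= DGA_THRESHOLD, "lookalike_of": imitated})
    return findings


# Constructed sample of domains as they might appear in proxy or DNS logs.
SAMPLE_DOMAINS = ["securityvision.ru", "xkqzvbnwtrplmd.net", "securityvisi0n.ru",
                  "google.com", "corp-bank-login.example"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS):
        print(finding)
```

Entropy alone misclassifies long legitimate names, which is why the score combines several weak signals and why a production engine would add the public-suffix list, an allowlist of popular domains and, ideally, a trained model; the lookalike check is deliberately limited to brands the organisation actually owns.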

Information security specialists can use IoAs and enriched data for proactive Threat Hunting, in which the SOC works through hypotheses and scenarios of possible attacks, taking into account knowledge of the attackers' TTPs relevant to the protected company.
1.4 Response
The built-in response and interaction with SPI, in particular, launching actions from an incident and an analytical graph of relationships, can be complemented by integration with Security Vision SOAR, which uses dynamic playbook technology with an object-oriented approach (scenarios in this case will be built automatically depending on the types of objects and artifacts in incidents) and building attack chains (grouping incidents by objects and timeline).
Using the Security Vision TIP gives the SOC center the following advantages:
· Demonstrating the value of SOC work to the business by providing strategic-level cyber analytics and the ability to predict changes in the threat landscape in order to assess cyber risks correctly;
· Proactive approach to cyber defense through predictive analysis using knowledge about threats, vulnerabilities, trends, and attack vectors;
· Faster response due to the integration of TI-data with SOC security solutions, rapid detection of intruders, effective counteraction taking into account the context of the attack and detected artifacts, which leads to a reduction in the time of the attackers' covert presence on the network (dwell time);
· Prioritization of relevant vulnerabilities, enriched with data on their exploitation in real cyber attacks;
· Performing Compromise Assessment and Threat Hunting tasks.
The Security Vision platform, which includes the Security Vision TIP module, is included in the database of the Ministry of Communications of the Russian Federation and the registry of Russian software (registry entry No. 364 dated 04/08/2016), certified by the FSTEC of Russia (Certificate of Trust level 4 No. 4964 dated 08/19/2025), the FSB of Russia (Conclusion 8 of the FSB of Russia Center 149/3/6/908 dated 01/10/2024), The Ministry of Defense of the Russian Federation (certificate No. 7564 dated 08/28/2025), as well as the OAC under the President of the Republic of Belarus (certificate No. BY/112 02.02. TR027 036.01 01673 dated 12/6/2024).