Security Vision SOAR is a comprehensive solution for handling information security incidents at all stages of their life cycle according to the NIST/SANS methodology:
1. Preparation
2. Detection
3. Analysis
4. Containment
5. Eradication
6. Recovery
7. Post-Incident
The main advantages of Security Vision SOAR are:
· Kill Chain - combines related incidents into a single sequence of stages that reflects the attacker's path and the evolution of the threat.
· Object-oriented response - an approach in which each element of the incident (hosts, accounts, processes, etc.) is treated as an object with properties, actions and connections.
· Dynamic Playbook - the system itself selects the relevant actions to collect additional information and respond to the incident.
· Expert recommendations that the system provides to the analyst working on the incident throughout its entire processing life cycle.
Security Vision NG SOAR complements the above capabilities with a mechanism for automated interaction with NCCCH and FinCERT, as well as its own SIEM and EDR.
The main advantages of SIEM from Security Vision are:
· The ability to create complex correlation rules with multilevel nesting of conditions, including repetitions within a rule, optional events, and a negation-type condition on the first event.
· A graphical no-code editor for correlation rules, which significantly lowers the entry threshold and shortens analysts' onboarding time.
· Optimized memory and disk usage when storing source events.
· When events arrive from different sources out of order, timestamps are synchronized despite failures, and the event chain is restored retrospectively for the correlation rule.
The main advantages of EDR from Security Vision are:
· Deep monitoring - extends standard OS auditing capabilities by intercepting system events. Interception is performed through user-space hooks on hosts as well as at the kernel-driver level on both Windows and Linux.
· Proactive blocking - automatically stops untrusted applications when they attempt to perform dangerous operations.
· Automated response - integration with other security systems (SIS), for example to send suspicious files to a sandbox. EDR correlation rules can be edited in a single interface together with SIEM rules.
New features added in the update:

Completely redesigned interface. We have rethought the user experience, placed the most important elements within quick access, and redesigned the visual layer to speed up incident processing and shorten onboarding time for new users.
A number of new ML models have been added:
· Scoring False Positive - the model is trained on data from closed incidents; when a new incident arrives, the system evaluates how similar it is to previously closed false-positive cases and reports the result as a percentage match.
· Similar incidents - the model analyzes the incident context, then finds and displays similar cases. This lets the analyst both see such incidents that are currently in progress and see how similar situations were handled in the past.
· Recommendations based on action history - the model tells the analyst what actions were performed at different phases when similar incidents were investigated in the past. A new SOC employee therefore adapts faster, even without ready-made instructions, thanks to access to the accumulated data on how incidents are handled.
· Documentation help - you can now ask the model a question about the product and get an answer in the chat.
· Knowledge base recommendations - in addition to documentation, the analyst can receive a recommendation in the chat about which actions to perform for a specific incident in a specific response phase. The model, trained on best practices for responding to cyber incidents, gives a short answer that takes the full context of the incident into account.
The functionality for building reachability graphs of critical assets has been updated. Routes can now be built using the ML engine, taking into account the routing rules and ACLs configured on the organization's network devices.
The dynamic playbook mechanism has been updated. It now has its own interface for setting the conditions under which atomic actions are applied depending on the incident context. Playbook progress is now transparent to the user: all scheduled actions and their status are clearly displayed on the incident page.
Added related Threat Intelligence bulletins. The system automatically associates incidents with public TI reports when their attributes match. This gives the analyst:
· Quick access to information about similar attacks;
· Data on the tactics of intruders (TTPs);
· Current IOC/IOA;
· Response recommendations from bulletin vendors.
Added built-in incident notes. The analyst can record the progress of the investigation directly in the system, with text formatting and attached files and screenshots. There is no longer any need to search for information in chats or local files: all interim results of the investigation are always at hand.