Security Vision SOAR is a comprehensive solution for handling information security incidents at all stages of their lifecycle according to the NIST/SANS methodology, namely:
1. Preparation
2. Detection
3. Containment
4. Investigation
5. Eradication
6. Recovery
7. Post-Incident Activity (lessons learned)
The main distinguishing features of Security Vision SOAR:
- Ability to build a consistent attack chain (Kill Chain) by grouping incidents based on common characteristics.
- Object-Oriented Response - an architecture in which all relevant incident entities such as hosts, accounts, processes, hashes, etc., are objects with their own set of attributes, enrichment and response actions, as well as history and relationships.
- Dynamic Playbook - the system itself selects relevant actions to gather additional information and perform actions to contain the spread of the incident based on information about the objects - participants of the incident and their characteristics.
- Expert recommendations, which the system provides to the analyst working on the incident throughout its lifecycle. Recommendations are generated based on the context of the incident and its processing phase, including the use of machine learning models.
Security Vision Next Generation SOAR (NG SOAR) complements the above capabilities with a mechanism for automated interaction with NCSCI and FinCERT, as well as its own SIEM engine.
The main distinguishing features of SIEM from Security Vision:
- Ability to create complex correlation rules with multi-level nesting of conditions, including repetitions within a rule, optional events, and a first-event condition of the "negation" type.
- Graphical No-Code editor of correlation rules, which significantly reduces the entry threshold and adaptation time of analysts.
- Optimisation of memory and disc space usage when storing source events.
- When events arrive from different sources out of order, their timestamps are synchronised despite delivery failures and the event chain is reconstructed retrospectively for the correlation rule.
New features added to Security Vision SOAR and Security Vision NG SOAR:
FSTEC BDU Expertise. Incidents and correlation rules can now use not only MITRE ATT&CK tactics and techniques, but also threats and implementation methods from the FSTEC BDU. For boxed correlation rules, the corresponding implementation methods are already configured.
Heatmaps for the MITRE ATT&CK and FSTEC BDU expertise sets showing the distribution of incidents by tactics and implementation methods, as well as their coverage by correlation rules.
ML model for identifying false positive incidents. The model is trained on the verdicts analysts assign when closing incidents; when a new incident arrives, it reports how similar (in percent) the incident's attributes are to previously closed incidents with a False Positive verdict.
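The false-positive score described above, illustrated with an added example that is not Security Vision's model or code: it treats each incident as a set of attribute=value pairs, finds the k most similar closed incidents by Jaccard similarity, and reports the similarity-weighted share of those neighbours that were closed as False Positive. The incident history, attribute names and the k-nearest-neighbour scoring are all constructed assumptions for illustration.

```python
# Constructed history of closed incidents with analyst verdicts (sample data).
HISTORY = [
    {"attrs": {"rule": "brute_force", "src": "10.0.0.5", "user": "svc_backup", "dst": "fs-01"}, "verdict": "FP"},
    {"attrs": {"rule": "brute_force", "src": "10.0.0.5", "user": "svc_backup", "dst": "fs-02"}, "verdict": "FP"},
    {"attrs": {"rule": "brute_force", "src": "203.0.113.9", "user": "admin", "dst": "vpn-01"}, "verdict": "TP"},
    {"attrs": {"rule": "malware", "src": "10.0.0.77", "user": "j.doe", "dst": "ws-17"}, "verdict": "TP"},
]


def jaccard(a: dict, b: dict) -> float:
    """Similarity of two incidents as the Jaccard index over their attribute=value pairs."""
    pa, pb = set(a.items()), set(b.items())
    union = pa | pb
    return len(pa & pb) / len(union) if union else 0.0


def false_positive_score(new_attrs: dict, history=HISTORY, k: int = 3) -> float:
    """Percentage (0-100) expressing how strongly the k most similar closed
    incidents point to a False Positive verdict, weighted by similarity.
    Neighbours with zero similarity carry no evidence and are dropped."""
    scored = sorted(
        ((jaccard(new_attrs, h["attrs"]), h["verdict"]) for h in history),
        key=lambda t: t[0],
        reverse=True,
    )
    neighbours = [(s, v) for s, v in scored[:k] if s > 0]
    total = sum(s for s, _ in neighbours)
    if total == 0:
        return 0.0  # nothing comparable in history: no false-positive evidence
    fp_weight = sum(s for s, v in neighbours if v == "FP")
    return 100.0 * fp_weight / total


if __name__ == "__main__":
    # The backup service account tripping brute_force against yet another file server.
    incoming = {"rule": "brute_force", "src": "10.0.0.5", "user": "svc_backup", "dst": "fs-03"}
    print(f"FP likelihood: {false_positive_score(incoming):.1f}%")
```

The score is meant as analyst guidance, not an automatic close: a high value says the incident looks like ones previously dismissed, which is exactly the pattern an analyst should re-check rather than rubber-stamp.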
Attacker Route. The system automatically visualises the route of incident propagation through the infrastructure, showing the time of compromise of network nodes and the artifacts used by the attacker.
Reachability Graph. Based on network segment data and network device routing tables, the system allows the analyst to map where an incident could potentially spread based on compromised nodes and their characteristics.
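The reachability mapping described above, as an added example that is not the product's own code: network segments become graph nodes, each router contributes directed edges from its directly connected segments to every segment it is connected to or has a route for, and a breadth-first search from the segments of the compromised hosts yields which segments (and therefore which hosts) an incident could spread to, with hop distance and the segment path. The router and host inventory is constructed sample data and the route format is an assumption.

```python
from collections import deque

# Constructed inventory (assumed format): each router lists the segments it is directly
# connected to and its routing table as {destination segment: next-hop router}.
ROUTERS = {
    "r1": {"connected": {"user_lan", "dmz"}, "routes": {"servers": "r2"}},
    "r2": {"connected": {"dmz", "servers"}, "routes": {"user_lan": "r1"}},
    # r3 lets the management segment reach servers, but nothing routes into mgmt.
    "r3": {"connected": {"mgmt"}, "routes": {"servers": "r2"}},
}
HOSTS = {"ws-17": "user_lan", "web-01": "dmz", "db-02": "servers", "jump-01": "mgmt"}


def segment_graph(routers: dict) -> dict:
    """Directed segment-to-segment adjacency: a router forwards traffic from each of its
    connected segments to its other connected segments and to every routed destination."""
    edges: dict = {}
    for r in routers.values():
        targets = set(r["connected"]) | set(r["routes"])
        for src in r["connected"]:
            edges.setdefault(src, set()).update(targets - {src})
    return edges


def reachable_segments(compromised, hosts=HOSTS, routers=ROUTERS) -> dict:
    """BFS from the segments of the compromised hosts.
    Returns {segment: (hop_distance, [segment path from a compromised segment])}."""
    edges = segment_graph(routers)
    start = {hosts[h] for h in compromised}
    dist = {s: 0 for s in start}
    path = {s: [s] for s in start}
    queue = deque(sorted(start))
    while queue:
        seg = queue.popleft()
        for nxt in sorted(edges.get(seg, ())):
            if nxt not in dist:
                dist[nxt] = dist[seg] + 1
                path[nxt] = path[seg] + [nxt]
                queue.append(nxt)
    return {s: (dist[s], path[s]) for s in dist}


def hosts_at_risk(compromised, hosts=HOSTS, routers=ROUTERS) -> list:
    """Hosts that sit in a segment reachable from the compromised ones and are not
    already compromised; these are the candidates for containment."""
    reach = reachable_segments(compromised, hosts, routers)
    return sorted(h for h, seg in hosts.items() if seg in reach and h not in compromised)


if __name__ == "__main__":
    for seg, (hops, via) in sorted(reachable_segments({"ws-17"}).items()):
        print(f"{seg}: {hops} hop(s) via {' -> '.join(via)}")
    print("hosts at risk:", hosts_at_risk({"ws-17"}))
```

Routing tables give an upper bound on spread: a real deployment would additionally intersect these edges with firewall and ACL policy, which only removes edges and therefore shrinks the at-risk set.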