Security Vision announces the release of the SIEM product update, a unified security event analytics platform designed for companies of all sizes. The solution implements the key processes for monitoring and responding to information security incidents:
• collecting and storing events from IT assets;
• correlating events and identifying alerts that indicate attempts to realize information security threats;
• investigating and handling incidents in a single operational loop.
The product is based on a single No-Code Security Vision 5 platform, which simplifies scaling and customization to meet the needs of each Customer, as well as provides opportunities to expand response scenarios, including through seamless integration with other Security Vision products.
Key components of the Security Vision SIEM
Scanning, identification and inventory of IT Assets
As part of Security Vision SIEM, a fully functional Assets Management module is available, which forms a single up-to-date inventory of IT assets. The module provides scanning, identification and inventory of hosts and services, asset group management, and categorization by criticality and role. This gives analysts, when investigating incidents, the context of which asset is affected, which segment it belongs to, and what business significance it has.
The system is also able to detect and scan assets without directly connecting to their network segments: for these purposes, a separate dedicated connector service component is installed, through which (or through a chain of similar services) asset data is detected and collected from remote network segments.

Additionally, Assets Management includes the management of whitelisted and blacklisted software, as well as the functionality of building reachability routes between assets based on routing tables and ACLs. Due to this, SOC specialists can assess how an incident on one node can affect other systems, how likely it is to reach critical assets and strategic systems, and which isolation points will be most effective.
Collecting events from multiple data sources
The system collects events from sources via a remote connection or using agents. Additionally, it is possible to use autonomous agents that receive data collection tasks and forward all accumulated events as soon as a connection to the corporate network is established. Remote data collection can be performed without direct access to end devices from a central server – through a chain of separate connector services distributed over separate segments of the corporate network.
Event source management is implemented based on the task management mechanism for standard profiles, which makes it possible to reuse settings and quickly scale the connection of new sources. The product includes ready-made profiles for various collection methods (for example, WMI, Syslog, JDBC/DBC, HTTP).

The following functionality is also available in the Task Management console:
• automatic configuration and management of logging on hosts;
• automatic agent installation and management.
Based on the created tasks, the system visualizes event flows on an interactive graph, with the volume of received or sent data and the EPS displayed for each node. The system tracks flows from all primary event sources, even those collected centrally via WEF or syslog. This gives detailed control over the completeness of collection and helps locate bottlenecks and diagnose problems.

The platform includes mechanisms for optimizing the use of memory and disk space when storing received events. For example, you can set different retention periods for different types of events, or disable full logging mode for individual types and store only events necessary for the operation of correlation rules.
Normalization in No-Code format
The product includes normalization schemes for all popular log sources (such as Microsoft Server, Exchange Server, Syslog, DNS, VMware, 1C, Kubernetes, PostgreSQL, and others), which makes it possible to quickly connect the Customer's infrastructure to SIEM and receive normalized events.

At the same time, for non-typical scenarios, the normalization schemes in connectors can be edited and new ones created in No-Code mode, with additional enrichment and aggregate values computed into variables in real time. Thus, the solution adapts easily to any infrastructure and has a low entry threshold for specialists.
Powerful correlation engine and rich rules expertise
Security Vision SIEM implements a high-performance correlation engine and a graphical No-Code correlation rule editor that requires no rule syntax to be learned; rules and conditions are built entirely through the graphical interface:
• rules with multilevel nesting of filter conditions;
• complex sequences and conditions on the relationships between blocks, including unlimited nesting of building blocks of various types;
• conditions on blocks and on the links in a chain, including "negation" scenarios in which the absence of an expected event is itself the signal, even for the first event in the chain (the golden ticket case is an example);
• when events from different sources arrive out of order, the engine synchronizes them by event time and can retrospectively restore chains so they are processed correctly.

Over 1000 correlation rules are available out of the box, covering 73% of MITRE ATT&CK techniques. All rules are mapped to both MITRE ATT&CK and the FSTEC database.
The correlation engine operates under heavy loads (more than 100K EPS) and is optimized to run on modest hardware resources.
Incident response
To investigate incidents, the product provides an incident card in which the analyst can access:
• Information about related assets — with the ability to perform response actions directly from the incident card;
• Information about identified artifacts (for example: process, external IP, URL, etc.);
• Expert recommendations on how to respond to this incident;
• Chat for interaction with colleagues and the response team;
• Data on initial alerts and events;
• Creation of tasks, including in external ITSM systems with two-way integration, as well as sending and receiving emails and sending messages to messengers.

This set makes it possible to perform basic response actions from a single SIEM console. Integration with Security Vision SOAR and NG SOAR products is available for enhanced response.
The product includes a number of ML models:
• False Positive Scoring – the model is trained on data from closed incidents; when a new incident arrives, the system evaluates how similar it is to incidents previously closed with a False Positive verdict and outputs the result as a percentage match;
• Similar incidents – the model analyzes the context of the incident and finds and shows similar cases. This lets the analyst see both similar incidents currently in progress and how similar situations were handled in the past;
• ML criticality scoring – the service evaluates the criticality of an incident based on signs reflecting the mass and significance of the affected assets, taking into account the context of the alerts associated with the incident.
The results of all ML models are available in the incident card for convenient investigation and response.
Retrospective verification of correlation rules
In Security Vision SIEM, correlation rules can be checked against historical data: a set of rules can be run over events that have already been collected to see how it would have fired. This simplifies quality control of changes and helps find traces of previously undetected attacks when new rules or hypotheses appear, conditions are adjusted, new IOCs or checks are added, and so on.
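The two engine behaviours described above, a chain rule whose signal is the absence of the expected first event (the golden ticket case) and time synchronization of out-of-order events, can be illustrated with the following added example, which also shows the retrospective run over stored events. It is illustrative code written for this page, not Security Vision's own engine or rule format; the event labels, accounts and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: float      # event time assigned by the source (seconds)
    source: str    # constructed source name, e.g. a domain controller
    kind: str      # constructed labels: "tgt_issued" or "tgs_requested"
    account: str


def tgs_without_tgt(events: Iterable[Event], window: float = 600.0,
                    synchronize: bool = True) -> list[Event]:
    """Negation-style chain rule: a TGS request for an account with no TGT
    issued to that account within `window` seconds before it is an alert.
    (Simplified illustration; a real rule would scope by DC, realm, etc.)
    With synchronize=True events are ordered by source event time, so a TGT
    that arrives late from another source is still placed before the TGS.
    With synchronize=False events are processed in arrival order, which is
    what produces spurious alerts when sources deliver out of order."""
    ordered = sorted(events, key=lambda e: e.ts) if synchronize else list(events)
    last_tgt: dict[str, float] = {}
    alerts: list[Event] = []
    for e in ordered:
        if e.kind == "tgt_issued":
            last_tgt[e.account] = e.ts
        elif e.kind == "tgs_requested":
            t = last_tgt.get(e.account)
            if t is None or e.ts - t > window:
                alerts.append(e)
    return alerts


# Constructed stored events in the order they *arrived* at the SIEM: the
# TGT for alice (dc01) arrives after her TGS (dc02); bob's TGT is very old;
# svc-backup never obtained a TGT at all.
STORED_EVENTS = [
    Event(100.0, "dc02", "tgs_requested", "alice"),
    Event(95.0, "dc01", "tgt_issued", "alice"),
    Event(200.0, "dc01", "tgs_requested", "svc-backup"),
    Event(1000.0, "dc02", "tgs_requested", "bob"),
    Event(10.0, "dc01", "tgt_issued", "bob"),
]


def replay(window: float = 600.0, synchronize: bool = True) -> list[str]:
    """Retrospective run of the rule over the stored events; returns the
    alerted accounts so rule changes (e.g. the window) can be compared."""
    return [a.account for a in tgs_without_tgt(STORED_EVENTS, window, synchronize)]
```

Running `replay()` with synchronization yields only the genuinely suspicious accounts, while `replay(synchronize=False)` also flags alice purely because her TGT arrived late.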

Single status monitoring window
The product includes a set of dashboards and reports, as well as a built-in constructor that allows you to create your own reports and dashboards in No-code mode, set up schedules for automatic uploading and sending via any communication channels.
A monitoring dashboard is implemented separately, which brings together key metrics of SIEM operation on one screen. The dashboard helps you quickly assess the current state and dynamics of changes in the "health" of the system, identify anomalies in the flow of events, problematic sources and rules with increased noise in order to take prompt action.

Key advantages of Security Vision SIEM:
• Flexible and manageable data collection: built-in profiles and a task engine allow you to quickly scale the connection of typical sources;
• Normalization of popular sources "out of the box" with the possibility of customization in No-Code mode;
• More than 1000 correlation rules covering 73% of MITRE ATT&CK techniques;
• Unified work area for investigation and response: the incident card combines events/alerts, artifacts, related objects, recommendations, communications, and tasks;
• Built-in ML analytics: models help to focus attention on the most important incidents.