The Threat Intelligence Platform (TIP) product based on the Security Vision 5 platform meets the needs of each TI level. The solution helps to look for signs of attacks based on behavioral indicators and build an enterprise information security strategy in the long term, taking into account current threats and risks.
TIP provides the following functionality:
· Receiving a stream of events from solutions of various classes (SIEM, NGFW, Proxy/e-mail server, data lakes, etc.), due to the large number of ready-made connectors, support for universal formats (Syslog, CEF, LEEF, EMBLEM, Event log), as well as a convenient constructor that allows you tocode to set up new integrations;
· Automatic loading of all levels of indicators: technical (hash amounts, IP addresses, URLs, domains, e-mail, masks), tactical (registry keys, processes and JARM), operational (vulnerabilities, VPO, user data, etc.) and strategic;
· Integration with dozens of different commercial and open-source feeds;
· The ability to enrich both from external sources (VirusTotal, Shodan, LOLBAS, Kaspersky Parentip, IPGeolocation.io and others), and from embedded MITRE ATT&CK sources;
· Integrated response and interaction with SPI, in particular, launching actions from an incident and an analytical graph of relationships, without the mandatory use of SOAR for automation;
· Advanced indicator detection mechanics: phishing and DGA mechanisms using machine learning, match in the event stream, and retro-search through all collected data or specific IOCs.
In the new version of the product:
· The deep cyber threat analytics engine second match has been significantly improved. It provides secondary verification of Compromise Indicators (IoC). The mechanism uses additional correlation with external systems (SIEM, VM, IDS) and internal data sources, which allows the formation of contextually enriched events, reducing the number of false positives, improving the quality of triage and increasing the effectiveness of incident response.
· A package of feeds from Security Vision is integrated, with a daily update of about 50K IoC. It is available without a subscription and without a limit on the number of requests via the API or web interface (including in the customer's personal account). This package has key and operational feeds that allow you to immediately apply all TIP functionality out of the box. It also includes feeds from the Database of Information Security Threats of the FSTEC of Russia, NCCI, FinCERT, which take into account the specifics of attacks and threats for the Russian segment. By receiving Russian expertise in the form of feed data, you can use TIP to switch from a manual and reactive approach to a proactive one, when threats relevant to the Russian segment are automatically detected in your network as soon as possible.
· Added support for more than a dozen new feed sources. New cyber intelligence data sources improve the elements of data analysis and exchange, improving the overall TIP user experience.
· In order to make strategic decisions, the TIP product pays a lot of attention to working with newsletters. They help identify trends and plan an infrastructure protection strategy by providing operational information for analysts about new threats with descriptions of compromise indicators (malicious file hashes, suspicious IP addresses and domains, malicious URLs), tactics, techniques and procedures according to the MITRE methodology (i.e. how exactly an attacker acts and what he uses for his own purposes illegitimate actions), impact assessments, and recommendations for response. The product continues to develop the implementation of automatic integration and receipt of newsletters from individual suppliers and aggregators. ML models allow you to automatically process bulletins and link them to specific detection indicators with the ability to view them from the incident card or from the investigation graph.
The match analytical engine has been optimized to work on large data streams (from 100K EPS). The product also adds the possibility of an agent-based data collection scheme from individual high-load servers or collector servers, which also optimizes the processing of data flows.
.png)
.jpg)
