Security Vision SOAR is a comprehensive solution for managing and automating information security incident handling at every stage of the lifecycle, following NIST/SANS best practices: preparation, detection, analysis, containment, eradication, recovery, and post-incident activity.
Key Features of Security Vision SOAR
· An object-oriented approach to response: each element of an incident (host, account, process, artifact) is treated as an object with its own attributes, history, relationships, and available actions.
· Dynamic playbooks: investigation and response scenarios adapt as the context of an incident changes, as new objects, MITRE ATT&CK techniques, analysis results, and enrichment data become available.
· Kill chain construction: the mechanism automatically combines incidents into a single sequence of steps (including by issuing additional requests for missing information), showing the attacker's path and how the attack evolved.
· Expert recommendations: the system suggests the next incident-handling steps, taking into account the context of the incident and the experience accumulated within the SOC. Based on the expert knowledge base and ML models, it estimates the probability of a false positive, finds similar incidents, and recommends the actions taken in those cases.
Orchestration, analytics, and process management functionality
Security Vision SOAR orchestrates security tools, analytical services, and infrastructure objects:
· Integration with security tools (SPI): the main sources of incidents are SIEM, EDR, AV, NGFW, WAF, anti-spam, and other classes of solutions. Most integrations are two-way, from data acquisition to active response from a single management console.
· Asset interaction: the asset management module supports identification, inventory, and data acquisition both through external systems and through direct access to infrastructure objects.
· Artifact enrichment: the product includes a rich set of integrations with both publicly available and subscription-based analytical services.
· Analytical tools: built-in analytics services evaluate potential impact areas and possible directions of incident development, and automatically link incidents to TI bulletins.
· Asset reachability calculation: the system automatically builds routes to the company's most critical and strategic assets, allowing you to predict how an attack may develop and what the attacker may do next.
· The built-in lifecycle task system and integration with popular ticketing/ITSM systems (Jira, Naumen, OTRS, etc.) allow the SOC's work to be coordinated, and related departments to be engaged, within a single loop.
New functionality added in the release
Local AI assistant: incident-context assistance that stays entirely within the customer's environment
Security Vision SOAR includes an AI assistant in chatbot format, trained on leading incident response practices, product documentation, and practical reference material on administration and information security. The model answers questions based on the context of a particular incident: its phase, related objects, the history of actions taken on it, the history of handling similar cases, and related bulletins, helping analysts interpret events and make decisions faster.
The model is not static: it continues to learn during use in the SOC from the results of incident handling, as well as from bulletins issued by the expert community or individual analytical centers. Further training of the model is performed entirely within the customer's environment.
The AI assistant helps with tasks such as confirming an incident, decoding events (for example, Windows Event IDs), or building commands to diagnose the system and network, and provides explanations of the attacker's utilities and techniques.
A separate use case is interactive help on the product and its functionality: users can ask questions and receive answers in the chat interface.
The solution's main distinguishing feature is fully local deployment. The AI assistant runs within the customer's environment and does not interact with external systems, which allows it to be used in isolated infrastructures and environments with high confidentiality requirements.
ML-scoring of incident criticality
The product includes a scoring ML model that helps determine the criticality of information security incidents and provides faster prioritization in the SOC.
The model generates a criticality score based on a set of features reflecting the scale of the event and the significance of the affected assets.

ML summary, an automatic incident report: a single standard for investigation results
When an incident is closed, the ML model generates a short summary, which is displayed in the closed incident card and included in the incident report. In it, the model captures the outcome of the investigation in a single format, including:
· what happened;
· what was done during the investigation;
· what response actions were taken;
· what the result was;
· whether the attacker succeeded in anything.
The feature helps to maintain knowledge about incidents, simplifies transfer between shifts, and improves the quality of management reporting.
Effect for SOC and information security departments
The new releases are aimed at practically accelerating the daily operation of the SOC, allowing analysts to:
· interpret events and artifacts faster;
· receive more accurate recommendations on how to respond;
· lower the entry threshold for new employees by making maximum use of best practices, including those accumulated within the organization while handling incidents;
· reduce incident triage time thanks to ML criticality assessment;
· lose less context by producing standardized, easy-to-read investigation results.