SOAR

Security Orchestration, Automation and Response

Incident management

IRP, SOC, information security tools, incidents, information security events, Kill Chain, playbooks, ticketing, response, NIST, MITRE

Product overview

Automated response to information security incidents using dynamic playbooks and the connected security tools, with attack chain construction and an object-oriented approach to response.

Security Vision SOAR reduces the influence of the human factor, increases the speed of response to incidents, and builds proactive defense in accordance with international information security standards.

The solution aggregates events and incidents and automatically executes commands on external systems to quickly contain and eliminate negative consequences in accordance with the NIST methodology, providing expert recommendations at the various stages of incident management.

Application

Dynamic playbooks and MITRE database


Playbooks are built automatically for 200+ incident types depending on the connected security systems (SIEM, UEBA, AV/EDR, NGFW, WAF, proxy, etc.) and IT systems, cover 100+ MITRE ATT&CK techniques and tactics, and include built-in expert recommendations at the different stages of incident handling.

Kill chain construction and adaptive response


Automatic construction of an attack chain and object-oriented response: actions are selected according to the type of object involved (internal/external host, account, email address, URL, malware, process, vulnerability).

NIST methodology and built-in recommendations


Depending on the incident and attack type, expert recommendations are shown in cards and connection graphs at the various stages: initial analysis, extended containment, initial response and post-incident.

Examples and integrations

NIST incident lifecycle


1) Preparation: descriptions of services, security tools, exception lists, SOC team composition and other tools and processes;
2) Enrichment of data around the incident;
3) Analysis and classification, collection of digital evidence;
4) Containment and isolation of accounts, hosts, URLs/emails/domains;
5) Response based on key objects: 70+ pre-configured actions for hosts, 20+ for KM, and actions for other object types;
6) Restoration of compromised objects from backup, unblocking;
7) Post-incident: preventing the recurrence of similar incidents.

Common data sources


Information about events and incidents is collected, for example, from:
• SIEM (including connected audit logs)
• NGFW (network telemetry, host management)
• WAF (logs)
• Proxy servers (logs)
• Email servers (antispam lists, blocking)
• Endpoints (host snapshot, installed software)
• Vulnerability scanners (technical vulnerabilities, criticality)
• IoC enrichment tools (hash, IP, email, domain)
• Analytical services (MITRE, VirusTotal, LOLBAS, URLScan, WhoisXML, etc.)
• LDAP (OpenLDAP, MS AD)
• Antivirus solutions (AV, EPP, EDR) and other information security/IT systems

External enrichment services


Additional information about indicators is obtained, for example, from:
• VirusTotal
• WhoIsXMLAPI
• URLScan
• IPInfo.io
• IPgeolocation.io
• AbuseIPDB
• LOLBAS
• Kali tools
• Shodan
• ChatGPT
etc.

Reporting


For each incident, or as statistics for a selected period, a report can be generated from your own template and then downloaded as a file or sent by email in various formats:
• pdf;
• txt;
• docx;
• xlsx;
• ods;
• odt;
• csv.

Reports can contain any properties obtained during the collection, analysis and processing of information security events.

The appearance can be customized in detail: fonts, colours, pictures and logos, diagrams, indents, numbering, headers and other characteristics.

Visualization and response


Attacks and their incidents are shown as relationship graphs that identify the entities involved and carry expert recommendations for interactive response. From the graph and table views the analyst can run response commands while working on the case, for example:
• sending an object to quarantine and releasing it;
• blocking traffic for an IP address;
• adding a URL to the web-control policy;
• stopping processes and services on a host;
• terminating a user session or changing a password;
and other actions. Actions that can be rolled back are marked as such in the interface.

Cards and table views for any object type can be extended with new properties, columns and buttons, without any licensing restrictions.

Get a demo of a Security Vision product: mail us at sales@securityvision.ru or request a demo.

Other products

NG SOAR

Next Generation SOAR

Automated response to information security incidents with built-in basic correlation (SIEM), a vulnerability scanner (VS), collection of raw events directly from security tools, dynamic playbooks, attack chain construction and an object-oriented approach. AM and VM are included.

TIP

Threat Intelligence Platform

Cybersecurity threat data collection, analysis, enrichment, infrastructure detection, investigation and response.

AM

Asset Management

Description of the IT landscape, detection of new objects on the network, asset categorization, inventory, and life-cycle management of hardware and software on the organization's workstations and servers.

RM

Risk Management

Building a register of risks, threats, protection measures and other control parameters, assessment using the chosen methodology, compiling a list of additional measures to change the risk level, tracking their implementation, and periodic reassessment.

UEBA

User and Entity Behavior Analytics

Building behavior models and detecting deviations from them using several dozen built-in static analysis rules.

ORM

Operational Risk Management

Accounting and recording of operational risk events, monitoring of key risk indicators, and self-assessment/control.

VM

Vulnerability Management

Building a process for detecting and eliminating technical vulnerabilities, collecting information from existing security scanners, update management platforms, expert external services and other solutions.

CM

Compliance Management

Auditing compliance with various methodologies and standards.

AD + ML

User and Entity Behavior Analysis

Dynamic behavioral analysis using machine learning to search for anomalies and possible incidents.

BCP

Business Continuity Plan

Automation of ensuring continuity and restoration of activities after emergencies.

FinCERT

Financial Computer Emergency Response Team

GovCERT

Government Computer Emergency Response Team

OTS

Operational Technology Security