SOT
SOAR
Security Orchestration, Automation and Response
NG SOAR
Next Generation SOAR
AM
Asset Management
VM
Vulnerability Management
FinCERT
Financial Computer Emergency Response Team
GovCERT
Government Computer Emergency Response Team
Product overview
Automation of response to information security incidents using dynamic playbooks and information security tools, building an attack chain and with an object-oriented approach.
Security Vision SOAR reduces the influence of the human factor, increases the speed of response to incidents, and builds proactive defense in accordance with international information security standards.
The solution aggregates events and incidents, automatically executes commands on various external systems to quickly contain and eliminate negative consequences in accordance with the NIST methodology, providing expert recommendations at various stages of incident management.
Application
Dynamic playbooks and MITRE database
Playbooks automatically built for 200+ types of incidents depending on the connected information security systems (SIEM, UEBA, AV/EDR, NGFW, WAF, Proxy, etc.) and IT systems, 100+ MITRE ATT&K techniques and tactics, as well as built-in expert recommendations at different stages of incident handling
Kill chain construction and adaptive response
Automatic construction of an attack chain and object-oriented response, selecting actions depending on the types of objects (internal/external host, account, email address, URL, malware, process, vulnerability)
NIST methodology and built-in recommendations
Depending on the types of incidents and attacks, expert recommendations are available in cards and connection graphs at various stages: primary analysis, extended containment, primary response and post-incident
Examples and integrations
NIST incident lifecycle
1) Preparation of descriptions of services, information security, lists of exceptions, composition of SOC teams and other tools and processes;
2) Enrichment of data in the vicinity of the incident;
3) Analysis and classification, collection of digital evidence;
4) Containment and isolation of accounts, hosts, URLs/Emails/domains;
5) Response based on key objects: 70+ pre-configured actions for hosts, 20+ for KM, and other types of objects;
6) Restoring compromised objects from backup, unlocking;
7) Post-incident, preventing the recurrence of similar incidents.
Common data sources
Information about events and incidents is collected, for example, from:
• SIEM (including with connected audit logs)
• NGFW (network telemetry, host management)
• WAF (logs)
• Proxy servers (logs)
• Email servers (antispam lists, blocking)
• End nodes (node snapshot, installed software)
• Vulnerability scanners (technical vulnerabilities, criticality)
• IoC enrichment tools (hash, IP, email, domain)
• analytical services (MITRE, VirusTotal, LOLBAS, URLScan, WhoisXML, etc.)
• LDAP (OpenLDAP, MS AD)
• Antivirus solutions (AV, EPP, EDR) and other information security/IT systems
External enrichment services
Additional information about indicators is supplemented, for example, from:
•VirusTotal
• WhoIsXMLAPI
• URLScan
• IPInfo.io
• IPgeolocation.io
• AbuseIPDB
• LOLBAS
• Kali tools
• Shodan
•ChatGPT
and etc.
Reporting
For each incident or statistics for the selected period, you can generate a report using your own template and then download it as a file or send it by mail in various formats:
• pdf;
• txt;
• docx;
• xlsx;
• ods;
• odt;
• csv.
Reports can contain any properties obtained during the collection, analysis and processing of information security events.
The appearance can be customized granularly with a choice of fonts, colors, pictures and logos, diagrams, indents, numbering, headers and other characteristics
Visualization and response
Attacks and their incidents use relationship graphs to identify the entities involved and include expert recommendations for interactive response. Graph and table views allow you to run various response commands while the analyst is working, for example:
• sending and removing an object from quarantine;
• blocking traffic for an IP address;
• adding a URL to the Web-control policy
• shutting down processes and services on the host;
• terminating a user session or changing a password;
and other actions that can be canceled, which is additionally displayed in the interface.
Cards and table views for any type of object can be adapted by adding new properties, columns, buttons without any licensing restrictions.
Get a demo of a
Security Vision product
Mail us to
sales@securityvision.ru
or get a demo
Still have questions?