In this article, we will talk about the mechanisms that underlie the Security Vision 5.0 platform and allow you to automate any formalized process in the field of IT and information security.
Recently, the globally updated information security process management platform Security Vision 5.0 has entered the market. The changes have affected many aspects, from design and architecture to filling modules and principles of working with data, while the flexibility of the platform has not only been preserved, but also increased. In this article, we will talk about the mechanisms that underlie the platform and allow you to automate any formalized process in the field of IT and information security.
Object Oriented Approach
Most IRP / SOAR systems today are focused around one single object: the “incident”. Best practices recommend using CMDB for asset control, and Vulnerability Management System for vulnerability control. IDM will be responsible for accounts and GRC will be responsible for risks. Even if all these systems are in the company and each of them copes with its tasks, to obtain a comprehensive picture it will be necessary to do a lot of work: unload all the results of interest, bring them to a single data model and, based on this data, generate the necessary analytics. As a result, you never have a really up-to-date picture of what is happening – the situation can change dramatically immediately after you load the data into Excel. Needless to say
When it counts for minutes, and sometimes for seconds, incident response specialists simply do not have time for consolidated analytics from dozens of different sources, some of which are available only by calling the “possessor of sacred knowledge”. The owner of the system left for lunch – and now Initial Access turns into Lateral Movement .
But the list of types of objects of control in IB is not at all limited to the above. certifications, software and licenses, external service providers, user awareness companies, hardware inventory and obsolescence, changes, projects, Shadow IT and more. All this requires accounting and a special life cycle, for the successful functioning of which a well-coordinated interaction of employees and systems is required. It is for this reason that there are no restrictions on the types of control objects in our product, and it has become simple and convenient to create them.
The Security Vision platform can be delivered with pre-installed modules for managing incidents, assets, vulnerabilities, risks, specialized conformity assessments such as CII, PCI DSS, SWIFT, etc. These modules contain all the necessary objects, directories, dashboard workflows and reports.
But even the best analysts will not be able to think through every nuance of the customer’s infrastructure, take into account the peculiarities of the company’s internal processes, the requirements of regulators and business. For this reason, the main focus of our product is on the flexibility of any of the system elements. And this flexibility is available to the average user, without the involvement of a vendor or integrators. Without external scripts, right in the platform interface in NoCode or LowCode mode (in the case of integrations).
What does this flexibility look like in reality? Let’s consider several customization scenarios.
Undoubtedly, the constantly growing number of incidents is becoming the main driver in information security automation. The process of their processing for the analyst should be as simple and clear as possible. He does not have time to read the string of incident properties in the hope of finding meaningful information. Depending on the type of incident, the focus should be on completely different inputs. For this reason, different types of incidents in the platform have completely different views in Security Vision.
Your existing incident handling process can be modified as part of your existing incident handling policy or procedure. For example, let’s add the attribute “Closing reason” to the incident card, which will be required to be filled in only if the status is “Waiting for closing confirmation”, and the ability to edit it will be available only to a user with the role “Information security incident manager”.
The calculation of the criticality of an incident can take into account any parameters of both the event itself and the objects involved in it.
In our case, the initial criticality of the incident and the criticality of the asset are used to calculate the criticality of the incident. For each of the incident types and information enrichment tools, you can assign your own criticality parameters and significance weights. You can use qualitative metrics or link the calculation to a quantitative risk assessment built in the company.
The field reflecting the quantitative assessment of potential damage can be hidden for employees of the first lines of support, making it available only to managers.
Properties of objects are available for layout in the card relative to each other, as well as for combining into semantic blocks and tabs. The data output form allows you to replace the values with color indicators or icons for greater clarity.
One of the most interesting features of the platform interface is the ability to add graphic widgets directly to object cards. Chart the number of incidents by device or user involved in the incident, broken down by severity? See the timeline of a user’s VPN connection over the past month? No problem, adding such analytics to a specific type of incident has never been easier.
Most incident handling systems operate with tree-structured workflows. This means that our object can only move forward and never backward. However, it is often impossible to identify all involved accounts, hosts, IoCs in one pass. All stages of containment have already been carried out and it seems that the incident can be closed, but the Sandbox report reveals new objects, and the picture of the investigation completely changes. In such a situation, it is quite logical to return the incident to work.
In Securty Viison, incident handling reports are available for generation directly from the card. You can use ready-made report templates, such as the NKTsKI format, or customize your own, within the existing methodology in the company.
However, all of the above was mainly related to the interface. But the incident handling process gains real power thanks to the integration designer.
Today, a huge number of both paid and free services for enriching the available information are available for a SOC specialist. VirusTotal, Threat Crowd, Hybrid Analytics: – all these integrations are available by default in most IRP \ SOAR platforms. But let’s consider a situation where we want to add a new enrichment framework or just handle a new property that returns the API of the service we are interested in. To do this, you do not need to wait for a vendor’s response or write Python scripts. In Security Vision, we literally set up a connection in a couple of iterations and get the desired value.
All that remains is to add data retrieval to the incident handling workflow, choosing whether this action will be fully automatic or require manual activation of the function by the analyst.
But integrations aren’t just about friendly external APIs. Many infrastructure components are still difficult to integrate into automated procedures. For example, a Cisco cluster in Active-Passive mode will require access to the active IP address. How does the system know about the required connection parameters? The functionality of redundant connector configurations allows you to create additional configurations that will be applied if the main system is unavailable.
It is not always enough to get the data you need in just one step. Quite often, for example, in Sandbox systems, the following scenario occurs: 1. send the file being examined 2. get the request id 3. apply for the analysis status at regular intervals 4. and, finally, get the analysis results. But there are also more complex interactions, in which the data for authorization in the system must be obtained from Privileged Access Management and only after that the operations of interest must be carried out. The connector steps mechanism allows you to cope with such difficulties. The data from one step can be used as input parameters for the next. In Security Vision, functions of data transformation are available to the “meeting”: text, numeric, operations with arrays and structures.
If the company already has ready-made response tools in the form of scripts in PowerShell, Bash, Python or other scripting programming languages, then it will not be a problem to implement them into the platform. The script receives static values or variables from system objects. The built-in regex, jpath, xpath and a number of other handlers will help you cope with any format of the returned data.
Many companies are faced with the problem of processing large reports, for example, from vulnerability scanners. The infrastructure scan file can be several gigabytes in size, but most systems are capable of processing files no larger than 100 MB. Security Vision connectors are able to cope even with such a task that is not solvable for many.
Complex report structures are another non-trivial task. For example, the scan policy and the credentials used are in one NameSpace, the plugins used are in the other, and the scan results are in the third. How to turn a report into a single table instead of 3 different ones? In Security Vision, this is very easy to do.
All the integrations described above can be performed both within the workflow and on a regular basis in the task scheduler. The results can be stored in the properties of objects, reference books or the platform can create new objects based on them: indicators of compromise, vulnerabilities, assets, or save their own types created by the user.
Having considered the functionality of creating objects, let’s now take a closer look at the part of it that is responsible for inventory and working with assets. In Security Vision, data sources about the assets being created can be any information storage available for integration: Active Directory, CMDB, virtualization management tools, or SIEM system asset models. Most often, the built-in mechanism of non-agentless scanning is used to identify systems.
In the absence of an account or unsuccessful authentication, the host can be identified by indirect signs: responses from services, information in Active Directory, or using custom rules (for example, based on the specifics of host names).
If authorization is successful, inventory scripts collect information about configuration, security status, software, updates, and other system components. All inventory scripts are written in bash and PowerShell, which allows any technician to familiarize themselves with their content, modify them to suit their needs, or search for problems in case of any errors and incorrect data received.
We have provided Security Vision with the ability to obtain information about user and groups, virtualization, startup and much more. However, if this information is not enough, the system allows you to add the retrieval of any system properties available for machine collection. Such custom operations can be implemented both by adding the necessary calls to the regular inventory process, or by creating a manual operation available from the asset card.
Our customers are often faced with the fact that inventory data is not enough even in disparate systems. What is the criticality of this system? Is it a productive environment or a test environment? Who is the business owner and who is the technical administrator? The collection of this kind of information from users can be built directly in Security Vision. The workflow will independently send a letter to the employee responsible for the inventory and the owner of the system with a reminder that it is necessary to fill in the required parameters. The system interface for such user roles can be configured in such a way that only the necessary menus and objects will be available for viewing and filling.
Any information contained in Security Vision can be presented in the form of reports and dashboards. The dashboard builder allows you to customize drill-down actions, for example, display a detailed description of a selected category or navigate to another related dashboard. The use of this designer does not require technical knowledge: the formation of analytics is similar to pivot tables and graphs in Excel. However, for more advanced statistics, we left the possibility of writing your own SQL queries right in the designer interface.
This is just a small list of tools that enable the Security Vision platform to optimize and automate almost any information security process. The flexibility of each of the elements allows you to implement scenarios for specific tasks of your company, without resting on the limits of the product and contractual individual revision.
Security Vision brings people and systems together in a single solution. This approach allows to achieve an unprecedented level of automation even in those processes that previously required significant human resources. Stay tuned for updates on our website: in the following articles we will tell you more about the SGRC module and its functions for working with audits, risks and compliance assessment, we will tell you how you can build a process for managing vulnerabilities and updates in the Security Vision platform, and also explain how the data, uploaded to the platform as part of the MITER ATT & CK framework and related projects can help increase the maturity level of your SOC division.
Cryptocurrency exchange Binance was robbed of $570 million. Hacker withdrew BNB tokens
Cryptocurrency exchange Binance has undergone another hacker attack. The attackers managed to withdraw BNB tokens worth about $570 million.
Somewhat earlier it was reported that the attack allowed the hackers to steal about $110 million, but now it turned out that everything is much worse. At the same time, the specialists of the exchange managed to freeze part of the funds, but we are talking about only 7 million dollars, which is clearly insignificant against the background of 570 million.
The exchange revealed that a cross-chain bridge connected to its BNB chain was attacked, allowing hackers to move BNB tokens off the network. Now the network has been restored, and the clients’ funds, according to Binance, are safe.
The fact of the theft of funds contributed to a sharp drop in the BNB rate by almost 5%, but after a few hours, almost half of the fall was redeemed.
Hacker who earned $27 million in cyberattacks will spend 20 years in prison and pay $21 million in fines
A Florida district court has sentenced 34-year-old IT engineer Sebastien Vashon-Desjardins to 20 years in prison for carrying out at least 90 cyberattacks.
It is noted that for several years of his activity, the hacker, using the NetWalker encryption virus, earned about $ 27 million. A search of Vashon-Desjardins revealed a crypto wallet containing 719 bitcoins, which was about $22 million at the time of the cybercriminal’s arrest in January 2022.
According to investigators, the 34-year-old cybercriminal acted in collusion with other hackers. Vashon-Desjardins himself played the role of an attacker: he infected the corporate networks of various companies with a virus and then demanded a ransom from them. Organizations from the USA, Canada and a number of European countries suffered from the activities of the criminal.
It is noted that, in addition to the prison term, the court also imposed a fine on Vashon-Desjardins in the amount of $ 21 million. Also, the criminal will have to pay compensation to the companies affected by his actions. The amount of damages has not yet been established.
Unique behavior of Ryzen 7000 processors. The notorious patches from the Specter vulnerability improve the performance of new CPUs
Recently, various vulnerabilities in processors have been talked about much less often, and users no longer worry about performance degradation due to patches. As it turns out, Ryzen 7000 processors generally benefit from such patches!
At least this is true for Linux, since it was in this OS that the author tested the Ryzen 9 7950X and Ryzen 5 7600X. It turned out that when working out of the box, the CPUs show better performance than when loading a special version of Linux with a deactivated patch from the Specter V2 vulnerability.
Of course, such results do not appear everywhere, and during normal work they are unlikely to be critical. In particular, in total, according to the results of 190 tests, the difference was only 3%.
The iPhone 14 Pro Max performed great, but still fell short of the iPhone 13 Pro Max. The autonomy of the novelty is slightly lower
DxOMark specialists tested the power subsystem of the iPhone 14 Pro Max. The device earned 133 points, taking 15th place...
GeForce RTX 3070 or Radeon RX 6800 XT just to run the game in Full HD. The recommended requirements for A Plague Tale: Requiem are amazingly high.
It looks like there are more and more games with high PC requirements right before our eyes. A Plague Tale:...
Origin will close soon: Electronic Arts has released a new platform for PC
Electronic Arts has announced the release of a new gaming platform EA for PC, which should replace Origin. According to...
Is Samsung’s problem with GOS gaming services a result of the company’s desire to save money? The head of Samsung Electronics responded to lawmakers
Samsung continues to deal with the consequences of its decisions regarding the introduction of Games Optimization Service (GOS) gaming services...
Phones6 days ago
“iPhone 13 Pro Max battery is draining like crazy. Apple needs to do something about this.” A common problem in iOS 16 has not gone away
Electric Cars7 days ago
“I have expensive cars, I play golf and caress women with large breasts.” One of the leaders of Apple was fired after a bad joke
News6 days ago
There may be alien life. The Juno spacecraft flew just 417 km from the surface of Europa
Electric Cars4 days ago
Tesla Model 3 loses control, crashes and catches fire. This was caught on video