A security information and event management (SIEM) system cannot remain static; its detection logic must continuously evolve. The threat landscape is constantly changing, which means new rules have to be added regularly for effective data analysis. Admittedly, most correlation rules are inevitably fine-tuned by the internal information security team, but having up-to-date rules out of the box is essential to ease this process. Another important point is that a SIEM system must be capable of adapting to the evolution of the corporate IT infrastructure and be ready to use new event sources, each of which often requires a new normalizer (the mechanism for converting data from arbitrary sources into a single format). We are continuously working on this, adding new normalizers and correlation rules to the Kaspersky Unified Monitoring and Analysis Platform. This post details what was added in version 3.0.3.
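A normalizer in the sense used above is a parser that maps events from any source onto one common field set. As an added illustration of that concept (not the platform's own normalizer format, which this post does not describe), the following Python sketch normalizes two constructed syslog lines, one sshd-style and one DNS-query-style, into a unified event dictionary; the source names, field names and sample lines are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample events (not real product output): an RFC 3164 syslog
# authentication line and a DNS-query line from two different sources.
SAMPLE_EVENTS = [
    "<86>Mar 14 10:02:11 fw01 sshd[2211]: Accepted password for alice from 10.0.0.7 port 51022 ssh2",
    "<30>Mar 14 10:02:12 ns01 pdns[777]: query: example.com A from 10.0.0.8",
]

# Envelope shared by every syslog source: priority, timestamp, host, app, message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Per-source parsers: each maps the free-text message onto unified field names
# (user, src_ip, query, ...) and assigns a common event_type.
SOURCE_PARSERS = {
    "sshd": (re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+)"), "auth_success"),
    "pdns": (re.compile(r"query: (?P<query>\S+) (?P<qtype>\S+) from (?P<src_ip>\S+)"), "dns_query"),
}

def normalize(line, year=2024):
    """Convert one raw syslog line into the single event format."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Keep unparseable input rather than dropping it, so nothing is silently lost.
        return {"event_type": "unparsed", "raw": line}
    pri = int(m["pri"])
    event = {
        # RFC 3164 timestamps carry no year; the caller supplies it.
        "timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").isoformat(),
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m["host"],
        "source_app": m["app"].strip(),
        "event_type": "unknown",
        "raw": line,
    }
    parser = SOURCE_PARSERS.get(event["source_app"])
    if parser:
        regex, event_type = parser
        fm = regex.search(m["msg"])
        if fm:
            event["event_type"] = event_type
            event.update(fm.groupdict())
    return event

def normalize_all(lines, year=2024):
    return [normalize(line, year) for line in lines]
```

Adding a new event source then means adding one entry to SOURCE_PARSERS, which is the per-source work the post refers to when it says each new source often needs its own normalizer.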
New and refined normalizers
Between versions 2.1 and 3.0.3 of the Kaspersky Unified Monitoring and Analysis Platform, we released 99 update packages with new or improved normalizers. These include 63 updates that provide support for new event sources, and 38 that improve existing normalizers by adding support for new event types and making various refinements and fixes. The remaining updates contain regularly enhanced correlation rules, filters, and other usability-oriented resources.
Other new additions include normalizers that introduce support for the following event sources:
- Cisco Prime, for Cisco Prime 3.10 events received via syslog
- PowerDNS, for processing PowerDNS Authoritative Server 4.5 events received via syslog
- Microsoft Active Directory Federation Services (AD FS), for processing Microsoft AD FS events. The normalizer provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
- Microsoft Active Directory Domain Services (AD DS), for processing Microsoft AD DS events. The normalizer also provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
- NetApp ([OOTB] NetApp syslog, for processing NetApp ONTAP 9.12 events received via syslog; and [OOTB] NetApp file, for processing NetApp ONTAP 9.12 events stored in a file)
- RedCheck Desktop, for processing RedCheck Desktop 2.6 logs stored in a file
- MikroTik networking hardware
- PostgreSQL DBMS
- MySQL DBMS
- VMware ESXi
- Microsoft 365
In addition, our experts have refined the following normalizers:
- For Microsoft products: revised the normalizer structure and added support for new products and additional event types
- For PT NAD: implemented support for events of the current product version
- For UNIX-like operating systems: implemented support for additional event types
- For Juniper networking devices: made significant normalizer revisions and optimizations
- For Citrix NetScaler: implemented support for additional event types
Updated correlation rules
We have significantly improved the content of all existing correlation rules in the SOC Content package, focusing on validating rule logic and refining the rules with input from our customers' real-life experience. We have also improved the quality of the rule descriptions, including incident description rules.
Along with updating the Russian-language SOC Content package, we have also released a full-fledged English-language SOC Content package, fully synchronizing its content with the Russian version. From now on, we plan to update the two packages in sync.
The platform now offers over 500 rules, along with other essential tools such as active lists, filters, and dictionaries.
Correlation rule format
We are planning to add markup for existing rules soon in accordance with MITRE ATT&CK® tactics and techniques. This will expand the system's ability to visualize the level of protection against all known threats.
When choosing avenues for development, we generally align with the MITRE ATT&CK® knowledge base, the de facto industry standard. We also consider feedback from our customers that we receive during pilots, integration projects, consulting sessions, and even in emails received by account managers, as well as the experience of our own SOC, one of the most successful and skilled teams in the industry.
How updates are delivered to the SIEM system
All the content we develop is distributed through the Kaspersky Update Servers subsystem to shorten delivery times. The subsystem requests updates and notifies about them automatically, but lets the operator decide whether to apply them. This helps administrators receive information about available updates quickly, review the contents of each update, and decide whether to introduce new resources into the infrastructure or update existing ones.
The update subsystem significantly expands the ability of the Kaspersky Unified Monitoring and Analysis Platform to respond quickly to changes in the threat landscape and infrastructure. The option to use it without direct internet access ensures that data processed by the SIEM system remains secure and within the perimeter, while users can still get the latest system content updates.
The complete list of event sources supported in Kaspersky Unified Monitoring and Analysis Platform 3.0.3 is available in the technical support section, where you can also find information about the correlation rules. Of course, our SIEM updates are not limited to new normalizers and detection logic: we recently wrote about UI improvements and routine automation.