
Kaspersky Unified Monitoring and Analysis Platform (KUMA)

Developers: Kaspersky (earlier Kaspersky Lab)
Date of the premiere of the system: May, 2020
Technology: Cybersecurity - Security Information and Event Management (SIEM)

2020: Product presentation

On May 21, Kaspersky Lab announced a new product that is in active development: the Kaspersky Unified Monitoring and Analysis Platform (KUMA). It belongs to the class of SIEM (Security Information and Event Management) systems.

The company notes that it had not originally intended to create such a product. Pavel Taratynov, architect at the Information Security Center of Kaspersky Lab, explained during the online presentation why the company decided to build it even though the global SIEM market is quite mature and competitive.

As the results of surveys of our clients show, many still lack an alternative. A few years ago, when we assessed the need to enter this market, we did not see it, but now the situation has changed. Today the choice of cybersecurity solutions is very strongly influenced by geopolitics. If you look at the market leaders according to the leading analyst firms, you will see that they are all from one country. And many of our large customers, for one reason or another, cannot or do not want to use these solutions, Taratynov noted.

According to him, Kaspersky Lab itself partly became a hostage of this situation when, in 2019, Splunk, of which the company was a client, suddenly left Russia. Kaspersky Lab then faced the need to urgently look for an alternative.

Even before the release of the commercial version, Kaspersky Lab's own security service selected KUMA as its main SIEM and, as of May, is in the process of implementing it, the company representative added.

According to Gartner's Magic Quadrant (2020 Gartner Magic Quadrant for SIEM), the world leaders in this market are IBM, Splunk, Exabeam, Securonix, LogRhythm, Rapid7 and Dell Technologies (RSA)[1]. No fresh analyst research on the Russian SIEM market has been published recently. According to a 2018 IDC study, the most notable domestic players in this market in Russia are Positive Technologies and NPO Echelon.

Asked why the existing Russian systems did not suit the company, the company representative said the following. Performance, architectural flexibility and low system requirements were the main requirements that Kaspersky Lab's internal security service had for a SIEM. They also needed to have first-line technical support and the ability to influence the development of the product's functionality. The company's customers need the same, Taratynov believes.

However, Pavel Taratynov says, the main reason that pushed the company to create its own SIEM was that its portfolio had recently grown to include many different solutions which are not always integrated with each other. There was no central link that would let the company offer customers a unified ecosystem rather than just a set of solutions.

In this connection, the decision was made to develop not just a SIEM but a single modular security platform in which the SIEM will be one of the components. It should integrate all the solutions and provide a single window for monitoring, incident response and orchestration of Kaspersky Lab solutions, as well as a single management console. The role of the latter, together with incident monitoring, will be performed by the SIEM. At the same time, the platform will be open for integration with third-party vendors' solutions.

According to Pavel Taratynov, the KUMA technology stack was developed from scratch and is not based on the company's other products. It was designed from the outset for high-load systems. The solution is built on a microservice architecture, in which each component is a microservice operating independently of the others, the Kaspersky Lab representative explained.

From Pavel Taratynov's presentation: the list of event sources that KUMA will support at the end of 2020; the list is planned to be expanded further.

The solution contains the components typical of a SIEM: collectors, a correlator, a system core that provides centralized management, a proxy for secure connection and communication with the database where events are stored, and an agent for collecting logs from Windows machines. Open source components are also used, but the solution is not tied to them, and they can be replaced later if necessary. For example, Elastic is used as the event storage backend.

In addition to the basic feature set, such as support for third-party sources, retrospective analysis, support for preserving "raw" events, etc., the developers plan to implement a number of "enterprise" functions through integration with the company's other products, Taratynov says.

From Pavel Taratynov's presentation

The company representative explained that the set of data sources whose support will be implemented first of all is dictated by the fact that Kaspersky Lab has a number of commercial customers who plan to implement KUMA in the near future or are already implementing it, and this list is a requirement from those customers.

The first release of the product is planned for December 2020, but pilot projects can be carried out starting in June, Taratynov reported. The company did not disclose the price of the new product to TAdviser during the presentation.

The SIEM development roadmap is laid out through 2021. In addition to the general development of the product's functionality, for the Russian market the company plans to localize the solution in terms of the interface and documentation, obtain all necessary certificates, have it included in the register of domestic software, etc.