Kaspersky Unified Monitoring and Analysis Platform (KUMA)

2023

Integration into Softline Universe

Softline Group of Companies (PJSC Softline) has implemented Kaspersky Lab solutions in Softline Universe. Within the framework of the ecosystem developed in Softline Universe, based on Kaspersky Lab products, Kaspersky Endpoint Security was integrated to protect email traffic from malicious software and spam - Kaspersky Unified Monitoring and Analysis Platform (KUMA) as a single console for monitoring, analyzing and responding to cyber threats. Softline announced this on November 22, 2023. Read more here.

As part of PAC to protect service information

Russian manufacturers and developers presented a joint secure software and hardware complex of the information security administrator (PAC IB). It is designed to protect service information and personal data in customer information systems. Fplus announced this on November 10, 2023. PAC is built on the basis of the SIEM system Kaspersky Unified Monitoring and Analysis Platform (KUMA). Read more here.

Use in SOC "Cybersecurity K2"

K2 Cybersecurity launches Information Security Monitoring Center (Security Operations Center,). SOC It will combine the expertise K2 Cybersecurity in the field information protection and technology. " Kaspersky Lab Using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) built on, microservice architecture SOC K2 Cybersecurity specialists will be able to monitor, analyze and inform the client in real time about both attacks from outside and from within the infrastructure. The company K2 Teh announced this on October 4, 2023. Read more here. [1]

As part of the "Server PAC" of domestic developers

The companies Basis Fplus",,,,", " MyOfficeKaspersky Lab and DION Getmobit BASEALT September 21, 2023 presented software and hardware complexes for a stationary workplace and ensuring the operation of the server center. Protects the infrastructure of the Kaspersky SIEM Unified Monitoring and Analysis Platform Server PAC. More. here

Delta Tioga Pass and Delta Argut compatibility

and Delta Computers Kaspersky Lab"" confirmed the compatibility and correctness of work, and software Kaspersky Anti Targeted Attack Platform (KATA) Kaspersky Endpoint Detection and Response (KEDR) Kaspersky Unified Monitoring and Analysis Platform (KUMA) server with products. This was Delta Tioga Pass и Delta Argut announced on September 6, 2023 by Delta Computers. More. here

Integration with MTS SOC

On April 11, 2023, the company MTS RED introduced an update to the cyber attack monitoring and response center. MTS SOC Thus, the technological basis is now implemented on the SIEM Kaspersky Unified Monitoring and Analysis Platform system. The solution from "" Kaspersky Lab allows you to centrally collect, analyze and correlate events from cyber security various data sources to identify and prevent incidents and complex ones. hacker attacks Also, the key update of MTS SOC was the emergence of a personal account, which makes protection processes more transparent, and incident response more prompt. More. here

KUMA 2.1

On March 1, 2023, the company Kaspersky Lab"" introduced an updated version of the safety Kaspersky Unified Monitoring and Analysis Platform (KUMA) event monitoring and management system. KUMA 2.1 introduced an updated approach data storage to security events, implemented support, increased 1C fault tolerance of the system core and expanded the ability to detect and respond to threats. The changes also affected content auto-update and integration with the system. State system of detection, prevention and elimination of consequences of computer attacks

KUMA 2.1

Reduce cost of ownership and equipment costs

According to the company, KUMA 2.1 provides support for two storage areas: the online storage of security event data runs on ClickHouse, and the archive storage can be implemented on Hadoop. This approach is implemented in many SIEM systems, but in KUMA 2.1, specialists can create search queries in a single interface without switching between two data areas.

This allows you to fully focus on the investigation of the incident and maintain the optimal speed of work. At the same time, the updated storage area will not require expensive servers and can be deployed on budget equipment: this will allow business owners to reduce total cost of ownership (TCO) by almost half and reduce equipment costs by almost 4 times.

Auto Content Update System

The upgrade subsystem enhances KUMA's ability to respond to changes in the threat landscape and infrastructure. In version 2.1, it became possible to automatically add service packs necessary to investigate incidents and an updated version of existing content. This applies to both correlation rules and connectors to log sources. At the same time, downloading updated versions of connectors and correlation rules can be implemented without direct access to the Internet, which ensures the confidentiality of the data processed by the system. Built-in chat and automation of work with NCCC. KUMA 2.1 has expanded automated support for scenarios with the State system of detection, prevention and elimination of consequences of computer attacks module. Now in the personal account, users can transfer data to the regulator and receive feedback from NCCCC representatives directly in the KUMA chat, as well as update the incident data obtained during the investigation. At the same time, thanks to integration with the Kaspersky CyberTrace platform, which processes reports from the National Coordination Center for Computer Incidents, the researcher can extract compromise indicators and use them to detect events in SIEM. This allows you to automate part of the tasks for working with NCCCA.

Auto-Response and Integration with Employee Training Platform

More than 80% of incidents in companies arise due to low awareness of employees in the field. IT safety To minimize such risks, KUMA 2.1 has added advanced tools for response, contextual analysis, and containment. With an integrated training platform (Kaspersky Automated Security Awareness Platform KASAP) and a directory Active Directory that stores information about user actions, specialists can manage a group of accounts domain in and use the training system directly in the SIEM interface. For example, block accounts of users who perform suspicious actions, initiate a shift, password manage the membership of a user account in AD groups, view information about employee courses or record them in training.

SIEM is a central element of most mature information security systems, so it must meet all relevant market requirements and take into account the changing landscape of cyber threats. KUMA 2.1 expands the capabilities of analysts, allows you to optimize the budget for information security, providing protection at the optimal level. noted Ilya Markelov, Head of Development of Kaspersky Lab's Unified Corporate Platform

Solar JSOC Customer Availability

To provide services for monitoring and responding to cyber attacks, Rostelecom-Solar launched the SIEM platform Kaspersky Unified Monitoring and Analysis Platform (KUMA). It allows you to centrally collect, analyze and correlate cybersecurity events from various data sources to quickly identify and prevent cyber incidents. This was reported on January 20, 2023 at Kaspersky Lab. Read more here.

2022

As part of PAC based on Depo Storm Kaspersky Unified Monitoring and Analysis Platform (KUMA)

Axoft, Kaspersky Lab and DEPO Computers presented Russian hardware and software complexes based on the DEPO Storm server platforms and Kaspersky Lab software products. The complexes were tested by engineers of the DEPO Computers technology center and are ready for use in government agencies and enterprises of the corporate sector. Read more here.

Version 2.0 with enhanced capabilities to enrich events from security solutions with up-to-date data

On August 10, 2022, Kaspersky Lab announced that it had strengthened the security event monitoring and management system of Kaspersky Unified Monitoring and Analysis Platform (KUMA). The updated functionality improves the productivity of information security professionals working with the system and enhances the ability to detect and respond to threats within the XDR platform.

Endpoint response. Due to the closer integration KUMA 2.0 interface with Kaspersky Security Center and Kaspersky EDR, you can now manually or automatically configure a stricter security policy for: attacked computer isolate it from the network, start installing a patch for a vulnerable person ON , or block a suspicious one. As file a result, users will be able to more quickly respond to the threat and minimize its consequences.

KUMA 2.0 has added dozens of additional SQL-like statements, which greatly expands the capabilities of proactive threat hunting.

In addition to the existing integration with Kaspersky EDR for notification processing, the updated version of KUMA allows you to collect and normalize "raw" telemetry. This improves proactive threat detection and helps build correlations of data from endpoints with events from other sources.

The updated KUMA has expanded the ability to enrich events from security solutions with up-to-date data. For example, enrichment with geolocation information by IP address (GeoIP) is available, as well as from various dictionaries containing data, for example, from corporate HR systems, MCDS, etc.

Identify complex attack scenarios. By supporting more than 20 additional functions and calculated variables, the efficiency of detecting cyber attacks of any complexity is increased.

More and more organizations are realizing the importance of an integrated approach to information security. Tight integration of solutions within a single platform gives the most important quality in the fight - reduces detection time and increases reaction speed. KUMA 2.0 is the central element of Kaspersky Symphony XDR, which combines security solutions into a comprehensive cyber defense system, "said Dmitry Stetsenko, head of development at Kaspersky Lab's unified cybersecurity platform.

In addition to the above, the KUMA 2.0 release included many other improvements that were added based on customer feedback and wishes.

Compatibility with Security Vision, a dedicated information security automation platform

Kaspersky Lab and Security Vision have confirmed the compatibility of the SIEM system of Kaspersky Unified Monitoring and Analysis Platform (KUMA) and the automated information security platform Security Vision during comprehensive testing. This was announced by Kaspersky Lab on July 27, 2022.

Integration involves two threads of interaction:

• Information on IT assets: Security Vision enriches the internal asset database with data from KUMA;
• Information on suspected incidents (alerts) and initiating events is transmitted as part of a bidirectional interaction scheme.

Working in conjunction, the products complement each other's functionality: KUMA monitors events for violations of adopted security policies, and Security Vision automates the process of investigating and responding to detected information security events. The result of integration will be most in demand in companies with a high level of maturity of information security processes within their Security Operation Center.

Russian companies are increasingly faced with critical cyber incidents. It is possible to repel the attack in a timely manner and minimize its consequences with an operational reaction to it. According to Kaspersky Global Emergency Response Team statistics, in 2021 more than half of the incidents were identified only after the onset of adverse consequences, and in 37% of cases it took more than a month to restore business processes. Automation of the main information security functions will significantly reduce the time of detection and response. For large companies that work with large amounts of data from many different sources, automation is already a necessity. KUMA is the core of our XDR platform, one of the principles of which is openness to external integrations. Interaction with Security Vision IRP will complement the box integrations available at KUMA and significantly expand the capabilities of our customers to automate even the most complex and resource-intensive information security processes, allowing, for example, to build multi-stage incident response chains. commented Dmitry Stetsenko, head of the development of the unified cybersecurity platform Kaspersky Lab.

It is very important to respond in a timely and high-quality manner to emerging threats to information security, and in the current geopolitical situation for July 2022, this is relevant. Therefore, the relevance of information security solutions from reliable domestic suppliers is increasing. The use of KUMA and Security Vision solutions will allow continuous monitoring and detection of potential cybersecurity incidents, as well as automatic response to minimize their impact and reduce losses. said Roman Ovchinnikov, head of execution at Security Vision.

Kaspersky Unified Monitoring and Analysis Platform (KUMA) is a solution of the SIEM (Security Information and Event Management) class, which is designed for centralized collection, analysis and correlation of information security events from various data sources to identify potential cyber incidents and their timely neutralization. The system is based on a microservice architecture that provides opportunities for flexible scaling and quick updating of individual modules. KUMA has high performance - more than 300 thousand events per second (EPS) per node, and at the same time relatively low system requirements for its deployment.

Security Vision is a platform for automating information security processes, monitoring and responding to cybersecurity incidents, which for the first time allows you to robotically perform the software and hardware functions of an operator with an automation share of up to 95% due to:

• creating elements of self-regulating software using mathematical methods to free a person from participation in routine operations and processes of obtaining, converting, transmitting and using information;
• using machine learning algorithms and methods;
• using predictive big data analytics algorithms and cognitive information retrieval.

2021: Integration with NCCC

Kaspersky Lab on October 5, 2021 announced the update of its SIEM system Kaspersky Unified Monitoring and Analysis Platform (KUMA). The solution is designed to centrally collect, analyze and correlate information security events from various data sources to identify potential cyber incidents and neutralize them in time.

The developers focused on the functions in demand among companies with large infrastructures, as well as tools that simplify compliance with regulatory requirements. The updated version is integrated with the Russian National Coordination Center for Computer Incidents (NCCCA) thanks to the built-in State system of detection, prevention and elimination of consequences of computer attacks module. KUMA has significantly expanded its incident management capabilities. The updated section of the interface, "Incident," provides the ability to coordinate the collaboration of several analysts, appoint those responsible, change the priority and escalate individual cases.

Incident cards have been added to the platform to help collect all information for each case in one place: suspicious security events and other data, such as affected devices and users. Incidents can be created either automatically or manually, as well as generated cards in the necessary form for export from the interface to the National Coordination Center for Computer Incidents.

Another change was multitenancy support for security service providers (MSSPs) and large enterprises. This enables multi-branch companies and MSSP providers to identify and prioritize threats to multiple branches in a single, centralized environment. At the same time, the main platform administrator can assign roles to the users of each "tenant" that clearly determine what information they can view, create or change.

Also among the new features of KUMA:

• Monitor the status of event sources to notify administrators of issues in a timely manner
• replenishing the database of connectors for receiving events;
• automatic categorization of devices (dynamic categorization);
• Full backup of KUMA core data
• a set of preinstalled correlation rules prepared by Kaspersky Lab experts in accordance with MITRE ATTACK;
• HTTPRest API for managing devices and active lists.

Kaspersky Unified Monitoring and Analysis Platform is a key component of the Kaspersky Lab ecosystem of solutions for protecting large businesses. We analyzed the needs of our customers based on more than 150 requests over the past year and added a number of features and capabilities to the updated version that are important for protecting IT infrastructures large companies. Including these are multitenancy for MSSP service providers and geographically distributed companies, convenient incident management tools, as well as data exchange with NCCC, which helps to comply with the requirements of Russian regulators in the field of facility security, critical infrastructure- said, Mikhail Pribochiy Managing Director of Kaspersky Lab in Russia and. - KUMA countries CIS has established itself as a powerful tool and shows impressive streaming correlation performance: more than 300,000 events per second (EPS) per node.

2020: Product Presentation

On May 21, Kaspersky Lab announced its new product, which is in active development - the Kaspersky Unified Monitoring and Analysis Platform (KUMA) platform. It belongs to the class of SIEM (Security Information and Event Management) systems.

The company notes that initially they were not going to create a product of this kind. Pavel Taratynov, architect of information security centers, Kaspersky Lab, during an online presentation told why the company decided to create it, despite the fact that the global market for SIEM systems is quite mature and competitive.

As the results of a survey of our clients show, many still lack an alternative. And if a few years ago, when we assessed the need to enter this market, we did not see it, now the situation has changed. Now the choice of information security solutions is very strongly influenced by geopolitics. If you look at market leaders according to leading analytical agencies, we will see that they are all from the same country. And many of our large clients, for one reason or another, cannot or do not want to use these solutions, - said Taratynov.

According to him, Kaspersky Lab itself was partly held hostage to this situation when in 2019 Splunk, whose client was the company, suddenly left Russia. Then Kaspersky Lab faced the need to urgently look for an alternative.

Even before the release of the commercial version, Kaspersky Lab's security service chose KUMA as the main SIEM for itself and is in the process of implementation as of May, a company representative added.

According to the "magic quadrant" of Gartner (2020 Gartner Magic Quadrant for SIEM), the global leaders in this market are IBM, Splunk, Exabeam, Securonics, LogRhythm, Rapid7 and Dell Technologies (RSA)^[1]. Recent research on the Russian SIEM market from analysts has not been released recently. According to a 2018 IDC study, the most prominent domestic players in this market in Russia are Positive Technologies and NPO Echelon.

Answering a question about what the company was not satisfied with the existing Russian systems, a company representative said the following. The main requirements of the internal information security service of Kaspersky Lab for SIEM were performance, architecture flexibility and low system requirements. They also needed to be able to provide operational technical support, influence the development of the product from the point of view of functionality. The company's customers need the same, Taratynov said.

However, according to Pavel Taratynov, the main reason that pushed the company to create its own SIEM was that recently many different solutions have appeared in its portfolio, which are not always integrated with each other. There was not enough central connectivity to offer customers a single ecosystem, not just a suite of solutions.

In this regard, it was decided to develop not only SIEM, but to develop and develop a single modular security platform, where SIEM will be one of the components. It should combine all solutions and provide a single window for monitoring, incident response, orchestration of Kaspersky Lab solutions, as well as a single management console. The role of the latter, combined with incident monitoring, will be performed by SIEM. At the same time, the platform will be open for integration with third-party solutions.

According to Pavel Taratynov, the KUMA technology stack was developed from scratch and is not based on other products of the company. It was originally designed for high-load systems. The solution is based on a microservice architecture, where each component is a microservice that works independently of the others, a representative of Kaspersky Lab explained.

From the presentation of Pavel Taratynov - the list of sources of events that KUMA will support at the end of 2020, it is planned to expand it further

The solution contains components specific to SIEM: collectors, callers, a system kernel that provides centralized control, proxies for secure connection and communication with the database where events and an agent for collecting logs from Windows machines are stored. Open source components are also used, but the solution is not tied to them, and they can be replaced later, if necessary. For example, Elastic is used as a base for storing events.

In addition to the basic set of functions, such as support for third-party sources, retrospective analysis, support for preserving "raw" events, etc., the developers plan to implement a number of "proprietary" functions through its integration with other company products, Taratynov says.

From the presentation of Pavel Taratynov

The representative of the company explained the set of data sources, the support of which is planned to be implemented in the first place, by the fact that Kaspersky Lab has a number of commercial customers who plan to implement KUMA in the near future, or are already implementing it, and this list is a requirement from these customers.

The first release of the product is scheduled for December 2020, but pilot projects can be carried out starting in June, Taratynov said. The price of the new product in the company did not specify TAdviser during the presentation.

SIEM development is scheduled until 2021. In addition to the general development of the product functionality, it is planned to localize the solution for the Russian market in terms of interface, documentation, obtaining all the necessary certificates, inclusion in the register of domestic software, etc.

Notes