
RuSIEM: Information and event collection system for IT systems

Product
Developers: Rusiem (RuSIEM)
Last Release Date: 2021/11/17
Technology: Information Security (IB) - Security Information and Event Management (SIEM)

Main article: Security Information and Event Management (SIEM)

RuSIEM is a technology for collecting information and events from different IT systems and normalizing that data for subsequent processing by security services.

2021

Integration with Zecurion Data Loss Prevention Solution

On November 17, 2021, RuSIEM announced the launch of a technology partnership project to integrate the RuSIEM information security event monitoring and management system with the Data Loss Prevention (DLP) solution of Zecurion.

The pandemic and the shift of staff to remote work have made protecting sensitive data from leaks more relevant. Most of these incidents are caused not so much by software vulnerabilities as by the human factor. To protect against accidental and intentional leaks, companies need information protection tools that identify both internal and external violators.

A good solution is a combination of a SIEM system, designed to detect and record incidents occurring in an organization, and a DLP system, which sees threats beyond the SIEM perimeter. As a result of the technical integration of the RuSIEM and Zecurion solutions, customers receive a product that can not only read and analyze events coming from the DLP system that probably indicate information leak threats, but also analyze indirect data, which helps identify internal violators as efficiently as possible.

"Synergy between SIEM and DLP significantly simplifies the work of the security service," said Anton Fishman, technical director of RuSIEM. "Considering that working with both systems requires special knowledge and skills, we try to make this task easier for customers and make the system intuitive for IB specialists and ready for use 'out of the box' as much as possible."

"For our company, this is not just another technological partnership, but primarily an active joint promotion to each other's customers. We not only solved the integration of our solutions, but also carefully studied the peculiarities of RuSIEM products. In the near future, we plan to release an interaction module with the SIEM system of our partners. Closer to the implementation date of such a module, we will reveal additional details," said Alexander Belyavsky, commercial director of Zecurion.

As part of the PAC for information security event management tasks

On October 28, 2021, RuSIEM announced the creation of a software and hardware complex (PAC) based on YADRO's VEGMAN line of standard-architecture enterprise-class servers. The PAC is a ready-made solution for information security event management tasks; it is based on software and a computing platform that fully meet the requirements of the registries of domestic equipment and software.

"The PAC RuSIEM is a model solution that we support on an ongoing basis and guarantee full compatibility of all its components. Thus, customers receive a PAC that is ready and fully configured for their specification and withstands high loads, which additionally reduces the time required for the initial deployment of the system," said Maxim Stepchenkov, co-owner of RuSIEM.

As part of load testing, the stability and quality of the SIEM system from RuSIEM were checked at different event flow rates. Based on the test results, different solution models were assembled.

"The company is actively working on the implementation of government directives on the transition to the use of mainly domestic software and equipment. This kind of migration is always an integrated approach, so we regularly test new domestic solutions to correlate their capabilities with our needs. Of course, the Russian software and hardware complex for information security tasks is extremely interesting to us," said Stanislav Sergeyevich Ignatov, director of the information security department of Rosgeologia JSC.

Integration with SKDPU NT of AIT Bastion

RuSIEM and AIT Bastion have completed the first stage of integrating SKDPU NT, the system for monitoring the actions of IT service providers, with the RuSIEM information security event management system. This was announced on August 31, 2021 by RuSIEM.


The integration will allow AIT Bastion customers who have RuSIEM installed to receive complete and detailed information security events in the SIEM system and, as a result, improve the security of their IT infrastructure. Data from SKDPU NT is transmitted to RuSIEM, which processes it automatically using the correlation rules written for SKDPU NT and displays the result in the single interface of the SIEM system. Thus, the integration of SKDPU NT and RuSIEM will allow AIT Bastion customers to reduce the time to detect incidents in different parts of the IT infrastructure and respond to them more quickly, including when the IT infrastructure is accessed remotely.

"As an organization increases the number of information protection tools it uses, there is a need to optimize the process and unify the result of processing data from them. The SIEM system is the core of the IB infrastructure, but it often needs to be finalized taking into account the parameters of other IB solutions used in the company. In other words, to customize it for the data sources available to the customer, such as, for example, a solution for controlling the actions of privileged users. To do this, we and colleagues from AIT Bastion first predicted threats, and then wrote correlation rules that will detect attacks. As a result of the work done, we trained RuSIEM to work with data coming from SKDPU NT," said Maxim Stepchenkov, co-owner of RuSIEM.

"As a vendor, we increasingly receive requests from customers to strengthen IT protection through integration with various solutions. Those customers who already have a RuSIEM system installed do not have to wait until the integrator comes up with a way to 'make friends' with SKDPU NT. Our integration has been implemented and successfully tested. Thus, customers save time when implementing one of the systems, and therefore money," said Alexander Novozhilov, general director of AIT Bastion.

The integrated solution can be implemented across a wide range of industries and technology networks. SKDPU NT and RuSIEM are included in the register of Russian software, which allows their customers to comply with the ban on admitting software originating from foreign countries to procurement for state and municipal needs.

Refinement of archiving module

On July 21, 2021, RuSIEM, a Russian developer of information security software, released an updated technological release of the RuSIEM system for monitoring, collecting and analyzing events.

The release includes about 40 updates and features. The main change is the refinement of the archiving module, which now allows information security events to be uploaded to and stored on external network storage on a long-term basis. This makes it possible to meet legal requirements for event retention periods with far fewer hardware resources and to conduct incident investigations better. Complex attacks usually unfold in several stages over several months, so incident investigations mainly need data that entered the system months or even years earlier.

"Since the damage from complex attacks is quite significant for the company, it is necessary to be able to quickly detect and close the 'breakdown' to prevent its reuse. The archiving function will allow you to transfer events to online storage and, if necessary, refer to them to analyze and find a vulnerability," explains Anton Fishman, technical director of RuSIEM.

The second part of the system updates concerns the RuSIEM RuAgent agent module. The module now collects information about low-level events occurring at the operating system kernel level, which is needed to identify new types of threats. This functionality is used in systems of the EDR (Endpoint Detection & Response) class, and it is what makes it possible to identify complex and targeted attacks aimed at stealing funds and data.

"Using EDR allows you to collect and send low-level events to the SIEM system, the analysis of which makes it possible to identify and investigate the most complex and modern attacks. Modern malware (VPO) is multi-component and arrives through various channels (messengers, mail, the Internet and others), while attackers often use current vulnerabilities that have not yet been fixed or closed by patches, and specifically check that it is not detected by modern antiviruses. You can identify such threats only by collecting and analyzing events occurring at the level of the operating system kernel, at the lowest level," notes Anton Fishman.

Ability to use MITRE IDs in correlation rules

On July 12, 2021, RuSIEM, a Russian developer of information security software, announced a technological release of the RuSIEM system for monitoring, collecting and analyzing events.

"As the technologies used by developers and users of IT solutions, and by intruders, are constantly evolving, information protection systems must quickly adapt to emerging risks and threats. This applies fully to SIEM-class systems designed, like any information security solution, to minimize the risks of money theft, as well as to prevent financial losses and reputational risks due to the interruption of technological and IT processes as a result of cyber attacks and the realization of threats," noted Anton Fishman, technical director of RuSIEM.

According to the company, the updated release of the RuSIEM system contains improvements that allow various types of threats to be detected quickly and without additional resource costs, classified, and their consequences prevented in time.

The release includes about 40 updates and features. The most significant changes concern the functionality for collecting information, managing information security events and configuring correlation rules, as well as working with users' information assets.

In addition, key updates include:

  • the ability to use MITRE IDs and other classifiers in correlation rules. This allows correlations to be categorized and streamlines work when investigating incidents and preparing reports for regulators;
  • optimization of the correlation daemon with syslog, improving system performance by more than 2.5 times at the same hardware cost;
  • added support for Elasticsearch 7.14. Users of the system can use more up-to-date operations and commands when working with data, but the main effect will be seen later, when the archiving functionality is added: RuSIEM users with Elasticsearch 7.14 will be able to work with data in archive snapshots in real time, without loading them into the system.

"In fact, the updates solve one problem: to optimize the process of managing the risk of information security threats being realized. Requirements for the organization of risk management are set by state regulators, for example, in the financial sphere. Therefore, as a developer of the SIEM system, we try to ensure that the results of its use comply with the advisory and regulatory industry documents," Fishman added.

FSTEC Certificate

On May 19, 2021, RuSIEM, a Russian developer of software for monitoring and managing information security events, reported obtaining a certificate from the FSTEC of Russia for the RuSIEM system for monitoring, collecting and analyzing events.

The compliance certificate of the FSTEC of Russia No. 4402, issued on May 12, 2021, certifies that the software complex "Security Event Management System RuSIEM", developed and manufactured by RuSIEM LLC in accordance with specifications 02646976.62.01.29.001, is an information security event management system.

In accordance with the expert opinion, the RuSIEM system meets the information security requirements established in the document "Information security requirements establishing levels of trust in technical information protection tools and information technology security tools" (FSTEC of Russia, 2020) at the 4th level of trust, as well as the technical conditions, provided that the operating instructions given in form 02646976.62.01.29.001 30 01 are followed.

The certificate was issued on the basis of a technical opinion dated 05.04.2021, drawn up from the results of certification tests by the testing laboratory of Documentary Systems JSC, and an expert opinion dated 12.04.2021, drawn up by the certification body of FAU GNII PTZI FSTEC of Russia.

The certificate of conformity is valid until May 12, 2026.

Maxim Stepchenkov, co-owner of RuSIEM, noted: "Receiving a certificate from the FSTEC of Russia is a strategically important event for the development of the product. Customers are able to purchase not only a quality product, but also a compliant product for SIEM. Now industrial, energy and public sector companies, as part of regulatory requirements, will be able to take advantage of our product and evaluate its effectiveness."

The SIEM system from RuSIEM is included in the Unified Register of Domestic Software (No. 3808) and is recommended for use in public institutions.

2019

Technologies:

  • The solution is based on the company's own technology, shaped by customer demand, practical experience and technical analysis of competitors.
  • Modern development principles are used, allowing the solution to evolve, replace modules and add new ones, and adapt to customer needs.
  • Practical use of AI and DL technology.

Examples of events:

  • Network attacks
  • Fraud
  • Where and when accounts were blocked
  • Unapproved configuration changes
  • Privilege escalation
  • Identification of unauthorized services
  • Detection of unauthorized access (NSD), for example a logon under the account of a dismissed employee
  • No antivirus protection on a newly installed computer
  • Changes to critical configurations from VPN connections
  • Monitoring of commands on servers and network equipment
  • Audit of configuration changes (network devices, applications, OS)
  • Compliance with regulations and regulators (PCI, STO BR, ISO 27xx)
  • Abnormal user activity (bulk delete/copy)
  • Virus epidemic detection
  • Vulnerability detection from a software installation event
  • Alert on an active vulnerability when a previously disabled service is started
  • Detection of time-distributed attacks
  • Impact of infrastructure failures on business processes

2017: DeviceLock DLP has become a source of events for RuSIEM

On July 17, 2017, Smart Line and RuSIEM announced the technological integration of their products to increase efficiency in preventing corporate information leaks and analyzing incidents.

As a result of the integration, the DeviceLock DLP complex acts as a source of information security events for the RuSIEM information security event management system[1].

DeviceLock DLP sends operational information to SIEM systems in real time via the SNMP and syslog protocols and can duplicate event log entries. Alerts can be generated and sent to SIEM systems on authorized and prohibited attempts to transfer data through various network communication channels, write information to removable drives, print documents on local and network printers, transfer data in terminal sessions through the clipboard, etc.

Notes