
RuSIEM System for collecting information and events from IT systems

Product
Developers: Rusiem (RuSIEM)
Last Release Date: 2024/08/16
Technology: Information Security Management (SIEM)

Main article: Security Information and Event Management (SIEM)

RuSIEM is a technology for collecting information and events from different IT systems, further formatting data for subsequent processing by security services.

2024

RuSIEM 4.2.0

RuSIEM, a Russian software developer in the field of information security and IT infrastructure event monitoring and management, has released the next version of the RuSIEM SIEM system, 4.2.0. The product developers announced this on August 16, 2024.

A key refinement in version 4.2.0 was the ability to collect events using the SNMP protocol, which is one of the most common methods for collecting and transferring data between network devices, monitoring and managing their operation.

The system can now also detect when the event flow stops for sources connected via the syslog connector.
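The syslog flow-termination check described above, as an added example that is not RuSIEM's own code: a small Python monitor that records the last event time per syslog source and flags sources that have been silent longer than a threshold. The log lines are constructed sample data and the year is supplied by the caller, because RFC 3164 timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed RFC 3164-style syslog lines (sample data, not from RuSIEM).
SAMPLE_LOG = """\
<134>Aug 16 10:00:00 fw01 kernel: accepted tcp 10.0.0.5:51234 -> 10.0.1.20:443
<134>Aug 16 10:00:30 vpn01 openvpn: client 10.8.0.2 connected
<134>Aug 16 10:02:00 vpn01 openvpn: client 10.8.0.2 disconnected
this line is not syslog and must be skipped
<134>Aug 16 10:06:00 fw01 kernel: dropped udp 10.0.0.9:1234 -> 10.0.1.20:161
<134>Aug 16 10:12:00 fw01 kernel: accepted tcp 10.0.0.5:51240 -> 10.0.1.20:443
"""

# PRI, BSD timestamp (day may be space-padded), hostname, message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse_line(line, year):
    """Return (host, timestamp) for a valid line, or None for junk."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))  # normalise "Aug  6" to "Aug 6"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return m.group("host"), when

def last_seen_by_source(lines, year):
    """Latest timestamp observed per source host; unparsable lines are skipped."""
    seen = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        host, when = parsed
        if host not in seen or when > seen[host]:
            seen[host] = when
    return seen

def silent_sources(last_seen, now, max_gap):
    """Hosts whose event flow stopped: silence longer than max_gap seconds."""
    gap = timedelta(seconds=max_gap)
    return {h: int((now - t).total_seconds())
            for h, t in last_seen.items() if now - t > gap}

def check_sample(now=datetime(2024, 8, 16, 10, 20, 0), max_gap=600):
    """Run the monitor over the constructed sample at a fixed 'now'."""
    seen = last_seen_by_source(SAMPLE_LOG.splitlines(), now.year)
    return silent_sources(seen, now, max_gap)

if __name__ == "__main__":
    for host, secs in check_sample().items():
        print(f"ALERT: no events from {host} for {secs}s")
```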

In addition, the improvements affected other microservices of the system. For example, the correlator was optimized for rules with two blocks of conditions, and in the reporting module the scope of user reports was expanded.

Obtaining the certificate of FSTEC of Russia

The Russian security monitoring system RuSIEM version 4.0.2 has passed FSTEC of Russia certification tests for the 4th level of trust. The developer announced this on July 1, 2024.

Users of the previous certified version of the product (3.8) can update the system and evaluate its capabilities. In particular, they have access to an updated system interface, setting up Telegram incident notifications to increase the speed of response and linking parsers to a source to reduce the load on the normalization microservice. In addition, now in the "Correlations" section, users will be able to work not only with static lists, but also with tables.

Updating the certified version of the RuSIEM SIEM system will also save database space by filtering out events according to established rules, ensure more stable system operation thanks to Ubuntu 22.04 support, and allow events to be collected from various DBMSs using the ODBC module.

The FSTEC of Russia certificate of conformity No. 4402 confirms the possibility of using the RuSIEM SIEM system version 4.0.2:

2021

Integration with Zecurion Data Loss Prevention Solution

On November 17, 2021, RuSIEM announced the launch of a technology partnership project to integrate the RuSIEM information security event monitoring and management system with the Data Loss Prevention (DLP) solution from Zecurion.

The pandemic and the transfer of personnel to a remote mode of operation have increased the relevance of protecting confidential data from leaks. Most of these incidents are caused not only and not so much by vulnerabilities in the software as by the human factor. To protect against accidental and deliberate leaks, companies need to use information protection tools to identify both internal and external violators.

A good solution to this problem is a combination of an SIEM system designed to identify and take into account incidents occurring in the organization and a DLP system that sees threats beyond the SIEM perimeter. As a result of the technical integration of RuSIEM and Zecurion solutions, customers will receive a solution that allows not only reading and analyzing events coming from the DLP system and, probably, indicating threats of information leaks, but also analyzing indirect data, which will help to identify internal violators as efficiently as possible.

"The synergy between SIEM and DLP greatly simplifies the work of the security service," said Anton Fishman, CTO of RuSIEM. "Considering that working with both systems requires special knowledge and skills, we try to make this task easier for customers and make the system intuitive to information security specialists and ready for use as much as possible out of the box."

"For our company, this is not just another technological partnership, but primarily active joint promotion to each other's customers. We not only addressed the integration of our solutions, but also carefully studied the features of RuSIEM products. In the near future, we plan to release a module for interaction with the SIEM system of our partners. Closer to the deadline for the implementation of such a module, we will reveal additional details," said Alexander Belyavsky, commercial director of Zecurion.

As part of the PAC for information security event management tasks

On October 28, 2021, RuSIEM announced the creation of a hardware and software complex (PAC) based on YADRO's VEGMAN line of standard-architecture enterprise-level servers. The PAC is a ready-made solution for information security event management tasks; it is based on software and a computing platform that fully meet the requirements of the registers of domestic equipment and software.

"RuSIEM PAC is a standard solution that we support on an ongoing basis, and we guarantee the full compatibility of all its components. Thus, customers receive a ready-made and fully configured PAC for their specification, which withstands high loads, which further reduces the time required for the initial deployment of the system," said Maxim Stepchenkov, co-owner of RuSIEM.

As part of the load tests, the stability and quality of the RuSIEM SIEM system were checked under different event flows. Based on the test results, several solution models were assembled.

"The company is actively working on the implementation of government directives on the transition to the use of mainly domestic software and hardware. This kind of migration always requires an integrated approach, so we regularly test new domestic solutions in order to correlate their capabilities with our needs. Of course, a Russian software and hardware complex for information security tasks is extremely interesting to us," said Stanislav Sergeyevich Ignatov, director of the information security department of JSC Rosgeo.

Integration with iT Bastion SCDPU NT

RuSIEM and iT Bastion have completed the first stage of integrating SCDPU NT, the system for monitoring the actions of IT service providers, with the RuSIEM information security event management system. RuSIEM announced this on August 31, 2021.

The integration of the solutions will allow iT Bastion customers who have RuSIEM installed to receive complete and detailed information about information security events in the SIEM system and, as a result, increase the security of their IT infrastructure. Data from SCDPU NT is transmitted to RuSIEM, which processes it automatically using correlation rules written for SCDPU NT and displays the result in the single interface of the SIEM system. Thus, the integration of SCDPU NT and RuSIEM will allow iT Bastion customers to reduce the time to detect incidents in different parts of the IT infrastructure and respond to them more quickly, including when the IT infrastructure is accessed remotely.

"When an organization increases the number of information protection tools it uses, it becomes necessary to optimize the process and unify the result of processing the data received from them. The SIEM system is the core of the information security infrastructure, but it often needs to be improved taking into account the parameters of other information security solutions used in the company. In other words, to customize the data sources available to the customer, such as, for example, a solution for controlling the actions of privileged users. To do this, we and our colleagues from iT Bastion first predicted threats, and then wrote correlation rules that would detect attacks. As a result of the work done, we trained RuSIEM to work with data coming from SCDPU NT," said co-owner of RuSIEM Maxim Stepchenkov.

"As a vendor, we are increasingly receiving requests from customers to strengthen the protection of the IT infrastructure through integration with certain solutions. Those customers who already have the RuSIEM system installed will not have to wait for the integrator to figure out how to 'make friends' with SCDPU NT. Our integration has been implemented and successfully tested. Thus, customers save time when implementing one of the systems, and therefore money," said the general director of iT Bastion, Alexander Novozhilov.

The integrated solution can be implemented in a wide range of industries and technology networks. SCDPU NT and RuSIEM are included in the register of Russian software, which allows their customers to comply with the ban on admitting software originating from foreign countries to procurements for state and municipal needs.

Rework of Archiving Module

On July 21, 2021, RuSIEM, a Russian developer of information security software, released an updated technological release of the RuSIEM event monitoring, collection and analysis system.

The release includes about 40 updates and features. Among the main changes is the refinement of the archiving module, the use of which now allows you to upload and store information security events on external network media on a long-term basis. This makes it possible to comply with the requirements of the law regarding the storage time of events with much lower hardware resources, as well as better investigation of incidents. The implementation of complex attacks usually takes place in several stages and lasts several months, that is, when investigating incidents, it is necessary to mainly refer to data that entered the system several months or even years ago.

"Since the damage from complex attacks is quite significant for the company, it is necessary to be able to quickly detect and close the 'test' to prevent its reuse. The archiving function will allow you to transfer events to network storage and, if necessary, access them to analyze and find the vulnerability," explains Anton Fishman, CTO of RuSIEM.

The second part of the system updates concerns the RuSIEM RuAgent module. The module now collects information about low-level events occurring at the kernel level of the operating system, which is necessary to identify new types of threats. This functionality is used in systems of the EDR (Endpoint Detection & Response) class, and it is this functionality that makes it possible to identify complex and targeted attacks aimed at stealing funds and data.

"The use of EDR allows you to collect and send low-level events to the SIEM system, the analysis of which makes it possible to identify and investigate the most complex and modern attacks. Modern malware is multi-component and arrives through different channels (instant messengers, mail, the Internet and others), while attackers often use current vulnerabilities that have not yet been fixed or closed with patches, and specifically check that it is not detected by modern antiviruses. It is possible to identify such threats only by collecting and analyzing events taking place at the kernel level of the operating system, at the lowest level," notes Anton Fishman.

Ability to use Mitre ID in correlation rules

On July 12, 2021, RuSIEM, a Russian information security software developer, announced the release of the technological release of the RuSIEM event monitoring, collection and analysis system.

"As the technologies used by developers and users of IT solutions, as well as by attackers, continuously evolve, information protection systems must quickly adapt to emerging risks and threats. This fully applies to SIEM systems, which, like any information security solution, are designed to minimize the risk of money theft and to prevent financial losses and reputational risks due to disruption of the continuity of technological and IT processes as a result of cyber attacks and threats," noted Anton Fishman, CTO of RuSIEM.

According to the company, the updated release of the RuSIEM system contains improvements that allow you to quickly and without increasing resources to detect various types of threats, classify and promptly prevent their consequences.

The release includes about 40 updates and features. The most significant changes affected the functionality of collecting information, managing information security events and setting up correlation rules, as well as working with users' information assets.

In addition, among the key updates:

  • The possibility of using Mitre ID and other classifiers in correlation rules. This allows correlations to be categorized and work to be optimized when investigating incidents and preparing reports for regulators.
  • Optimization of the correlation daemon when working with syslog, which improved system performance by more than 2.5 times at the same hardware cost.
  • Added support for ElasticSearch 7.14. Users of the system can use more up-to-date operations and commands when working with data, but the main effect will be seen later when archiving functionality is added: RuSIEM users with ElasticSearch 7.14 will be able to work with data in archived snapshots in real time without loading it into the system.

"In fact, the updates solve one task: to optimize the process of managing the risk of information security threats being realized. Requirements for the organization of risk management are imposed by state regulators, for example, in the financial sector. Therefore, as the developer of the SIEM system, we try to ensure that the results of its use comply with the recommendations and regulatory industry documents," Fishman added.

FSTEC Certificate

On May 19, 2021, RuSIEM, a Russian developer of software for information security monitoring and event management, announced that the RuSIEM event monitoring, collection and analysis system had received a certificate from the FSTEC of Russia.

The Certificate of Conformity of the FSTEC of Russia No. 4402 issued on May 12, 2021 certifies that the RuSIEM Security Event Management System software package developed and manufactured by RuSIEM LLC in accordance with specifications 02646976.62.01.29.001 TU is an information security event management system.

In accordance with the expert opinion, the RuSIEM system meets the information security requirements established in the document "Information Security Requirements Establishing Levels of Trust in Technical Information Protection Tools and Information Technology Security Tools" (FSTEC of Russia, 2020) for the 4th level of trust, and the technical specifications, provided that the operating instructions given in the form 02646976.62.01.29.001 30 01 are followed.

The certificate was issued on the basis of a technical conclusion dated 05.04.2021, issued based on the results of certification tests by the testing laboratory of Documentary Systems JSC, and an expert conclusion dated 12.04.2021, issued by the certification body FAA GNII PTZI FSTEC of Russia.

The certificate of compliance is valid until May 12, 2026.

Maxim Stepchenkov, co-owner of RuSIEM, noted: "Obtaining a certificate of the FSTEC of Russia is a strategically important event for the development of the product. Customers get the opportunity to purchase not only a quality product, but also a product that meets the regulatory requirements for SIEM. Now companies in the public sector, as well as industrial and power companies, will be able to use our product within the framework of regulatory requirements and evaluate its effectiveness."

The SIEM system from RuSIEM is a member of the Unified Register of Domestic Software (No. 3808) and is recommended for use in government agencies.

2019


Technologies:

  • The solution is based on its own technology, built on consumer demand, practical experience and technical analysis of competitors.
  • Modern development principles are used that allow the solution to evolve, replace modules and add new ones, and adapt to the needs of customers.
  • Practical use of AI and DL technology.

Examples of events:

  • Network attacks
  • Fraud
  • Where and when accounts were blocked
  • Changing Non-Admin Configurations
  • Privilege escalation
  • Identify unauthorized services
  • LSD detection (login under the account of the dismissed employee)
  • No anti-virus protection on the new installed computer
  • Change critical configurations from VPN connections
  • Control of executed commands on servers and network equipment
  • Audit configuration changes (network devices, applications, operating systems)
  • Compliance with the requirements of legislation and regulators (PCI, STO BR, ISO 27xx)
  • Abnormal user activity (bulk delete/copy)
  • Virus Outbreak Detection
  • Vulnerability detection by software installation event
  • Active vulnerability alert when a previously disabled service is started
  • Detect time-distributed attacks
  • Impact of Infrastructure Failure on Business Processes

2017: DeviceLock DLP became an event source for RuSIEM

On July 17, 2017, Smart Line and RuSIEM announced the technological integration of their own products to improve efficiency in preventing corporate information leaks and analyzing incidents.

As a result of the integration, the DeviceLock DLP complex acts as a source of information security events for the RuSIEM information security event management system.[1]

DeviceLock DLP sends information to SIEM systems in real time using the SNMP and syslog protocols and can duplicate event log records. Alerts can be generated and sent to SIEM systems as a result of allowed and prohibited attempts to transfer data over various network communication channels, write information to removable drives, print documents on local and network printers, transfer data in terminal sessions via the clipboard, etc.

Notes