ITB: Security Capsule

Security Capsule - SIEM system for recording security events.

2024: Integration with F.A.C.C.T. Threat Intelligence

On September 12, 2024, the F.A.C.C.T. announced the technological integration of the Security Capsule SIEM (SC SIEM) information security event monitoring and correlation system with the F.A.C.C.T. Threat Intelligence system. Technical cooperation will provide SC SIEM users with a deeper proactive approach to protecting against current cyber threats, detecting complex targeted attacks. Read more here.

2016

Certification of FSTEC of Russia

In the fall of 2016, the Security Capsule software and hardware complex successfully passed certification tests in the certification system. FSTEC Russia Certificate of Conformity No. 3649 dated November 9, 2016.

Release of updated version of PACAB SIEM Security Capsule

On September 28, 2016, ITB announced the release of the upgraded version of PACAB SIEM "Security Capsule."

The SIEM "Security Capsule" PACAB is designed to record information security events and performs the following functions:

• registration and accounting of information security (IS) events in information-computing systems and networks,
• delimiting user access to SIEM information resources,
• SIEM access control,
• Monitor the integrity of SIEM files
• correlation of information security events,
• response to information security events.

System Architecture, (2015)

Based on the analysis of information obtained using SIEM "Security Capsule," the Security Administrator takes measures to ensure the security of objects of information and computing systems and networks.

Registration of information security events is implemented by maintaining logs of information security events:

• User access to the application and shutdown
• allowed/unresolved actions of users to access information resources;
• Messages received from network devices
• operator actions on client workstations such as: establishing access to the workstation using the eToken USB key;
• accessing external USB devices, accessing files on external devices.

The composition of the program modules (connectors) is variable by agreement with the customer.

List of developed connectors that accumulate data on information security events:

• Data from network devices that use the syslog protocol (for example, Cisco hardware, S-Terra hardware, CheckPoint)
• Data in DBMS logs, such as Oracle
• data in the system log of operating systems of the Windows, Linux families;
• data when using removable media such as eToken, USB, LPT, COM. IEEE 1394, ZlocK, Device Lock;
• Data from MPS from LSD, for example: Block Host, Dallas Lock;
• data from antivirus tools, for example: Doctor WEB, NOD32, Kaspersky Anti-Virus;
• Data from Active Direction
• Windows registry data;
• data from IDM systems (Identity Management), for example: Outpost;
• data from DLP systems (Data Leak Prevention), for example: Falcongaze.

SIEM "Security Capsule" is focused on compliance with domestic technical regulations and standards in the field of information security.

The system is focused on using:

• security administrators;
• administrators of IE, DBMS, LAN, LDS;
• heads of security services;
• heads of companies, enterprises (organizations);
• developers of confidential information protection systems.

Use

To use the SIEM system, the following conditions must be met: SIEM "Security Capsule" operates under the OS\ Microsoft Windows XP\7\8,10, Windows Sever 2010\2012 OC. Linux The Microsoft.NET Framework 4.0 runtime environment is required for the program to work. The program runs in a client/server architecture. Server part - DBMS. My SQL Database Server 5.5.2 or MS SQL is used as a DBMS.

Architecture

PACAB "Security Capsule" operates on the basis of client-server technology for distributed heterogeneous IS, LDS, LAN and confidential information protection system.

As part of the Security Capsule PACAB, the modules are:

• server part module;
• Monitoring and administration module
• central module;
• Client modules
• connectors;
• reporting module.

The server component has a hierarchical structure. Thus, event monitoring can be carried out locally in geographically remote departments, branches, subsidiaries and dependent organizations. Initial processing of information security events is carried out on local servers, either the full composition of information security events or the generated list of critical events and analysis results are transmitted to the central server.

In order to reduce the load on the data network, the initial processing of events is carried out on the Security Capsule servers installed in the LAN. Depending on the degree of importance and criticality, information about information security events is transmitted to higher-level servers. In order to reduce traffic, information to higher-level servers is transmitted on a schedule, usually during the lowest load on the LDS. Critical events are transmitted in real time.

An important module of the system is the module for processing and displaying information about events, generating reports. System administrators have the ability to independently, in accordance with the requirements of the information security policy, determine the list of monitored events, choosing from the basic set the required. Determine criticality levels.

As part of the event analysis, they are divided into events of OS information security, network devices, IPS from NSD, DBMS, antivirus tools, and application systems. Each monitored event or event group is assigned a status at the system setup stage. Event collection can be continuous, discrete with reference to a single time system, in a time interval. Events from different event sources can be mapped according to different criteria. Events can be sorted, ranked, and filtered by different characteristics. The system administrator has the ability to manage event handling rules. Events related to User Account Control are handled separately, including creation, modification, deletion, control-based access control, such as AD. Also, events related to the installation and/or removal of system-wide and application software, security tools using the system registry control mechanism are subject to processing. Security Capsule implements the maintenance of "white" and "black" lists of software.

The system provides user groups with configurable access rights and functionality for administration.

The modular architecture provides easy maintenance and scaling of the SIEM "Security Capsule."

Using SIEM "Security Capsule" it is possible to identify:

• Network attacks in the internal and external perimeters.
• Minimum hardware environment requirements.
• Viral infections, backdoors and Trojans.
• Attempts at unauthorized access to information.
• and Frod fraud.
• Errors in the operation of information systems.
• Vulnerabilities.
• Configuration errors in security and information systems.

Events captured by SIEM "Security Capsule":

• related to user attempts to establish access.
• messages from network devices.
• caused by user actions on workstations.
• obtained from removable media control means.
• applied information systems.
• related to AD.
• control of operating and software environments.
• DBMS.
• OS of the Windows family, Linux.
• received from MPS from NSD.

Hardware Requirements

• processor Intel X86 or compatible with a frequency of 1 GHz or higher;
• at least 256 MB of RAM;
• to install the Product, at least 200 MB of free space is required on the permanent storage medium of the machine memory used by the computer;
• manual manipulator of "mouse" type;
• a removable storage device (CD and DVD drive);
• SVGA video card;
• Ethernet adapter with 8P8C connector type for twisted pair;
• a computer keyboard;
• monitor with a diagonal of at least 15 inches and a resolution mode of at least 800x600 dpi.

PAKAB "Security Capsule" is certified by the FSTEC of Russia to protect confidential information, including ISDS. Certificate of FSTEC of Russia No. 2705 dated September 7, 2012.