
R-Vision SIEM

Product
Developers: R-Vision
First release date: 2023/09/29
Last Release Date: 2024/09/26
Technology: Information Security Management (SIEM)


Main article: Security Information and Event Management (SIEM)

2024

R-Vision SIEM 1.8 with enhanced functionality

On September 26, 2024, R-Vision introduced an updated version of the flagship product R-Vision SIEM 1.8 with advanced functionality. In this version, the developer added an audit of information security event sources to quickly identify and fix problems, monitor the health of Kubernetes to minimize the risks of failures, and accelerate user authentication thanks to the implementation of the LDAP protocol.

"We are actively deepening our expertise and developing R-Vision SIEM functionality according to market needs. As of September 2024, the examination package already supports more than 100 sources of events and contains more than 350 correlation rules. These tools allow us to effectively identify the main areas of attack and ensure that most of the infrastructure is covered without additional settings. Our goal is to offer customers a product that helps users to efficiently and safely solve everyday problems," said Viktor Nikulichev, R-Vision product manager.

In this release of R-Vision SIEM 1.8, you can now track the status of the sources from which events arrive in the collectors. The state of the sources is assessed by the frequency and number of events, which allows detecting deviations in their operation.

To do this, the system provides custom source audit policies. They track changes in the event flow and send notifications when the specified thresholds are reached through configured integrations.

The timeliness and completeness of incoming events are critical aspects of SOC operation. That is why we have added source control metrics that help to quickly identify and eliminate possible problems, such as the loss of events from one of the sources.
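The source audit described above is, at its core, a per-source event-rate check against configured thresholds. The following is an added illustration, not R-Vision code: it counts events per source inside a window, records when each source was last seen, and reports three kinds of deviation (a source that has gone silent, one whose rate fell below a floor, and one whose rate exceeded a ceiling). The policy fields, the event line format and the sample events are all constructed for this example.

```python
"""Source audit: flag event sources whose flow deviates from a threshold policy."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SourceAuditPolicy:
    """Thresholds for one source (hypothetical policy shape, not R-Vision's own)."""
    window: timedelta        # period over which events are counted
    min_events: int          # fewer than this in the window -> "low_rate"
    max_events: int          # more than this in the window -> "high_rate"
    max_silence: timedelta   # no events for this long -> "silent"


def parse_event(line: str) -> tuple[datetime, str]:
    """Parse a constructed '<ISO timestamp> <source name>' line."""
    ts, source = line.split(" ", 1)
    return datetime.fromisoformat(ts), source.strip()


def audit_sources(events, policies, now):
    """Return {source: [finding, ...]} for every source that has a policy.

    events   - iterable of (timestamp, source) pairs as received by a collector
    policies - {source: SourceAuditPolicy}
    now      - the moment the audit runs (passed in so the check is deterministic)
    """
    last_seen = {}
    counts = defaultdict(int)
    for ts, source in events:
        policy = policies.get(source)
        if policy is None:
            continue  # unmonitored source: nothing to assess
        if now - policy.window < ts <= now:
            counts[source] += 1
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts

    findings = {}
    for source, policy in policies.items():
        issues = []
        seen = last_seen.get(source)
        if seen is None or now - seen > policy.max_silence:
            issues.append("silent")
        if counts[source] < policy.min_events:
            issues.append("low_rate")
        if counts[source] > policy.max_events:
            issues.append("high_rate")
        findings[source] = issues
    return findings


def notifications(findings):
    """Turn findings into the message lines an integration (e.g. SMTP) would send."""
    return [f"source {s}: {', '.join(issues)}" for s, issues in findings.items() if issues]


# Constructed sample data: three sources observed over one hour.
_BASE = datetime(2024, 9, 26, 11, 0)
NOW = datetime(2024, 9, 26, 12, 0)
SAMPLE_LINES = (
    # dc-01 stopped sending at 11:39 -> silent and below the rate floor
    [f"{(_BASE + timedelta(minutes=m)).isoformat()} dc-01" for m in (35, 37, 39)]
    # fw-edge sends a steady trickle -> healthy
    + [f"{(_BASE + timedelta(minutes=m)).isoformat()} fw-edge" for m in (56, 57, 58, 59)]
    # proxy bursts 25 events in five minutes -> above the ceiling
    + [f"{(_BASE + timedelta(minutes=55, seconds=10 + 10 * i)).isoformat()} proxy" for i in range(25)]
)
_DEFAULT = SourceAuditPolicy(timedelta(minutes=5), min_events=3, max_events=20,
                             max_silence=timedelta(minutes=10))
POLICIES = {"dc-01": _DEFAULT, "fw-edge": _DEFAULT, "proxy": _DEFAULT}


def run_sample():
    """Audit the constructed sample at NOW; returns the findings dictionary."""
    return audit_sources((parse_event(l) for l in SAMPLE_LINES), POLICIES, NOW)


if __name__ == "__main__":
    for line in notifications(run_sample()):
        print(line)
```

The window and silence thresholds are passed in rather than hard-coded so that a noisy firewall and a quiet domain controller can carry different policies, which is the point of making the audit policies configurable per source.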

To ensure uninterrupted operation of the SIEM system, it is necessary to carefully monitor the condition of all its components. In R-Vision SIEM 1.8, we apply modern approaches and technologies, including Kubernetes. A special Monitoring section has been added to the system, which allows us to monitor the state of the Kubernetes cluster.

In this section, you can find detailed information about containers, nodes, system modules, and other cluster components. The visual monitoring tools allow analysts to keep a close watch on the state of the cluster and its resource utilization, and all the necessary metrics can also be collected centrally by any convenient external means.

Starting with version 1.8, the system has the ability to use authorization in Active Directory, ALD Pro, FreeIPA and OpenLDAP domains via LDAP (Lightweight Directory Access Protocol) - an effective tool for centralized management of both individual domain users and domain groups. With its help, you can:

Synchronize data about users, including their logins, full names, positions, statuses, email addresses and phone numbers.

The implementation of LDAP connections significantly reduces the time required to authenticate users, and also opens up opportunities for configuring the role model in the system.

The developer has improved the basic functionality of the R-Vision SIEM 1.8 system by adding two new features:

Users can now export and import dashboards in JSON format. This allows them to easily import ready-made dashboard templates and use them as content, which greatly simplifies the work of analysts.

When configuring alerts through the SMTP integration, users can reference the fields of the alert, or of the correlation event that generated it, in message templates. This makes it possible to create separate templates for different tasks and integration purposes.

These improvements make working with the system more productive, allowing analysts to focus on data analysis rather than routine.

R-Vision SIEM 1.6 with Correlator Distributed Mode

On June 27, 2024, R-Vision announced the release of R-Vision SIEM version 1.6. The update includes improvements in working with correlation rules, as well as increasing the ability to scale, additional control and user management.

R-Vision SIEM 1.6 has been supplemented by the correlator distributed operation mode, which is available when configuring the collector. You can now use the resources of multiple nodes in a cluster to handle events in parallel. Thus, to handle more events, it is possible to scale correlation resources horizontally by available physical machines, saving on the cost of large configurations.

The R-Vision SIEM team of experts also paid special attention to working with large infrastructures. A flexible role model is important for such customers. Therefore, in this version, the developers have implemented the functionality of multi-tenancy in the system, thanks to which you can centrally manage one solution to protect several branches of the organization.

The developer also provided a flexible system of restrictions based on permission groups and roles, including the ability to distribute access roles and to create groups of users with completely unique permissions. The password policy, in turn, sets requirements for the strength and use of account passwords, which increases the security of the system itself.

In addition, the developer has added snippets for managing function templates used in the development of correlation and normalization rules. For example, if you plan to use the same fragment of code in several rules, you can save it as a snippet and then insert that snippet wherever it is needed.

"In R-Vision, we develop technologies based on customer feedback. We are constantly improving our products, adding new functions and making their use more convenient," said Viktor Nikulichev, product manager of R-Vision SIEM. "The improvements made respond to the main customer request for system scaling and monitoring. And the functionality of distributed correlation opens up new opportunities for our customers."

Inclusion in the AFL Repository

On March 19, 2024, R-Vision announced the inclusion of the R-Vision SIEM solution in the FinTech Association Repository (AFL Repository). This repository contains verified information security products that are recommended for use as part of import substitution in the financial industry. R-Vision SIEM was added to the AFL register on March 15, 2024. The registry number is AFT0247.

"The inclusion of R-Vision SIEM in the FinTech Association repository is a step that will significantly expand R-Vision's opportunities for cooperation with organizations from the financial industry," said Kamil Baimashkin, Deputy Executive Director of R-Vision. "This is especially important within the framework of the import substitution program of foreign software. Therefore, the introduction of the R-Vision SIEM information security event flow management system into the list of IT solutions for the financial sector confirms that the product will help financial institutions find a worthy replacement for foreign vendors who have left the market without losing functionality and performance, and provide a solution for even the most complex information security tasks."

In the banking sector, where security is a key factor, SIEM systems (Security Information and Event Management) play a crucial role. They allow you to quickly detect threats and respond to them, which is especially important in the context of frequent cyber attacks. With SIEM systems, banks can track and analyze large amounts of data, allowing them to identify suspicious transactions in a timely manner, assess risks and take measures to prevent possible incidents. This, in turn, helps to maintain customer confidence and maintain a reputation as a reliable financial institution.

In addition, SIEM systems provide centralized monitoring and control over all bank information systems, which greatly simplifies the security management process. They also allow you to automate the incident response process, which reduces the likelihood of errors and increases the efficiency of specialists.

"Financial sector organizations pay great attention to technological development and strive to digitalize their processes and services as much as possible. This requires them to provide a high level of information security to prevent the leakage of critical data. The repository of the FinTech Association helps organizations choose reliable suppliers of information security solutions that have proven their viability in the market and are independent of foreign technologies," said Viktor Nikulichev, product manager of R-Vision SIEM.

R-Vision SIEM 1.3

On January 16, 2024, R-Vision, a developer of cybersecurity systems, announced an expansion of the functionality of R-Vision SIEM. Version 1.3 includes a number of updates: the developer optimized the set of functions for collecting and processing events and implemented tools for working with content and search. The developer also added a report designer and expanded the ways of integrating with external systems.


As reported, in this version of its own SIEM system the company's experts expanded the functionality of the event processing pipeline, which lets the SOC analyst control event collection and processing from the graphical interface. To the already available entry and exit points, buses and the event normalizer, the R-Vision team added new elements: an aggregator, a router and a filter. This allows users to configure event handling flexibly, which is especially important when the infrastructure of sources and systems is large.
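To make the roles of the pipeline elements named above concrete, here is an added example (not R-Vision code, and not its actual pipeline API) of a minimal event pipeline in which a normalizer turns raw lines into a common schema, a filter drops events that carry no detection value, a router assigns each event to a bus by its type, and an aggregator collapses repeated identical events into one record with a count. The line format, field names and sample lines are constructed for this example.

```python
"""A minimal event pipeline: normalizer -> filter -> router -> aggregator."""
import re
from collections import OrderedDict

# Constructed raw lines in a simple '<ts> <source> <action> key=value ...' format.
RAW_LINES = [
    "2024-09-26T11:58:01 fw-edge DENY src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-09-26T11:58:02 fw-edge DENY src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-09-26T11:58:03 fw-edge ALLOW src=10.0.0.7 dst=10.0.0.1 dport=53",
    "2024-09-26T11:58:04 dc-01 LOGON user=alice result=failure",
    "2024-09-26T11:58:05 dc-01 LOGON user=alice result=failure",
    "2024-09-26T11:58:06 dc-01 LOGON user=bob result=success",
    "this line does not match the format and is dropped by the normalizer",
    "2024-09-26T11:58:07 fw-edge DENY src=10.0.0.5 dst=203.0.113.9 dport=445",
]

_LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<source>\S+) (?P<action>[A-Z]+)(?P<kv>.*)$")


def normalize(line):
    """Normalizer: map a raw line to a flat dict with a fixed set of field names.

    Returns None for lines that do not match the expected format.
    """
    m = _LINE_RE.match(line)
    if m is None:
        return None
    event = {"ts": m["ts"], "source": m["source"], "action": m["action"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        if key and value:
            event[key] = value
    return event


def keep(event):
    """Filter: discard permitted network traffic; everything else is retained."""
    return event["action"] != "ALLOW"


def route(event):
    """Router: choose the bus an event is written to, based on its type."""
    return "auth" if event["action"] == "LOGON" else "network"


def aggregate(events):
    """Aggregator: merge events that are identical apart from their timestamp.

    Each merged record keeps first_seen, last_seen and a count.
    """
    merged = OrderedDict()
    for event in events:
        key = tuple(sorted((k, v) for k, v in event.items() if k != "ts"))
        if key not in merged:
            record = {k: v for k, v in event.items() if k != "ts"}
            record.update(first_seen=event["ts"], last_seen=event["ts"], count=0)
            merged[key] = record
        merged[key]["count"] += 1
        merged[key]["last_seen"] = max(merged[key]["last_seen"], event["ts"])
    return list(merged.values())


def run_pipeline(lines):
    """Run all stages and return {bus_name: [aggregated events]}."""
    buses = {}
    for line in lines:
        event = normalize(line)
        if event is None or not keep(event):
            continue
        buses.setdefault(route(event), []).append(event)
    return {bus: aggregate(events) for bus, events in buses.items()}


if __name__ == "__main__":
    for bus, records in run_pipeline(RAW_LINES).items():
        print(bus, records)
```

Aggregating before the correlation stage is what keeps a repeated deny or a burst of failed logons from becoming many separate correlation inputs; the count on the merged record still carries the information a rule may need.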

In addition, the changes affected the work with expertise objects. Each such object is a content part of the product that contains written expertise on the processing and analysis of information security events. It includes normalization and correlation rules, active lists, enrichment tables, and event models. The R-Vision team optimized the process of preparing expertise objects by adding functions. Now information security specialists, in addition to creating and changing their own rules, can copy and delete expertise elements, enable, disable and update the rules in use, and use templates and versioning. Also in this update, the company's specialists optimized the validation and testing of rules, which helps SOC employees run additional checks on the effectiveness of the rules they developed in a test system. This allows errors in content preparation to be avoided and its effectiveness to be evaluated in advance, which in turn reduces the number of false positives when the rules are put into operation and helps ensure system performance.

Also in R-Vision SIEM 1.3, the developer expanded the functions of the search tool, adding syntax highlighting, suggestions for the queries that SOC analysts compose, quick filters directly from information security events, an interactive progress bar and a graph of event distribution, as well as support for all key database query functions, so that the analyst can quickly find the necessary events in the stream of incoming data.

An important change in this update was the addition of a report designer that streamlines the reporting process. The designer helps the SOC analyst create report templates and send them according to an established schedule.

Significant changes affected the work with external systems. In version 1.3, active collection of events from various databases and over the HTTP protocol was added for SOC analysts. R-Vision experts also expanded the integration capabilities, which in particular allow switching to the interfaces of the R-Vision SOAR, Endpoint and UEBA systems. This allows more events to be collected from different systems and incidents to be passed automatically to SOAR for response.

2023: Presentation of the R-Vision SIEM solution

On September 28, 2023, R-Vision introduced two technologies, R-Vision SIEM and R-Vision VM, whose creation was another step in the development of its own ecosystem for the evolution of the SOC, R-Vision EVO.

R-Vision SIEM provides centralized event flow management from all information systems, helps identify incidents in a timely manner, and maintains business integrity. It allows you to optimize the use of company resources through an integrated approach to handling security events at all stages of data management.

R-Vision VM is a technology that allows you to identify information security vulnerabilities in the organization's infrastructure, aggregate the information received in a single database, as well as prioritize the discovered vulnerabilities and monitor the process of eliminating them.

"Our partnership with R-Vision began a few years ago, when NSD was faced with the task of building a truly effective Vulnerability Management process. Against the background of the events of 2022, the situation was also complicated by the lack of support for solutions from foreign information security suppliers, which means that the issue of working with vulnerabilities has become even more acute. Modernizing the vulnerability management process using expertise and R-Vision technologies allowed us to quickly and easily automate it, thereby ensuring timely elimination of vulnerabilities and protection from their exploitation," commented Oleg Kuserov, Director of Information Security at the National Settlement Depository.