R-Vision SIEM

Product
Developers: R-Vision
Date of the premiere of the system: 2023/09/29
Last Release Date: 2024/12/19
Technology: Information Security Management (SIEM)

Main article: Security Information and Event Management (SIEM)

2024

R-Vision SIEM 2.0 with Correlation Rule Designer

R-Vision released a major update for the R-Vision SIEM 2.0 product on December 19, 2024. The vendor expanded the detection functions and implemented a correlation rule constructor.

The developer added a correlation rule constructor to R-Vision SIEM 2.0. It creates and modifies correlation rules interactively without the use of a code editor. The visual interface and step-by-step visualization of the process make it easier for analysts to create the necessary rules.

The changes also affected the elements of the event processing pipeline. R-Vision experts added the main metrics, "number of errors" and "received and sent events," to the pipeline interface. The key figures for each element are now available immediately, without switching to other sections. This helps you identify potential errors faster and minimize the loss of incoming events.

In the updated version of the product, the vendor also added a WMI entry point, which collects Windows logs from endpoints, servers and WEC (Windows Event Collector). The function allows you to configure the collection of several system logs at one entry point at once, which facilitates the work of the source configuration engineer.

R-Vision SIEM 2.0 also adds a "Query Manager" section, which collects and stores information about user queries to the event store made in the "Search," "RQL sandbox" and "Dashboards" sections. In this section, analysts can work with query history and manage resources: for example, view queries made in dashboards and alerts, and monitor which queries load the storage. In addition, resource management functionality has been introduced that sets limits on memory consumption when executing RQL queries for different user roles. The new features allow administrators to improve system resiliency.

"Our experience with customers allows us to clearly define the vector of product development. By analyzing customer needs during projects, we are transforming R-Vision SIEM to meet the high demands of the market. As a result, we create solutions that meet current needs and anticipate future customer requests, providing them with a stable basis for improving the level of cybersecurity," said Viktor Nikulichev, product manager of R-Vision SIEM. "This update is an important stage in the development of R-Vision SIEM. We will reorient the strategy from accumulating functionality to improving the quality of the user experience. Our team will focus on improving analytics and data visualization tools and reducing Time-to-Value so users can get the most out of the product faster."

In addition to reformatting, the developers added the ability to search for active lists in this section and in the RQL sandbox. The "Search" section also now highlights the fields in events that satisfy the filter of the RQL query.

A "Statistics" mode has appeared, which allows you to analyze data for all fields in the list of found records and events. The developer has worked in detail on the ranking of values: the mode lets you control the sorting and immediately shows statistics by field. The "Statistics" mode also allows you to work with statistics on several attributes at the same time, which speeds up the analyst's immersion in the data.

Notification widgets have now appeared in the product, and system metrics have been added. In addition, the developer has added three-dimensional histograms to R-Vision SIEM, along with the ability to build widgets based on data from active lists.

Author's supervision: operation of R-Vision SIEM in real-world conditions

Implementing SIEM (Security Information and Event Management) is a key step to reduce security, compliance, and reporting risks. According to R-Vision, over the past year, the number of cyber threats has increased by one and a half times.

One of the main sources of these threats is the risk of hacking by contractors involved in the supply chain. In order for our customers not to encounter the risk of cyber attacks through the supplier, R-Vision must comply with security requirements, quickly identify and prevent such incidents. This will allow us to guarantee the safety and, as a result, ensure the integrity of our customers' business. Therefore, we decided to strengthen the level of security by monitoring information security events. To achieve this, we used our R-Vision SIEM tool.

Add correlation rules to effectively detect threats

R-Vision continues to develop solutions in the field of cybersecurity and to expand the expertise in the R-Vision SIEM product for customers. To do this, the developer formed two teams of researchers to track global cybersecurity trends and added correlation rules to effectively detect threats. The company announced this on December 3, 2024.

R-Vision SIEM researchers regularly search for new cybersecurity threats, analyzing hacker attacks and identifying their methods and techniques. To focus on in-depth threat studies, the vendor has formed two teams, Threat Analysis and Detection and the Research Laboratory, which monitor global cybersecurity trends. These specialized analyst teams focus on comprehensive threat study, which allows the R-Vision SIEM expertise to be expanded.

As of Q4 2024, R-Vision SIEM supports over 200 sources for collecting events. The vendor interacts with technology partners and participants of the Russian IT and information security market to expand the capabilities for working with data in R-Vision SIEM.

Developing correlation rules is a priority in improving the SIEM system. As of December 2024, R-Vision SIEM includes more than 500 correlation rules that cover over 70% of current attack vectors and are developed based on world best practices, including techniques and tactics that SIEM covers.

[Quote: Diana Kozhushok, Head of R-Vision Cybersecurity Threat Analysis and Detection]

Based on current knowledge, R-Vision analysts update and expand the rule base every two weeks to more effectively detect modern threats. Improvements made include:

  • FreeIPA (ALD Pro) package with 21 rules for detecting various MITRE ATT&CK tactics.
  • Rules for detecting the use of tunneling and exploiting vulnerabilities in VSCode extensions.
  • Detection of vulnerabilities actively exploited by attackers, such as CVE-2023-38831 (WinRAR), CVE-2023-22515, CVE-2023-22527 and CVE-2023-22518 (Confluence), CVE-2024-0507 (GitHub), as well as vulnerabilities in xz.
  • Rules for identifying hacker utilities such as ngrok and gsocket, as well as the attack tool RDPStrike.
  • Detecting the use of Telegram as a control channel (C2).
  • Rules for identifying DNS tunneling that can be used for command and control (C2) and for exfiltration of data from victim devices.

In addition, basic rules have been added to the system for monitoring various business applications, such as Confluence, Jira and GitLab, as well as for monitoring virtualization systems (vCenter), databases (for example, PostgreSQL and ClickHouse), network devices (Eltex, Cisco) and IPS (SolarWebProxy, "Continent").

R-Vision continues to actively develop and improve its SIEM system, providing a high level of protection and responsiveness in identifying incidents, which allows organizations to effectively combat modern cyber threats and minimize risks.

R-Vision SIEM 1.8 with advanced functionality

On September 26, 2024, R-Vision introduced an updated version of the flagship product R-Vision SIEM 1.8 with advanced functionality. In this version, the developer added an audit of information security event sources to quickly identify and fix problems, monitor the health of Kubernetes to minimize the risks of failures, and accelerate user authentication thanks to the implementation of the LDAP protocol.

"We are actively deepening our expertise and developing R-Vision SIEM functionality according to market needs. As of September 2024, the examination package already supports more than 100 sources of events and contains more than 350 correlation rules. These tools allow us to effectively identify the main areas of attack and ensure that most of the infrastructure is covered without additional settings. Our goal is to offer customers a product that helps users to efficiently and safely solve everyday problems," said Viktor Nikulichev, R-Vision product manager.

In this release of R-Vision SIEM 1.8, you can now track the status of the sources from which events arrive in the collectors. The state of the sources is assessed by the frequency and number of events, which allows detecting deviations in their operation.

To do this, the system provides custom source audit policies. They track changes in the event flow and send notifications when the specified thresholds are reached through configured integrations.

The timeliness and completeness of incoming events are critical aspects of SOC operation. That is why we have added source control metrics that help to quickly identify and eliminate possible problems, such as the loss of events from one of the sources.
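The source audit described above, sketched as an added example (not R-Vision SIEM code or configuration): each source is checked for silence, for too few events in the latest window, and for a drop against its own recent baseline. The `AuditPolicy` fields, source names and sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AuditPolicy:  # hypothetical policy shape, not the product's schema
    window_s: int              # length of one counting window, seconds
    max_silence_s: int         # alert when the newest event is older than this
    min_events: int            # alert when the latest window holds fewer events
    drop_ratio: float          # alert when latest < drop_ratio * baseline median
    baseline_windows: int = 4  # earlier windows that form the baseline


def window_counts(timestamps, now, window_s, n):
    """Event counts for the n most recent windows ending at `now`, oldest first."""
    counts = [0] * n
    for ts in timestamps:
        age = now - ts
        if 0 <= age < window_s * n:
            counts[n - 1 - int(age // window_s)] += 1
    return counts


def audit_source(timestamps, policy, now):
    """Return the policy violations for one source; an empty list means healthy."""
    if not timestamps:
        return ["silent: no events received"]
    findings = []
    silence = now - max(timestamps)
    if silence > policy.max_silence_s:
        findings.append(f"silent: last event {silence}s ago")
    *baseline, latest = window_counts(
        timestamps, now, policy.window_s, policy.baseline_windows + 1)
    if latest < policy.min_events:
        findings.append(f"low volume: {latest} events in latest window")
    base = median(baseline) if baseline else 0
    if base > 0 and latest < policy.drop_ratio * base:
        findings.append(f"rate drop: {latest} vs baseline median {base:g}")
    return findings


def audit_all(events, policies, now):
    """events: iterable of (source, epoch_seconds); policies: {source: AuditPolicy}."""
    by_source = {name: [] for name in policies}  # silent sources are audited too
    for source, ts in events:
        if source in by_source:
            by_source[source].append(ts)
    report = {}
    for name in sorted(by_source):
        findings = audit_source(by_source[name], policies[name], now)
        if findings:
            report[name] = findings
    return report


# Constructed sample: timestamps are seconds, NOW is the moment of the audit.
NOW = 3000
POLICY = AuditPolicy(window_s=600, max_silence_s=900, min_events=5, drop_ratio=0.5)
POLICIES = {s: POLICY for s in ("dc01", "fw01", "proxy01", "ids01")}
SAMPLE_EVENTS = (
    [("dc01", t) for t in range(0, 3000, 60)]       # steady flow
    + [("fw01", t) for t in range(0, 2400, 30)]     # steady, then nearly stops
    + [("fw01", 2700)]
    + [("proxy01", t) for t in range(0, 1500, 60)]  # stopped sending at t=1440
)                                                    # ids01 never sent anything

if __name__ == "__main__":
    for source, findings in audit_all(SAMPLE_EVENTS, POLICIES, NOW).items():
        print(source, findings)
```

Auditing every source named in a policy, rather than every source seen in the stream, is what lets a source that never sent anything (`ids01` here) show up in the report.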

To ensure uninterrupted operation of the SIEM system, it is necessary to carefully monitor the condition of all its components. In R-Vision SIEM 1.8, we apply modern approaches and technologies, including Kubernetes. A special Monitoring section has been added to the system, which allows us to monitor the state of the Kubernetes cluster.

In this section, you can find detailed information about containers, nodes, system modules, and other cluster components. Visual monitoring tools allow analysts to carefully monitor the state of the cluster and resource utilization, as well as collect all the necessary metrics centrally using any convenient external means.

Starting with version 1.8, the system can use authorization in Active Directory, ALD Pro, FreeIPA and OpenLDAP domains via LDAP (Lightweight Directory Access Protocol), an effective tool for centralized management of both individual domain users and domain groups. With its help, you can:

  • Synchronize data about users, including their logins, full names, positions, statuses, email addresses and phone numbers.

The implementation of LDAP connections significantly reduces the time required to authenticate users, and also opens up opportunities for configuring the role model in the system.

The developer has improved the basic functionality of the R-Vision SIEM 1.8 system by adding two new features:

  • Users can now import and export dashboards in JSON format. This allows them to easily import ready-made dashboard templates and use them as content, which greatly simplifies the work of analysts.
  • When configuring alerts through SMTP integration, users can use the fields of the alert or of the correlation event that generated the alert in message templates. This lets you create your own templates for different tasks and integration purposes.

These improvements make working with the system more productive, allowing analysts to focus on data analysis rather than routine.

R-Vision SIEM 1.6 with Correlator Distributed Mode

On June 27, 2024, R-Vision announced the release of R-Vision SIEM version 1.6. The update includes improvements in working with correlation rules, as well as increasing the ability to scale, additional control and user management.

R-Vision SIEM 1.6 adds a distributed operation mode for the correlator, which is available when configuring the collector. You can now use the resources of multiple nodes in a cluster to handle events in parallel. Thus, to handle more events, correlation resources can be scaled horizontally across available physical machines, saving on the cost of large configurations.

The R-Vision SIEM team of experts also paid special attention to working with large infrastructures. A flexible role model is important for such customers. Therefore, in this version, the developers have implemented the functionality of multi-tenancy in the system, thanks to which you can centrally manage one solution to protect several branches of the organization.

The developer also provided a flexible system of restrictions based on permission groups and roles, including the ability to distribute access roles and create groups of users with completely unique permissions. The password policy, in turn, establishes requirements for the strength and use of account passwords, which increases the security of the system itself.

In addition, the developer has added snippet functionality for managing the function templates used in developing correlation and normalization rules. For example, if you plan to use the same fragment of code in several programs, you can save it as a snippet and then insert that snippet wherever it is needed in those programs.

"In R-Vision, we develop technologies based on customer feedback. We are constantly improving our products, adding new functions and making their use more convenient," said Viktor Nikulichev, product manager of R-Vision SIEM. "The improvements made respond to the main customer request for system scaling and monitoring. And the functionality of distributed correlation opens up new opportunities for our customers."

Inclusion in the AFL Repository

On March 19, 2024, R-Vision announced the inclusion of the R-Vision SIEM solution in the FinTech Association Repository (AFL Repository). This repository contains verified information security products that are recommended for use as part of import substitution in the financial industry. R-Vision SIEM was listed in the AFL registry on March 15, 2024. The registry number is AFT0247.

"The inclusion of R-Vision SIEM in the FinTech Association repository is a step that will significantly expand R-Vision's opportunities for cooperation with organizations from the financial industry," said Kamil Baimashkin, Deputy Executive Director of R-Vision. "This is especially important within the framework of the import substitution program of foreign software. Therefore, the introduction of the R-Vision SIEM information security event flow management system into the list of IT solutions for the financial sector confirms that the product will help financial institutions find a worthy replacement for foreign vendors who have left the market without losing functionality and performance, and provide a solution for even the most complex information security tasks."

In the banking sector, where security is a key factor, SIEM systems (Security Information and Event Management) play a crucial role. They allow you to quickly detect threats and respond to them, which is especially important in the context of frequent cyber attacks. With SIEM systems, banks can track and analyze large amounts of data, allowing them to identify suspicious transactions in a timely manner, assess risks and take measures to prevent possible incidents. This, in turn, helps to maintain customer confidence and maintain a reputation as a reliable financial institution.

In addition, SIEM systems provide centralized monitoring and control over all bank information systems, which greatly simplifies the security management process. They also allow you to automate the incident response process, which reduces the likelihood of errors and increases the efficiency of specialists.

"Financial sector organizations pay great attention to technological development and strive to digitalize their processes and services as much as possible. This requires them to provide a high level of information security to prevent the leakage of critical data. The repository of the FinTech Association helps organizations choose reliable suppliers of information security solutions that have proven their viability in the market and are independent of foreign technologies," said Viktor Nikulichev, product manager of R-Vision SIEM.

R-Vision SIEM 1.3

On January 16, 2024, R-Vision, a developer of cybersecurity systems, announced the expansion of the functionality of R-Vision SIEM technology. Version 1.3 includes a number of updates: the developer optimized the set of functions for collecting and processing events and implemented tools for working with content and search. It also added a report designer and expanded the ways to integrate with external systems.

As reported, in this version of its own SIEM system, the company's experts have expanded the functionality of the event processing pipeline, which allows the SOC analyst to control data collection and processing in the graphical interface. To the already available entry and exit points, buses and the event normalizer, the R-Vision team added new elements: an aggregator, a router and a filter. This allows users to flexibly configure event management, which is especially important when there is a large infrastructure of sources and systems.

In addition, the changes affected the work with expertise objects. Each such object is a content part of the product that contains written expertise on the processing and analysis of information security events. It includes normalization and correlation rules, active lists, enrichment tables, and event models. The R-Vision team optimized the process of preparing expertise objects by adding functions. Now information security specialists, in addition to creating and changing their own rules, can copy and delete expertise elements, enable, disable and update the rules in use, and use templates and versioning. Also in the update, the company's specialists optimized the functionality for validating and testing rules, which helps SOC employees run additional checks on the effectiveness of the rules they have developed in the test system. This makes it possible to avoid errors in the preparation of content and to pre-evaluate its effectiveness, which in turn reduces the number of false positives when the rules are started and helps ensure system performance.

Also in R-Vision SIEM 1.3, the developer expanded the functions of the search tool: it added syntax highlighting, hints for the queries that SOC analysts write, quick filters directly from information security events, an interactive progress bar and a graph of event distribution, as well as support for all key database query functions, so that the analyst can quickly find the necessary events in the stream of incoming data.

An important change in this update was the addition of a report designer that optimizes the reporting process. The designer helps the SOC analyst create report templates and send them according to an established schedule.

Significant changes affected the work with external systems. In version 1.3, active collection of events from various databases and over the HTTP protocol was added for SOC analysts. Also in the updated version, R-Vision experts have expanded integration capabilities, which, in particular, help to move to the interfaces of the R-Vision SOAR, Endpoint and UEBA systems. This allows you to collect more events from different systems and automatically transmit incidents to SOAR for response.

2023: Presentation of the R-Vision SIEM solution

On September 28, 2023, R-Vision introduced two technologies, R-Vision SIEM and R-Vision VM, the creation of which was another step towards the development of its own ecosystem for the evolution of SOC, R-Vision EVO.

R-Vision SIEM provides centralized event flow management from all information systems, helps identify incidents in a timely manner, and maintains business integrity. It allows you to optimize the use of company resources through an integrated approach to handling security events at all stages of data management.

R-Vision VM is a technology that allows you to identify information security vulnerabilities in the organization's infrastructure, aggregate the information received in a single database, as well as prioritize the discovered vulnerabilities and monitor the process of eliminating them.

"Our partnership with R-Vision began a few years ago, when NSD was faced with the task of building a truly effective Vulnerability Management process. Against the background of the events of 2022, the situation was also complicated by the lack of support for solutions from foreign information security suppliers, which means that the issue of working with vulnerabilities has become even more acute. Modernizing the vulnerability management process using expertise and R-Vision technologies allowed us to quickly and easily automate it, thereby ensuring timely elimination of vulnerabilities and protection from their exploitation," commented Oleg Kuserov, Director of Information Security at the National Settlement Depository.