The name of the base system (platform): | R-Vision SGRC Information Security Control Center |
Developers: | R-Vision |
Last Release Date: | 2024/04/16 |
Technology: | Information Security Management (SIEM) |
The main articles are:
- Security Information and Event Management (SIEM)
- SOAR Security Orchestration Automation and Response
R-Vision SOAR (formerly R-Vision Incident Response Platform, R-Vision IRP) is a software platform for automating information security incident monitoring, recording and response activities.
2024: R-Vision SOAR 5.3 with the function of calculating the impact of incidents on business processes
R-Vision introduced R-Vision SOAR 5.3 on April 16, 2024. In this update the team reworked the user interface so that SOC analysts can handle their daily tasks more productively, and modernized e-mail handling to make communication between information security specialists more efficient. R-Vision SOAR 5.3 also adds a function that calculates the impact of incidents on business processes, which makes the SOC's assessment of the organization's security posture more transparent. This function is intended to speed up both response prioritization and management decisions about building the information protection system.
The key change in the user interface is the improved editing mode in the incident card. Depending on the task at hand, the SOC analyst can now either use spot editing of individual fields for quick edits or switch to a full edit mode when multiple changes need to be made.
In addition, a number of interface changes make the system more intuitive and its information more readable:
- the "Incidents" section view has been changed and an action panel added;
- the display of the incident criticality level has been redesigned;
- a setting has been added that switches the incident list to a compact view;
- a button has been added to quickly toggle the display of scripts running on incidents.
Version 5.3 combines two popular functions: creating incidents from e-mail messages and maintaining e-mail correspondence on incidents directly in the system. These can now be configured and used together with the same mailbox. In addition, a visual HTML editor has appeared in response scenarios for messages that are sent automatically. These changes make the functionality easier to configure and improve the efficiency of e-mail communication during incident investigation.
One of the most notable changes in the update is the ability to calculate and display the impact of information security incidents on the organization's assets and business processes. The function is based on a resource-service model and visualizes how incidents registered in SOAR affect business processes. The impact is estimated from the criticality level of the incidents and a configurable graph of links between equipment.
Thus, a "health map" of business processes and a "chain of influence" built from equipment and incidents are available in the system. On the one hand, it is a decision support tool for prioritizing incidents for SOC employees, and on the other, a mechanism for ensuring information security transparency for SOC management and company management.
"The field of information security in Russia is actively developing. Domestic SOCs are solving increasingly complex problems with an increasing degree of automation. In the R-Vision SOAR 5.3 release, we worked on these aspects," said Danil Borodavkin, R-Vision Product Manager. |
2023
Integration with "SKDPU NT" and "SKDPU NT Compact"
The companies iT Bastion and R-Vision entered into a cooperation agreement under which they integrated the privileged user activity control system (PAM, Privileged Access Management) "SKDPU NT" and "SKDPU NT Compact" with the R-Vision SOAR incident response automation platform. iT Bastion announced this on September 7, 2023.
R-Vision SOAR 5.2 with built-in functionality of mail correspondence
On April 24, 2023, R-Vision announced the release of R-Vision SOAR 5.2, an update to its platform for automating incident response and improving SOC efficiency. In this version, a tool for e-mail communication became available to users, and the capabilities of response scenarios were expanded.
One of the key changes to the platform is built-in mail correspondence, implemented as a separate tab in the incident card. Messages in it are displayed in the chat-style form familiar from messengers. An incident mail thread can be created either manually or automatically by a response scenario: for example, an initial message requesting additional information can be sent automatically when an incident is created. This makes incident communication more convenient and saves the time spent switching between the system interface and e-mail.
In the updated version, R-Vision improved response scenarios with configurable automatic handling of connector execution errors, giving R-Vision SOAR users tighter control over script execution. If a network failure occurs or an external system becomes temporarily unavailable, the connectors are restarted automatically, without human input.
In addition, in R-Vision SOAR 5.2, the developer introduced a new approach to setting up automatic scripting. Now in the platform you can set various triggers as a starting condition: creating a new incident, changing an existing one, or adding a comment to the incident.
Another change is global variables, a function for more flexible scripting: a value is set once and then used across different response scenarios. Global variables support secure storage and can be used, for example, to manage authorization tokens for external systems.
"The new platform functionality is aimed primarily at improving the convenience of working with the system. In particular, in version 5.2 we continue to improve the automation mechanisms, which are one of the main values of R-Vision SOAR. In developing the product, we always focus on current market demands and feedback from our customers. Thus, the added capabilities for working with mail and response scenarios can significantly reduce user labor costs," said Danil Borodavkin, R-Vision SOAR product manager. |
2022
Jatoba DBMS Compatibility
A series of tests of the correct joint operation of the Jatoba DBMS with the R-Vision SOAR and R-Vision SGRC products, which are functional blocks of the R-Vision Information Security Control Center software platform, has been completed. Gazinformservice announced this on August 9, 2022.
Certification for compliance with information security standards of Belarus
The R-Vision SOAR, R-Vision SGRC and R-Vision ACP products have been certified by the Operational and Analytical Center under the President of the Republic of Belarus (OAC) as part of the "Information Security Control Center (TsKIB)" software platform. The OAC certificate confirms that the R-Vision products comply with the information security standards of Belarus and is a necessary condition for their use in the country. R-Vision reported this on July 27, 2022.
Availability on Jet CyberCamp platform as part of cyber training
On June 7, 2022, Jet Infosystems announced that, together with the cyber security solutions developer R-Vision, it had prepared a joint cyber training program. As part of this program, information security specialists will be able to gain hands-on experience with R-Vision SOAR, R-Vision SGRC and R-Vision TIP during training on the Jet Infosystems Jet CyberCamp platform.
R-Vision SOAR version 5.0
On May 16, 2022, R-Vision announced the release of an update to R-Vision SOAR, its platform for SOC automation and efficiency, formerly known as R-Vision IRP. Version 5.0 introduces a large block of functional changes. In particular, the product's capabilities for interacting with GosSOPKA (the state system for detecting, preventing and eliminating the consequences of computer attacks) have been expanded, and the ability to work with incident groups, indicators of compromise and much more has been implemented. The user interface is also optimized in this release.
With the release of version 5.0, the R-Vision IRP system was renamed R-Vision SOAR. The name change highlights the current level of maturity of the product, whose functionality has long gone beyond IRP (Incident Response Platform) solutions and meets the requirements of the SOAR (Security Orchestration, Automation and Response) class.
One of the key changes in this version is the functionality for interacting with GosSOPKA: it is now possible to exchange messages with the NCCCI operator on incidents sent and received. With R-Vision SOAR you can receive from GosSOPKA incidents previously registered outside the system, and create incidents from incoming NCCCI notifications so that information from the regulator can be acted on promptly. In response scenarios, the GosSOPKA card can be filled in automatically from the incident data and then sent to GosSOPKA.
Significant changes affected the incident management functionality. In R-Vision SOAR 5.0, incidents can be combined into groups, which makes it possible to handle situations where several incidents are related. Within an incident group, you can configure field auto-fill rules: for example, propagate the status of a parent incident to its child incidents, or sum the damage amounts from child incidents into the parent incident. Another important change is support for indicators of compromise (IoC) as a dedicated section in the incident card, with the ability to output indicator data to dashboards.
R-Vision SOAR 5.0 also added: display of scripts as a visual timeline, a button to run a script directly from the incident card, the ability to configure mandatory fields when changing the incident processing status, and much more.
Working with the main entities of the system through the REST API was implemented in previous versions of R-Vision SOAR. In version 5.0, the API capabilities have been extended further, which allows R-Vision SOAR to be integrated into the organization's processes and infrastructure.
With the release of version 5.0, the developer has greatly simplified the product licensing scheme - R-Vision SOAR is now supplied with bundles, the functionality of which optimally covers the needs of Customers for scaling, fault tolerance and integration with other systems. At the same time, unlike other IRP/SOAR solutions in the Russian market, the R-Vision SOAR licensing scheme does not take into account the number of external systems of the Customer interacting with the platform within the framework of response scenarios.
"As a result of prolonged work, a large number of innovations were included in the R-Vision SOAR 5.0 release. This is quite a significant update of the system over the past few years. The additional functions will help manage information security automation more flexibly and handle incidents as their number grows. In addition to the functional update, starting from version 5.0 a process of gradual reworking of the visual component of the system has been launched," commented Danil Borodavkin, R-Vision SOAR Product Manager at R-Vision. |
Integration with SearchInform CIB
Control of information security incidents identified by the SearchInform CIB DLP system is now available in the R-Vision Incident Response Platform (IRP). Thanks to the integration, an information security specialist can work in a single SOC console, which reduces incident response time. SearchInform announced this on February 1, 2022.
2021
R-Vision IRP version 4.7
On October 19, 2021, R-Vision announced that it had released the next version of the R-Vision Incident Response Platform (IRP), its platform for automating information security incident monitoring and response. The product gained the ability to work with incident groups, interaction with GosSOPKA (the state system for detecting, preventing and eliminating the consequences of computer attacks), and redesigned visualization of response scenarios and options for launching them.
The R-Vision IRP 4.7 platform allows you to group incidents. In the system, you can organize work with chains of related or similar incidents. One parent incident is selected for the group, the rest will be subordinates. By grouping incidents, the user can consider and analyze information security events in aggregate if, for example, they have a single cause of occurrence. In addition to the user interface, working with incident groups is supported in response scenarios and through the Public API of the system.
Interaction with GosSOPKA (the state system for detecting, preventing and eliminating the consequences of computer attacks), updated in 2021, has been implemented. A platform user can promptly transmit information on identified incidents to the regulator, exchange comments with GosSOPKA operators in the incident card and receive incoming attack notifications. The outgoing GosSOPKA message can be filled in automatically from data already present in the system. Thus, full-fledged interaction with the regulator can be organized directly inside the system where incidents are processed and responded to, which is especially important for CII subjects.
"In the integration with GosSOPKA, we tried to do everything to simplify interaction with the regulator and to provide opportunities for a high degree of automation of this process. Another key update in 4.7 is incident groups. Working with aggregates of incidents is in demand among our users, and we will continue to develop this functionality," noted Danil Borodavkin, R-Vision Incident Response Platform product manager. |
Updates in the platform also affected response scenarios. In version 4.7, a script launch timeline is available in the incident card with the ability to control its display: the user can go to the selected script, as well as collapse the script diagram into a compact block. The button for launching a playbook can now be placed in the incident card.
R-Vision Customer Support will notify current product users that updates are available for migration.
R-Vision IRP version 4.5
R-Vision released version 4.5 of the R-Vision IRP information security incident response platform on March 4, 2021. Version 4.5 added the ability to use response scenarios across several organizations in multitenancy mode, configurable validation of incident card field values, new Public API methods, and a number of improvements to SOC analyst productivity.
In R-Vision IRP 4.5, a hierarchy of organizations can be formed in multitenancy mode, which is especially important for organizations with an extensive branch network and for MSS providers. In this format, the parent organization can propagate response scripts and connectors to subordinate organizations. This simplifies the configuration of incident processing automation in large companies and in the service model of providing information security services to customers.
The Public API has been extended so that the incident database can be exported from the system and the data used in external systems, for example to generate reports, schedules and forecasts, or to conduct risk assessment and analysis in the organization.
The system can validate incident card fields. Checking data for compliance with a specified format is configured with regular expressions for any field in the incident form; for convenience, regular expressions can be stored in a dedicated reference book.
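The following is an added example of the validation scheme described above, written for this page and not taken from R-Vision: a small reference book of named regular expressions, a mapping from incident card fields to pattern names, and a validator. The pattern names, field names and patterns are assumptions for illustration. It also shows the check a practitioner should make when wiring up such a reference book: a pattern applied with a substring search accepts any value that merely contains a matching fragment, so field validation must anchor the pattern to the whole value.

```python
import re

# Constructed "reference book" of named patterns (assumed, not R-Vision's built-in set).
PATTERN_BOOK = {
    "ipv4": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "sha256": r"[0-9a-fA-F]{64}",
    "ticket_id": r"INC-\d{6}",
}

# Hypothetical mapping of incident card fields to reference-book entries.
FIELD_RULES = {
    "source_ip": "ipv4",
    "file_hash": "sha256",
    "external_ticket": "ticket_id",
}

_COMPILED = {name: re.compile(pattern) for name, pattern in PATTERN_BOOK.items()}


def validate_field(field, value, anchored=True):
    """Return True if `value` conforms to the pattern configured for `field`.

    anchored=True uses fullmatch(), so the entire value must match the pattern.
    anchored=False uses search(), which accepts any value that merely contains
    a matching substring; it is included only to demonstrate that pitfall.
    Fields with no configured rule are accepted as-is.
    """
    rule = FIELD_RULES.get(field)
    if rule is None:
        return True
    rx = _COMPILED[rule]
    return bool(rx.fullmatch(value) if anchored else rx.search(value))


def validate_incident(card):
    """Validate every string field of an incident card; return the names of fields that failed."""
    return sorted(
        field for field, value in card.items()
        if isinstance(value, str) and not validate_field(field, value)
    )


if __name__ == "__main__":
    # Constructed sample incident card: the hash is malformed, the IP is fine.
    sample = {"source_ip": "10.20.30.40", "file_hash": "not-a-hash", "note": "free text"}
    print("failed fields:", validate_incident(sample))
    # Same IP with trailing junk: rejected when anchored, wrongly accepted with search().
    print(validate_field("source_ip", "10.20.30.40; rm -rf /"))
    print(validate_field("source_ip", "10.20.30.40; rm -rf /", anchored=False))
```

Because incident field values often originate from external systems (SIEM events, e-mail, connectors), the patterns in the reference book run against attacker-influenced input; patterns with nested quantifiers should be reviewed for catastrophic backtracking before being added, since a regex engine without a time limit can be stalled by a crafted value.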
"In release 4.5, the main efforts were aimed at improving the convenience of working with the system when it is used by providers of security monitoring services and large companies with an extensive structure of subsidiaries. The transition to the tenant tree, which is the basis of the changes, affected response scenarios and will be extended to other product functionality in the future. Another important improvement is the incident export API. This is a very good integration reserve. In the next versions of the system, API functionality will also grow," said Danil Borodavkin, head of the IRP product area. |
In this version of the platform, data on controlled assets can be extracted from an arbitrary source by writing a Python script.
It is now possible to automatically fill in the electronic form for sending data to FinCERT, which is relevant for financial and credit institutions and frees monitoring center specialists from routine work.
Among the general improvements, any text value in an incident card field can be presented as a hyperlink formed from that value according to a given rule. In response scenarios, the Notification action can now attach incident evidence files to the e-mail so that the recipient has fuller incident context.
The R-Vision IRP platform is a SOAR class product that aggregates incident data from multiple sources, enriches with additional context, automates routine incident handling processes, response procedures, and coordination of the Information Security Incident Monitoring and Response (SOC) team, increasing its effectiveness and response rate to cyber threats.
2020
Obtaining the FSTEC certificate on the 4th level of trust
On December 25, 2020, R-Vision announced that it had received a certificate from the Federal Service for Technical and Export Control (FSTEC) of Russia for the 4th level of trust in the R-Vision Information Security Control Center software package. Thus, the R-Vision IRP incident response platform, which is part of the software package, has become a SOAR class product certified according to the latest FSTEC requirements.
The "Information security requirements establishing levels of trust in technical information protection tools and information technology security tools" were approved by Order No. 131 of the FSTEC of Russia dated July 30, 2018 and entered into force on June 1, 2019.
"We have certified our R-Vision IRP and R-Vision SGRC solutions to the highest FSTEC requirements for solutions designed to protect restricted information that does not constitute a state secret. This allows our products to be used without any restrictions to protect systems of all categories, classes and security levels, which greatly simplifies the task of building corporate information security and compliance centers for our customers and, of course, once again emphasizes the high level of security and quality of our technologies," commented Valery Bogdashov, Executive Director of R-Vision. |
Certificate No. 4346 issued by the agency is valid until December 22, 2025. It confirms that the R-Vision IRP and R-Vision SGRC platforms, as part of the R-Vision Information Security Control Center, can be used in significant objects of critical information infrastructure (CII) of category 1 and in automated process control systems (APCS) of security class 1. The software package can also be used in state information systems (GIS) of security class 1, in personal data information systems (ISPDn) where the 1st level of personal data protection is required, and in public information systems of class 2.
As part of the Customer Incident Response Automation Service
On August 11, 2020, Rostelecom-Solar and R-Vision announced the launch of a customer-side incident response automation service. The joint solution, based on the R-Vision IRP (Incident Response Platform), was developed over more than a year and is now available to customers of the Solar JSOC cyber threat monitoring and response center. The service provides a set of ready-made, dynamically updated response scenarios with a division of responsibilities.
The IRP service from Solar JSOC helps customers simplify and shorten the response cycle in the company, as well as minimize the burden on information security specialists by automating a number of tasks. The client receives a ready-made incident management tool from a single window with the ability to end-to-end control over the actions of both the service provider and the internal information security service. It becomes possible to see in real time the necessary response stages with the distribution of responsible roles, statuses and deadlines for each of the stages.
Connection to the service takes place within 2-4 weeks. As a result, the client has at his disposal an extensive database of regularly updated incident response scenarios (playbooks) from Solar JSOC experts. At the same time, thanks to the most detailed and understandable instructions, even specialists who do not have deep specialized knowledge in information security will be able to implement response processes. Due to this, the influence of the human factor is reduced.
"As part of the service, Solar JSOC customers have access to incident response tools, enhanced by the expertise of Rostelecom-Solar specialists. The provision of products based on the service model is one of the priorities for us. This model requires close cooperation with the service provider and presents additional requirements for the functionality and flexibility of the product so that the customer eventually receives a high-quality service, - said Igor Smetanev, Commercial Director of R-Vision. - We have been cooperating with Rostelecom-Solar for a long time: some customers of our IRP platform use JSOC incident monitoring and response services, and the product has been integrated. The presented service from JSOC is another stage of our both technological and commercial partnership. " |
To implement the service, R-Vision IRP was equipped with additional capabilities and internal Solar JSOC processes were adapted. Specialists from Rostelecom-Solar and R-Vision integrated the platform into the Solar JSOC incident management cycle and configured the interaction between the service provider's internal IRP and the client part based on R-Vision IRP. Thanks to centralized scenario management, customers can now receive new playbooks on the day they are developed on the Solar JSOC side, about 20 scenarios per quarter.
"In the person of R-Vision, we have found a technological partner who not only provided a platform for the implementation and automation of our 8-year response developments, but also shares our strategic vision for the development of this area," said Vladimir Dryukov, director of the Solar JSOC Cyber Threat Monitoring and Response Center for Rostelecom-Solar. |
The solution can be provided both in the full-cycle service model (including leasing licenses and maintaining the operability of the customer-dedicated platform), and in the hybrid version, when the customer's existing R-Vision IRP platform is connected to the service. This allows customers to choose the best format for budgeting and managing the cost of the service without severe restrictions on the part of the service provider.
As of August 2020, Rostelecom-Solar and R-Vision are already conducting joint projects to introduce the IRP service for several federal companies from the commercial and public sectors.
R-Vision IRP 4.4: Nested Response Scenarios, Incident Card Data Array Support
On June 19, 2020, it became known that R-Vision had updated the R-Vision Incident Response Platform. R-Vision IRP 4.4 introduced nested response scenarios, support for data arrays in the incident card, and a number of improvements to operator convenience and speed.
One of the important functional features of the release is work with data arrays. In the incident card they are displayed as a table. This format allows lists of information to be stored within an incident, for example related indicators of compromise, a list of measures taken, or a checklist of actions the operator must perform. A data array can be exported from the system in JSON or CSV format, either in full or as individual rows or columns addressed by tags, so that a notification or request for information can be generated with automatic substitution of data from the array.
R-Vision IRP 4.4 supports running other scenarios already created in the product from within a response scenario. Nested playbooks allow response algorithms to be flexibly composed and easily adjusted. In Cyclic and Decision type actions, exceeding a time counter limit can be used as a criterion, which makes it possible to initiate any action in case of an SLA violation.
An indicator of the number of overlooked incidents, a function for quickly assigning the current user as responsible for an incident, and a number of other improvements aimed at more convenient work for SOC operators have been added.
Data visualization options have been expanded: when creating a graph in the designer, a threshold level and a trend line can be displayed, and data in diagrams can be specified in percent. The Report Builder has been improved: Report Builder reports can be exported and imported, and all reporting is now divided into two tabs, system templates and Report Builder.
R-Vision IRP 4.4 supports authorization through external services using the OAuth 2.0 protocol. To log in, the user selects a provider on the R-Vision authorization page; the list of available providers is configured by the administrator.
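Delegating login to an external OAuth 2.0 provider moves two checks onto the client application: the `state` parameter that binds the callback to the browser session that started the login (without it an attacker can complete the flow with their own authorization code, a login CSRF), and PKCE (RFC 7636), which prevents a leaked authorization code from being redeemed by anyone who does not hold the original verifier. The block below is an added example written for this page, not R-Vision's implementation: it models the client side of the authorization code flow with `state` and PKCE, plus the verifier check the provider performs at the token endpoint. The endpoint URL, client ID and redirect URI are assumptions; no network calls are made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed provider endpoint and client registration (not a real configuration).
AUTHORIZE_URL = "https://idp.example.test/oauth2/authorize"
CLIENT_ID = "r-vision-soar-example"
REDIRECT_URI = "https://soar.example.test/oauth/callback"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(session: dict) -> str:
    """Client side, step 1: mint state and a PKCE verifier, keep both in the
    server-side session, and return the URL the browser is redirected to."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    # token_urlsafe(64) yields 86 base64url characters, within the 43..128 RFC 7636 range.
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Client side, step 2: validate the redirect back from the provider and
    return the authorization code. The state is single-use (popped) and compared
    in constant time; a mismatch means login CSRF or a replayed callback."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible login CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def provider_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Provider side of the token request: the verifier sent with the code must
    hash to the challenge recorded at authorization time, so a code intercepted
    in transit cannot be exchanged without the original verifier."""
    return hmac.compare_digest(pkce_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    session = {}
    print("redirect browser to:", start_login(session))
    # Constructed callback, as the provider would redirect after user consent.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['oauth_state']}"
    code = handle_callback(session, callback)
    print("authorization code accepted:", code)
    challenge = pkce_challenge(session["pkce_verifier"])
    print("provider accepts verifier:", provider_verifies_pkce(challenge, session["pkce_verifier"]))
```

Whatever provider is configured on the authorization page, the same two checks apply; the example also uses the RFC 7636 Appendix B test vector to confirm the S256 transform, which is a convenient way to validate any client library before putting it in front of a SOC login.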
2019
Flexible incident response algorithms and advanced teamwork tools in SOC
On November 25, 2019, R-Vision announced an update to the R-Vision Incident Response Platform. The R-Vision IRP 4.2-4.3 releases improved the response action automation designer and added features for SOC team collaboration and incident handling workflow management.
One of the main innovations is the transition from a linear life cycle, in which an incident passes through the processing stages sequentially, to arbitrary processing diagrams with configurable logic for switching between statuses. The displayed content of an incident can also be customized flexibly: the composition of the incident card can change dynamically according to pre-configured criteria or depending on the role of the user working with the incident.
The automation designer in R-Vision IRP has been moved to an updated graphics engine, so the diagram of actions performed for an incident is rebuilt automatically when blocks are added or removed. In addition to ease of use, the automation tools now support launching actions in a loop and creating incident tasks.
SOC teamwork tools have been extended. The option to automatically assign a person responsible for an incident based on employee load and availability facilitates the organization of the SOC team. The redesigned built-in chat and notification panel make interaction on incidents much more convenient.
"We have rethought how the product handles incidents. Now the response process is controlled by the workflow as much as possible: we can set which team handles an incident at a given stage, automatically distribute incidents when moving from one stage to another, and display an adapted incident card so that each specialist interacting with the system can concentrate on their own work. This fits very well with the processes in today's multi-level SOC," commented Danil Borodavkin, Head of IRP Product Area. |
This release also added customization options to data visualization: a graph designer supporting all basic types of data representation has been added for creating custom graphs. Incidents can now be imported from external systems via universal database integration.
The R-Vision IRP platform is a SOAR solution that accumulates information security incident data from multiple sources, coordinates the SOC team, and automates response procedures.
Integration with Attack Killer
On February 4, 2019, Attack Killer (InfoWatch Group of Companies) announced that it had signed a partnership agreement with R-Vision. Under the agreement, the companies will integrate the Attack Killer automatic protection system for web resources and applications with the R-Vision IRP incident response platform, which will help CII entities comply with the requirements of Federal Law 187-FZ "On the Security of Critical Information Infrastructure of the Russian Federation."
2018
Version 4.0
R-Vision, a Russian developer of solutions for automating information security management and incident response, announced the release of the next version of the R-Vision Incident Response Platform on November 15, 2018. Version 4.0 pays special attention to response scenario functionality, more flexible integration with third-party solutions, and the preparation of incidents in accordance with regulatory requirements for subsequent dispatch to FinCERT and GosSOPKA (the state system for detecting, preventing and eliminating the consequences of computer attacks).
One of the distinguishing features of IRP-class solutions is response scenario functionality, which automatically executes the response algorithm defined for a specific type of incident. Version 4.0 provides a graphical editor for more convenient configuration of response scripts. Script execution is visualized as a workflow map for the incident, with a color indication of the status of each action included in it. By looking at the map, a response center specialist can quickly assess the progress of the incident and make the necessary adjustments to the actions.
"In developing our product, we largely focus on real situations and the specific needs of our clients, partners and other companies with which we conduct an active professional dialogue," said R-Vision CEO Alexander Bondarenko. "Thus, the capabilities implemented in version 4.0 make it possible to effectively solve exactly the problems faced by most heads of information security incident response centers." |
To interact quickly with other tools in the infrastructure, the product is supplemented with a connector designer, which allows you to create connectors to any solution directly inside the R-Vision interface and configure them to start automatically at a given time or when specified conditions are met.
R-Vision 4.0 also focuses on compliance with the latest regulatory requirements. The incident description contains the set of fields required for reporting to GosSOPKA (the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks) and for sending the incident to FinCERT of the Central Bank of the Russian Federation. Connectors for exchanging information with these centers are implemented.
The solution architecture supports vertical and horizontal scaling and the construction of multi-level SOC models. The updated version of the platform also supports corporate installations in multi-tenancy mode and use of the product by MSSP providers.
R-Vision IRP Capabilities
As of August 2018, the R-Vision IRP platform offers the following capabilities:
- IT Infrastructure Control:
- The software package allows you to conduct an inventory of the infrastructure, identify the most critical assets, and identify the specialists responsible for ensuring the security of assets. By integrating with existing security solutions (antiviruses, security scanners, etc.), as well as using its own control mechanisms, it is possible to consolidate and present various information about the security status of the infrastructure in a single console, control the installed software, detect unauthorized equipment and external connections, identify and control the elimination of vulnerabilities. Infrastructure topology can be represented in the form of network maps, room plans and geographical location diagrams.
- Integration with external sources:
- The collection and consolidation of the necessary information on the state of the IT infrastructure and recorded information security incidents can be ensured through several mechanisms: e-mail, a software interface (API), a built-in message receiving system, and native connectors for key security systems: vulnerability scanners, antivirus protection tools, data leak prevention (DLP) systems, security information and event management (SIEM) systems, and others. Parsing of messages received by the system can be adapted to the specifics of the protected infrastructure using rules based on regular expressions or tags.
- Unified Incident Database:
- The absence of a single center containing information about all recorded information security incidents is one of the key problems that reduce the ability of authorized employees to respond to incidents. Using the IRP platform as the basis for an information security incident response center (SOC) allows you to record detected information security incidents, together with the relevant information, in a single centralized database. This in turn makes incident response activities more manageable, speeds up the processing of emerging incidents, and helps comply with the relevant requirements of methodological documents and standards established by regulators (FSTEC, the Central Bank, etc.).
- Adaptable logic:
- The IRP platform contains a wide range of mechanisms that allow you to adapt the logic of the system to the specifics and features of the incident response process in a specific company. Such mechanisms include:
- * an incident description constructor that allows you to specify the composition of information collected by the relevant incident categories;
- * constructor of incident processing cycles, which allows to create different status schemes (routes) of incident movement during processing;
- * flexible rules for setting access to incident information, including the ability to automatically assign responsible persons to incidents based on related assets or on specified rules;
- * customizable reference books and incident templates that allow you to quickly enter data on recorded incidents.
- Response Automation:
- The IRP platform contains a set of ready-made response mechanisms that can be easily customized by the user of the system for their own needs:
- * notification rules, on the basis of which the system promptly notifies certain persons in the organization of the incident;
- * Escalation and assignment rules, which, according to the specified characteristics of incidents, allow the automatic appointment of responsible persons and the composition of the working team for responding to the relevant incident;
- * response rules that allow you to determine the scope of the incident actions performed, distribute tasks in the response team, and automatically execute the specified scripts to collect relevant information.
- * standards for the implementation of certain actions, as well as the general time frame for responding to incidents of various categories and criticality levels.
- Incident Communication:
- The IRP platform contains built-in incident communication mechanisms that allow you to exchange data with other participants in the exchange while retaining full control over the amount of information transmitted and the recipient lists.
- Collaboration:
- Each incident in the R-Vision IRP platform has its own work area, within which the employees responsible for responding to that incident interact. The person responsible for handling the incident can determine the composition of the working group, set the amount of information available for viewing, and distribute tasks among the members of the working group. All evidence and materials collected during incident processing are stored in a common repository and become available to all members of the working group. Operational communication within the team is provided through a team chat attached to the incident.
- Visualization and Reporting:
- The IRP platform offers a wide range of information visualization tools. Customizable dashboards present information as graphs and charts with drill-down from a graph to the underlying records. Infrastructure data can be presented as network maps and room diagrams. Relationships between elements of the system, which help in investigating incidents, can be analyzed using so-called relationship diagrams. Information on assets, incidents and other elements of the system can also be exported as Excel files for further processing. R-Vision IRP contains a wide list of ready-made reports, as well as mechanisms for setting up your own templates. Reporting rules allow you to schedule automatic generation of documents and their delivery to the appropriate recipients.
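The integration, adaptable-logic and response-automation capabilities above (regex-based parsing of incoming messages, assignment of responsible persons from related assets, escalation rules and response-time standards) can be illustrated with a small pipeline. The code below is an added example written for this page; it is not R-Vision's code and does not use its API. The message formats, the asset register, the SLA table and the team names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample notifications, as they might arrive by e-mail or from a SIEM/DLP
# connector. They are made up for this example and are not real alerts.
RAW_MESSAGES = [
    "SIEM alert: category=malware host=ws-0412 user=ivanov severity=high time=2018-08-01T09:15:00",
    "DLP: outbound leak suspected, sender=petrov@corp.example, channel=email, severity=medium, time=2018-08-01T10:02:00",
    "Scanner: unparsable blob 0xDEADBEEF",
]

# Regex parsing rules, one per source format (hypothetical). Each rule carries defaults
# for fields the format does not contain, e.g. the DLP feed implies the "leak" category.
PARSE_RULES = [
    ("siem", re.compile(r"SIEM alert: category=(?P<category>\w+) host=(?P<host>[\w-]+) "
                        r"user=(?P<user>\w+) severity=(?P<severity>\w+) time=(?P<time>\S+)"), {}),
    ("dlp", re.compile(r"DLP: .*sender=(?P<user>[\w.@-]+), channel=(?P<channel>\w+), "
                       r"severity=(?P<severity>\w+), time=(?P<time>\S+)"), {"category": "leak"}),
]

# Hypothetical asset register: host -> (responsible person, asset criticality).
ASSET_OWNERS = {"ws-0412": ("smirnov", "low"), "db-core-01": ("kuznetsov", "high")}

# Hypothetical response standards: (category, severity) -> hours allowed for the first action.
SLA_HOURS = {("malware", "high"): 1, ("malware", "medium"): 4, ("leak", "medium"): 8}
DEFAULT_SLA_HOURS = 24


@dataclass
class Incident:
    source: str
    category: str
    severity: str
    detected_at: datetime
    host: Optional[str]
    user: Optional[str]
    assignee: str
    team: List[str]
    deadline: datetime
    escalated: bool


def parse_message(raw: str) -> Optional[dict]:
    """Apply the parsing rules in order; return the extracted fields or None."""
    for source, rule, defaults in PARSE_RULES:
        match = rule.search(raw)
        if match:
            fields = dict(defaults)
            fields.update(match.groupdict())
            fields["source"] = source
            return fields
    return None


def build_incident(fields: dict) -> Incident:
    """Assign a responsible person from the asset register, escalate, and set the SLA deadline."""
    severity = fields["severity"].lower()
    category = fields.get("category", "unknown").lower()
    host = fields.get("host")
    owner, asset_criticality = ASSET_OWNERS.get(host, (None, None))
    assignee = owner or "soc-duty"          # fall back to the duty analyst when no owner is known
    team = [assignee]
    # Escalation rule: high severity or a critical asset pulls in the SOC lead.
    escalated = severity == "high" or asset_criticality == "high"
    if escalated:
        team.append("soc-lead")
    detected_at = datetime.fromisoformat(fields["time"])
    hours = SLA_HOURS.get((category, severity), DEFAULT_SLA_HOURS)
    return Incident(fields["source"], category, severity, detected_at, host, fields.get("user"),
                    assignee, team, detected_at + timedelta(hours=hours), escalated)


def process_messages(raws: List[str]) -> Tuple[List[Incident], List[str]]:
    """Return the incidents created and the messages no rule could parse (kept for manual review)."""
    incidents, unparsed = [], []
    for raw in raws:
        fields = parse_message(raw)
        if fields is None:
            unparsed.append(raw)
        else:
            incidents.append(build_incident(fields))
    return incidents, unparsed


if __name__ == "__main__":
    created, rejected = process_messages(RAW_MESSAGES)
    for inc in created:
        print(f"{inc.source}/{inc.category}/{inc.severity}: {inc.assignee} {inc.team} due {inc.deadline}")
    print("unparsed:", rejected)
```

Messages that match no rule are kept rather than dropped, so a new or changed source format shows up as a review queue instead of silently vanishing; the SLA deadline is computed from the detection time in the message, not from the time of ingestion, so a delayed delivery does not hide an already-missed deadline.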
Threat Intelligence Platform Functionality
On May 15, 2018, R-Vision announced the expansion of the R-Vision Incident Response Platform with Threat Intelligence Platform functionality. The R-Vision platform can now automatically collect and process cyber threat intelligence, use it in response algorithms and pass it directly to security tools. This makes it easier to detect hidden attacker activity and increases the speed of response, minimizing possible damage.
Threat intelligence technology allows you to detect malicious activity by certain signs, called indicators of compromise. Integrating this data into the incident response process allows you to quickly confirm a compromise and block the threat. However, without an automated solution, high-quality processing and analysis of a huge array of threat data is almost impossible.
The Threat Intelligence Platform from R-Vision automatically collects, processes and enriches indicators of compromise obtained from various threat intelligence suppliers. The system has built-in integration with the threat data exchange platforms IBM X-Force Exchange and AlienVault Open Threat Exchange and with the threat intelligence services of Group-IB and Kaspersky Lab, and allows you to connect other commercial and public sources.
This functionality allows you not only to import indicators from the selected feeds, but also to cross-check individual indicators with additional queries to external sources. The processed data can be passed directly to the security tools in use, which reduces the number of false positives that occur when raw feed data is used.
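The collect, normalize, cross-check and export steps described above can be shown end to end on two small feeds. The code below is an added example for this page, not R-Vision's implementation and not the API of any of the named feed providers: the two feeds, the external reputation lookup (a dictionary standing in for a real query so the block runs offline) and the internal allowlist are constructed for the example.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample feeds, made up for this example; none of these indicators is real.
FEED_A = [  # JSON-style records, as an exchange platform might return them
    {"indicator": "198.51.100.23", "type": "IPv4"},
    {"indicator": "Malicious.Example.", "type": "domain"},   # mixed case, trailing dot
    {"indicator": "203.0.113.9", "type": "IPv4"},
    {"indicator": "not-an-ip", "type": "IPv4"},              # malformed entry from the feed
]
FEED_B = """value,kind,confidence
198.51.100.23,ip,80
malicious.example,hostname,60
203.0.113.9,ip,20
evil.example,hostname,90
"""

# Different feeds name the same indicator type differently; map them to one vocabulary.
TYPE_MAP = {"ipv4": "ipv4", "ip": "ipv4", "domain": "domain", "hostname": "domain"}

# Hypothetical external reputation service (stands in for an additional query to an external source).
EXTERNAL_REPUTATION = {("ipv4", "198.51.100.23"): 95, ("domain", "evil.example"): 88,
                       ("ipv4", "203.0.113.9"): 10}
# Hypothetical internal allowlist: own or partner infrastructure that must never be blocked.
ALLOWLIST = {("ipv4", "203.0.113.9")}

Key = Tuple[str, str]


def normalize(kind: str, value: str) -> Optional[Key]:
    """Canonicalize (type, value); return None for unknown types or malformed values."""
    canonical = TYPE_MAP.get(kind.strip().lower())
    if canonical is None:
        return None
    value = value.strip().lower().rstrip(".")
    if canonical == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return None
    elif not value or "." not in value:
        return None
    return (canonical, value)


def ingest(feed_a: List[dict], feed_b: str) -> Dict[Key, dict]:
    """Merge both feeds, deduplicating by indicator and remembering which sources reported it."""
    merged: Dict[Key, dict] = {}
    for rec in feed_a:
        key = normalize(rec["type"], rec["indicator"])
        if key:
            merged.setdefault(key, {"sources": set(), "feed_confidence": 0})["sources"].add("feed_a")
    for row in csv.DictReader(io.StringIO(feed_b)):
        key = normalize(row["kind"], row["value"])
        if key:
            entry = merged.setdefault(key, {"sources": set(), "feed_confidence": 0})
            entry["sources"].add("feed_b")
            entry["feed_confidence"] = max(entry["feed_confidence"], int(row["confidence"]))
    return merged


def cross_check(merged: Dict[Key, dict], reputation: Dict[Key, int], allowlist: set,
                min_sources: int = 2, min_score: int = 70) -> Dict[Key, dict]:
    """Decide per indicator: block only what several feeds or a trusted lookup confirm."""
    checked = {}
    for key, entry in merged.items():
        score = reputation.get(key, 0)
        if key in allowlist:
            decision = "allowlisted"
        elif (len(entry["sources"]) >= min_sources or score >= min_score
              or entry["feed_confidence"] >= min_score):
            decision = "block"
        else:
            decision = "review"   # single-source, low-confidence: analyst looks first
        checked[key] = {"decision": decision, "sources": sorted(entry["sources"]), "score": score}
    return checked


def build_blocklist(checked: Dict[Key, dict]) -> List[str]:
    """Lines to hand to a firewall or proxy: only indicators that passed the cross-check."""
    return sorted(f"{t} {v}" for (t, v), r in checked.items() if r["decision"] == "block")


if __name__ == "__main__":
    result = cross_check(ingest(FEED_A, FEED_B), EXTERNAL_REPUTATION, ALLOWLIST)
    for key, verdict in sorted(result.items()):
        print(key, verdict)
    print("\n".join(build_blocklist(result)))
```

The allowlist check runs before any scoring, so a feed that happens to list your own address space can never push it onto the blocklist; everything that is neither confirmed nor allowlisted lands in a review bucket rather than being either blocked or discarded.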
Version 3.6
R-Vision, a Russian developer of solutions for automating information security management and incident response, announced on April 27, 2018 the release of version 3.6 of the R-Vision Incident Response Platform, designed for building corporate cybersecurity centers (SOC).
According to the developers, version 3.6 implements capabilities that allow more flexible incident management and expands the range of operations that can be performed remotely in automatic mode, thereby providing a faster and more adaptive response.
"We continue to increase the functionality of our product towards maximum automation of the operations performed by SOC specialists, as well as expand the range of tasks that can be implemented from the 'single window' of the R-Vision console," said Alexander Bondarenko.
In incident management, macro correlation has been added, which allows you to search for related incidents by a given criterion. It also became possible to create incidents from vulnerabilities and track their elimination on hosts.
One of the key features of the platform is dynamic response scenarios (so-called "playbooks"), which automatically carry out the algorithm of actions specified for a specific type of incident. In version 3.6, response scenarios are supplemented with the following types of actions: requesting information from users and making a decision automatically as the scenario progresses.
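A minimal playbook engine makes the two new action types concrete (and also shows the per-action status that the workflow map in version 4.0, described above, visualizes): a scenario suspends at an "ask user" step until the answer arrives, and a decision step branches on the collected context, marking the bypassed steps as skipped. This is an added example written for this page, not R-Vision's engine or its scenario format; the phishing playbook, the sender-reputation table and the action functions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Step:
    name: str
    kind: str                                                # "action", "ask_user" or "decision"
    action: Optional[Callable[[dict], None]] = None          # action: side effect on the incident context
    question: str = ""                                       # ask_user: text shown to the person asked
    branch: Optional[Callable[[dict], Optional[str]]] = None  # decision: step to jump to, or None


@dataclass
class Run:
    playbook: List[Step]
    ctx: dict                                                # incident context shared by all steps
    pos: int = 0
    status: Dict[str, str] = field(default_factory=dict)     # per-step status shown on the workflow map

    def __post_init__(self):
        for step in self.playbook:
            self.status.setdefault(step.name, "pending")


def execute(run: Run, answers: Optional[dict] = None) -> Run:
    """Advance the run; returns early (status 'waiting') when a user answer is still missing."""
    answers = answers or {}
    index = {s.name: i for i, s in enumerate(run.playbook)}
    while run.pos < len(run.playbook):
        step = run.playbook[run.pos]
        if step.kind == "ask_user":
            if step.name not in answers:
                run.status[step.name] = "waiting"
                return run                                    # suspend; resume with the answer later
            run.ctx[step.name] = answers[step.name]
            run.status[step.name] = "done"
            run.pos += 1
        elif step.kind == "decision":
            target = step.branch(run.ctx)
            run.status[step.name] = "done"
            if target is None:
                run.pos += 1
            else:
                for skipped in run.playbook[run.pos + 1:index[target]]:
                    run.status[skipped.name] = "skipped"
                run.pos = index[target]
        else:
            try:
                step.action(run.ctx)
                run.status[step.name] = "done"
            except Exception as exc:                          # a failed action is recorded, not hidden
                run.status[step.name] = "failed"
                run.ctx.setdefault("errors", []).append(f"{step.name}: {exc}")
            run.pos += 1
    return run


def render_map(run: Run) -> List[str]:
    """Text form of the workflow map: one line per step with its current status."""
    return [f"[{run.status[s.name]}] {s.name}" for s in run.playbook]


# Hypothetical enrichment source and actions for a phishing scenario (constructed).
SENDER_REPUTATION = {"billing@phish.example": "malicious"}


def enrich_sender(ctx):
    ctx["sender_reputation"] = SENDER_REPUTATION.get(ctx["sender"], "unknown")


def isolate_host(ctx):
    ctx.setdefault("actions", []).append(f"isolated {ctx['host']}")


def reset_password(ctx):
    ctx.setdefault("actions", []).append(f"password reset for {ctx['user']}")


def close_ticket(ctx):
    ctx["closed"] = True


PHISHING_PLAYBOOK = [
    Step("enrich_sender", "action", action=enrich_sender),
    Step("confirm_opened", "ask_user", question="Did you open the attachment?"),
    # Automatic decision: if the user did not open it, go straight to closing the ticket.
    Step("decide_containment", "decision",
         branch=lambda ctx: "close_ticket" if ctx["confirm_opened"] == "no" else None),
    Step("isolate_host", "action", action=isolate_host),
    Step("reset_password", "action", action=reset_password),
    Step("close_ticket", "action", action=close_ticket),
]


if __name__ == "__main__":
    run = Run(PHISHING_PLAYBOOK, {"sender": "billing@phish.example", "host": "ws-0412", "user": "ivanov"})
    execute(run)                                              # stops at the question
    print("\n".join(render_map(run)))
    execute(run, {"confirm_opened": "yes"})                   # resume once the user has answered
    print("\n".join(render_map(run)), run.ctx["actions"])
```

Because the run keeps its position and per-step status, it can be persisted while waiting for a person and resumed later, and the map distinguishes steps that were skipped by a decision from steps that failed, which is the information an analyst needs before adjusting a running scenario.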
A significant part of the functionality of R-Vision IRP 3.6 is designed to make working with assets easier, the company noted. In particular, integration with databases was optimized, and the ability to load information directly from a database on a schedule was implemented. Also added are remote connection to inventoried hosts directly from the R-Vision interface, launching automation scripts on assets on a given schedule, and launching scripts together with executable files.
The new version also refined the system interface and introduced a choice between light and dark interface themes. The design of the geographic map has changed, and an option has been added to display assets, hosts, incidents and vulnerabilities on it.
2017
Integration with Kaspersky Fraud Prevention Cloud
On September 4, 2017, Kaspersky Lab and R-Vision announced a technological partnership to counter cyber threats in remote service channels jointly and more effectively. To do this, the companies integrated their solutions for recognizing and preventing online financial fraud: Kaspersky Fraud Prevention Cloud (KFP) and the R-Vision Incident Response Platform (IRP). The integration makes it possible to start processing information security incidents automatically, based on data received in real time from Kaspersky Fraud Prevention Cloud. This approach allows fraud to be identified even before a transaction is made and the necessary actions to be taken to prevent it.
As a result of integrating the Kaspersky Lab and R-Vision technologies, protection of online banking and payment system users will be automated and accelerated: threats detected by the Kaspersky Fraud Prevention Cloud platform are registered as incidents in R-Vision IRP in real time. Notifying specialists of newly detected threats and distributing tasks within the incident response team will also occur automatically. In addition, after each incident is processed in R-Vision IRP, feedback about it is returned to Kaspersky Fraud Prevention, which helps refine fraud recognition using the machine learning technologies used in the Kaspersky Lab solution.
"Cooperation with Kaspersky Lab will open up new opportunities for our clients to centrally control the information security system and quickly repel cyber attacks. The tight integration of our products will allow you to consolidate threat information from different sources at a single entry point, and this, in turn, will speed up the response to all possible incidents. As a result, customers save their resources and time while receiving higher-level protection," explained Alexander Bondarenko, CEO of R-Vision.
"We highly appreciate the technology partnership with R-Vision: in our opinion, this is one of the most effective ways to develop security technologies in all segments of corporate IT infrastructures. In addition, this approach is especially convenient and beneficial for end users who do not have to think about how to integrate various solutions within the same network," said Alexander Ermakovich, Head of Kaspersky Fraud Prevention. "R-Vision has advanced incident response technologies. Together, we will be able to optimize the recognition and prevention of fraud in the financial environment and prevent monetary losses."
Description of R-Vision Incident Response Platform
As of November 2017, the R-Vision system allows you to create a corporate security management center (SOC), which serves as the point of consolidation of information about all information security incidents, as well as a platform for automatic incident processing and coordinated work of the response team.
Incident response speed is one of the key performance indicators of the information security division of any organization. Given the growing number of recorded reports of possible information security incidents and the speed of modern cyber attacks, the only way to retain the ability to respond quickly is to automate the actions performed and to develop ready-made plans for responding to emerging situations.
The R-Vision system allows you to conduct an inventory of the IT infrastructure, take into account tangible and intangible assets and their relationships, identify the most critical assets, identify unauthorized devices and external connections, vulnerabilities on scanned nodes and prioritize them by severity.
In terms of incident management, the R-Vision platform collects information on recorded information security incidents from all sources used in the organization. Each incident notification is enriched with details about related assets, users, criticality of business processes.
Next, ready-made response scenarios are launched that allow you to automate the algorithm of actions of the response team (escalation, notification, formation of a workgroup, setting tasks), as well as ensure the execution of actions to collect additional information, or preventive actions aimed at blocking an attack, in automatic mode. The product allows you to flexibly configure the information security incident response policy, set different options for response scenarios for each incident category.
To effectively repel modern cyber attacks, it is crucial to be able to share information with other industry participants, external experts and organizations, and public response centers (CERT/SOC). The R-Vision system contains built-in mechanisms for exchanging such information. This allows you to quickly receive information that can be used to detect and block a cyber attack. It also allows information identified during the investigation of an incident to be provided to other trusted exchange participants, which may be the information security services of subsidiaries and/or parent organizations (in the case of large holding structures), partner organizations and counterparties, and the relevant government services (FinCERT, GosSOPKA, etc.).
The system also records the measures taken in response to information security incidents, and can define standards for the performance of particular actions as well as overall deadlines for responding to incidents of various categories and criticality levels. Together, this allows you to evaluate the effectiveness of the response team and identify areas for improvement.
Automation of monitoring and response to information security incidents using the R-Vision platform allows organizations to control the security of information assets, significantly speed up response to information security incidents, increase the efficiency of employees responsible for information security, and minimize risks and possible damage from cyber attacks.
2016: Integration with InfoWatch Traffic Monitor
On November 24, 2016, R-Vision and the InfoWatch group of companies announced an agreement on the joint development, production and distribution of information security products on the market.
Under this agreement, it is planned to ensure the integration of the platform for organizing an information security incident response center R-Vision Incident Response Platform with technology to prevent leaks of confidential information and protect businesses from internal threats InfoWatch Traffic Monitor.
As a result of integration, it is planned to implement the ability to send events from InfoWatch Traffic Monitor to the R-Vision IRP system for analyzing and storing incidents of the corporate information security system in a single information system, simplifying access to it by the company's security officer.
It is possible to map events coming from InfoWatch Traffic Monitor to events coming to R-Vision IRP from other systems.
"In modern realities, prompt response to information security incidents requires consolidation of information about incidents from various sources and means of protection. The partnership opens up new opportunities for the implementation of solutions of our companies, as well as prospects for expanding customer and partner bases. Many organizations use InfoWatch Group products to protect critical data, and through technological partnership we plan to provide users with additional synergies achieved through the close integration of our company's developments and InfoWatch solutions."
"The integration of the InfoWatch DLP solution and the R-Vision IRP system will provide customers with advanced tools to prevent possible internal threats related to the company's information security, by comparing the actions of external attackers with the actions of employees within the organization, identifying collusion, determining the circle of accomplices and involved persons, and will significantly simplify the process of investigating such incidents."