
R-Vision Threat Intelligence Platform (TIP)

Product
The name of the base system (platform): R-Vision SGRC Center for Information Security Control (CKIB)
Developers: R-Vision
Date of the premiere of the system: April 2019
Last Release Date: 2024/10/31
Branches: Information security
Technology: Information Security - Information Leak Prevention; Information Security - Fraud Detection System; Information Security - Information and Event Management (SIEM); Threat Intelligence (TI) - Cyber Intelligence


R-Vision TIP (R-Vision Threat Intelligence Platform) is a platform that automatically collects indicators of compromise (IoCs) from free and commercial exchange channels (so-called cyber intelligence data, or threat intelligence), processes them, enriches them with additional information and passes them to internal security systems in order to detect possibly compromised systems, block threats in time and investigate incidents.

2024

R-Vision TIP 3.33 with enhanced FinCERT integration

R-Vision on October 31, 2024 announced the release of an update to the threat data analysis platform - R-Vision TIP 3.33. Major changes include: enhanced integration with FinCERT for more accurate threat detection and a flexible data model for system customization.

R-Vision TIP 3.33 integrates the FinCERT feeds, which matters most for banks supervised by the Bank of Russia: FinCERT is the key source of data on compromised banking artifacts. The expanded feed list in R-Vision TIP makes it possible to promptly receive FinCERT bulletins, anti-fraud feeds and the daily distribution of indicators of compromise (IoCs).

To account for the specifics of banking indicators of compromise, R-Vision extended the R-Vision TIP data model with new IoC types: SNILS (Russian pension insurance number), TIN (taxpayer identification number), personal account numbers and others. This lets banks receive only current, prioritized sets of indicators, which should noticeably improve the protection of their systems against external threats.

Once the data has been collected and enriched, context has been added to the indicators, and duplicates and false positives have been accounted for, the prioritized indicators still have to be delivered to the anti-fraud system; this is done through the platform's export mechanisms.

In R-Vision TIP 3.33 the logic of export filters can be switched between AND and OR, and new filters can be defined. Fields in CSV, JSON and OpenIOC exports are written in the order the user specifies. CSV export now supports regular expressions for filtering, except for the source, type, country and related-entity fields. It is also possible to choose the date format used in CSV and JSON exports.
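The export step described above, as an added example that is not R-Vision's code: a small IoC selection with switchable AND/OR filter logic, a regular-expression filter that is refused on the fields the release notes exclude, an ordered CSV/JSON field list and a selectable date format. The indicator records, field names and filter rules are constructed for illustration and do not reflect the platform's internal data model.

```python
"""Added example (not R-Vision code): exporting a prioritised IoC selection
with AND/OR filter logic, a fixed field order and a chosen date format.
The IoC records, filter rules and field names are constructed for illustration."""
import csv
import io
import json
import re
from datetime import datetime, timezone
from typing import Callable, Iterable

# Constructed sample indicators (documentation-range values, not real threat data).
IOCS = [
    {"value": "203.0.113.7", "type": "ip", "source": "FinCERT", "rating": 90,
     "tags": ["antifraud"], "last_seen": datetime(2024, 10, 30, 12, 0, tzinfo=timezone.utc)},
    {"value": "198.51.100.21", "type": "ip", "source": "OSINT", "rating": 40,
     "tags": [], "last_seen": datetime(2024, 9, 1, 8, 30, tzinfo=timezone.utc)},
    {"value": "evil-bank-login.example", "type": "domain", "source": "FinCERT", "rating": 75,
     "tags": ["phishing", "antifraud"], "last_seen": datetime(2024, 10, 29, 23, 59, tzinfo=timezone.utc)},
    {"value": "4100011111111111", "type": "account", "source": "Fid-Antifrod", "rating": 95,
     "tags": ["antifraud"], "last_seen": datetime(2024, 10, 31, 6, 0, tzinfo=timezone.utc)},
]

Filter = Callable[[dict], bool]

def field_equals(field: str, expected) -> Filter:
    return lambda ioc: ioc[field] == expected

def field_at_least(field: str, minimum) -> Filter:
    return lambda ioc: ioc[field] >= minimum

def field_regex(field: str, pattern: str) -> Filter:
    # Regex filtering applies to free-form fields only; source, type, country and
    # related entities are excluded, mirroring the restriction in the release notes.
    if field in {"source", "type", "country", "related"}:
        raise ValueError(f"regex filtering is not supported on field {field!r}")
    rx = re.compile(pattern)
    return lambda ioc: rx.search(str(ioc[field])) is not None

def has_tag(tag: str) -> Filter:
    return lambda ioc: tag in ioc["tags"]

def combine(logic: str, *filters: Filter) -> Filter:
    """Switchable AND/OR logic: the same filter set, a different combination."""
    if logic == "AND":
        return lambda ioc: all(f(ioc) for f in filters)
    if logic == "OR":
        return lambda ioc: any(f(ioc) for f in filters)
    raise ValueError("logic must be 'AND' or 'OR'")

def select(iocs: Iterable[dict], rule: Filter) -> list:
    return [i for i in iocs if rule(i)]

def _render(ioc: dict, field: str, date_format: str) -> str:
    v = ioc[field]
    if isinstance(v, datetime):
        return v.strftime(date_format)
    if isinstance(v, list):
        return ";".join(v)
    return str(v)

def export_csv(iocs, fields, date_format="%Y-%m-%dT%H:%M:%SZ") -> str:
    """Columns come out in exactly the order given in `fields`."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(fields)
    for ioc in iocs:
        w.writerow([_render(ioc, f, date_format) for f in fields])
    return buf.getvalue()

def export_json(iocs, fields, date_format="%Y-%m-%dT%H:%M:%SZ") -> str:
    """Keys keep the requested order; only dates are reformatted, lists stay lists."""
    rows = [{f: (_render(i, f, date_format) if isinstance(i[f], datetime) else i[f])
             for f in fields} for i in iocs]
    return json.dumps(rows, ensure_ascii=False)

if __name__ == "__main__":
    # Anti-fraud export: tagged indicators with a high rating, AND logic, regex on value.
    rule = combine("AND", has_tag("antifraud"), field_at_least("rating", 70),
                   field_regex("value", r"^\d+$|\."))
    picked = select(IOCS, rule)
    print(export_csv(picked, ["type", "value", "rating", "last_seen"], "%d.%m.%Y"))
    print(export_json(picked, ["value", "type", "tags", "last_seen"]))
```

Switching `combine("AND", ...)` to `combine("OR", ...)` keeps the individual filters and only changes how they are joined, which is the behaviour the release notes describe; the regex guard fails loudly rather than silently matching nothing on an excluded field.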

The update also adds new ways to get data into the platform:

  • improved field mapping for open-source feeds
  • import of indicators from XML (OpenIOC) and JSON
  • extended mapping options for the STIX and JSON Lines formats.
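An import path for the two formats named in the list above, as an added example that is not R-Vision's code: a parser for an OpenIOC 1.0 XML document (the namespace is the real one used by that format; the nested AND/OR `Indicator` blocks are walked recursively) and a JSON importer driven by a user-defined field mapping. The search-path-to-type table, the sample document and the sample JSON feed are constructed for the example and are not a complete or official mapping.

```python
"""Added example (not R-Vision code): importing indicators from an OpenIOC 1.0
XML document and from a JSON feed with a user-defined field mapping.
The sample document, the JSON feed and the search-path-to-type table are
constructed for illustration."""
import json
import xml.etree.ElementTree as ET

OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"  # real OpenIOC 1.0 namespace
Q = lambda tag: f"{{{OPENIOC_NS}}}{tag}"

# OpenIOC does not carry an IoC type directly; it is implied by the Context
# search path. This table is an assumption for the example, not a complete list.
SEARCH_TO_TYPE = {
    "FileItem/Md5sum": "md5",
    "FileItem/Sha256sum": "sha256",
    "Network/DNS": "domain",
    "Network/URI": "url",
    "PortItem/remoteIP": "ip",
    "Email/From": "email",
}

def _walk(indicator, operator_path, out):
    # Recurse through nested <Indicator operator="AND|OR"> blocks, recording the
    # chain of operators so the importer keeps the document's logical structure.
    for child in indicator:
        if child.tag == Q("IndicatorItem"):
            ctx = child.find(Q("Context"))
            content = child.find(Q("Content"))
            if ctx is None or content is None or not (content.text or "").strip():
                continue  # malformed item: skip rather than import an empty value
            out.append({
                "value": content.text.strip(),
                "type": SEARCH_TO_TYPE.get(ctx.get("search", ""), "unknown"),
                "condition": child.get("condition", "is"),
                "operators": "/".join(operator_path),
            })
        elif child.tag == Q("Indicator"):
            _walk(child, operator_path + [child.get("operator", "OR")], out)

def import_openioc(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    if root.tag != Q("ioc"):
        raise ValueError("not an OpenIOC 1.0 document")
    out = []
    definition = root.find(Q("definition"))
    if definition is not None:
        for top in definition.findall(Q("Indicator")):
            _walk(top, [top.get("operator", "OR")], out)
    for rec in out:
        rec["source_ioc"] = root.get("id", "")
    return out

def import_json(text: str, field_map: dict, type_map: dict) -> list:
    """field_map: feed field -> TIP field; type_map: feed type label -> TIP type."""
    out = []
    for row in json.loads(text):
        rec = {tip: row[feed] for feed, tip in field_map.items() if feed in row}
        if "value" not in rec:
            continue  # no usable indicator in this row
        rec["type"] = type_map.get(rec.get("type"), "unknown")
        out.append(rec)
    return out

# Constructed sample OpenIOC document (documentation-range values).
SAMPLE_OPENIOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001">
  <short_description>Constructed example</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="b" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">evil-bank-login.example</Content>
        </IndicatorItem>
        <IndicatorItem id="c" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">203.0.113.7</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed JSON feed with its own field names; the last row is malformed.
SAMPLE_JSON = json.dumps([
    {"indicator": "198.51.100.21", "kind": "ipv4", "first_seen": "2024-10-01"},
    {"indicator": "http://phish.example/login", "kind": "url"},
    {"kind": "ipv4"},
])

if __name__ == "__main__":
    for rec in import_openioc(SAMPLE_OPENIOC):
        print(rec)
    print(import_json(SAMPLE_JSON, {"indicator": "value", "kind": "type"},
                      {"ipv4": "ip", "url": "url"}))
```

The `operators` field preserves where each item sat in the OpenIOC AND/OR tree; flattening an OpenIOC definition into a plain indicator list without that is lossy, since an item under an AND block was never meant to fire on its own.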

R-Vision TIP 3.33 can automatically link entities based on tags and dates, which improves filtering, incident investigation and information exchange. The temporal relationships between these entities can also be visualized as a relationship graph, which makes filtering considerably more flexible. Together these features give users additional tools for in-depth incident investigation and for sharing information with colleagues.

"With the rapid increase in the amount of data that needs processing, R-Vision is constantly working to improve the automation tools of the R-Vision TIP platform. The added functions will not only speed up workflows, but also make the platform flexible to use for customers from different areas of business," said Valeria Chulkova, product manager of R-Vision TIP. "Flexibility in data management is key to quickly adapting to ever-changing market conditions and new challenges. Automation tools help you respond quickly to current threats and conduct in-depth analysis of potential risks, which in turn contributes to the sustainable development and competitiveness of companies."

R-Vision TIP 3.24 with the ability to filter events that come from Apache Kafka

R-Vision, a Russian developer of cybersecurity systems, announced on May 20, 2024 that the R-Vision TIP data analysis platform has been updated to version 3.24. The capabilities of R-Vision TIP 3.24 are aimed at automating work with compromise indicators and increasing the effectiveness of threat analysis.

Among the key changes is the expansion of options for exporting indicators of compromise to security tools. The updated R-Vision TIP can create rules that export IP-address indicators in UserGate format and in OpenIOC format for subsequent loading into the target systems. These additions extend the IoC export capabilities and make the protection process more efficient.

In the R-Vision TIP 3.24 update, the developers improved the search for indicators of compromise in the event stream coming from SIEM systems:

  • information about IoC detection events can now be sent back to the SIEM system in CEF format;
  • events arriving from Apache Kafka can now be filtered, so that the search runs only over events whose specified fields match.

The R-Vision team has expanded the list of supported FinCERT "Fid-Antifrod" feeds: feeds containing SWIFT data and wallets used in the Fast Payment System (FPS) are now available for connection. The developer also added support for importing indicators of compromise in STIX 2.1 format. This will allow financial institutions to identify fraudulent transactions involving these payment instruments more effectively.

"R-Vision TIP is a mature product that facilitates the detection of hidden threats and speeds up information security processes in organizations. Expanding the ability to export indicators of compromise in R-Vision TIP 3.24 reduces the risk of missing potential threats, ensuring more reliable protection of companies' information assets," said Valeria Chulkova, product manager of R-Vision TIP. "We see a market request to ensure automatic monitoring of relevant indicators in SIEM systems, so the update improved the search for indicators of compromise. The R-Vision team has done comprehensive work to improve automation around indicators of compromise so as to aggregate data from different sources more efficiently."

Compliance with cybersecurity standards of the Republic of Belarus

On January 29, 2024, R-Vision announced that the R-Vision TIP threat information analysis platform had been certified by the Operational and Analytical Center (OAC) under the President of the Republic of Belarus. The certification was carried out under technical regulation TR 2013/027/BY. The OAC certificate confirms that R-Vision Threat Intelligence Platform (TIP) meets the information security requirements of the Republic of Belarus.

The OAC Certificate of Conformity allows the use of R-Vision TIP:

In addition, R-Vision will continue certifying its solutions in 2024: the company plans to confirm that R-Vision Threat Deception Platform (TDP), a system for digital imitation of IT infrastructure elements and identification of attackers, meets the cybersecurity requirements of the Republic of Belarus.

"The certification of R-Vision TIP by the OAC confirms the high level of trust in R-Vision products on the part of the regulator and opens up opportunities for companies that want to increase the security of their information systems through the use of the latest protection technologies," said Kamil Baimashkin, Deputy Executive Director of R-Vision. "The information security market of the Republic of Belarus opens up opportunities for us to grow and develop our business. We have successfully implemented a number of projects in the country, so certification of another solution from the R-Vision product ecosystem is a continuation of our development strategy."

2023

R-Vision TIP 3.16 with reactive and retrospective search for compromise indicators

R-Vision released an updated version of the cyber threat information analysis platform, R-Vision TIP 3.16, on December 6, 2023. Version 3.16 includes a number of significant updates: the developer has expanded the list of supported SIEM systems and firewalls, redesigned the FinCERT feed service, and also improved its own data source - R-Vision Threat Feed, which can now independently determine the connections between entities, countries and industries of threat actors.

One of the functions of the R-Vision TIP platform is reactive and retrospective search for indicators of compromise within the stream of events coming from SIEM systems. After foreign SIEM suppliers left the Russian market, the need to support more domestic vendors grew. R-Vision TIP integrates not only with foreign solutions but also with domestic SIEM systems; in the updated version the vendor added integration with the Russian systems VolgaBlob Smart Monitor and Kaspersky Unified Monitoring and Analysis Platform.
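The reactive and retrospective search described here, and the 3.24 additions above (field filtering of events read from Apache Kafka, detection events sent back to the SIEM in CEF), as one added example that is not R-Vision's code. Kafka is replaced by an in-memory list of constructed CEF lines; the extension keys compared against IoCs, the detection event's vendor and product strings and the buffer size are assumptions made for the example.

```python
"""Added example (not R-Vision code): reactive and retrospective search for
indicators of compromise in a CEF event stream, with a field filter on the
incoming events and a CEF detection event sent back to the SIEM.
Kafka is replaced by an in-memory list of constructed CEF lines."""
import re
from collections import deque
from typing import Optional

# Extension keys whose values are compared against IoCs (assumed mapping).
MATCH_FIELDS = {"src": "ip", "dst": "ip", "dhost": "domain", "shost": "domain",
                "request": "url", "fileHash": "md5"}

def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields and key=value extensions."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # '\|' inside a field is escaped
    if len(parts) < 8:
        raise ValueError("CEF header incomplete")
    header = dict(zip(["version", "vendor", "product", "device_version",
                       "signature_id", "name", "severity"], parts[:7]))
    header["version"] = header["version"][4:]
    ext = {}
    # Extension values may contain spaces; a new key starts at ' key='.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2)
    header["ext"] = ext
    return header

def passes_filter(event: dict, field_filter: dict) -> bool:
    """Field filter applied to the stream: every listed field must match exactly."""
    for key, wanted in field_filter.items():
        actual = event.get(key) if key in event else event["ext"].get(key)
        if actual != wanted:
            return False
    return True

def find_iocs(event: dict, iocs: dict) -> list:
    """iocs: value -> type. Returns (field, value, type) hits for this event."""
    hits = []
    for field, ioc_type in MATCH_FIELDS.items():
        value = event["ext"].get(field)
        if value is not None and iocs.get(value) == ioc_type:
            hits.append((field, value, ioc_type))
    return hits

def detection_cef(event: dict, hit: tuple) -> str:
    """Detection event sent back to the SIEM in CEF (vendor/product are assumed)."""
    field, value, ioc_type = hit
    ext = (f"cs1Label=iocType cs1={ioc_type} cs2Label=matchedField cs2={field} "
           f"cs3Label=iocValue cs3={value} cs4Label=srcEvent cs4={event['signature_id']}")
    return f"CEF:0|ExampleTIP|IoC Search|1.0|ioc-match|IoC detected|8|{ext}"

class IocSearch:
    """Reactive search on incoming events plus a bounded buffer for retrospective search."""
    def __init__(self, iocs: dict, field_filter: Optional[dict] = None, history: int = 10000):
        self.iocs = dict(iocs)
        self.field_filter = field_filter or {}
        self.buffer = deque(maxlen=history)  # events kept for retrospective search

    def on_event(self, line: str) -> list:
        event = parse_cef(line)
        if not passes_filter(event, self.field_filter):
            return []
        self.buffer.append(event)
        return [detection_cef(event, h) for h in find_iocs(event, self.iocs)]

    def add_ioc(self, value: str, ioc_type: str) -> list:
        """Retrospective search: a newly arrived IoC is checked against buffered events."""
        self.iocs[value] = ioc_type
        hits = []
        for event in self.buffer:
            hits += [detection_cef(event, h) for h in find_iocs(event, {value: ioc_type})]
        return hits

# Constructed CEF lines (documentation-range addresses, not real traffic).
SAMPLE_EVENTS = [
    "CEF:0|UserGate|UTM|7.0|1001|Connection allowed|3|src=10.0.0.5 dst=203.0.113.7 dpt=443",
    "CEF:0|UserGate|UTM|7.0|1002|DNS query|2|src=10.0.0.9 dhost=evil-bank-login.example",
    "CEF:0|OtherVendor|Proxy|1.0|77|Web request|2|src=10.0.0.5 request=http://phish.example/login",
    "CEF:0|UserGate|UTM|7.0|1001|Connection allowed|3|src=10.0.0.6 dst=198.51.100.21 dpt=80",
]

if __name__ == "__main__":
    search = IocSearch({"203.0.113.7": "ip"}, field_filter={"vendor": "UserGate"})
    for line in SAMPLE_EVENTS:
        for det in search.on_event(line):
            print("reactive:", det)
    for det in search.add_ioc("198.51.100.21", "ip"):
        print("retrospective:", det)
```

The retrospective path is what makes a late-arriving indicator useful: the fourth sample event passed through with no hit, and only the later `add_ioc` call finds it in the buffer. Filtered-out events are never buffered, so the field filter also bounds what retrospective search can see.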

The update also extends the list of supported third-party security tools to which indicators of compromise can be exported. Detected indicators can be exported automatically to firewalls for further processing and protection of the network infrastructure; in this version the domestic firewall vendor Ideco UTM was added to the list of integrable solutions. It also became possible to configure integration and export rules from R-Vision TIP to Kaspersky Security Network.

The R-Vision TIP team continues to develop its own feed built into the platform. It automatically collects TI reports from reliable open sources and extracts the key Threat Intelligence artifacts from them. In the updated R-Vision Threat Feed, the data set used to train the TI artifact recognition model was increased 11 times and entity recognition accuracy improved significantly: the model can now determine direct connections between entities, as well as the country and industry of threat actors and victims.

In R-Vision TIP 3.16 the developers extended the data model with new indicator types: TIN, SNILS, hashes of passport numbers, account numbers, electronic wallets and phone numbers. This information is loaded into R-Vision TIP from a new data source, the automated system "Fid-Antifrod", which holds information about the recipients of compromised transfers. In earlier versions of R-Vision TIP the user could receive information about Bank of Russia incidents only through the main channel, the ACOI FinCERT feed.

Information received from data providers often lacks the context needed to analyze indicators of compromise and the related security events. As part of systematically expanding its context sources, the updated R-Vision TIP adds support for two new enrichment services, UrlScan and URLhaus.

"Cyber intelligence data is a key element of threat analysis, so the list of TI data providers in R-Vision TIP will continue to grow," commented Valeria Chulkova, head of the R-Vision TIP product. "In addition, the R-Vision TIP team will continue to expand the list of supported domestic security tool vendors, which is especially important in the current information security market conditions."

R-Vision TIP 3.0 with compromise indicator rating customization function

On May 10, 2023, R-Vision introduced a major version of the R-Vision TIP 3.0 cyber threat information analysis platform. The updated product has received a number of significant functional improvements. In particular, users can now use more quality data to analyze threats thanks to a new source - the MITRE ATT&CK knowledge base. They also have access to the function of customizing the rating of compromise indicators.

In R-Vision TIP 3.0 the developer increased the volume of cyber intelligence data received by integrating the platform with a new supplier, the MITRE ATT&CK knowledge base. Information about malware, threat actors and their techniques can now be obtained directly from the platform interface in the threats section. Entity cards contain everything that comes from the knowledge base: entity descriptions, the tactics associated with them, group aliases, sub-techniques, links to web resources describing cases where attackers used particular techniques, and detection recommendations.

In addition, the relationship graph shows the connections of all entities received from the new supplier with indicators of compromise and with each other. This is an additional analysis tool that makes it possible to track which techniques different groups use and which malware is involved. The same information is reflected in the indicator card, which lets TI analysts quickly assess the stage of the attack, develop incident response tactics and prioritize the measures taken.

In version 3.0, R-Vision made a number of important improvements to the threat ranking section by adding user-customizable presets for calculating the rating of indicators of compromise. Users can now set their own values for metrics such as breadth, completeness of the data and the timeliness with which the source provides it, and thus influence the final rating of an indicator more precisely than in earlier versions of R-Vision TIP.

"In the process of analyzing Threat Intelligence data, the presence of context associated with indicators of compromise is important. Using data from the MITRE ATT&CK matrix directly in the R-Vision TIP interface, cyber threat analysts can quickly evaluate and classify the tactics and techniques that attackers use during an attack. Working with this context gives a more complete picture of threats, helps to identify "weak" points in information systems, take the necessary protective measures, and improve the incident response process," said Valeria Chulkova, product manager of R-Vision TIP.

2022

R-Vision TIP version 2.20

On December 1, 2022, R-Vision introduced an updated version of the R-Vision TIP (Threat Intelligence Platform) threat analysis platform. In version 2.20, the developer expanded the list of available integrations with cyber intelligence data providers and compromise indicator enrichment services. The changes also affected the process of transferring incidents to the R-Vision SOAR system.

One of the key platform updates is the expansion of the volume of cyber intelligence information received. The vendor added integration with the domestic Threat Intelligence data providers PT Threat Intelligence Feeds and BI.ZONE ThreatVision, so the sources connected to R-Vision TIP give analysts richer IoC context and make further use of the data more accurate.

Other important changes concern enriching indicators of compromise with additional context. In particular, the updated version adds built-in integration with the Kaspersky Threat Lookup enrichment service. Finer tuning also became possible: users can now set the lifetime of enrichment data not only in days but also in hours and minutes, which allows more precise refreshing of indicator information and analysis of cyber intelligence data. The enrichment data block in indicator cards was also redesigned so that data from different enrichment services is brought to a uniform form. In addition, the developer updated the OPSWAT Metadata integration to follow changes in that service.

Other updates improve the logic of the user interface. Alert rules and integration rules are combined into a single section, which simplifies transferring incidents to the R-Vision SOAR information security automation and incident response platform and allows both actions to happen at once. Before sending to R-Vision SOAR, the type of event grouping can now be selected: by rule or by indicator value. Another change lets TI analysts see all activity that occurred during a particular incident: the indicator card now reflects the activity types associated with the incident ID obtained from R-Vision SOAR.

"The company is constantly working on technical improvements to R-Vision TIP and strives to make users' work in the system more stable and faster. We will also continue to expand the integration capabilities of the platform, and we plan to implement the ability to customize the model for calculating the rating of indicators of compromise," reported Valeria Chulkova, R-Vision TIP product manager.

Certification of FSTEC of Russia according to the fourth level of trust

On November 22, 2022, cybersecurity system developer R-Vision announced that the R-Vision TIP threat information analysis platform had successfully passed certification tests for compliance with the information protection requirements of the 4th level of trust of the Federal Service for Technical and Export Control (FSTEC) of Russia.


Certificate of Compliance No. 4614, issued on November 2, 2022, confirms that R-Vision Threat Intelligence Platform (R-Vision TIP) fully meets the information security requirements established in the regulatory and methodological documents of the FSTEC of Russia.

The R-Vision TIP platform, like other information security tools corresponding to the 4th level of trust, can be used in:

The 4th level of trust is the highest level applicable to information protection in organizations that do not process state secrets.

"It is important for us to ensure not only high functionality but also the security of all R-Vision products, so we are very careful about their certification. FSTEC certification for the fourth level of trust confirms at the state level the reliability and security of the R-Vision TIP threat analysis platform and enables our customers to use the Threat Intelligence data management platform with confidence," commented Alexander Bondarenko, CEO of R-Vision.

The R-Vision Threat Intelligence Platform (R-Vision TIP) is also included in the state unified register of domestic software.

Availability on Jet CyberCamp platform as part of cyber training

On June 7, 2022, Jet Infosystems announced that, together with cybersecurity system developer R-Vision, it had prepared a joint cyber training program. As part of the program, information security specialists can gain hands-on experience with R-Vision SOAR, R-Vision SGRC and R-Vision TIP during training on the Jet CyberCamp platform of Jet Infosystems.

R-Vision TIP 2.5: changes in compromise indicators, bulletin tools and vulnerability cards

On April 21, 2022, R-Vision announced that it had upgraded the R-Vision Threat Intelligence Platform (TIP) threat information analysis platform to version 2.5. The key changes affect the logic of enriching indicators of compromise, the bulletin tool and vulnerability cards, and the system interface was substantially reworked.

Enrichment

In R-Vision TIP 2.5, the developer improved the logic for enriching indicators of compromise with additional context. Users can configure the maximum number of days for which enrichment data is stored; after that period the system automatically re-requests the enrichment data, so users work with more up-to-date indicator information.
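The enrichment lifetime described here (days in 2.5, refined to hours and minutes in 2.20) and the 2.20 change that brings responses from different enrichment services to a uniform form, as one added example that is not R-Vision's code. The two enrichment services, their response shapes, the normalised record layout and the sample responses are constructed for the example; the clock is injected so that expiry can be exercised without waiting.

```python
"""Added example (not R-Vision code): an enrichment cache whose entries expire
after a configurable lifetime and are re-requested on expiry, with responses
from different enrichment services brought to one uniform record.
Both services and their responses are constructed for illustration."""
from datetime import datetime, timedelta, timezone
from typing import Callable

# Normalisers turn each (constructed) service's native response into one record shape.
def normalise_service_a(raw: dict) -> dict:
    return {"verdict": raw["zone"].lower(), "score": int(raw["score"]),
            "categories": list(raw.get("cats", [])), "service": "ServiceA"}

def normalise_service_b(raw: dict) -> dict:
    total = raw["malicious_votes"] + raw["harmless_votes"]
    verdict = "malicious" if raw["malicious_votes"] > raw["harmless_votes"] else "harmless"
    return {"verdict": verdict, "score": round(100 * raw["malicious_votes"] / max(1, total)),
            "categories": list(raw.get("tags", [])), "service": "ServiceB"}

class EnrichmentCache:
    def __init__(self, fetch: Callable[[str, str], dict], normalisers: dict,
                 lifetime: timedelta,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.fetch = fetch            # (service, indicator) -> raw response
        self.normalisers = normalisers
        self.lifetime = lifetime      # any timedelta: days, hours or minutes
        self.now = now
        self._store = {}              # (service, indicator) -> (fetched_at, record)
        self.requests = 0             # counts outbound enrichment calls

    def get(self, service: str, indicator: str) -> dict:
        key = (service, indicator)
        now = self.now()
        cached = self._store.get(key)
        if cached and now - cached[0] < self.lifetime:
            return cached[1]          # still within its lifetime: no new request
        raw = self.fetch(service, indicator)
        self.requests += 1
        record = self.normalisers[service](raw)
        record["enriched_at"] = now.isoformat()
        self._store[key] = (now, record)
        return record

# Constructed responses standing in for two enrichment services.
FAKE_RESPONSES = {
    ("ServiceA", "203.0.113.7"): {"zone": "RED", "score": 87, "cats": ["botnet"]},
    ("ServiceB", "203.0.113.7"): {"malicious_votes": 9, "harmless_votes": 1, "tags": ["c2"]},
}

def fake_fetch(service: str, indicator: str) -> dict:
    return dict(FAKE_RESPONSES[(service, indicator)])

NORMALISERS = {"ServiceA": normalise_service_a, "ServiceB": normalise_service_b}

if __name__ == "__main__":
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    cache = EnrichmentCache(fake_fetch, NORMALISERS, lifetime=timedelta(hours=6),
                            now=lambda: clock[0])
    print(cache.get("ServiceA", "203.0.113.7"))
    print(cache.get("ServiceB", "203.0.113.7"))
    clock[0] += timedelta(hours=7)    # past the lifetime: the next call re-requests
    print(cache.get("ServiceA", "203.0.113.7"), "requests so far:", cache.requests)
```

Because every record has the same keys regardless of service, an indicator card (or a rating formula) can consume `verdict`, `score` and `categories` without knowing which service produced them; the `enriched_at` field makes it visible how stale a value is.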

Bulletins

A significant part of the R-Vision TIP improvements concerns the bulletin tool. Threat and vulnerability bulletins inform subordinate organizations and authorized employees about security threats and current software and hardware vulnerabilities relevant to a particular infrastructure or organization. The platform can create bulletins about one or more vulnerabilities, and in this version each vulnerability shows whether a bulletin exists for it and that bulletin's identifier.

Vulnerability card

In R-Vision TIP 2.5, when viewing a vulnerability card and when creating or editing a vulnerability bulletin, the full Common Weakness Enumeration (CWE) structure of the weakness is shown, including nested elements. This helps the user understand how the vulnerability relates to CWE entries and thus send more detailed bulletins to subordinate organizations.

When creating a vulnerability bulletin, the list of vulnerable software is displayed more logically, in the format "software name: software versions 1.x - 1.n". This makes it much easier to find the required software in the list and makes bulletins more informative.

Data providers

The developer has made changes to R-Vision Threat Intelligence Feed (R-Vision TI Feed) - R-Vision's own feed that collects information about compromise indicators and other entities from open sources. The names of threat actors and the names of malware instances in R-Vision TI Feed are automatically normalized and brought into a uniform form, which will avoid duplication of entities.

In addition, there have been improvements in the system interface - it has completely changed. In the updated version, uniform interaction patterns have appeared, thanks to which it has become even more convenient to use the platform. The Content Center library, which has taken on a single look in all R-Vision products, makes the process more intuitive.

"Our main task is the continuous development of the platform's functionality. In the future we are planning a number of functional improvements that will speed up the implementation of the R-Vision TIP platform and simplify the process of transferring incidents to the R-Vision SOAR system. In addition, we continue to expand the list of TI data providers available to our users, which allows SOC analysts to receive complete information about threats, and to develop the platform's integration capabilities with up-to-date protection tools," noted Valeria Chulkova, R-Vision TIP Product Manager.

2021

R-Vision TIP 2.0 - Compromise Indicator Ranking Engine Optimization

R-Vision introduced R-Vision Threat Intelligence Platform (TIP) 2.0 on December 6, 2021. The key changes concern the ranking mechanism for indicators of compromise and integration with R-Vision IRP, the company's information security incident response platform. Users also gained a way to obtain high-quality threat intelligence data from R-Vision's own feed.

One of the platform updates is an improved scoring model used to calculate the rating of indicators of compromise. The model calculates the rating from statistical metrics computed over the collected data. The calculation takes into account a number of parameters, among them the indicator's relationships and all the context associated with it, the completeness of the incoming information and the timeliness with which a source provided the data relative to other connected sources. Whether or not the indicator is on the exception list is also taken into account. Thanks to the improved R-Vision TIP scoring model, monitoring center analysts can identify the most relevant and malicious indicators of compromise and work with the threats that matter to the company.
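A rating model built from the metrics named here (relationships and context, completeness, timeliness relative to other sources, exception list) with the user-editable weight presets that version 3.0 above introduces, as one added example that is not R-Vision's code. The formula, the weights, the saturation points and the sample indicators are assumptions made for illustration and are not the platform's actual scoring model.

```python
"""Added example (not R-Vision code): a 0..100 rating for indicators of
compromise from breadth, completeness and timeliness metrics, with weight
presets the user can change and a hard zero for excluded indicators.
The formula, weights and sample indicators are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Indicator:
    value: str
    sources: list               # feeds that reported the indicator
    relations: int              # linked entities (malware, actors, reports)
    fields_present: int         # context fields actually filled in
    fields_expected: int
    first_seen_by_source: dict  # source -> datetime the source first reported it
    excluded: bool = False      # on the exception list

@dataclass
class Preset:
    """User preset: weights must sum to 1; each metric is scaled to 0..1 first."""
    w_breadth: float = 0.4
    w_completeness: float = 0.3
    w_timeliness: float = 0.3
    max_sources: int = 5            # breadth saturates at this many sources
    max_relations: int = 10
    stale_after: timedelta = timedelta(days=30)

    def __post_init__(self):
        if abs(self.w_breadth + self.w_completeness + self.w_timeliness - 1.0) > 1e-9:
            raise ValueError("weights must sum to 1")

def breadth(ioc: Indicator, p: Preset) -> float:
    # How widely the indicator is reported and how much context is linked to it.
    s = min(len(ioc.sources), p.max_sources) / p.max_sources
    r = min(ioc.relations, p.max_relations) / p.max_relations
    return (s + r) / 2

def completeness(ioc: Indicator) -> float:
    return ioc.fields_present / ioc.fields_expected if ioc.fields_expected else 0.0

def timeliness(ioc: Indicator, p: Preset, now: datetime) -> float:
    # The earliest report among the sources counts; decays linearly to 0 at stale_after.
    if not ioc.first_seen_by_source:
        return 0.0
    age = now - min(ioc.first_seen_by_source.values())
    return max(0.0, 1 - age / p.stale_after)

def rating(ioc: Indicator, p: Preset, now: datetime) -> int:
    """0..100; an excluded indicator is forced to 0 regardless of the other metrics."""
    if ioc.excluded:
        return 0
    score = (p.w_breadth * breadth(ioc, p) + p.w_completeness * completeness(ioc)
             + p.w_timeliness * timeliness(ioc, p, now))
    return round(100 * score)

# Constructed sample indicators (documentation-range values, not real threat data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("203.0.113.7", ["FeedA", "FeedB", "FeedC"], 8, 5, 5,
              {"FeedA": NOW - timedelta(days=3), "FeedB": NOW - timedelta(days=1)}),
    Indicator("198.51.100.21", ["FeedA"], 0, 1, 5, {"FeedA": NOW - timedelta(days=45)}),
    Indicator("10.0.0.1", ["FeedA", "FeedB"], 2, 5, 5, {"FeedA": NOW}, excluded=True),
]

if __name__ == "__main__":
    default = Preset()
    fresh_first = Preset(w_breadth=0.2, w_completeness=0.2, w_timeliness=0.6)
    for ioc in SAMPLE:
        print(ioc.value, rating(ioc, default, NOW), rating(ioc, fresh_first, NOW))
```

Changing the preset re-orders nothing for the excluded indicator, which stays at 0, but it shifts the other two: the same well-connected indicator scores 85 under the default weights and 88 when timeliness dominates, which is the kind of tuning a user preset is for.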


R-Vision Threat Intelligence Platform (TIP) 2.0 improves the integration mechanism with R-Vision IRP: detection event data is now expanded into the indicator fields of the incident card on the IRP side, and for mass detections events can be grouped when sent to R-Vision IRP. This helps configure incident response more flexibly depending on the number or scale of malicious detection events.

"Constantly communicating with our users, we see that the needs for Threat Intelligence (TI) are becoming more mature from year to year. Expectations from TI platforms are growing: users are waiting not just for a data aggregator, but also for the mechanisms that will provide data quality, automation of operations for searching for compromise indicators and various integrations with the internal information security ecosystem, "said R-Vision product manager Anton Solovey.

Users of R-Vision TIP 2.0 can receive threat data from R-Vision Threat Intelligence feed, a separate service that automatically collects and processes TI reports from open sources, extracts indicators of compromise and the associated context from them, and transfers all the data to the system. When the R-Vision Threat Intelligence feed service is connected to the platform, TI reports are available to the user in a human-readable form. The analyst has information about all important objects related to the report: indicators of compromise, attackers, malware and any other context. The report data can be analyzed and used to search the organization's IT infrastructure or to integrate with security tools. R-Vision Threat Intelligence feed helps obtain high-quality and complete threat information without SOC analysts spending time manually processing PDF reports and then recording and linking the data in their system.

R-Vision Threat Intelligence Platform version 1.20

On September 23, 2021, R-Vision announced that it had updated the R-Vision Threat Intelligence Platform (TIP) data management platform to version 1.20. The product gained mass editing of indicators of compromise, an expanded list of cyber threat data suppliers, more integrations with security tools, optimized work with Active Directory objects and more flexible automation rules.

The R-Vision TIP 1.20 platform allows you to massively change the necessary attributes for several compromise indicators at once. For example, users can add a description or tags to them, edit timestamps, and so on. This feature will help SOC analysts save time on routine tasks and focus on more complex issues.

In version 1.20 the developers expanded the number of supported cyber threat data sources. The platform now has built-in integration with a number of feeds from the nonprofit Shadowserver Foundation, which collects and analyzes data on a wide range of threats, including malware and botnet activity. Shadowserver feeds are in demand among national CERTs (computer emergency response teams) and can be useful to telecom operators with their own autonomous networks.

A separate block of changes concerns the platform's interaction with other protection tools. Users can now export a required selection of indicators of compromise in a supported format for monitoring and blocking on UserGate firewalls. The platform also supports the version of the MaxPatrol SIEM incident detection system that was current as of September 2021.

In addition, the developers have increased the fault tolerance of the platform when connecting a large number of Active Directory objects to it. This improvement will ensure the stable operation of R-Vision TIP in enterprise segment organizations, where the number of such objects can reach several hundred thousand.

Changes to the platform also affected automation rules. A condition was added that allows a rule to fire when a specific attribute changes. A typical example is sending an incident notification to the SOAR system when an indicator of compromise is updated.

"We continue to expand the number of TI (Threat Intelligence) sources in demand by our users, increasing the ability to integrate with security tools so that TI data can be conveniently and quickly used in proactive monitoring and blocking of threats. At the same time, we do not forget about the need to improve the usability of the platform, systematically adding new functionality that helps users solve everyday problems faster," said Anton Solovey, product manager of the R-Vision Threat Intelligence Platform.

Integration with ESET Threat Intelligence

Russian cybersecurity system developer R-Vision and the international anti-virus company ESET have combined technologies to combat cyber threats: R-Vision's specialists integrated the R-Vision Threat Intelligence Platform data management platform with the ESET Threat Intelligence telemetry service. Platform users can now receive ESET threat data streams in the familiar interface without additional configuration. R-Vision announced this on August 10, 2021.

ESET feeds include four threat data channels: information about botnet networks, malicious domains, URLs, and executable files. This information helps SOC analysts get a more complete picture of current threats, find their signs in the infrastructure in a timely manner, and take protective measures. For example, knowing the hashes of executable malicious files present in cyberspace, specialists can block them in advance or quickly identify them in the system.

ESET researchers obtain the primary information for the feeds from more than 110 million of their own sensors located around the world. In addition, analysts use data obtained through information exchange with CERTs, the national computer emergency response teams. When forming feeds, ESET specialists focus on minimizing false positives: all collected data is pre-filtered before it reaches end users.

The integration of ESET feeds into R-Vision TIP makes them available out of the box: users do not need to spend resources configuring the interaction between the service and the platform. To connect the feeds, it is enough to enter the ESET Threat Intelligence license key in the R-Vision TIP interface, after which the data streams flow into the platform on a regular basis.

"Our feeds are designed to help the information security units of large organizations with developed infrastructure and high cybersecurity needs respond to cyber incidents in a timely manner and proactively find new, previously unknown threats. We expect that the integration of our service with the R-Vision TIP platform will increase its usability for our consumers in the Russian market and in the CIS countries," said Alexander Pirozhkov, head of ESET Threat Intelligence.

"We strive to give our users a choice of sources while maintaining a balance between their quantity and quality. ESET feeds have good threat attribution: indicators of compromise come with context that helps to understand the attackers' techniques and tactics. Such data allows you to make informed decisions about how to respond to a threat at a particular moment in time and how to prevent it in the future. We believe that a technological partnership with ESET will help us meet our users' needs for cyber intelligence data that covers the regional specifics of threats to Russia and the CIS countries," concluded Anton Solovey, product manager of the R-Vision Threat Intelligence Platform.

Integration with RST Threat Feed

R-Vision has joined forces with the compromise indicator provider RST Cloud to develop the R-Vision Threat Intelligence Platform (TIP) cyber intelligence management platform. As part of the technological partnership, the product gained built-in integration with the RST Threat Feed service. This expands the ability of platform users to select Threat Intelligence data sources for the most complete coverage of current threats, R-Vision reported on July 22, 2021.

RST Threat Feed from RST Cloud is an aggregation service that collects and cross-checks compromise indicators from more than 130 sources published by the information security community, enriches them with additional context and ranks them by hazard level. Users of the RST Cloud service receive data that has already been prepared for use in detecting and investigating cyber incidents, as well as in proactive threat hunting.

The presence of built-in integration with feeds from RST Cloud in R-Vision TIP allows you to add them to the platform out of the box. The connection does not require complex settings: just select RST Threat Feed in the "Data Providers" section and enter the license key for using the service.

"It is important for our customers to be able to quickly and conveniently connect the RST Threat Feed service to the SOC process automation products they use. Many of them either already have specialized platforms for managing cyber intelligence data in their arsenal, or are actively eyeing them. The native integration of our feeds with R-Vision TIP relieves our integrator partners and customers of the headache of connecting them to the platform. Now the user just needs to make a couple of clicks and enter the activation key in the R-Vision TIP interface, and they begin to receive indicators on a regular basis," said Nikolai Arefiev, co-founder of RST Cloud.

"Expanding technology partnerships with threat data providers is one of the strategic directions for the development of the R-Vision TIP platform. We strive to give our users the opportunity to choose the feeds most relevant to the threat landscape specific to their activities. The more sources are available to the user, the more flexible the data collection will be, which means that the client will be able to get more complete threat coverage. Our cooperation with RST Cloud is aimed at solving precisely this problem," said Anton Solovey, Product Manager of the R-Vision Threat Intelligence Platform.

R-Vision TIP 1.17

R-Vision released an updated version of the R-Vision Threat Intelligence Platform (TIP) 1.17 on July 14, 2021. Key changes affected the product data model, the capabilities of distributed sensors for detecting compromise indicators, the processing of freely distributed threat data streams and the formation of bulletins.

To improve the quality of threat descriptions, R-Vision TIP 1.17 expanded the data model. The product's automation rules now include filters that allow you to form atomic samples of compromise indicators associated with a specific threat, hacker group or malware. To narrow a sample as far as possible, SOC analysts can add multiple filters at once. The resulting data can be exported or, for example, sent to the SIEM system to search for the relevant compromise indicators.

In this version of the platform, the developers have also improved the distributed sensors designed to collect indicators at remote sites next to the SIEM system's event stream. You can now add a policy to each sensor that specifies when the collected data is automatically deleted.

Another change in R-Vision TIP 1.17 concerns the handling of open-source threat feeds. Now, when adding CSV feeds, the user has access to a constructor in which you can specify which objects the platform should collect and from which columns. This makes it possible to collect from CSV feeds not only indicators of compromise, but also valuable context for more accurate information about the threat, for example, malware names, timestamps, or the name of a malicious group or campaign.
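The column "constructor" described above, as an added illustration that is not R-Vision's code: a hypothetical column-to-field mapping turns a constructed open CSV feed into indicator records with context, inferring the indicator type when the feed has no type column and skipping rows whose value is not a recognisable indicator.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample of an open CSV feed (not a real provider's data). Column names
# differ between providers, which is why a column-to-field mapping is needed.
SAMPLE_FEED = """\
ioc,malware,seen,campaign
198.51.100.23,Emotet,2021-07-01T10:15:00Z,OpWinter
evil.example,TrickBot,2021-07-02T08:00:00Z,
9e107d9d372bb6826bd81d3542a419d6,Emotet,2021-07-02T09:30:00Z,OpWinter
not an ioc,?,2021-07-02T10:00:00Z,
"""

# Hypothetical constructor configuration: platform field -> feed column.
COLUMN_MAP = {"value": "ioc", "malware": "malware", "first_seen": "seen", "campaign": "campaign"}

# Type inference, used only when the mapping names no explicit type column.
TYPE_PATTERNS = [
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def infer_type(value):
    for name, pattern in TYPE_PATTERNS:
        if pattern.match(value):
            return name
    return None

def parse_csv_feed(text, column_map):
    """Map CSV columns to indicator fields; rows with an unrecognised value are skipped."""
    indicators = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row[column_map["value"]].strip()
        ioc_type = row[column_map["type"]].strip().lower() if "type" in column_map else infer_type(value)
        if ioc_type is None:
            continue  # garbage or unsupported type: do not store it
        ts = row[column_map["first_seen"]].strip()
        indicators.append({
            "type": ioc_type,
            "value": value,
            "first_seen": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            # Context columns are optional in the mapping; an empty cell becomes None.
            "malware": row.get(column_map.get("malware", ""), "").strip() or None,
            "campaign": row.get(column_map.get("campaign", ""), "").strip() or None,
        })
    return indicators
```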

In addition, R-Vision TIP 1.17 has expanded the ability to generate information about threats and vulnerabilities. Previously, a separate bulletin had to be created for each vulnerability in the platform, but now a single bulletin can cover multiple threats. This function is designed to make it easier for information security analysts to disseminate information and recommendations on protective measures against related threats when necessary.

"We are systematically developing both the TI data engine and the ability to easily and quickly search for threats within the infrastructure. The first allows you to collect TI data more efficiently and effectively and broadens users' horizons and source coverage; the second helps to flexibly and quickly determine whether the organization's infrastructure is exposed to current threats. The ability to collect data from various sources, normalization, validation, and lifecycle management mechanisms are extremely important, as they allow you to gain knowledge about the threat landscape and respond to threats in a timely manner," said Anton Solovey, Product Manager of the R-Vision Threat Intelligence Platform.

R-Vision Threat Intelligence Platform 1.15

On April 13, 2021, R-Vision announced the update of the R-Vision Threat Intelligence Platform (TIP) to version 1.15. It features distributed sensor installation, lifecycle management tools for SIEM sensors, creation and modification of compromise indicators, STIX support, an advanced threat data model, updated bulletin features and other updates.

Distributed installation of SIEM sensors in R-Vision TIP 1.15

According to the company, one of the main updates is the ability to install sensors to collect compromise indicators next to the SIEM system event stream. Previously, to process this information, it was necessary to use a single centralized sensor installed with the platform. The updated functionality will be in demand by large organizations with a geographically distributed infrastructure that need to install sensors directly in branches. All connected SIEM sensors are available to SOC analysts in the R-Vision TIP user interface, which also provides the ability to remotely configure them.

Platform users can now determine when compromise indicators are out of date by setting their own policies or by using information from threat data feed providers. This allows information security analysts to filter out irrelevant compromise indicators and reduce the time required to process them.

The updated version of the platform also makes it possible to create and edit compromise indicators found independently in the company's IT infrastructure. Users can enter all the necessary information into the system: type, kind, value, description, tags, the indicator's expiration date and time, etc.

In addition, the developers supplemented the solution with a tool for analyzing the quality of data sources. Reports on data sources connected to the platform are generated automatically for a given period of time, and the metrics used in them help to assess the quality of the information received.

To optimize the completeness of the threat description in the product, the data model was expanded. It has a number of entities that underlie the threat attribution system and help users distinguish serious attacks from minor incidents and take prompt response measures.

The updated version of R-Vision TIP also implements user "white lists" of compromise indicators. SOC analysts can now create their own lists of trusted resources to filter out known-benign indicators of compromise at the data collection stage. Such indicators are treated as exceptions and do not enter the TIP database.

In addition, the platform can now export compromise indicators in STIX 2.1 format. This is a specialized format for the exchange of cyber intelligence data that is recognized by a large number of systems; it allows you to share threat data and obtain structured information about indicators of compromise.
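The three lifecycle steps described in this section, expiration policies, a whitelist of trusted resources and STIX 2.1 export, as one added example that is not R-Vision's code: constructed indicators are dropped if whitelisted or past a hypothetical per-type TTL, and the survivors are wrapped as STIX 2.1 Indicator objects in a Bundle.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed indicators in the shape a platform might store them (sample data, not a real feed).
NOW = datetime(2021, 4, 13, tzinfo=timezone.utc)
SAMPLE = [
    {"type": "ipv4", "value": "198.51.100.23", "first_seen": NOW - timedelta(days=3)},
    {"type": "domain", "value": "update.microsoft.com", "first_seen": NOW - timedelta(days=1)},
    {"type": "md5", "value": "9e107d9d372bb6826bd81d3542a419d6", "first_seen": NOW - timedelta(days=400)},
]
# Hypothetical analyst whitelist of trusted resources, applied at collection time.
WHITELIST = {"domain": {"microsoft.com"}, "ipv4": set()}
# Hypothetical expiration policy: days after first sighting an indicator is considered stale.
TTL_DAYS = {"ipv4": 30, "domain": 90, "md5": 365, "sha256": 365}
# STIX 2.1 pattern templates for the indicator types handled here.
STIX_PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def is_whitelisted(ind, whitelist):
    """Domains match the listed name and any subdomain; other types match exactly."""
    trusted = whitelist.get(ind["type"], set())
    if ind["type"] == "domain":
        return any(ind["value"] == d or ind["value"].endswith("." + d) for d in trusted)
    return ind["value"] in trusted

def is_expired(ind, now, ttl_days):
    return now - ind["first_seen"] > timedelta(days=ttl_days[ind["type"]])

def select_active(indicators, now, whitelist=WHITELIST, ttl_days=TTL_DAYS):
    return [i for i in indicators if not is_whitelisted(i, whitelist) and not is_expired(i, now, ttl_days)]

def stix_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def to_stix_bundle(indicators, now, ttl_days=TTL_DAYS):
    """Wrap each indicator as a STIX 2.1 Indicator object; valid_until carries the TTL."""
    objects = [{
        "type": "indicator", "spec_version": "2.1", "id": "indicator--" + str(uuid.uuid4()),
        "created": stix_time(now), "modified": stix_time(now),
        "pattern": STIX_PATTERNS[ind["type"]].format(v=ind["value"]), "pattern_type": "stix",
        "valid_from": stix_time(ind["first_seen"]),
        "valid_until": stix_time(ind["first_seen"] + timedelta(days=ttl_days[ind["type"]])),
    } for ind in indicators]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}

if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(select_active(SAMPLE, NOW), NOW), indent=2))
```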

The latest versions of the platform implement a mechanism for creating an arbitrary number of dashboards with customizable widgets for specific tasks of SOC analysts. A number of changes also affected the public API: for example, it became possible to upload information on a large amount of indicators to external systems using just one request.

A separate block of changes affected the work with bulletins about threats and vulnerabilities: several images can now be added to them at once, and users can create their own templates of recommendations on what to do if a threat is detected. These updates will help organizations with a large branch network and MSS providers disseminate important information faster and respond promptly to information security incidents.

"As of April 2021, we are seeing a growing need in the information security market for convenient tools for managing, structuring and exchanging threat data, as well as for automating actions with such data. This is directly related to the increasing volume of attacks, their spread across different industries, and the expanding tools and techniques of attackers," noted Anton Solovey, R-Vision Threat Intelligence Platform Product Manager.

2020: Appearance of the link graph

On June 4, 2020, R-Vision announced the next release of the R-Vision Threat Intelligence Platform. Among the functional innovations: a visual display of threat data on a link graph, collection of information about vulnerabilities, vulnerable software and security weaknesses from the CVE, CPE and CWE databases, and options for importing and exporting compromise indicators. These capabilities help security analysts build a complete picture of threats and make them easier to analyze.

The product now has a link graph, a tool characteristic of Threat Intelligence Platform products. It displays the relationships of a malicious indicator with other entities and provides a clear picture of the threat, thereby simplifying its analysis. The graph includes tools for scaling, filtering, and clustering objects by various attributes for convenient work.

The presented version adds the collection of vulnerabilities (CVE), a list of vulnerable software (CPE) and security weaknesses (CWE) from the NVD (NIST) and MITRE databases. R-Vision TIP automatically links this information together, as well as to the collected indicators of compromise. As a result, the user receives an exhaustive picture not only of the vulnerability itself that the malware exploits, but can also immediately see which software is affected by it and what led to it. This helps security analysts prioritize vulnerability remediation.

The release also adds the ability to collect compromise indicators from various internal systems used in the organization. R-Vision TIP automatically stores, updates and enriches this data and associates it with existing threat information, in the same way it processes cyber intelligence data from external suppliers. Ready-to-use indicators can now be exported not only to security tools, but also as files in JSON and CSV formats.

The changes also affected the integration of R-Vision TIP with the QRadar and ArcSight SIEM systems, which monitors security events for compromise indicators and generates alerts when they are detected. The updated integration provides higher performance and helps to avoid unnecessary load on the SIEM.

R-Vision technical support will notify current product users that updates are available.

2019: R-Vision Threat Intelligence Platform Official Release

On October 9, 2019, R-Vision unveiled the official release of its R-Vision Threat Intelligence Platform, a Russian cyber intelligence data management platform.

R-Vision Threat Intelligence Platform

Cyber intelligence data is information about current threats, attacks, tactics and techniques of attackers, as well as so-called indicators of compromise, by which malicious activity can be detected. Early detection of compromise is one of the key factors in minimizing data loss, financial losses and reputational damage to the company.

The R-Vision Threat Intelligence Platform collects compromise indicators from different vendors, processes them, enriches them with additional context, and exports them to external security tools for monitoring and blocking. Supported threat information sources include data from FinCERT of the Central Bank of the Russian Federation, Kaspersky, Group-IB, IBM X-Force Exchange and AT&T Cybersecurity (formerly AlienVault), as well as open data. Thanks to a set of sensors, the product monitors in real time, retrospectively searches for traces of attacker activity in the organization's IT infrastructure, and notifies security analysts when something is detected.

All regularly repeated operations with compromise indicators in the R-Vision Threat Intelligence Platform can be performed in automatic mode, which gives an important advantage - the ability to provide a full automated cycle of work, from collection to blocking by means of protection.

"Active use of compromise indicators is becoming an integral function of many modern defenses, allowing you to quickly identify, among other things, hidden attacks on infrastructure, facts of compromise of computer systems and the presence of malicious code. Making the work with the streams of cyber intelligence data coming through various channels as automated and effective as possible is the main task of our solution. The use of the R-Vision Threat Intelligence Platform in conjunction with existing monitoring and security tools allows you to significantly develop their capabilities and increase the chances of an organization detecting a threat in time," commented R-Vision CEO Alexander Bondarenko.

Threat Intelligence Platform solutions are becoming one of the important tools for monitoring and responding to information security incidents. By quickly providing a detailed picture of threats and automating actions, such solutions allow you to identify hidden attacks in the early stages, ensure proactive response, and speed up the investigation of incidents that have already occurred.